SI.L2-3.14.7: Identify Unauthorized Use

Identify unauthorized use of organizational systems.

Unauthorized users should not access your systems or data. SI.L2-3.14.7 requires that you have mechanisms to identify when unauthorized access occurs and respond. The assessor will verify you are monitoring for unauthorized use and have documented incidents. Detecting unauthorized access depends on AU.L2-3.3.1 (audit logging), links to AC.L2-3.1.1 (access control enforcement), and triggers IR.L2-3.6.1 (incident response procedures).

Family: System and Information Integrity
Practice: SI.L2-3.14.7
Difficulty: Medium
Key evidence: Unauthorized use policy, access logs, incident documentation, response records

What the assessor is actually evaluating

The assessor will check:

  1. Detection mechanisms: You should have logs or monitoring that would reveal unauthorized access attempts (failed logins, privilege escalation, suspicious access patterns).

  2. Logging scope: Logs should cover system logins, file/data access, privilege changes, and other relevant events.

  3. Review and response: Logs are reviewed periodically. When unauthorized access is detected, it is documented and investigated.

What a realistic SSP definition looks like

Policy: “The organization monitors and logs all user access to systems and data. Windows security event logs capture logon attempts, privilege escalation, and access events. SIEM analyzes logs for unauthorized access patterns. Alerts are generated for failed logins, privilege escalation attempts, and access to sensitive files by unauthorized users. Incidents are investigated and documented.”

Supporting details:

  • Logging: The Windows Security event log (viewed in Event Viewer) records logons, logoffs, privilege changes, and file access on critical systems.
  • SIEM analysis: Splunk rules detect multiple failed logins from the same user, elevation of privilege, and access to sensitive files.
  • Alerts: Real-time alerts for critical events. Daily log review for medium/low events.
  • Incident documentation: All detected unauthorized access attempts are logged in a ticket system with investigation results.
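The three detection rules listed in the supporting details (repeated failed logons from one account, privilege elevation, and access to a sensitive file by someone outside its reader list), together with the ticket record that the incident-documentation bullet calls for, as an added Python example that is not code from the guide or from Splunk. It runs the rules over constructed Windows Security event records. Event IDs 4624, 4625 and 4647 are the ones this guide names; 4672 (special privileges assigned to a new logon) and 4663 (object access) are real Windows Security event IDs that the guide does not list and are assumed here, as are the approved-admin set, the file reader list and the INC- ticket numbering.

```python
"""Unauthorized-use detection rules over Windows Security events.

Added example, not code from the guide or from Splunk. A SIEM would run rules
like these over live events; here the events are constructed records carrying
a few Security-log fields. Event IDs from the guide: 4624 logon, 4625 failed
logon, 4647 logoff. Assumed here (real Windows IDs the guide does not list):
4672 special privileges assigned to a new logon, 4663 object access.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5                   # failures from one account ...
FAILED_LOGON_WINDOW = timedelta(minutes=10)  # ... inside this sliding window

# Constructed authorisation data; a real deployment pulls this from AD and file ACLs.
APPROVED_ADMINS = {"alice"}
SENSITIVE_FILE_READERS = {r"\\fs01\cui\contract_2024.docx": {"alice", "bob"}}

# Constructed sample events: ts, Windows event id, account, host, optional object.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "id": 4625, "user": "mallory", "host": "WS01"},
    {"ts": "2024-03-04T09:00:30", "id": 4625, "user": "mallory", "host": "WS01"},
    {"ts": "2024-03-04T09:01:00", "id": 4625, "user": "mallory", "host": "WS01"},
    {"ts": "2024-03-04T09:01:30", "id": 4625, "user": "mallory", "host": "WS01"},
    {"ts": "2024-03-04T09:02:00", "id": 4625, "user": "mallory", "host": "WS01"},
    {"ts": "2024-03-04T09:03:00", "id": 4625, "user": "bob", "host": "WS02"},      # two typos,
    {"ts": "2024-03-04T09:03:20", "id": 4625, "user": "bob", "host": "WS02"},      # below threshold
    {"ts": "2024-03-04T09:03:40", "id": 4624, "user": "bob", "host": "WS02"},
    {"ts": "2024-03-04T09:05:00", "id": 4624, "user": "alice", "host": "WS03"},
    {"ts": "2024-03-04T09:05:01", "id": 4672, "user": "alice", "host": "WS03"},    # approved admin
    {"ts": "2024-03-04T09:10:00", "id": 4624, "user": "carol", "host": "WS04"},
    {"ts": "2024-03-04T09:10:01", "id": 4672, "user": "carol", "host": "WS04"},    # not approved
    {"ts": "2024-03-04T09:15:00", "id": 4663, "user": "carol", "host": "FS01",
     "object": r"\\fs01\cui\contract_2024.docx"},                                  # not a reader
    {"ts": "2024-03-04T09:20:00", "id": 4663, "user": "bob", "host": "FS01",
     "object": r"\\fs01\cui\contract_2024.docx"},                                  # allowed
    {"ts": "2024-03-04T09:25:00", "id": 4625, "user": "mallory", "host": "WS01"},  # outside window
    {"ts": "2024-03-04T09:30:00", "id": 4647, "user": "alice", "host": "WS03"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Rule 1: at least `threshold` 4625 failures for one account within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_user[e["user"]].append(_ts(e))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed_logon_burst", "user": user,
                               "count": end - start + 1,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break  # one alert per account; the ticket covers the whole burst
    return alerts

def unapproved_privilege(events, approved=APPROVED_ADMINS):
    """Rule 2: 4672 (admin-level privileges at logon) for an account not approved for them."""
    return [{"rule": "unapproved_privilege", "user": e["user"], "host": e["host"], "when": e["ts"]}
            for e in events if e["id"] == 4672 and e["user"] not in approved]

def sensitive_file_access(events, readers=SENSITIVE_FILE_READERS):
    """Rule 3: 4663 access to a watched file by an account outside its reader list."""
    alerts = []
    for e in events:
        obj = e.get("object")
        if e["id"] == 4663 and obj in readers and e["user"] not in readers[obj]:
            alerts.append({"rule": "sensitive_file_access", "user": e["user"],
                           "object": obj, "when": e["ts"]})
    return alerts

def run_detections(events):
    """All three rules, ordered by rule name then account for a stable report."""
    alerts = failed_logon_bursts(events) + unapproved_privilege(events) + sensitive_file_access(events)
    return sorted(alerts, key=lambda a: (a["rule"], a["user"]))

def open_ticket(alert, number):
    """Incident record the guide expects: what fired, on whom, evidence, and a slot for findings."""
    evidence = {k: v for k, v in alert.items() if k not in ("rule", "user")}
    return {"ticket": f"INC-{number:04d}", "rule": alert["rule"], "user": alert["user"],
            "evidence": evidence, "status": "open", "investigation": None}

if __name__ == "__main__":
    for n, alert in enumerate(run_detections(SAMPLE_EVENTS), start=1):
        print(open_ticket(alert, n))
```

Run as a script it prints three tickets (mallory's logon burst, carol's unapproved privileges, carol's read of the CUI file); bob's two failed logons stay below the threshold and his file read is on the reader list, so neither fires. The threshold and window are the tunable part: the "daily log review for medium/low events" in the supporting details is where sub-threshold activity such as bob's gets looked at.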

How to present your evidence

Evidence checklist
  • Unauthorized use policy with detection and response procedures
  • Windows Event Logging configured for logon, privilege, and access events
  • SIEM rules detecting unauthorized access patterns and anomalies
  • Access logs from past 30 days showing detection capability
  • Incident documentation from past 3-6 months with investigation and response

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “How do you identify unauthorized use of your systems?”

You: “We monitor access logs and have alerts configured for suspicious patterns. Windows event logs capture logins, file access, and privilege changes. Our SIEM detects unauthorized attempts.” [Pull up unauthorized use policy and SIEM dashboard]

Assessor: “Show me the security logs from a system.”

You: [Open Windows Event Viewer and show logon events (Event ID 4624), logoff events (4647), and failed logon attempts (4625). Display the event details]

Assessor: “What would trigger an alert for unauthorized access?”

You: “Multiple failed logon attempts from the same user, elevation of privilege, or access to sensitive files by a user who should not have access.” [Show SIEM alert rules]

Assessor: “Have you detected any unauthorized access attempts?”

You: “In the past month, we had three incidents: two failed password attempts and one user accessing a file they should not have access to. Each was investigated.” [Pull up incident tickets with investigation details and resolutions]

Common failures

No logging configured: Access events are not being logged. There is no way to detect unauthorized use.

Logs exist but are not reviewed: Security logs are generated but no one analyzes them. Unauthorized access goes undetected.

No detection rules or alerts: Logs are collected but there are no thresholds or rules for suspicious activity. Unauthorized access requires manual discovery.

Unauthorized attempts are not documented: When suspicious activity is discovered, it is not recorded or investigated.

What good looks like

Comprehensive logging: Security logs are enabled on all systems. Access events, logons, and privilege changes are logged.

Proactive detection: SIEM rules alert on suspicious patterns. Logs are reviewed daily. Incidents are documented and investigated.

If you use an MSP/MSSP

If your MSP manages systems or logging, ensure the service agreement specifies that access logs will be captured and reviewed. Request monthly reports of any unauthorized access attempts detected. Verify that SIEM or monitoring rules are configured for your environment.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.