What Level of CMMC Requires Security Information and Event Management (SIEM)?

By Casey Lang • March 30, 2021

As your organization works to determine the meaning and application of the various levels of the newly enacted Cybersecurity Maturity Model Certification (CMMC), questions arise. One particular issue surrounds the issue of SIEM as it pertains to the first level of CMMC. The short answer to whether it is required or not is: it’s complicated.

A Closer Look at Level 1 SIEM Requirements

The key word in the assessment guide and in the CMMC practice for Systems and Communication Protection (SC) found at SC.1.175 is ‘Monitor.’ This practice requirement is heavily focused on perimeter and boundary defense, meaning that your cyber boundaries must be controlled, protected, and monitored.

What it means to your company – Chances are, you already have a firewall. Consequently, the most common compliance issue the CyberSheath team sees with this particular requirement is a lack of proactive monitoring. In CMMC level 1, you only need to address the one SC requirement–boundary protection and control services, such as firewall, intrusion detection system (IDS), intrusion prevention system (IPS), and web proxy if it exists.

How CyberSheath can help – At CyberSheath, we monitor your IT infrastructure with Azure Sentinel. Level 1 monitoring is cost-effective as there is less activity required, with less log integration, less log consumption, and less Azure Sentinel cost.

For Level 1, the monitoring cost is mostly based on storage, and excludes licensing, deployment, and management of Microsoft Defender or the Log Analytics Agent, since only the boundary and perimeter devices need to be monitored. Also, typically Level 1 does include government community cloud (GCC) requirements, as there is no controlled unclassified information (CUI) to contend with, only federal contact information (FCI). The result is commercial Microsoft services are appropriate for the SIEM requirements of Level 1.

Requirements Shift as You Advance to Level 3

As your organization moves to higher levels of CMMC, more controls need to be enacted around monitoring users including detecting unauthorized use of accounts, responding to support incidents, tracking log correlation requirements, and more.

At Level 3, your organization needs the right log sources to support the investigative process, such as endpoint protection, perimeter monitoring, authentication logs, and other security tools. As you can see, the resources needed to achieve Level 3 are more advanced, and also carry higher Azure Sentinel data costs.

Another Consideration for SIEM Requirements

The System and Information Integrity control family requires the ability to detect malware, and update signatures, at appropriate locations. The assessment guide specifies items like the ability to detect malware on the network (IDS/IPS) and on endpoints (Anti-Virus/endpoint detection and response (EDR)).

If your company wants to use basic, built-in Windows Defender, this can meet a Level 1 requirement. However, if your organization wants to license Microsoft Endpoint Defender to solve for this, you have the opportunity to easily integrate with Sentinel for monitoring on Commercial licensing at a fairly low cost. While not a necessity for CMMC level 1, this solution is good to have and also better prepares you should you seek CMMC Level 3 in the future.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise.  Join Eric Noonan and Carl Herberger, VP of Security Services, on Wednesday, April 21st, 2021 at 9:00am (PST) | 12:00pm (EST), for “CMMC – How It Started. How It’s Going,” when they will talk through five common pain points experienced by organizations tackling DoD regulations.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or writing you SSP – this webinar will accelerate your journey. Register Now.


Webinar CMMC - How It Started. How It's Going.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO