3.14.6 — Watch the Network

The One-Liner

CUI exfiltrated to a foreign server and nobody notices for three months — that’s this requirement failing.

What It Says

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

What It Actually Means

You must actively watch for attacks — not just protect against them. Three monitoring domains, all required:

1. System monitoring. Detect attacks and indicators of attack on the systems themselves. This means endpoint detection (EDR), log analysis, behavioral anomaly detection, and system integrity monitoring. A process running that shouldn’t be, an unusual login pattern, a configuration change outside of change management — all indicators.

2. Inbound traffic monitoring. Watch what’s coming in from external networks. IDS/IPS at the perimeter, email filtering, web gateway analysis. Known attack signatures, command-and-control callbacks, exploit attempts — detected and alerted.

3. Outbound traffic monitoring. Watch what’s leaving your network. This is where most companies fall short. Data exfiltration, C2 beaconing, DNS tunneling, large file transfers to unknown destinations — all indicators of compromise that only outbound monitoring catches. If an attacker is inside your network sending CUI to an external server, outbound monitoring is what catches it.

The assessor checks:

• System monitoring is in place. EDR, SIEM, or equivalent is deployed and actively monitoring CUI systems.
• Inbound traffic is monitored. IDS/IPS or equivalent detects inbound attack patterns.
• Outbound traffic is monitored. DLP, proxy logs, DNS monitoring, or anomaly detection watches for data leaving the environment.
• Someone is watching. Monitoring without review is just logging. An analyst, SOC, or MDR provider reviews alerts and responds.

This doesn’t require a 24/7 internal SOC. A managed detection and response (MDR) service, a properly configured SIEM with alerting and daily review, or a combination of automated detection with human triage all satisfy the requirement.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are organizational systems monitored to detect attacks?	EDR + SIEM deployed on CUI systems; alerts generated for indicators of attack
2	Is inbound communications traffic monitored?	IDS/IPS or equivalent at the perimeter; inbound attack patterns detected and alerted
3	Is outbound communications traffic monitored?	DLP, proxy, DNS monitoring, or anomaly detection watching for data exfiltration and C2 traffic

---

What to Have Ready on Assessment Day

Documents they’ll review: System and information integrity policy; procedures addressing system monitoring; continuous monitoring strategy; system security plan; network diagrams showing monitoring points; system monitoring tool documentation; IDS/IPS configuration; system configuration settings; system audit logs and records

People they’ll talk to: System or network administrators; information security personnel; personnel responsible for system monitoring and intrusion detection; SOC analysts or MDR provider contact

Live demos they’ll ask for: “Show me your monitoring architecture — what tools and where.” “Show me an IDS/IPS alert.” “Show me how you detect outbound anomalies.” “Show me a recent investigation triggered by monitoring.” “Who reviews alerts and how often?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How do you monitor your CUI systems for attacks? Show me the tools.”
• “Show me your IDS/IPS — is it monitoring inbound traffic?”
• “How do you monitor outbound traffic? What would you see if CUI were being exfiltrated?”
• “Show me a recent alert — what triggered it and how did you respond?”
• “Where are your monitoring devices deployed? Show me on the network diagram.”
• “Are communication traffic flows understood? Is there a deployed capability to review that traffic?”
• “Who reviews monitoring alerts? How often?”

Real-World Example

A defense contractor uses a layered monitoring approach. Endpoint: Defender for Endpoint with EDR on all CUI systems — behavioral detection, automated investigation, and alert generation. Network perimeter: Palo Alto firewall with Threat Prevention subscription (IDS/IPS) — inspects inbound traffic for exploit attempts, malware delivery, and known attack signatures. Outbound: Palo Alto URL filtering and DNS Security blocks known-bad destinations; Defender for Cloud Apps monitors cloud service usage for shadow IT and data exfiltration patterns; Sentinel analytics rules detect anomalous outbound data volumes. Central correlation: Microsoft Sentinel aggregates all sources and runs analytics rules for cross-domain detection — impossible travel, lateral movement, privilege escalation followed by data access. The IT Security Lead reviews the Sentinel incident queue every morning. High-severity alerts trigger PagerDuty notifications for immediate response. Monthly monitoring metrics are reported: alerts generated, investigated, true positives, mean time to respond. The assessor reviews the network diagram showing monitoring points, examines two recent Sentinel incidents with investigation notes, and verifies both inbound and outbound monitoring capabilities are active.

---

Where Companies Trip Up

No outbound monitoring. Inbound traffic is monitored with a firewall IDS, but nobody watches what’s leaving. An attacker inside the network exfiltrating CUI data to an external server goes undetected. Deploy outbound monitoring: proxy logs, DNS monitoring, DLP, or anomalous transfer detection.

Monitoring deployed, nobody watching. IDS generates alerts but they go to an inbox nobody checks. The assessor asks “show me a recent alert investigation” and there are none. Assign alert review to a person or team with defined frequency — daily at minimum. Or use an MDR service.

Inbound only at the perimeter. IDS/IPS at the firewall but no monitoring of internal systems or traffic between zones. An attacker who gets past the perimeter moves laterally undetected. EDR on endpoints and internal traffic analysis complement perimeter monitoring.

No detection methodology. Monitoring tools are deployed but there’s no documented methodology for what constitutes an indicator of attack. Define what you’re looking for: brute force, impossible travel, C2 beaconing, data exfiltration patterns, privilege escalation, lateral movement. Build or buy detection rules.

Alert fatigue. Thousands of low-quality alerts drown out the real threats. Tune your detection rules — reduce false positives, prioritize high-fidelity detections, and suppress noise. A monitoring capability overwhelmed by noise is not effective monitoring.

---

How to Talk About This

To a CEO or Board

We monitor all CUI systems and all network traffic — both inbound and outbound — for signs of attack. Our monitoring detects external threats trying to get in and internal threats trying to get data out. Alerts are reviewed daily and high-severity incidents trigger immediate response.

To an Engineering Team

Endpoint: Defender for Endpoint EDR on all CUI systems. Perimeter: Palo Alto Threat Prevention (IDS/IPS) for inbound. Outbound: URL filtering, DNS Security, Defender for Cloud Apps, Sentinel anomalous volume rules. Central: Sentinel correlation for cross-domain detection. Daily incident queue review. PagerDuty for high-severity. Monthly metrics: alert volume, investigation count, MTTR. Detection rules tuned quarterly.

---

Connected Requirements

Requirement	Why it matters here
3.13.1 — Guard the Boundaries	Boundary controls where monitoring is deployed
3.3.5 — Connect the Dots	Log correlation feeds the analysis that monitoring depends on
3.14.7 — Catch Unauthorized Use	Monitoring detects unauthorized use — misuse detection is a subset of this capability
3.6.1 — Plan for Incidents	Monitoring alerts trigger the incident response process

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: SI.L2-3.14.6 | SPRS Weight: 5 points | POA&M Eligible: No