What does “monitor” mean in CMMC?

list of 800-171 and cmmc assessment objectives that require monitoring

Logan Therrien and Amira Armond from Kieri Solutions (an Authorized C3PAO) discuss the concept of monitoring and how it is evaluated by CMMC assessors.

Several assessment objectives in CMMC Level 2 require monitoring.

🔍 the physical facility where organizational systems reside is monitored;
🔍 the support infrastructure for organizational systems is monitored.
🔍 visitor activity is monitored.
🔍 installation of software by users is monitored.
🔍 communications are monitored at the external system boundary;
🔍 communications are monitored at key internal boundaries;
🔍 use of mobile code is monitored.
🔍 remote access sessions are monitored.
🔍 use of Voice over Internet Protocol (VoIP) technologies is monitored.
🔍 the system is monitored to detect attacks and indicators of potential attacks;
🔍 mobile device connections are monitored and logged.

How is monitoring different from audit logging?

Do you need a 24×7 operations center in order to monitor?

Why does CMMC require you to both control bad activity, as well as monitor for bad activity? If you are controlling it, then there is nothing to monitor!

How can you show proof that you are monitoring for something that is controlled? There are no results!

These questions, and more, are discussed in the video below.

Enjoy, and don’t forget to subscribe to our YouTube channel for lots of other CMMC training content.


Kieri Solutions is an Authorized CMMC Third Party Assessment Organization (C3PAO). Contact them if you are interested in scheduling a Joint Surveillance assessment or CMMC assessment. Kieri also has great programs for CMMC preparation, ranging from do-it-yourself packages to full concierge with-you-through-the-assessment packages.

Leave a Reply

Your email address will not be published. Required fields are marked *