This post explains how to satisfy SI.L2-3.14.7 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) by mapping and hardening your critical assets to substantially improve detection of unauthorized use of organizational systems, with concrete, budget-aware steps a small business can implement today.
What this control requires and the key objectives
The control text itself is short: "Identify unauthorized use of organizational systems." NIST SP 800-171A assesses it with two objectives: 3.14.7[a], authorized use of the system is defined, and 3.14.7[b], unauthorized use of the system is identified. You cannot recognize unauthorized use until you have written down what authorized use looks like, which is why this post starts by identifying the devices, services, and accounts that matter to business operations and who may use them, and then applies hardening and monitoring to those assets so that deviations become detectable. Key objectives are: (1) an accurate, prioritized asset inventory that records expected users, sources, and access paths; (2) hardened configurations and a reduced attack surface on high-value assets; (3) instrumented detection capabilities (host and network) tailored to those assets; and (4) evidence to demonstrate all of this during assessments.
Step-by-step implementation approach
Begin with asset discovery and classification: maintain a CMDB or a controlled spreadsheet with fields for asset name, owner, business function, location (on-prem/cloud), OS, installed applications, exposed ports, authentication methods, and sensitivity/impact rating (e.g., High/Medium/Low). Use automated discovery tools (Nmap, Qualys, Tenable Nessus, or cloud inventory like AWS Config/Azure Resource Graph) to confirm the inventory and identify unmanaged devices. Score assets by business impact and exposure to focus hardening and monitoring on the top 10–20% that present the most risk.
Mapping critical assets and attack paths
Create simple mappings that show connectivity and trust relationships: directories (Active Directory/Okta), VPN/remote access gateways, mail systems, file shares, databases holding CUI, build servers, and critical SaaS. Use threat modeling techniques (e.g., STRIDE) to identify likely attack paths from internet-facing systems to internal high-value targets. Document which administrative paths must go through a jump server, and identify where segmentation, firewalls, or zero-trust controls are needed to break the remaining paths.
Hardening controls you should apply
Apply baseline hardening (CIS Benchmarks or vendor STIGs) to critical hosts. For Windows, use Group Policy to enforce password rules, disable unused services, remove local admin rights, enable Windows Defender/EDR, configure Sysmon with a focused config (capture process creation, network connections, and DLL loads) and forward logs to a collector. For Linux, ensure /etc/ssh/sshd_config has PermitRootLogin no and PasswordAuthentication no, enable FIPS-validated crypto modules and TLS 1.2+ where the platform supports them, and install auditd rules that log execve and changes to credential files (/etc/passwd, /etc/shadow, /etc/sudoers). Two sshd caveats that trip up audits: sshd honors the first occurrence of a directive, so a hardened line added at the bottom of the file does not override a permissive one above it (or one pulled in by an Include line such as the /etc/ssh/sshd_config.d/*.conf include that recent distributions place at the top), and a Match block can re-enable password authentication for a subset of users or addresses. Verify the effective configuration with sshd -T rather than by reading the file. Use automated config management (Ansible, Puppet, Chef, or PowerShell DSC) to enforce baselines and produce evidence of compliance (playbooks, runbooks, and reports).
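As an added example (not from the original post), the following Python script checks an sshd_config text against the baseline above and reports findings suitable for an evidence file. It assumes OpenSSH 7.0 or later defaults (PermitRootLogin defaults to prohibit-password, PasswordAuthentication to yes), so an absent directive is reported rather than treated as compliant, it applies the first-occurrence rule, and it walks Match blocks, where a permissive override would otherwise hide. The three configurations at the bottom are constructed samples.

```python
"""Check an sshd_config against a small hardening baseline.

Added example; not code from the original post. Assumed OpenSSH (>= 7.0)
defaults are listed in DEFAULTS: an absent directive is not a compliant one.
"""
import re

# Required values for the global (non-Match) scope, lowercased for comparison.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Assumed OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps directive -> value for the top of the file; sshd uses
    the first occurrence of a directive, so setdefault() keeps the first value.
    match_blocks is a list of (criteria, settings) for each Match block.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            # Everything after a Match line belongs to that block until the next Match.
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def check_sshd_config(text):
    """Return a list of finding strings; an empty list means the baseline is met."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        if key in global_settings:
            value = global_settings[key].lower()
            if value not in allowed:
                findings.append(f"{key} is '{value}', baseline requires {sorted(allowed)}")
        elif DEFAULTS[key] not in allowed:
            findings.append(f"{key} not set; OpenSSH default '{DEFAULTS[key]}' is not compliant")
    for criteria, settings in match_blocks:
        for key, allowed in BASELINE.items():
            if key in settings and settings[key].lower() not in allowed:
                findings.append(f"Match {criteria}: {key} re-enabled as '{settings[key]}'")
    return findings


# Constructed samples (not real hosts).
WEAK_CONFIG = """
# stock-looking file: root login left at its default, password auth on
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

MATCH_OVERRIDE_CONFIG = HARDENED_CONFIG + """
Match Address 10.0.5.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("match-override", MATCH_OVERRIDE_CONFIG)):
        print(name, check_sshd_config(cfg) or "compliant")
```

Feed it the output of sshd -T (and sshd -T -C user=...,addr=... for the Match cases you care about) rather than the raw file when Include directives are present, and keep the printed report with the host's hardening evidence.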
Improve detection: logging, EDR, and SIEM integration
Instrument critical assets with host-based telemetry and centralize it. Deploy an EDR agent (Microsoft Defender for Business/Endpoint, CrowdStrike, or open-source Wazuh/OSSEC) to collect process, binary, and network indicators. Forward relevant logs (Windows Event IDs 4624/4625 for logons, 4688 for process creation, 4663 for object access, 4698 for scheduled task creation; Linux auditd execve and permission changes) to a SIEM or log store (Splunk, Elastic, Microsoft Sentinel, or a lightweight ELK/Wazuh stack). Note that 4688 and 4663 are not produced by default: 4688 requires the Audit Process Creation subcategory (and the "Include command line in process creation events" policy if you want the command line), and 4663 requires Audit Object Access plus a SACL on the files or keys you care about. Implement specific detection rules for behavior like service account logons from hosts outside their baseline, privilege escalations, atypical data transfer volumes, new scheduled tasks, or a burst of failed logons followed by a success. Time synchronization (NTP/chrony) and log retention policies (90 days or more for sensitive environments) are essential for forensic timelines.
Small-business, real-world example
Example: A 50-person engineering firm using Microsoft 365, an on-prem domain controller, a jump host, and AWS for product data. Prioritize assets: AD, jump host, AWS RDS instance, and a file server reachable only over the VPN. Actions: (1) Inventory via the Microsoft Defender for Endpoint device inventory plus AWS Config; (2) Harden AD with GPO (restrict admin workstations, apply LAPS for local admin passwords); (3) Deploy Microsoft Defender for Endpoint on all workstations and forward its alerts to a Log Analytics workspace (Microsoft Sentinel); (4) Configure Sysmon on the domain controllers and forward to the Elastic stack; (5) Implement network segmentation with VLANs and a zero-trust VPN requiring MFA; (6) Run weekly vulnerability scans (Nessus) and monthly patch cycles. For a low budget, replace the commercial SIEM with Wazuh + Elastic on a small VM and use the cloud provider's built-in detection (GuardDuty) for AWS workloads.
Compliance evidence, testing, and continuous improvement
Collect artifacts: the inventory/CMDB, hardening baselines and automation scripts, vulnerability scan reports, SIEM alert examples, EDR telemetry demonstrating detections, and incident response playbooks. Test detection coverage through tabletop exercises and simple purple-team drills: simulate lateral movement (log on with a service account from a host it never uses) and confirm the alert fires and reaches the person on call. Track remediation SLAs and produce periodic risk-based dashboards for assessors. Automate evidence collection where possible (CIS-CAT or SCAP scans produce standardized, machine-readable reports) to simplify audits.
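The detection rules from the logging section, exercised by the purple-team drill described here, as an added example that is not part of the original post: Python that runs three rules (a service account logon from a host outside its baseline, a new scheduled task on a critical host, and a burst of failed logons followed by a success) over constructed Windows Security events in a simplified JSON-lines shape. The field names, the baseline map, and the thresholds are assumptions for the example; a real forwarder such as Winlogbeat, Wazuh, or Windows Event Forwarding names the fields differently, so adapt the keys to your pipeline.

```python
"""Three detection rules over forwarded Windows Security events.

Added example; not code from the original post. Event fields, the
service-account baseline and the thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Where each service account is expected to log on. Assumed for the example;
# in practice derive this from the CMDB and the last 30 days of 4624 events.
SERVICE_ACCOUNT_BASELINE = {
    "svc_backup": {"FS01", "DC01"},
    "svc_sql": {"SQL01"},
}
BRUTE_FORCE_THRESHOLD = 5           # failed logons before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed sample events: a normal morning, two failed logons by a user who
# then succeeds (below threshold), the drill (svc_backup from a workstation),
# a scheduled task created on the DC, and a brute-forced administrator logon.
SAMPLE_EVENTS = """
{"EventID": 4624, "Time": "2024-05-06T08:00:12", "TargetUserName": "svc_backup", "WorkstationName": "FS01", "IpAddress": "10.0.1.20", "LogonType": 3}
{"EventID": 4625, "Time": "2024-05-06T08:04:50", "TargetUserName": "jdoe", "WorkstationName": "WS-ENG07", "IpAddress": "10.0.2.17"}
{"EventID": 4625, "Time": "2024-05-06T08:05:10", "TargetUserName": "jdoe", "WorkstationName": "WS-ENG07", "IpAddress": "10.0.2.17"}
{"EventID": 4624, "Time": "2024-05-06T08:05:40", "TargetUserName": "jdoe", "WorkstationName": "WS-ENG07", "IpAddress": "10.0.2.17", "LogonType": 2}
{"EventID": 4624, "Time": "2024-05-06T13:22:01", "TargetUserName": "svc_backup", "WorkstationName": "WS-ENG07", "IpAddress": "10.0.2.17", "LogonType": 3}
{"EventID": 4698, "Time": "2024-05-06T13:23:10", "SubjectUserName": "svc_backup", "TaskName": "Updater", "Computer": "DC01"}
{"EventID": 4625, "Time": "2024-05-06T22:10:01", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9"}
{"EventID": 4625, "Time": "2024-05-06T22:10:09", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9"}
{"EventID": 4625, "Time": "2024-05-06T22:10:17", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9"}
{"EventID": 4625, "Time": "2024-05-06T22:10:25", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9"}
{"EventID": 4625, "Time": "2024-05-06T22:10:33", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9"}
{"EventID": 4624, "Time": "2024-05-06T22:10:55", "TargetUserName": "administrator", "WorkstationName": "JUMP01", "IpAddress": "203.0.113.9", "LogonType": 10}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime Time, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["Time"] = datetime.fromisoformat(event["Time"])
        events.append(event)
    return sorted(events, key=lambda e: e["Time"])


def detect_service_account_anomaly(events):
    """Rule 1: a service account logged on from a host outside its baseline."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        allowed = SERVICE_ACCOUNT_BASELINE.get(e["TargetUserName"])
        if allowed is not None and e["WorkstationName"] not in allowed:
            alerts.append({"rule": "svc_account_unusual_host", "account": e["TargetUserName"],
                           "host": e["WorkstationName"], "time": e["Time"]})
    return alerts


def detect_new_scheduled_task(events):
    """Rule 2: every 4698 (scheduled task created) on a monitored host is an alert."""
    return [{"rule": "new_scheduled_task", "account": e["SubjectUserName"], "host": e["Computer"],
             "task": e["TaskName"], "time": e["Time"]}
            for e in events if e["EventID"] == 4698]


def detect_brute_force_success(events):
    """Rule 3: >= THRESHOLD failures for an account, then a success inside WINDOW."""
    alerts = []
    failures = defaultdict(list)  # account -> times of its recent 4625 events
    for e in events:
        account = e.get("TargetUserName")
        if e["EventID"] == 4625:
            failures[account].append(e["Time"])
        elif e["EventID"] == 4624:
            recent = [t for t in failures[account] if e["Time"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "account": account,
                               "host": e["WorkstationName"], "source": e.get("IpAddress"),
                               "failures": len(recent), "time": e["Time"]})
            failures[account].clear()  # a success ends the current failure run
    return alerts


def run_rules(text):
    """Run every rule over the events and return alerts in time order."""
    events = parse_events(text)
    alerts = []
    for rule in (detect_service_account_anomaly, detect_new_scheduled_task,
                 detect_brute_force_success):
        alerts.extend(rule(events))
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The jdoe entries are the false-positive check: two failures followed by a success stay under the threshold and produce nothing, while the administrator run of five does fire. When you run the drill, the alert record for svc_account_unusual_host, with its timestamp and host, is the artifact to keep.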
Risks of not implementing this control
Failure to map and harden critical assets leaves you blind to unauthorized use and increases the chance of undetected lateral movement, ransomware spread, or exfiltration of CUI. Consequences include lost business, loss of DoD contracts or subcontracts, regulatory penalties, and costly incident response and recovery. Small businesses often suffer longer downtime because of limited IR capabilities; detection gaps translate directly into longer attacker dwell times.
Summary: To meet SI.L2-3.14.7, build a prioritized asset inventory, harden high-value systems using documented baselines and automation, instrument hosts and networks for telemetry, and centralize detection and alerting. Focus on practical, repeatable controls (CIS baselines, EDR, SIEM/log aggregation, segmentation, MFA) and gather clear evidence—this combination reduces attack surface, improves detection of unauthorized use, and produces defensible artifacts for NIST SP 800-171 / CMMC 2.0 assessments.