3.14.7 — Catch Unauthorized Use

The One-Liner

A CUI system used for cryptocurrency mining and nobody notices — that’s no misuse detection.

What It Says

Identify unauthorized use of organizational systems.

What It Actually Means

You must know what “normal” looks like and detect when something deviates from it. Two things the assessor checks:

1. Authorized use is defined. You have a documented acceptable use policy or equivalent that establishes what your CUI systems are for and who may use them. This defines the baseline of normal: what activities are permitted, what times systems are typically used, what types of data are processed, and what software is authorized. Without defining “authorized,” you can’t detect “unauthorized.”

2. Unauthorized use is identified. You have mechanisms and processes to detect when systems are used outside the authorized scope. This includes:

   • Unauthorized users. Someone accessing a CUI system they’re not authorized for — detected via access control logs and alerts.
   • Unauthorized software. Unapproved applications running on CUI systems — detected via application control, software inventory, and EDR.
   • Unauthorized activity. CUI systems used for non-business purposes — personal file storage, cryptocurrency mining, hosting unauthorized services. Detected via network monitoring, endpoint telemetry, and anomaly detection.
   • Off-hours activity. CUI file access at 3 AM when nobody should be working — detected via SIEM rules for off-hours activity on sensitive resources.

This isn’t about catching people browsing social media. It’s about detecting misuse that represents a security risk — unauthorized access, shadow IT, resource abuse, and insider threats. The monitoring capabilities from 3.14.6 and the logging from 3.3.1 feed this requirement.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is authorized use of the system defined?	Acceptable use policy covering: authorized users, permitted activities, approved software, authorized data types, normal operating hours
2	Is unauthorized use of the system identified?	Detection mechanisms: SIEM rules for off-hours access, application control alerts, UBA for anomalous patterns, access control alerts for unauthorized users

---

What to Have Ready on Assessment Day

Documents they’ll review: Continuous monitoring strategy; system and information integrity policy; procedures addressing system monitoring; acceptable use policy; system security plan; system design documentation; monitoring tool documentation; system configuration settings; alert and investigation records

People they’ll talk to: System or network administrators; information security personnel; personnel responsible for system monitoring

Live demos they’ll ask for: “Show me your acceptable use policy.” “How do you detect unauthorized software on a CUI system?” “Show me a SIEM rule that detects off-hours CUI access.” “If an employee started mining cryptocurrency on a CUI server, how would you know?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How is authorized use of your CUI systems defined? Show me the policy.”
• “What types of unauthorized use can you detect? Give me examples.”
• “Show me a detection rule — what does it look for?”
• “If someone accessed CUI files at 3 AM on a Saturday, would you know?”
• “How do you detect unauthorized software running on CUI systems?”
• “Show me an example of unauthorized use being detected — what happened?”
• “Is unauthorized use defined as explicitly as authorized use?”

Real-World Example

A defense contractor’s acceptable use policy defines: CUI systems are for authorized defense contract work only; access is limited to named personnel on the CUI access list; approved software is defined in the application control whitelist; CUI file access is expected Monday–Friday 7 AM–7 PM EST. Detection mechanisms include: Sentinel analytics rule for CUI SharePoint access outside business hours (triggers an alert assigned to the IT Security Lead), WDAC blocks unauthorized software execution and generates Defender for Endpoint alerts, Conditional Access blocks non-compliant or unenrolled devices from CUI resources, and Defender for Cloud Apps detects shadow IT usage. When a SIEM rule fires for off-hours CUI access at 11 PM, the IT Security Lead investigates the next morning — it was an engineer meeting a contract deadline. The investigation is documented: alert received, user contacted, confirmed legitimate work, alert closed with justification. When a WDAC block fires for an unauthorized executable on a CUI workstation, it’s also investigated and resolved. Both investigation records are available for the assessor.

---

Where Companies Trip Up

No definition of authorized use. The assessor asks “what is authorized use?” and there’s no documented policy. Without a baseline, you can’t detect deviations. Write an acceptable use policy that covers CUI systems specifically.

External threat detection only. Monitoring catches external attacks (3.14.6) but not internal misuse. An employee using a CUI server for personal file storage or unauthorized applications goes undetected. Add detection rules for internal misuse patterns.

No baseline for “normal.” You can’t detect anomalous activity if you haven’t defined what normal looks like. Establish baselines: who accesses CUI, when, from where, and what they do. Use these baselines to build detection rules for deviations.

Detection without investigation. Alerts fire for unauthorized use but nobody investigates. A WDAC block on unauthorized software is detected but nobody follows up — was it a mistake or an insider threat? Every detection should be investigated and documented, even if the outcome is “legitimate activity.”

Acceptable use too vague. The policy says “use systems for authorized purposes” without specifics. Define what’s authorized: by user role, by permitted activity, by software, by time. The more specific the definition, the more precise the detection.

---

How to Talk About This

To a CEO or Board

We define exactly how CUI systems should be used — who, what, when, and how — and we detect when they’re used outside that scope. Off-hours access, unauthorized software, and anomalous activity all trigger alerts that our security team investigates.

To an Engineering Team

Acceptable use policy: named CUI users, approved software (WDAC whitelist), authorized activities, business hours baseline. Detection: Sentinel rules for off-hours CUI access, WDAC/AppLocker block alerts, Conditional Access for non-compliant devices, Defender for Cloud Apps for shadow IT, UBA anomaly detection. Every alert investigated and documented. Quarterly review of detection rules and baselines.

---

Connected Requirements

Requirement	Why it matters here
3.14.6 — Watch the Network	Network and system monitoring that feeds misuse detection
3.3.1 — Log Everything	Audit logs that provide evidence of unauthorized use
3.4.8 — Whitelist or Blacklist Software	Application control detects unauthorized software — a category of unauthorized use
3.1.1 — Who Gets In	Access controls that define and enforce who’s authorized — deviations are unauthorized use

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: SI.L2-3.14.7 | SPRS Weight: 3 points | POA&M Eligible: No