Home / Guides / SIEM & Logging for CMMC

Best SIEM & Logging for CMMC: The Audit & Accountability Controls

Focus: cmmc siem logging Veteran-run · practitioner guide Updated Jul 2026 ~9 min read
The short answer

CMMC's Audit & Accountability (AU) control family says you have to generate logs, protect them, keep them, and actually review and correlate them to catch bad behavior. Generating logs is easy — every machine already does it. The part that trips up small shops is the reviewing, and doing that by hand across a dozen log sources is impossible for a two-person team. A right-sized SIEM is how a small contractor collects those logs in one place, gets alerted when something's wrong, and produces the monitoring evidence an assessor asks for.

Almost every small contractor generates plenty of logs and reviews exactly none of them. The firewall is logging, Windows is logging, Microsoft 365 is logging — all of it piling up in silos nobody opens until an incident forces the question. That gap is precisely what the AU family exists to close, and it's one of the most common places a self-assessment quietly falls apart.

Here's the thing worth saying plainly: CMMC never mentions the word "SIEM." It doesn't require you to buy a product at all. What it requires is an outcome — that events get recorded, that the records survive, and that a human or a system looks at them and reacts. A SIEM is just the most practical way most small shops reach that outcome without staffing a security operations center. Let's walk through what the controls actually ask for, what a small shop genuinely needs, and where the line sits between "keeping logs" and "monitoring."

Why CMMC requires logging at all

Logging isn't box-checking for its own sake. It's the difference between knowing what happened and guessing. When an account gets compromised, a drive walks out the door, or someone tries a password-spray against your VPN, the only thing standing between you and a blind investigation is a good audit trail. The government cares about this because the whole point of CMMC is protecting Controlled Unclassified Information — and you can't protect what you can't see moving.

CMMC Level 2 is built on the 110 controls in NIST SP 800-171, organized into 14 control families. Logging lives mainly in one of them, Audit & Accountability, but it doesn't stay in its lane. It feeds Incident Response, because you can't detect or investigate an incident you never recorded. It supports System & Information Integrity, because monitoring depends on having something to monitor. Get logging right and three families get easier. Skip it and those same three start to crumble.

Why it's higher-leverage than it looks A single well-fed log pipeline supports the AU family directly and props up IR and SI at the same time. Few controls pay off across three families at once. That's why logging deserves real attention early in a build, not a "we'll get to it" line item at the end.

What the AU family actually asks for

Strip away the reference-document language and the Audit & Accountability requirements come down to a handful of plain jobs. You need to do all of them, not just the first one.

Read that last item again, because it's where a self-assessment usually breaks. A shop will happily attest that "we retain logs for a year" and then have zero evidence that a single human ever looked at one. An assessor is going to ask who reviews the logs, how often, and what happens when they find something. If the honest answer is "nobody, never, nothing," you don't meet the control — no matter how much disk space your logs are eating.

SIEM vs raw logs — the real difference

Raw logs are what each device produces on its own: the Windows Event Log on every workstation, syslog off the firewall, sign-in logs in Microsoft 365, activity trails in whatever cloud you use. Every one of those sources is an island. Nothing connects the failed logins on the firewall to the successful login on a workstation to the new admin account created ten minutes later. That's three events on three islands that, read together, tell a story — and read apart, tell nothing.

A SIEM — Security Information and Event Management — is the tool that collects those islands into one place. It ingests logs from every source, normalizes them into a common format, and then correlates across them looking for patterns. When a sequence matches a known-bad shape, it raises an alert. That correlation and alerting is the whole value. It's the machine doing the "review and analyze" job that the AU family requires and that no small team can do by hand across a dozen sources at 2 a.m.

The trap "We keep logs" is not the same as "we monitor." Retaining raw logs satisfies the create-and-retain controls and nothing more. The review, correlation, and alerting controls need something actively watching. If your plan is a folder full of log files, you've met maybe half of the AU family and left the most-scrutinized half wide open.

What a small shop actually needs

Here's where a lot of small contractors get burned. They hear "SIEM," picture a Fortune 500 tool with a dedicated analyst team, and either overspend on a platform they can't run or freeze up and buy nothing. Both are wrong. What a small DoD shop needs is a SIEM built for people whose full-time job is not security. Practically, that means a few things.

Notice what's not on that list: a team of analysts, a six-figure license, or a year of tuning. If a SIEM assumes you have those, it's built for someone else.

The SMB-friendly SIEM I recommend

For a small contractor who has to satisfy the AU family without hiring a security team, the platform I point people to is Blumira. It's built specifically for the small-and-mid-size org that needs real detection and response but doesn't have a SOC — which is exactly the spot most DoD subcontractors sit in.

Blumira

SIEM + detection · SMB-fit

Blumira collects logs from your cloud identity, Microsoft 365, endpoints, and network gear into one place, then runs detections that ship already written and tuned so a small team isn't authoring rules or drowning in false alarms. It layers on a security team that watches alerts and calls you when something's real, plus honest log retention to back your defined period. For a small shop, that combination is what turns the AU (Audit & Accountability) review-and-respond controls from an unmet gap into a control you can actually demonstrate — while supporting SI (System & Information Integrity) monitoring and IR (Incident Response) detection at the same time. There's a genuinely usable free tier to start with, which matters when you're proving the concept before you spend.

Pre-tuned detectionsManaged watch teamCloud + endpointAU.L2SI.L2IR.L2
See Blumira →

Why this one and not an enterprise name? Because the enterprise SIEMs are priced and designed around a staffed SOC, and dropping one on a two-person shop means paying for horsepower you can't steer. Blumira's whole pitch is the opposite: give a small team detection and response that works out of the box. That's the right shape for a small contractor's AU program. Buy the tool to do the monitoring work — then, and this matters, write it into your SSP so the assessor can see the control is real, running, and owned by a named person.

Say this on your SSP, not more A SIEM helps you meet the technical side of AU and SI. It does not, by itself, make you "CMMC compliant," and no honest vendor will claim it does. You still need written policy defining what you log and how long you keep it, evidence that alerts get reviewed, and the other 100-plus controls. Map the tool to the controls it genuinely supports and your SSP tells the truth — which is exactly what gets graded.

How to roll it out without drowning

Standing up logging is one of those jobs that stays small if you sequence it and turns into a swamp if you don't. Four moves, in order.

  1. Define what you log — in policy first.Before you turn anything on, write down which events you capture, what detail each record holds, and how long you keep them. This is your Audit & Accountability policy, and it's the document the assessor reads against reality. Decide the retention period here — a common small-shop standard is 90 days hot and searchable plus a year in cold storage — and justify it.
  2. Point your sources at one collector.Feed the SIEM from the sources that matter: cloud identity and Microsoft 365 or Google Workspace, the firewall, endpoints inside your CUI boundary, and any server touching controlled data. Get time sync right across all of them so events line up.
  3. Tune to signal, then assign the review.Start from the shipped detections, silence the noise that doesn't apply to you, and — this is the part people forget — put a named person on alert review with a defined cadence. "The owner checks the Blumira dashboard every morning and logs it" is a real, gradeable control. "Nobody" is not.
  4. Keep the evidence.Screenshots of your detections, a log of reviews performed, records of what you did when an alert fired. An assessor grades whether the control operates, and operating leaves a paper trail. Capture it as you go instead of reconstructing it the week before the assessment.
The deadline that makes this urgent November 10, 2026 begins Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and affirmation language is already in contracts now. Logging is not a control you can stand up the week before an assessment — the whole point is a history of records and reviews, and history takes time to accumulate. Turn it on early so you have months of evidence, not days.

Want to see where logging sits against the other 109 controls before you spend a dollar? Run the free SPRS score estimator — it gives you a baseline in a couple of minutes. And if the assessment quote is what's scaring you off, read CMMC Compliance Cost for Small Business for the honest line-item breakdown.

Skip the guesswork

The SIEM does the monitoring. This documents it.

A tool doing the watching is half the AU family. The other half is the paperwork that proves it: an audit policy, a System Security Plan describing what you log and review, the 20 required policies, and an SPRS scorer that tells you where every control stands. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.

Frequently asked questions

Does CMMC actually require a SIEM?

CMMC does not name any product, and the word SIEM never appears in the controls. What the Audit & Accountability (AU) family requires is that you create audit logs, protect them, keep them long enough, and — critically — review and correlate them to catch problems. Raw logs on each machine meet the create requirement, but a small team can't review them by hand. A lightweight SIEM is how most small shops satisfy the review, correlation, and alerting parts without hiring a night shift.

What is the difference between raw logs and a SIEM for CMMC?

Raw logs are the event records each device produces on its own — Windows Event Log, firewall syslog, cloud sign-in logs. They satisfy the generate-and-retain controls but leave you blind, because nobody is watching a dozen scattered sources. A SIEM collects those logs into one place, normalizes them, correlates events across sources, and alerts when something matches a known-bad pattern. For CMMC, the SIEM is what turns "we keep logs" into "we monitor and respond," which is what the AU and IR controls are really asking for.

How long do I have to keep audit logs for CMMC?

The controls require you to retain audit records long enough to support after-the-fact investigation of incidents, and to define that retention period yourself in policy. Many small contractors set 90 days immediately searchable plus a full year in cheaper cold storage, then document that decision in the SSP. The exact number is your call — what an assessor checks is that you defined it, justified it, and actually keep logs that long.

Can a small contractor run a SIEM without a security team?

Yes, if you pick the right one. Traditional enterprise SIEMs assume a staffed security operations center to tune rules and chase alerts, and they'll bury a two-person shop. SMB-focused platforms ship with detection rules already written, tuned to cut false positives, and often include a team that watches alerts for you. That's the category a small DoD contractor should shop in — managed detection built for people whose day job isn't security.

Which controls does logging and SIEM map to?

Logging lives primarily in the Audit & Accountability (AU) family — creating audit records, capturing the right content, protecting logs from tampering, and reviewing them. It also directly supports Incident Response (IR), because you can't investigate an incident you never logged, and it feeds System & Information Integrity (SI) monitoring. A SIEM touches all three, which is why it's one of the higher-leverage tools in a CMMC build.

Does buying a SIEM make me CMMC compliant?

No single tool makes you compliant. A SIEM helps you satisfy the technical side of the AU and SI families, but you still need written policy defining what you log and how long you keep it, evidence that someone reviews alerts, and the rest of the 110 controls. Buy the tool to do the monitoring work, then document it in your SSP so the assessor can see the control is real, operating, and owned by a named person.