CMMC's Audit & Accountability (AU) control family says you have to generate logs, protect them, keep them, and actually review and correlate them to catch bad behavior. Generating logs is easy — every machine already does it. The part that trips up small shops is the reviewing, and doing that by hand across a dozen log sources is impossible for a two-person team. A right-sized SIEM is how a small contractor collects those logs in one place, gets alerted when something's wrong, and produces the monitoring evidence an assessor asks for.
Almost every small contractor generates plenty of logs and reviews exactly none of them. The firewall is logging, Windows is logging, Microsoft 365 is logging — all of it piling up in silos nobody opens until an incident forces the question. That gap is precisely what the AU family exists to close, and it's one of the most common places a self-assessment quietly falls apart.
Here's the thing worth saying plainly: CMMC never mentions the word "SIEM." It doesn't require you to buy a product at all. What it requires is an outcome — that events get recorded, that the records survive, and that a human or a system looks at them and reacts. A SIEM is just the most practical way most small shops reach that outcome without staffing a security operations center. Let's walk through what the controls actually ask for, what a small shop genuinely needs, and where the line sits between "keeping logs" and "monitoring."
Logging isn't box-checking for its own sake. It's the difference between knowing what happened and guessing. When an account gets compromised, a drive walks out the door, or someone tries a password-spray against your VPN, the only thing standing between you and a blind investigation is a good audit trail. The government cares about this because the whole point of CMMC is protecting Controlled Unclassified Information — and you can't protect what you can't see moving.
CMMC Level 2 is built on the 110 controls in NIST SP 800-171, organized into 14 control families. Logging lives mainly in one of them, Audit & Accountability, but it doesn't stay in its lane. It feeds Incident Response, because you can't detect or investigate an incident you never recorded. It supports System & Information Integrity, because monitoring depends on having something to monitor. Get logging right and three families get easier. Skip it and those same three start to crumble.
Strip away the reference-document language and the Audit & Accountability requirements come down to a handful of plain jobs. You need to do all of them, not just the first one.
Read that last item again, because it's where a self-assessment usually breaks. A shop will happily attest that "we retain logs for a year" and then have zero evidence that a single human ever looked at one. An assessor is going to ask who reviews the logs, how often, and what happens when they find something. If the honest answer is "nobody, never, nothing," you don't meet the control — no matter how much disk space your logs are eating.
Raw logs are what each device produces on its own: the Windows Event Log on every workstation, syslog off the firewall, sign-in logs in Microsoft 365, activity trails in whatever cloud you use. Every one of those sources is an island. Nothing connects the failed logins on the firewall to the successful login on a workstation to the new admin account created ten minutes later. That's three events on three islands that, read together, tell a story — and read apart, tell nothing.
A SIEM — Security Information and Event Management — is the tool that collects those islands into one place. It ingests logs from every source, normalizes them into a common format, and then correlates across them looking for patterns. When a sequence matches a known-bad shape, it raises an alert. That correlation and alerting is the whole value. It's the machine doing the "review and analyze" job that the AU family requires and that no small team can do by hand across a dozen sources at 2 a.m.
Here's where a lot of small contractors get burned. They hear "SIEM," picture a Fortune 500 tool with a dedicated analyst team, and either overspend on a platform they can't run or freeze up and buy nothing. Both are wrong. What a small DoD shop needs is a SIEM built for people whose full-time job is not security. Practically, that means a few things.
Notice what's not on that list: a team of analysts, a six-figure license, or a year of tuning. If a SIEM assumes you have those, it's built for someone else.
For a small contractor who has to satisfy the AU family without hiring a security team, the platform I point people to is Blumira. It's built specifically for the small-and-mid-size org that needs real detection and response but doesn't have a SOC — which is exactly the spot most DoD subcontractors sit in.
Blumira collects logs from your cloud identity, Microsoft 365, endpoints, and network gear into one place, then runs detections that ship already written and tuned so a small team isn't authoring rules or drowning in false alarms. It layers on a security team that watches alerts and calls you when something's real, plus honest log retention to back your defined period. For a small shop, that combination is what turns the AU (Audit & Accountability) review-and-respond controls from an unmet gap into a control you can actually demonstrate — while supporting SI (System & Information Integrity) monitoring and IR (Incident Response) detection at the same time. There's a genuinely usable free tier to start with, which matters when you're proving the concept before you spend.
Why this one and not an enterprise name? Because the enterprise SIEMs are priced and designed around a staffed SOC, and dropping one on a two-person shop means paying for horsepower you can't steer. Blumira's whole pitch is the opposite: give a small team detection and response that works out of the box. That's the right shape for a small contractor's AU program. Buy the tool to do the monitoring work — then, and this matters, write it into your SSP so the assessor can see the control is real, running, and owned by a named person.
Standing up logging is one of those jobs that stays small if you sequence it and turns into a swamp if you don't. Four moves, in order.
Want to see where logging sits against the other 109 controls before you spend a dollar? Run the free SPRS score estimator — it gives you a baseline in a couple of minutes. And if the assessment quote is what's scaring you off, read CMMC Compliance Cost for Small Business for the honest line-item breakdown.
A tool doing the watching is half the AU family. The other half is the paperwork that proves it: an audit policy, a System Security Plan describing what you log and review, the 20 required policies, and an SPRS scorer that tells you where every control stands. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.
CMMC does not name any product, and the word SIEM never appears in the controls. What the Audit & Accountability (AU) family requires is that you create audit logs, protect them, keep them long enough, and — critically — review and correlate them to catch problems. Raw logs on each machine meet the create requirement, but a small team can't review them by hand. A lightweight SIEM is how most small shops satisfy the review, correlation, and alerting parts without hiring a night shift.
Raw logs are the event records each device produces on its own — Windows Event Log, firewall syslog, cloud sign-in logs. They satisfy the generate-and-retain controls but leave you blind, because nobody is watching a dozen scattered sources. A SIEM collects those logs into one place, normalizes them, correlates events across sources, and alerts when something matches a known-bad pattern. For CMMC, the SIEM is what turns "we keep logs" into "we monitor and respond," which is what the AU and IR controls are really asking for.
The controls require you to retain audit records long enough to support after-the-fact investigation of incidents, and to define that retention period yourself in policy. Many small contractors set 90 days immediately searchable plus a full year in cheaper cold storage, then document that decision in the SSP. The exact number is your call — what an assessor checks is that you defined it, justified it, and actually keep logs that long.
Yes, if you pick the right one. Traditional enterprise SIEMs assume a staffed security operations center to tune rules and chase alerts, and they'll bury a two-person shop. SMB-focused platforms ship with detection rules already written, tuned to cut false positives, and often include a team that watches alerts for you. That's the category a small DoD contractor should shop in — managed detection built for people whose day job isn't security.
Logging lives primarily in the Audit & Accountability (AU) family — creating audit records, capturing the right content, protecting logs from tampering, and reviewing them. It also directly supports Incident Response (IR), because you can't investigate an incident you never logged, and it feeds System & Information Integrity (SI) monitoring. A SIEM touches all three, which is why it's one of the higher-leverage tools in a CMMC build.
No single tool makes you compliant. A SIEM helps you satisfy the technical side of the AU and SI families, but you still need written policy defining what you log and how long you keep it, evidence that someone reviews alerts, and the rest of the 110 controls. Buy the tool to do the monitoring work, then document it in your SSP so the assessor can see the control is real, operating, and owned by a named person.