Security alerts monitored and acted upon

Why it matters

CMMC 2.0 SI.L1-3.14.4 (NIST 800-171r2 3.14.4) requires that organizations identify and report security alerts and advisories in a timely manner. Without error monitoring, failed authentication attempts, rate limit hits, and access denials are written to console.log and lost on the next pod restart. Security incidents in FCI-handling systems go undetected until a user reports a symptom — often long after the breach. ISO 27001:2022 A.8.16 (Monitoring activities) reinforces this as a required operational control. The absence of a security contact (SECURITY.md or security.txt) also means external researchers have no path to report vulnerabilities responsibly.

Remediation

Configure Sentry or equivalent for real-time error alerting and add structured security event logging to lib/security-log.ts. Create a security contact file so external reporters have a path:

// instrumentation-client.ts (Next.js)
import * as Sentry from '@sentry/nextjs'
Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  beforeSend(event) {
    // Strip PII before sending to Sentry
    if (event.user) { delete event.user.email; delete event.user.ip_address }
    return event
  },
})

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied',
  ctx: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({ type: 'security_event', event, ...ctx, ts: new Date().toISOString() }))
}

Create public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en

SI.L1-3.14.4 requires at least 2 of the 3 monitoring mechanisms — error alerting, structured security logging, and documented security contact.

Detection

ID: gov-cmmc-level-1.system-integrity.security-alerts
Severity: medium
CMMC Practice: SI.L1-3.14.4
What to look for: Look for error monitoring and alerting configuration. Check for Sentry, Datadog, Rollbar, BetterStack, or similar error monitoring SDKs in dependencies and initialization files. Examine whether security-relevant events are logged — failed authentication attempts, rate limit hits, authorization denials, unexpected errors. Look for a SECURITY.md file or a /.well-known/security.txt that documents a security contact. Check whether there is any on-call or alerting configuration connected to error monitoring.
Pass criteria: Count all security monitoring mechanisms configured (error monitoring, security contact, event logging). At least 2 of the following are present: error monitoring/alerting, security contact documentation (SECURITY.md or security.txt), structured security event logging. Report: "X of 3 security monitoring mechanisms configured."
Fail criteria: No error monitoring or alerting. No security contact documented. No structured logging of security events. Security incidents would go undetected until user-reported.
Skip (N/A) when: Never — security monitoring is a CMMC Level 1 requirement for identifying threats timely.
Detail on fail: Specify what's missing. Example: "No error monitoring SDK found in dependencies. No SECURITY.md or security.txt. Failed auth attempts logged to console only — no alerting or aggregation. Security incidents would be invisible." Keep under 500 characters.

Remediation: Add error monitoring and document your security contact:

// Install Sentry: npm install @sentry/nextjs
// instrumentation-client.ts
import * as Sentry from '@sentry/nextjs'

Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  tracesSampleRate: 0.1,
  beforeSend(event) {
    // Ensure no PII leaks into Sentry
    if (event.user) {
      delete event.user.email
      delete event.user.ip_address
    }
    return event
  }
})

Log security events in structured format for aggregation:

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied' | 'suspicious_request',
  context: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({
    type: 'security_event',
    event,
    ...context,
    timestamp: new Date().toISOString()
  }))
}

Create a security contact file at public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://yourcompany.com/security-policy

Why it matters

Remediation

Configure Sentry or equivalent for real-time error alerting and add structured security event logging to lib/security-log.ts. Create a security contact file so external reporters have a path:

// instrumentation-client.ts (Next.js)
import * as Sentry from '@sentry/nextjs'
Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  beforeSend(event) {
    // Strip PII before sending to Sentry
    if (event.user) { delete event.user.email; delete event.user.ip_address }
    return event
  },
})

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied',
  ctx: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({ type: 'security_event', event, ...ctx, ts: new Date().toISOString() }))
}

Create public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en

SI.L1-3.14.4 requires at least 2 of the 3 monitoring mechanisms — error alerting, structured security logging, and documented security contact.

Detection

ID: gov-cmmc-level-1.system-integrity.security-alerts
Severity: medium
CMMC Practice: SI.L1-3.14.4
What to look for: Look for error monitoring and alerting configuration. Check for Sentry, Datadog, Rollbar, BetterStack, or similar error monitoring SDKs in dependencies and initialization files. Examine whether security-relevant events are logged — failed authentication attempts, rate limit hits, authorization denials, unexpected errors. Look for a SECURITY.md file or a /.well-known/security.txt that documents a security contact. Check whether there is any on-call or alerting configuration connected to error monitoring.
Pass criteria: Count all security monitoring mechanisms configured (error monitoring, security contact, event logging). At least 2 of the following are present: error monitoring/alerting, security contact documentation (SECURITY.md or security.txt), structured security event logging. Report: "X of 3 security monitoring mechanisms configured."
Fail criteria: No error monitoring or alerting. No security contact documented. No structured logging of security events. Security incidents would go undetected until user-reported.
Skip (N/A) when: Never — security monitoring is a CMMC Level 1 requirement for identifying threats timely.
Detail on fail: Specify what's missing. Example: "No error monitoring SDK found in dependencies. No SECURITY.md or security.txt. Failed auth attempts logged to console only — no alerting or aggregation. Security incidents would be invisible." Keep under 500 characters.

Remediation: Add error monitoring and document your security contact:

// Install Sentry: npm install @sentry/nextjs
// instrumentation-client.ts
import * as Sentry from '@sentry/nextjs'

Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  tracesSampleRate: 0.1,
  beforeSend(event) {
    // Ensure no PII leaks into Sentry
    if (event.user) {
      delete event.user.email
      delete event.user.ip_address
    }
    return event
  }
})

Log security events in structured format for aggregation:

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied' | 'suspicious_request',
  context: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({
    type: 'security_event',
    event,
    ...context,
    timestamp: new Date().toISOString()
  }))
}

Create a security contact file at public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://yourcompany.com/security-policy

Security alerts monitored and acted upon

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Security alerts monitored and acted upon

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History