Security alerts monitored and acted upon

ab-001568 · gov-cmmc-level-1.system-integrity.security-alerts

Severity: mediumactive

Why it matters

CMMC 2.0 SI.L1-3.14.4 (NIST 800-171r2 3.14.4) requires that organizations identify and report security alerts and advisories in a timely manner. Without error monitoring, failed authentication attempts, rate limit hits, and access denials are written to console.log and lost on the next pod restart. Security incidents in FCI-handling systems go undetected until a user reports a symptom — often long after the breach. ISO 27001:2022 A.8.16 (Monitoring activities) reinforces this as a required operational control. The absence of a security contact (SECURITY.md or security.txt) also means external researchers have no path to report vulnerabilities responsibly.

Severity rationale

Medium because unmonitored systems eventually surface breaches through user-reported symptoms rather than automated detection — increasing mean time to detect and respond.

Remediation

Configure Sentry or equivalent for real-time error alerting and add structured security event logging to lib/security-log.ts. Create a security contact file so external reporters have a path:

// instrumentation-client.ts (Next.js)
import * as Sentry from '@sentry/nextjs'
Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  beforeSend(event) {
    // Strip PII before sending to Sentry
    if (event.user) { delete event.user.email; delete event.user.ip_address }
    return event
  },
})

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied',
  ctx: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({ type: 'security_event', event, ...ctx, ts: new Date().toISOString() }))
}

Create public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en

SI.L1-3.14.4 requires at least 2 of the 3 monitoring mechanisms — error alerting, structured security logging, and documented security contact.

Detection

ID: security-alerts
Severity: medium
CMMC Practice: SI.L1-3.14.4
What to look for: Look for error monitoring and alerting configuration. Check for Sentry, Datadog, Rollbar, BetterStack, or similar error monitoring SDKs in dependencies and initialization files. Examine whether security-relevant events are logged — failed authentication attempts, rate limit hits, authorization denials, unexpected errors. Look for a SECURITY.md file or a /.well-known/security.txt that documents a security contact. Check whether there is any on-call or alerting configuration connected to error monitoring.
Pass criteria: Count all security monitoring mechanisms configured (error monitoring, security contact, event logging). At least 2 of the following are present: error monitoring/alerting, security contact documentation (SECURITY.md or security.txt), structured security event logging. Report: "X of 3 security monitoring mechanisms configured."
Fail criteria: No error monitoring or alerting. No security contact documented. No structured logging of security events. Security incidents would go undetected until user-reported.
Skip (N/A) when: Never — security monitoring is a CMMC Level 1 requirement for identifying threats timely.
Detail on fail: Specify what's missing. Example: "No error monitoring SDK found in dependencies. No SECURITY.md or security.txt. Failed auth attempts logged to console only — no alerting or aggregation. Security incidents would be invisible." Keep under 500 characters.

Remediation: Add error monitoring and document your security contact:

// Install Sentry: npm install @sentry/nextjs
// instrumentation-client.ts
import * as Sentry from '@sentry/nextjs'

Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  tracesSampleRate: 0.1,
  beforeSend(event) {
    // Ensure no PII leaks into Sentry
    if (event.user) {
      delete event.user.email
      delete event.user.ip_address
    }
    return event
  }
})

Log security events in structured format for aggregation:

// lib/security-log.ts
export function logSecurityEvent(
  event: 'auth_failure' | 'rate_limited' | 'access_denied' | 'suspicious_request',
  context: { ip?: string; path?: string; userId?: string }
) {
  console.log(JSON.stringify({
    type: 'security_event',
    event,
    ...context,
    timestamp: new Date().toISOString()
  }))
}

Create a security contact file at public/.well-known/security.txt:

Contact: security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://yourcompany.com/security-policy

External references

cmmc:2.0 · SI.L1-3.14.4 — Update Malicious Code Protection
iso-27001:2022 · A.8.16 — Monitoring activities
nist:rev2 · SP-800-171 3.14.4 — Update malicious code protection mechanisms when new releases are available

Taxons

observability regulatory-conformance

History

2026-04-18·v1.0.0·Initial import from gov-cmmc-level-1·automated