CMMC Compliance Reference

CMMC 2.0 to eMonitor Feature Mapping: Which Controls Does Employee Monitoring Satisfy?

CMMC Level 2 requires 110 NIST SP 800-171 controls. This mapping guide identifies exactly which controls in the AC (Access Control), AU (Audit and Accountability), and IR (Incident Response) families are satisfied or evidenced by eMonitor's employee monitoring features — giving defense contractors a ready-to-use reference for SPRS self-assessments and C3PAO audit preparation.

Published April 3, 2026 · 18 min read · CMMC 2.0 Final Rule (32 CFR Part 170, effective December 2024)

Why No Monitoring Vendor Has Published This Mapping Until Now

CMMC control-to-feature mapping for employee monitoring is a compliance artifact that defense contractors need but that no monitoring vendor has formally published. The gap exists for two reasons: most monitoring vendors do not serve defense contractors specifically, and those that do tend to publish general compliance claims rather than control-by-control specificity.

This document corrects that. It maps specific NIST SP 800-171 Revision 2 requirements, the same 110 requirements CMMC Level 2 assesses against the objectives in NIST SP 800-171A, to specific eMonitor features with the precision that SPRS self-assessments require. A SPRS score starts at 110 and subtracts the point value (1, 3, or 5) of every requirement that is not fully implemented; apart from two exceptions (3.5.3 and 3.13.11), partial implementation earns no credit. Each requirement where employee monitoring closes the gap between partial and full implementation therefore affects your score.

Important limitation: this mapping identifies where eMonitor contributes to control satisfaction. Most controls require multiple implementing technologies and procedural controls beyond what any single tool provides. This guide distinguishes between "eMonitor fully satisfies" (rare) and "eMonitor provides primary evidence for" (more common) and "eMonitor provides supporting evidence for" (most common).

The CMMC compliance guide provides the broader regulatory context for CMMC 2.0 and the role of monitoring across all control families.

CMMC 2.0 Framework: What Defense Contractors Must Understand

CMMC 2.0 (Cybersecurity Maturity Model Certification, version 2.0) is the DoD's framework for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense industrial base. The final rule (32 CFR Part 170) became effective December 16, 2024, with CMMC requirements beginning to appear in contracts through 2025 and 2026.

The Three CMMC Levels

CMMC 2.0 contains three levels with distinct requirements. Level 1 (Foundational) requires the 15 basic safeguarding requirements of FAR clause 52.204-21 and applies to organizations handling FCI only. Level 2 (Advanced) requires the 110 requirements of NIST SP 800-171 Revision 2 for organizations handling CUI; this is the level most defense subcontractors are assessed against. Level 3 (Expert) adds 24 selected requirements from NIST SP 800-172 for organizations supporting the highest-priority DoD programs.

Employee monitoring is primarily relevant to Level 2. The 110 NIST SP 800-171 requirements span 14 control families. This mapping addresses requirements in three families directly: AC (Access Control), AU (Audit and Accountability), and IR (Incident Response). It provides supporting evidence for requirements in SI (System and Information Integrity), CM (Configuration Management), and, for removable media, MP (Media Protection).

SPRS Self-Assessment Mechanics

The Supplier Performance Risk System (SPRS) self-assessment assigns a score from -203 to 110 based on implementation status across the 110 NIST SP 800-171 requirements. Each requirement carries 1, 3, or 5 points according to the NIST SP 800-171 DoD Assessment Methodology. The score starts at 110 and loses the value of every requirement that is not fully implemented; partial implementation counts as not implemented, except for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), where a partial implementation loses 3 points instead of 5. A score of 110 means every requirement is implemented. Initial self-assessment scores well below 110 are common.

The audit trail evidence generated by employee monitoring bears directly on the AU family, which carries 19 points in the assessment methodology (3.3.1 and 3.3.5 at 5 points each, 3.3.2 at 3, and the remaining six requirements at 1 point each). Documenting eMonitor accurately as the implementing system for the AU requirements it actually covers does not add points, but it prevents deductions for requirements that are in fact implemented and reduces findings during C3PAO assessments.

[Image: CMMC audit and accountability controls satisfied by employee monitoring activity logging]

AU Control Family: Audit and Accountability Mapping

The AU (Audit and Accountability) family in NIST SP 800-171 contains nine requirements (3.3.1 through 3.3.9) that require organizations to create, protect, review, and report on system audit records. Employee monitoring software provides more direct evidence for AU than for any other family, because the core function of monitoring, capturing user activity in timestamped, access-controlled records, is what the AU requirements ask for. Three AU requirements are deliberately absent from the table: 3.3.7 (synchronized, authoritative time stamps), 3.3.8 (protect audit information and audit logging tools), and 3.3.9 (limit management of audit logging to a subset of privileged users) depend on platform configuration and on the hardening of eMonitor's own storage and administrative roles rather than on monitoring features, and are addressed under "What Employee Monitoring Alone Cannot Satisfy" below.

Detailed AU Control-to-Feature Mapping Table

Identifiers below use the CMMC 2.0 form (AU.L2-3.3.x), in which the suffix is the NIST SP 800-171 Revision 2 requirement number; point values are from the NIST SP 800-171 DoD Assessment Methodology. Each entry lists the requirement, the eMonitor feature, the evidence artifact, and the satisfaction level.

AU.L2-3.3.1 (5 points). Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
eMonitor feature: Activity Monitoring plus data retention controls: continuous activity logging with configurable retention periods; encrypted, role-access-controlled storage.
Evidence artifact: Activity log export demonstrating continuous record coverage for the assessment period; data retention policy documentation referencing the eMonitor retention setting, which must match the period stated in the SSP.
Satisfaction level: Primary for endpoint user activity. eMonitor generates and retains endpoint activity records only; authentication, server, firewall, and cloud service logs must be retained elsewhere for the requirement to be fully met.

AU.L2-3.3.2 (3 points). Ensure that the actions of individual users can be traced to those users so they can be held accountable for their actions.
eMonitor feature: Activity Monitoring: per-user activity logs with username, timestamp, application, and URL for every recorded event.
Evidence artifact: Exported activity log reports showing user-attributed events; user-specific activity timelines.
Satisfaction level: Primary on monitored endpoints, provided every record carries an individual user identity. Records attributed to shared or service accounts do not satisfy this requirement.

AU.L2-3.3.3 (1 point). Review and update logged events.
eMonitor feature: Real-time Alerts and Notifications: configurable alert rules that notify administrators when specific event types are logged (unauthorized application usage, USB insertion, policy violations).
Evidence artifact: Alert configuration screenshots; alert history showing review events; administrator response documentation; dated change history showing the set of logged event types was reviewed on a schedule.
Satisfaction level: Supporting. Alerts are the review mechanism; the requirement also asks that the set of logged events itself be reviewed and updated periodically, which must be a documented procedure with dated evidence.

AU.L2-3.3.4 (1 point). Alert in the event of an audit logging process failure.
eMonitor feature: Alerts and Notifications: agent offline detection and administrator notification when monitoring agents stop reporting.
Evidence artifact: Notification settings showing agent offline alerts configured; alert history showing an offline event was detected and acted on.
Satisfaction level: Supporting. Agent offline detection covers endpoint agent failure; failure of the collection backend, storage exhaustion, or an agent that still sends heartbeats but logs no events needs server-side monitoring, and operating system and SIEM logging failures need their own alerts.

AU.L2-3.3.5 (5 points). Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
eMonitor feature: Reporting Dashboards: cross-employee activity reports, productivity anomaly detection, DLP violation summaries combining file, USB, and web activity.
Evidence artifact: Dashboard screenshots showing multi-dimensional activity correlation; exported investigation reports combining activity and alert data.
Satisfaction level: Supporting. eMonitor correlates endpoint activity across event types; correlation with network and system event sources requires forwarding eMonitor data to a SIEM or equivalent.

AU.L2-3.3.6 (1 point). Provide audit record reduction and report generation to support on-demand analysis and reporting.
eMonitor feature: Reporting Dashboards and Export: on-demand report generation with filtering by user, time range, application, event type, and violation category; CSV and PDF export.
Evidence artifact: Exported report samples demonstrating filtering capability; audit trail of report generation events.
Satisfaction level: Primary for endpoint activity records. eMonitor provides on-demand report generation with the filtering granularity assessors expect.

Central collection ("collect audit information into one or more central repositories") is not a separate Level 2 requirement in CMMC 2.0; it was CMMC 1.0 practice AU.3.048 and has no NIST SP 800-171 counterpart. In this mapping the central eMonitor dashboard, which aggregates agent data regardless of employee location (remote, office, field), is an implementation detail that supports 3.3.1 (retention in one place) and 3.3.5 (correlation), and documentation of the central storage architecture belongs under those two entries.

The AU family carries 19 points in the assessment methodology, the highest aggregate among the families where employee monitoring contributes. 3.3.1 and 3.3.5 are weighted at 5 points each and 3.3.2 at 3 points, so Not Implemented findings on those three alone cost 13 points. Documenting eMonitor accurately as the implementing system for the requirements it covers protects the baseline score; it cannot raise a score above 110.
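The three checks an assessor is most likely to make against an activity log export, coverage (3.3.1), user attribution (3.3.2), and logging failure (3.3.4), can be scripted over the export itself. The following is an added example, not eMonitor code: the JSON-lines export format with the fields user, agent_id, ts and event is assumed, the sample records are constructed, and the offline and gap thresholds are assumptions that should be replaced with the heartbeat interval and tolerance stated in your SSP.

```python
"""Coverage, attribution and logging-failure checks over an activity log export.
Added example, not eMonitor code; the export format and thresholds are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not customer data): agent WS-102 stops reporting
# shortly after 08:00, WS-101 has a 100-minute hole, and one WS-102 record
# has lost its user attribution.
SAMPLE_EXPORT = """\
{"user": "jdoe", "agent_id": "WS-101", "ts": "2026-04-01T08:00:00Z", "event": "heartbeat"}
{"user": "jdoe", "agent_id": "WS-101", "ts": "2026-04-01T08:05:00Z", "event": "app_launch"}
{"user": "jdoe", "agent_id": "WS-101", "ts": "2026-04-01T08:10:00Z", "event": "heartbeat"}
{"user": "asmith", "agent_id": "WS-102", "ts": "2026-04-01T08:00:00Z", "event": "heartbeat"}
{"user": "asmith", "agent_id": "WS-102", "ts": "2026-04-01T08:01:00Z", "event": "usb_insert"}
{"user": "", "agent_id": "WS-102", "ts": "2026-04-01T08:02:00Z", "event": "file_copy"}
{"user": "jdoe", "agent_id": "WS-101", "ts": "2026-04-01T09:50:00Z", "event": "heartbeat"}
"""

ASSESSMENT_TIME = datetime(2026, 4, 1, 10, 0, tzinfo=timezone.utc)
OFFLINE_AFTER = timedelta(minutes=15)  # assumed: three missed 5-minute heartbeats
GAP_THRESHOLD = timedelta(minutes=30)  # assumed: largest gap tolerated by the SSP


def parse_export(text):
    """Parse JSON lines into records with timezone-aware datetimes, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def unattributed_records(records):
    """3.3.2: every record must name the individual user it belongs to."""
    return [r for r in records if not r.get("user")]


def offline_agents(records, now=ASSESSMENT_TIME, threshold=OFFLINE_AFTER):
    """3.3.4: agents whose newest record is older than the offline threshold."""
    last_seen = {}
    for r in records:
        if r["agent_id"] not in last_seen or r["ts"] > last_seen[r["agent_id"]]:
            last_seen[r["agent_id"]] = r["ts"]
    return {agent: now - seen for agent, seen in last_seen.items()
            if now - seen > threshold}


def coverage_gaps(records, threshold=GAP_THRESHOLD):
    """3.3.1: per-agent holes between consecutive records longer than threshold."""
    by_agent = defaultdict(list)
    for r in records:
        by_agent[r["agent_id"]].append(r["ts"])
    return [(agent, prev, cur)
            for agent, times in by_agent.items()
            for prev, cur in zip(times, times[1:])
            if cur - prev > threshold]


def audit_findings(text, now=ASSESSMENT_TIME):
    """Summarise the three checks for an evidence worksheet."""
    records = parse_export(text)
    return {
        "unattributed": len(unattributed_records(records)),
        "offline_agents": sorted(offline_agents(records, now)),
        "coverage_gaps": [(agent, int((cur - prev).total_seconds() // 60))
                          for agent, prev, cur in coverage_gaps(records)],
    }


if __name__ == "__main__":
    print(json.dumps(audit_findings(SAMPLE_EXPORT), indent=2))
```

On the sample, the script reports one unattributed record, WS-102 as offline at the assessment time, and a 100-minute coverage gap on WS-101. Each of those is something an assessor would ask about: the unattributed record undercuts 3.3.2, the gap is a hole in 3.3.1 coverage that needs an explanation, and the offline agent is only a pass for 3.3.4 if the alert history shows it was noticed when it happened.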

AC Control Family: Access Control Mapping

The AC (Access Control) family in NIST SP 800-171 contains 22 requirements (3.1.1 through 3.1.22). Employee monitoring does not enforce access restrictions; that is the role of the directory and identity provider, privileged access management tools, and network segmentation. What monitoring provides is evidence that access control policies are being followed in practice, which is part of what an assessor evaluates.

AC Control-to-Feature Mapping Table

Identifiers use the CMMC 2.0 form; 3.1.1 and 3.1.2 are Level 1 practices that Level 2 also assesses.

AC.L1-3.1.1 (5 points). Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
eMonitor feature: Activity Monitoring: per-user activity logs capture which users used which systems and applications, providing evidence that access is occurring as authorized.
Evidence artifact: Activity logs showing user-attributed access events; anomaly alerts when unexpected access patterns are detected.
Satisfaction level: Supporting. eMonitor provides activity-based evidence that access controls are functioning; it does not itself restrict access.

AC.L1-3.1.2 (5 points). Limit system access to the types of transactions and functions that authorized users are permitted to execute.
eMonitor feature: DLP Monitoring plus Activity Monitoring: unauthorized application usage detection, website access violation logging, USB activity logging with policy alerting.
Evidence artifact: DLP violation logs showing attempts outside permitted functions; application usage reports showing use of non-permitted application categories.
Satisfaction level: Supporting. eMonitor detects and logs activity outside permitted boundaries; enforcing those boundaries requires application control, role-based permissions, or web filtering.

AC.L2-3.1.9 (1 point). Provide privacy and security notices consistent with applicable CUI rules.
eMonitor feature: Monitoring transparency: eMonitor supports documented employee notification of monitoring, and that disclosure can be included in the system-use notice.
Evidence artifact: Employee acknowledgment documentation; the login banner or system-use notice text that states monitoring scope.
Satisfaction level: Supporting only. This requirement concerns the notice displayed to users of CUI systems (typically a login banner configured through Group Policy or MDM), not monitoring consent as such; eMonitor's disclosure text is a legitimate component of that notice, but the banner itself is a platform configuration.

AC.L2-3.1.21 (1 point). Limit use of portable storage devices on external systems.
eMonitor feature: DLP: real-time USB insertion monitoring, unauthorized USB device detection, USB activity logging with device identification and timestamp.
Evidence artifact: USB monitoring logs; USB block event records where device control is integrated; real-time alert history for unauthorized USB connections.
Satisfaction level: Indirect. 3.1.21 covers organizational portable storage used on external systems (a contractor's USB drive plugged into a partner's or home computer), which an agent on managed endpoints cannot observe; policy plus device control and encryption satisfy it. USB monitoring on managed endpoints is direct evidence for the Media Protection requirements MP.L2-3.8.7 (control the use of removable media on system components) and MP.L2-3.8.8 (prohibit the use of portable storage devices with no identifiable owner). Blocking, as opposed to logging, requires endpoint management integration (Group Policy or MDM).

IR Control Family: Incident Response Mapping

The IR (Incident Response) family in NIST SP 800-171 contains three requirements (3.6.1 through 3.6.3) that require organizations to establish an operational incident-handling capability, track and report incidents, and test the capability. Employee monitoring data is frequently the primary evidence source when incidents involve insider activity, unauthorized data access, or policy violations, which makes eMonitor directly relevant to IR evidence even though it provides none of the procedural elements.

IR Control-to-Feature Mapping Table

IR.L2-3.6.1 (5 points). Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
eMonitor feature: Real-time Alerts plus Activity Monitoring: anomaly alerts for suspicious activity (unusual file access, USB insertion, policy violations) that feed the detection phase; detailed activity logs supporting the analysis phase.
Evidence artifact: Incident response procedure documentation referencing eMonitor as a detection and evidence tool; alert history showing detection events; activity log exports used in incident analysis.
Satisfaction level: Supporting. eMonitor covers detection and analysis for endpoint user activity; the capability also requires a written plan, defined roles, containment and recovery procedures, and communications protocols, none of which a monitoring tool provides.

IR.L2-3.6.2 (5 points). Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
eMonitor feature: Reporting Dashboards and Export: activity log exports, DLP violation reports, and alert history reports that provide the evidentiary basis for internal incident records and external notifications.
Evidence artifact: Exported incident evidence reports; DLP violation summaries used in incident documentation; alert history exports supporting incident timeline reconstruction.
Satisfaction level: Supporting. eMonitor generates evidence artifacts; the tracking system, the designated officials, and the reporting path (including the 72-hour cyber incident report to DoD required by DFARS 252.204-7012 when CUI is involved) are organizational processes outside the tool.

IR.L2-3.6.3 (1 point). Test the organizational incident response capability.
eMonitor feature: Activity Monitoring plus Alerts: a simulated policy violation on a test endpoint verifies that the alert fires and that the activity record needed for analysis is captured.
Evidence artifact: Tabletop or functional exercise documentation showing eMonitor detection was validated; test alert records from the simulated event.
Satisfaction level: Supporting. eMonitor can be exercised as one detection source; the requirement is met by a structured exercise with documented scope, participants, findings, and follow-up actions.

Supporting Evidence for SI and CM Control Families

Employee monitoring provides supporting evidence for controls in two additional NIST SP 800-171 families that CMMC assessors evaluate. These are not primary satisfying controls, but they contribute evidence that reduces audit findings.

SI (System and Information Integrity) Supporting Controls

SI.L1-3.14.1 (identify, report, and correct system flaws in a timely manner) is about vulnerability identification and patching. eMonitor's application usage inventory can surface outdated or unsupported software versions on endpoints, which is supporting evidence at most; the implementing controls are vulnerability scanning and patch management. SI.L2-3.14.6 (monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks) primarily requires network and host-based monitoring; eMonitor's endpoint behavioral records (web destinations, file transfers, USB activity) add user-level context that complements network-layer and EDR detection but do not replace it.

CM (Configuration Management) Supporting Controls

CM.L2-3.4.1 (establish and maintain baseline configurations and inventories of organizational systems) benefits from eMonitor's application usage inventory, which lists the software actually in use on each monitored endpoint and can be reconciled against the authorized software inventory; it supplements, rather than replaces, configuration management tooling. eMonitor's unauthorized application detection is evidence for CM.L2-3.4.8 (apply a deny-by-exception or permit-by-exception policy to prevent the use of unauthorized software) and CM.L2-3.4.9 (control and monitor user-installed software), because it shows whether the allow list is being respected. It does not by itself evidence CM.L2-3.4.2 (establish and enforce security configuration settings), which is demonstrated by the configuration baseline and the mechanism that enforces it (Group Policy, MDM, or a hardening tool).

The NIST 800-171 control requirements guide covers the complete 14-family control framework and eMonitor's role across all applicable controls.

Using This Mapping in Your SPRS Self-Assessment

SPRS self-assessment accuracy determines your contractual compliance position and your risk profile during C3PAO audits. Incorrectly documenting control satisfaction — either overclaiming or underclaiming — creates audit risk. This section explains how to use the eMonitor control mapping correctly in your SPRS assessment.

Step 1: Identify Your CUI Environment Boundary

The first step is defining which systems are in scope for your CMMC assessment. If eMonitor agents are installed on systems that process, store, or transmit CUI, which includes most employee workstations in a defense contracting environment, eMonitor is an in-scope system and must itself be assessed. Decide in particular whether the data the agent captures (screenshots, file names, URLs, keystrokes) can itself contain CUI; if it can, the eMonitor cloud environment stores CUI and is an external service provider whose services must meet FedRAMP Moderate or DoD's equivalency requirements under DFARS 252.204-7012 and the CMMC rule, and whose responsibilities must be recorded in your SSP and customer responsibility matrix. Confirm that eMonitor meets the applicable requirements before claiming it as an implementing control.

Step 2: Document eMonitor as the Implementing System for AU Controls

For each AU control where eMonitor provides primary or supporting evidence, document the following in your System Security Plan (SSP): the control identifier, the control requirement text, eMonitor as the implementing system, the specific eMonitor feature that satisfies the requirement, the evidence artifact type (activity log export, alert configuration, dashboard screenshot), and the location where evidence is stored. The SSP is the primary artifact C3PAO assessors review; specificity about implementing systems reduces assessor questions and audit findings.

Step 3: Assign Correct Implementation Status Codes

C3PAOs assess each NIST SP 800-171A objective as MET, NOT MET, or NOT APPLICABLE, and a requirement is satisfied only when every one of its objectives is met. System Security Plan templates typically record status as Implemented, Partially Implemented, Planned, Alternative Implementation, or Not Applicable, and the SPRS methodology deducts the full point value for anything short of Implemented, with partial credit only for 3.5.3 and 3.13.11. For the AU requirements mapped here, eMonitor supports "Implemented" only when the complementary pieces are in place: a documented review procedure for 3.3.3, SIEM correlation with network and system sources for 3.3.5, system and network log retention for 3.3.1, and a written incident response plan for the IR family. Where those are absent, record the requirement as Partially Implemented, put it on the POA&M with a completion date, and take the deduction. Claiming "Implemented" with the complementary controls absent is an assessment finding, not a scoring shortcut.

Step 4: Collect and Retain Evidence Artifacts

Evidence artifacts for eMonitor-based control claims should include: screenshots of the eMonitor dashboard showing active monitoring of in-scope systems, exported activity logs demonstrating per-user attribution (for 3.3.2), data retention settings showing log retention periods aligned with your SSP (for 3.3.1), alert configuration screenshots showing event rules and agent-offline alerts (for 3.3.3 and 3.3.4), and report export samples demonstrating on-demand filtering and reporting (for 3.3.6). Capture each artifact with a visible date and the host or agent it covers, and record a hash of each exported file so the copy presented to the assessor can be shown to match the one taken from the system. Retain artifacts for six years from the assessment date, the retention period 32 CFR Part 170 sets for assessment evidence.
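Steps 2 through 4 come together in the scoring arithmetic, and the place most self-assessments go wrong is the partial-credit rule. The following is an added example, not a DoD or eMonitor tool: the point values are those the NIST SP 800-171 DoD Assessment Methodology assigns to the requirements this page maps, the status map is constructed, and any requirement absent from the map is assumed Implemented so the effect of the mapped ones is visible on its own.

```python
"""SPRS score arithmetic for the requirements mapped on this page.
Added example, not a DoD or eMonitor tool; statuses below are constructed."""

# Assessment Methodology point values for the requirements this page discusses
# (assumption: every requirement not listed here is Implemented).
POINTS = {
    "3.3.1": 5, "3.3.2": 3, "3.3.3": 1, "3.3.4": 1, "3.3.5": 5, "3.3.6": 1,
    "3.1.1": 5, "3.1.2": 5, "3.1.9": 1, "3.1.21": 1,
    "3.6.1": 5, "3.6.2": 5, "3.6.3": 1,
    "3.5.3": 5, "3.13.11": 5,
}
# The only two requirements the methodology scores partially: 3.5.3 (MFA for
# remote and privileged users but not general users) and 3.13.11 (encryption
# in place but not FIPS-validated) lose 3 points instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE = 110
FULLY_SCORED = ("Implemented", "Not Applicable")


def deduction(req, status):
    """Points lost for one requirement given its SSP status string."""
    if status in FULLY_SCORED:
        return 0
    if status == "Partially Implemented" and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    # Partially Implemented, Planned, or Not Implemented: full deduction.
    return POINTS[req]


def sprs_score(statuses):
    """Start at 110 and subtract every deduction."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())


def poam_items(statuses):
    """Everything not fully implemented must appear on the POA&M with a date."""
    return sorted(r for r, s in statuses.items() if s not in FULLY_SCORED)


def family_deductions(statuses):
    """Deductions grouped by family number (3.3 = AU, 3.5 = IA, 3.6 = IR)."""
    out = {}
    for r, s in statuses.items():
        family = r.rsplit(".", 1)[0]
        out[family] = out.get(family, 0) + deduction(r, s)
    return out


# Constructed status map: endpoint monitoring deployed, but SIEM correlation,
# a written log-review procedure, and an IR exercise are still open items.
EXAMPLE_STATUSES = {
    "3.3.1": "Implemented",
    "3.3.2": "Implemented",
    "3.3.3": "Partially Implemented",  # alerts exist, review procedure not documented
    "3.3.4": "Implemented",
    "3.3.5": "Partially Implemented",  # endpoint-only correlation, no SIEM
    "3.3.6": "Implemented",
    "3.6.3": "Not Implemented",        # IR capability never exercised
    "3.5.3": "Partially Implemented",  # MFA on remote and privileged access only
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(EXAMPLE_STATUSES))
    print("POA&M items:", poam_items(EXAMPLE_STATUSES))
    print("Deductions by family:", family_deductions(EXAMPLE_STATUSES))
```

For the constructed statuses the score is 100: the partial 3.3.5 costs the full 5 points even though endpoint correlation is in place, the partial 3.3.3 costs 1, the untested IR capability costs 1, and the partial MFA costs 3 rather than 5 because 3.5.3 is one of the two exceptions. The same four requirements are the POA&M entries.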

The SOX compliance guide covers the related requirements for financial services organizations managing both CMMC and SOX audit evidence.

Get a CMMC Compliance Briefing for eMonitor

Our team provides defense contractor organizations with eMonitor implementation guidance aligned to CMMC Level 2 requirements. Schedule a briefing before your next SPRS assessment.


What Employee Monitoring Alone Cannot Satisfy

Honest compliance guidance requires acknowledging what eMonitor does not provide. The NIST SP 800-171 families to which employee monitoring makes no direct contribution are AT (Awareness and Training), CA (Security Assessment), IA (Identification and Authentication), MA (Maintenance), PE (Physical Protection), PS (Personnel Security), RA (Risk Assessment), and SC (System and Communications Protection). MP (Media Protection) is a partial exception: USB monitoring on managed endpoints is supporting evidence for MP.L2-3.8.7 and MP.L2-3.8.8, but monitoring does not mark, sanitize, encrypt, or physically control media. These families require different implementing technologies and organizational procedures.

Within the AC, AU, and IR families covered by this mapping, several requirements need implementations alongside eMonitor. AC requirements for session management, account management, and privilege escalation require identity management systems. The AU requirements to protect audit information and audit logging tools (3.3.8) and to limit management of audit logging to a subset of privileged users (3.3.9) rest on the storage security and role-based administration of eMonitor's cloud infrastructure plus your own backup, hashing, and integrity verification of exported evidence; synchronized time stamps (3.3.7) rest on the endpoints' time source. IR requirements for incident documentation and reporting to authorities require formal incident response plans and communication procedures that exist outside any monitoring tool.

No single tool satisfies CMMC Level 2 in isolation. Employee monitoring is one component of a defense-in-depth control environment. This mapping identifies eMonitor's specific contribution within that environment.

[Image: Defense contractor CMMC compliance documentation workspace with eMonitor reports]

Frequently Asked Questions

Which CMMC controls does employee monitoring satisfy?

Employee monitoring contributes primarily to the AU (Audit and Accountability) family: 3.3.1 (create and retain audit records), 3.3.2 (trace actions to individual users), 3.3.3 (review and update logged events), 3.3.4 (alert on logging failure), 3.3.5 (correlate review and analysis), and 3.3.6 (audit record reduction and report generation). It also contributes evidence for AC requirements 3.1.1 and 3.1.2 through access activity logging, for MP requirements 3.8.7 and 3.8.8 through USB monitoring, and for IR requirements 3.6.1 and 3.6.2 through anomaly detection and incident evidence generation. Protecting audit records (3.3.8) depends on the platform's storage security and your own integrity procedures rather than on monitoring features. The AU family is where monitoring provides the strongest and most direct evidence.

How does eMonitor map to NIST 800-171 AU controls?

eMonitor maps to NIST SP 800-171 AU requirements through its activity logging, alert, and reporting modules. 3.3.2 is evidenced by automatic per-user activity event logging. 3.3.1 is evidenced, for endpoint activity, by log retention with configurable retention periods in encrypted, access-controlled storage. 3.3.3 and 3.3.4 are supported by real-time alert rules and agent-offline notifications. 3.3.5 is supported by cross-event correlation in the reporting dashboards, with SIEM integration needed for correlation beyond the endpoint. 3.3.6 is evidenced by on-demand filtered report generation. Centralized aggregation of agent data from all monitored endpoints into one dashboard, regardless of employee location, underpins 3.3.1 and 3.3.5 rather than standing as a requirement of its own.

What is the AU control family in CMMC?

The AU (Audit and Accountability) family in CMMC Level 2 contains nine requirements derived from NIST SP 800-171 (3.3.1 through 3.3.9). They require organizations to create and retain system audit logs, protect audit information from unauthorized access and modification, review audit logs for anomalous activity, correlate and report on audit data, and synchronize time stamps. The AU family carries 19 aggregate points in the SPRS methodology, with 3.3.1 and 3.3.5 at 5 points each, which makes it one of the higher-value families to get right.

Does eMonitor satisfy the CMMC AC requirements 3.1.1, 3.1.2, 3.1.9, and 3.1.21?

eMonitor contributes supporting evidence for 3.1.1 and 3.1.2 by logging user activity, which lets you verify that access is occurring within authorized boundaries; it does not restrict access. For 3.1.9 its monitoring disclosure can be part of the system-use notice, but the notice itself is a platform configuration. For 3.1.21 (portable storage on external systems) the contribution is indirect, because an agent on managed endpoints cannot see what happens on external systems; eMonitor's USB monitoring module, which records USB connections with device identification, user attribution, and timestamps, is instead direct evidence for the Media Protection requirements 3.8.7 and 3.8.8. Blocking, as opposed to logging, requires endpoint management tools (Group Policy or MDM) paired with eMonitor's detection.

How do I use this mapping for my SPRS self-assessment?

Use this mapping as a reference when scoring requirements in your SPRS self-assessment. For each requirement where eMonitor provides evidence, document eMonitor as the implementing system in your System Security Plan, identify the specific feature module, and retain exported reports or screenshots as evidence artifacts. Assign status accurately: "Implemented" only when the full requirement is met, including the complementary controls (SIEM, formal procedures); otherwise "Partially Implemented" with a POA&M entry, remembering that SPRS deducts the full point value for a partial implementation except for 3.5.3 and 3.13.11. Retain all evidence for six years from the assessment date.

Is eMonitor itself a CUI-handling system subject to CMMC requirements?

eMonitor agents installed on systems that process, store, or transmit CUI are in scope for CMMC assessment. The agents capture activity data rather than CUI as such, but they run on CUI-handling endpoints and transmit that data to eMonitor's cloud environment, and captured screenshots, file names, URLs, or keystrokes can themselves contain CUI. If they can, eMonitor's cloud is an external service provider storing CUI and must meet FedRAMP Moderate or DoD's equivalency requirements under DFARS 252.204-7012 and the CMMC rule, with its responsibilities recorded in your SSP and customer responsibility matrix. Organizations must assess whether the eMonitor platform meets the applicable NIST SP 800-171 requirements as part of their system boundary definition. Contact eMonitor's compliance team for a security architecture review and the relevant attestations before your CMMC assessment.

What is the SPRS point value of AU controls that eMonitor satisfies?

3.3.1 and 3.3.5 carry 5 points each and 3.3.2 carries 3; 3.3.3, 3.3.4, and 3.3.6 carry 1 point each, so the six AU requirements this mapping covers total 16 of the family's 19 points. SPRS does not award points: a requirement that is fully implemented keeps its value, and one that is not loses all of it. Correct eMonitor documentation therefore protects up to 16 points, but only for requirements where the complementary controls (system and network log retention for 3.3.1, a documented review procedure for 3.3.3, SIEM correlation for 3.3.5) are also in place; a requirement implemented only on the endpoint side still takes its full deduction.

Where does employee monitoring fit in a CMMC audit evidence package?

In a CMMC C3PAO audit evidence package, employee monitoring evidence typically appears in three locations: the System Security Plan (SSP) describing eMonitor as the implementing system for AU controls, the Plan of Action and Milestones (POA&M) documenting any partially implemented controls where eMonitor contributes but additional work is required, and the evidence repository containing exported activity logs, alert configurations, and dashboard screenshots. Organize eMonitor evidence artifacts by control family and control number to facilitate assessor review.

Start Building Your CMMC Evidence Package

eMonitor generates the AU control evidence artifacts defense contractors need for SPRS self-assessments and C3PAO audits. 1,000+ companies trust eMonitor to document their employee activity trail.


7-day free trial. No credit card required.