CMMC Level 2 is approaching. Here's the logging stack you need.
An estimated 80,000 defense contractors need CMMC Level 2 certification, and fewer than 500 had it as of late 2025. A SIEM covers the bulk of the audit logging, retention, and correlation controls. Here's what each one requires and how to meet them.
What CMMC actually is
With Phase 1 effective as of November 2025, the Cybersecurity Maturity Model Certification requires, per the DoD, that "contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implement adequate cybersecurity practices to protect the defense industrial base." CMMC is itself derived from NIST SP 800-171 (Level 2) and related federal standards (FAR 52.204-21, NIST 800-172 for Level 3).
CMMC breaks contractors into three levels, with stricter controls applied to contractors handling higher-sensitivity data:

The rollout happens in four phases:
- Phase 1 (November 10, 2025): Self-assessed Level 1 and 2 status required. (DoD may also require Level 2 C3PAO assessments at its discretion during Phase 1.)
- Phase 2 (November 10, 2026): Third-party C3PAO-assessed Level 2 required
- Phase 3 (November 10, 2027): Level 3 introduced
- Phase 4 (November 10, 2028): Full implementation across all applicable DoD contracts
In other words, if you're bidding on DoD work, the clock is ticking.
What "adequate cybersecurity practices" actually means for SIEM
The CMMC rulemaking (derived from NIST) is specific about what it expects for audit logging. Here's what each relevant control requires, and how RunReveal maps to it.
3.3.1 - Log Creation and Retention
Organizations are required to create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
RunReveal centralizes security logs from cloud, SaaS, and endpoint sources with flexible ingestion, normalization, and enrichment. The architecture scales to terabytes per day without performance penalties, and storage-based pricing makes it realistic to retain logs for the timeframes CUI handling demands.
3.3.2 - Individual User Traceability
Audit records must include the information needed to link events to the actions of an individual user.
RunReveal's enrichment layer attaches identity context (user, role, device, session) to events at ingest, so investigations can trace activity back to a specific person, without manually stitching fields across sources.
3.3.3 - Event Review
Organizations are required to regularly review and update what events are logged, ensuring logging reflects current systems and requirements.
RunReveal's detection-as-code model makes reviewing and updating logged events a repeatable (and auditable) process. Security teams can inspect, version-control, and update what's being captured across all sources without relying on proprietary tooling or manual change logs.
3.3.4 - Alerting on Audit Failures
NIST SP 800-171 requires organizations to alert in the event of an audit logging process failure.
RunReveal health checks provide automated monitoring for your log sources. When a source stops sending logs or starts dropping records, you know immediately. That keeps your audit coverage continuous and your data gaps visible.
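One way to implement the check 3.3.4 asks for, as an added example (this is not RunReveal's code or API): classify every source in an inventory as silent, dropping, or ok from the times its records were received. The source names, thresholds, and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def source_health(events, expected, now, silence=timedelta(minutes=15),
                  window=timedelta(hours=1), drop_ratio=0.5):
    """Classify every expected log source as 'ok', 'dropping' or 'silent'.
    events:   (source, received_at) pairs, received_at as aware UTC datetimes
    expected: inventory of sources that must report; one that never sent a
              record is still classified, which a GROUP BY on events alone misses
    """
    last_seen = {}
    current = defaultdict(int)   # records received within the last `window`
    baseline = defaultdict(int)  # records received in the window before that
    for source, received_at in events:
        age = now - received_at
        if age < timedelta(0):
            continue  # stamped after `now`: outside the period being evaluated
        if source not in last_seen or received_at > last_seen[source]:
            last_seen[source] = received_at
        if age < window:
            current[source] += 1
        elif age < 2 * window:
            baseline[source] += 1
    status = {}
    for source in expected:
        seen = last_seen.get(source)
        if seen is None or now - seen > silence:
            status[source] = "silent"      # audit logging failure: no recent records
        elif baseline[source] and current[source] < drop_ratio * baseline[source]:
            status[source] = "dropping"    # volume fell below drop_ratio of the prior window
        else:
            status[source] = "ok"
    return status

# Constructed sample data (source names and times are made up for illustration).
NOW = datetime(2025, 11, 10, 12, 0, tzinfo=timezone.utc)
def _every(source, step, oldest, newest):
    """One record every `step` minutes, from `oldest` to `newest` minutes before NOW."""
    return [(source, NOW - timedelta(minutes=m)) for m in range(newest, oldest + 1, step)]

EXPECTED = ["idp", "cloud-audit", "edr", "vpn"]
SAMPLE = (_every("idp", 5, 120, 0)             # steady
          + _every("cloud-audit", 1, 120, 60)  # 1/min in the earlier hour...
          + _every("cloud-audit", 10, 59, 5)   # ...then 1 per 10 min
          + _every("edr", 1, 120, 40))         # stopped 40 minutes ago; "vpn" never reported

if __name__ == "__main__":
    print(source_health(SAMPLE, EXPECTED, NOW))
```

A source with no records in the prior window has no baseline and is reported as ok rather than dropping, so newly onboarded sources do not alert on their first hour.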
3.3.5 - Correlation and Reporting
Organizations must correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
RunReveal's correlated alerting reduces false positives by weighing multiple data points before firing. That matters in a small defense shop where nobody has time to chase every anomalous login.
3.3.6 - Audit Record Reduction and Reporting
Under this control, “Organizations must provide audit record reduction and report generation capabilities to support on-demand analysis and reporting”.
RunReveal delivers SQL-powered dashboards and analytics for core security metrics, detection performance, and operational KPIs. Your team writes queries in a language they already know.
3.3.7 - Authoritative Time Source
This control requires organizations to provide a capability that compares and synchronizes internal system clocks with authoritative time sources.
While accurate timing across third-party tools depends on NTP (or equivalent) on source systems, RunReveal supports clock synchronization compliance by normalizing and preserving event timestamps at ingest, making later queries for anomalies straightforward.
3.3.8 and 3.3.9 - Protecting Audit Data Integrity
These controls require protecting audit information and audit logging tools from unauthorized access, modification, and deletion, and limiting management of audit logging to privileged users.
RunReveal supports immutable log storage and role-based access controls to restrict audit log management to privileged users only.
Additionally, RunReveal supports Kubernetes-based on-premises and in-VPC deployments, so contractors with data residency, air-gapped, or regulatory requirements can keep logs in their own environment, and still run the same platform.
A lot of words to confirm what you probably suspected: you need a SIEM
Legacy SIEM platforms were built for large enterprises with dedicated security teams and infrastructure budgets.
Compare that reality to the DoD's own finding that "small businesses comprise more than seventy percent of the companies that do business with the Department," and what’s the end result? Smaller defense contractors end up stuck between the Department's requirements and private sector tools that were priced for a different kind of customer.
That gap shows up in the numbers. As of October 2025, only 431 CMMC Level 2 certifications had been issued, out of an estimated 80,000 contractors in the Defense Industrial Base that require Level 2. That's the practical state of the DIB heading into Phase 2.
For most contractors, standing up a SIEM is the single most impactful step they can take toward CMMC compliance. It covers the bulk of the controls and puts the rest of your audit and investigation workflow on firmer ground.
If you're targeting a C3PAO assessment in the next 12 months, logging and retention controls are usually the longest-lead item. A 30-minute scoping call can tell you whether you're three weeks or three months from audit-ready. Interested? Reach out to our team.