Reference: CMMC 2.0
Level Introduced: 2
Title: Event Review
Review and update logged events.
Organizations should periodically review logged events that identify possible security incidents, and the organization should update the list of events that need to be logged as necessary. Logging requirements for non-security events should also be reviewed; examples include 1) logging all installed software on endpoints to identify license irregularities, or 2) logging connections to a VPN server or load balancer to manage capacity and quality of service.
You are in charge of IT operations for your organization. You are responsible for identifying and documenting which events are relevant to the security of your organization's systems. Your organization has decided that this list of security-relevant events should be updated annually, or whenever new security threats or events have been identified that require additional events to be logged and reviewed.
You perform your annual review of events to log. The list includes events your organization reviewed and determined to be important for security. This list started as the list of recommended events given by the manufacturers of your operating systems and devices, but it has grown from experience operating the security of your environment and from additional best practices learned through security training and knowledge sharing with peers.
There is a security incident at your organization. Working with the security officer, a forensics review shows the logs appear to have been deleted by a remote user, and you notice that remote sessions are not currently logged. You update the list of events to include all VPN sessions.
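The review described in both scenarios above has a practical check behind it: confirming that every event on the organization's list is actually appearing in the logs, so a gap like unlogged VPN sessions is caught before an incident rather than after one. The following is an added example, not part of the CMMC text; the event list, the log format and the sample log lines are constructed for illustration, and the Windows event IDs (4624, 4625, 1102) are the standard logon, failed logon and audit-log-cleared events.

```python
"""Coverage check: does each event on the logged-events list occur in recent logs?"""
import re
from collections import Counter

# Constructed, hypothetical list of events the organization has decided to log,
# each mapped to a pattern that identifies it in the collected log lines.
REQUIRED_EVENTS = {
    "logon_success": r"EventID=4624",
    "logon_failure": r"EventID=4625",
    "audit_log_cleared": r"EventID=1102",
    "vpn_session": r"vpn-session (start|end)",   # added after the incident
}

# Constructed sample of collected log lines for the review window.
SAMPLE_LOGS = """\
2024-03-01T08:02:11 host=ws01 EventID=4624 user=alice src=10.0.0.5
2024-03-01T08:05:40 host=ws01 EventID=4625 user=bob src=10.0.0.9
2024-03-01T09:14:02 host=ws02 EventID=4624 user=carol src=10.0.0.7
2024-03-02T23:41:55 host=dc01 EventID=1102 user=svc-remote src=198.51.100.20
""".splitlines()


def count_events(log_lines, required=REQUIRED_EVENTS):
    """Count how many log lines match each required event's pattern."""
    compiled = {name: re.compile(pat) for name, pat in required.items()}
    counts = Counter({name: 0 for name in required})
    for line in log_lines:
        for name, rx in compiled.items():
            if rx.search(line):
                counts[name] += 1
    return counts


def review_coverage(log_lines, required=REQUIRED_EVENTS):
    """Return (counts, missing): events on the list with zero occurrences
    are candidates for a logging gap and should be investigated, since an
    event that is required but never seen is either not generated or not
    being collected."""
    counts = count_events(log_lines, required)
    missing = sorted(name for name in required if counts[name] == 0)
    return counts, missing


if __name__ == "__main__":
    counts, missing = review_coverage(SAMPLE_LOGS)
    for name, n in sorted(counts.items()):
        print(f"{name:20s} {n}")
    print("not observed in review window:", missing)  # ['vpn_session']
```

Run against the real log collection for the review period, the `missing` list is the set of items to reconcile with the logging configuration of the relevant systems.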