Reference: CMMC 2.0
Level Introduced: 2
Title: Audit Protection
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. This protection starts with ensuring proper configuration of logging to ensure proper space for the needed log retention. The logs must also be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being
accessed directly from logs or from audit tools.
You are in charge of IT operations in your organization. Your responsibilities include protecting audit information and audit logging tools. You protect the audit information by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators. Centralized audit information is protected from deletion or alteration and only approved individuals can view the information in the audit tool. The central audit information server is backed up daily with those backups being encrypted and sent offsite where they are physically secured by a third-party.