CMMC v2.11 Practices

AU.L2-3.3.1  

Reference: CMMC v2.11

Family: AU

Level Introduced: 2

Title: System Auditing

Practice:
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Further Discussion:
OSAs must ensure that all applicable systems create and retain audit logs that contain enough information to identify and investigate potentially unlawful or unauthorized system activity. OSAs must define the audit logs they need to collect as well as the specific events to capture within the selected logs. Captured audit records are checked to verify that they contain the required events.

In defining the audit log retention period, OSAs must ensure that logs are retained for a sufficiently long period to allow for the investigation of a security event. The retention period must take into account the delay of weeks or months that can occur between an initial compromise and the discovery of attacker activity.

Example
You set up audit logging capability for your company. You determine that all systems that contain CUI must have extra detail in the audit logs. Because of this, you configure these systems to log the following information for all user actions [b,c]:
• time stamps;
• source and destination addresses;
• user or process identifiers;
• event descriptions;
• success or fail indications; and
• filenames.
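
One way to check captured audit records against the list above, as an added example that is not part of the CMMC guidance. It assumes records are exported as one JSON object per line; the key names, the allowed outcome values, and the requirement that time stamps carry a UTC offset are assumptions, and the sample records are constructed.

```python
import json
from datetime import datetime

# Content listed in the example above; the JSON key names are assumptions.
REQUIRED_FIELDS = {
    "timestamp": "time stamp",
    "src_addr": "source address", "dst_addr": "destination address",
    "actor_id": "user or process identifier",
    "event": "event description",
    "outcome": "success or fail indication",
    "filename": "filename",
}

def check_record(record):
    """Return the problems found in one parsed audit record."""
    problems = [f"missing {label}" for key, label in REQUIRED_FIELDS.items()
                if record.get(key) in (None, "")]
    ts = record.get("timestamp")
    if ts:
        try:
            # Assumed local policy: an offset is needed to correlate hosts.
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("time stamp has no UTC offset")
        except (ValueError, TypeError):
            problems.append("time stamp is not ISO 8601")
    if record.get("outcome") not in (None, "", "success", "failure"):
        problems.append("outcome is not success/failure")
    return problems

def check_log(lines):
    """Map 1-based line number -> problems, for lines that fail the check."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None  # truncated or corrupted line
        if not isinstance(record, dict):
            findings[number] = ["not a JSON object"]
        elif problems := check_record(record):
            findings[number] = problems
    return findings

# Constructed sample export: one complete record and three defective ones.
SAMPLE_LOG = [
    '{"timestamp": "2024-05-01T12:00:00+00:00", "src_addr": "10.0.0.5", "dst_addr": "10.0.0.20", "actor_id": "jdoe", "event": "file read", "outcome": "success", "filename": "contract.docx"}',
    '{"timestamp": "2024-05-01 12:03:11", "src_addr": "10.0.0.5", "dst_addr": "10.0.0.20", "actor_id": "jdoe", "event": "file delete", "outcome": "denied", "filename": "contract.docx"}',
    '{"timestamp": "2024-05-01T12:04:00+00:00", "src_addr": "10.0.0.7", "actor_id": "", "event": "file write", "outcome": "failure"}',
    'truncated line {"timestamp":',
]
```

Running check_log over a periodic sample from each CUI system gives a per-line list of gaps that can be kept as evidence that the check was performed.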

Potential Assessment Considerations
• Are audit log retention requirements appropriate to the system and its associated level of risk [e]?

Source: CMMC v2.11