Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY AU

AU.L2-3.3.8

Audit Protection

Requirement

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Further discussion

Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. The logs must be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools. Example You are in charge of IT operations in a company that handles CUI. Your responsibilities include protecting audit information and audit logging tools. You protect the information from modification or deletion by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators [a,b,c]. Only a small group of security professionals can view the data on the central audit server [b,c,d]. For an additional layer of protection, you back up the server daily and encrypt the backups before sending them to a cloud data repository [a,b,c]. Potential Assessment Considerations • Is there a list of authorized users for audit systems and tools [a]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/