CMMC 2.13
CMMC · Rev 2.132FAMILY AU
AU.L2-3.3.8
Audit Protection
Requirement
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Further discussion
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. The logs must be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools.
Example
You are in charge of IT operations in a company that handles CUI. Your responsibilities include protecting audit information and audit logging tools. You protect the information from modification or deletion by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators [a,b,c]. Only a small group of security professionals can view the data on the central audit server [b,c,d]. For an additional layer of protection, you back up the server daily and encrypt the backups before sending them to a cloud data repository [a,b,c].
Potential Assessment Considerations
• Is there a list of authorized users for audit systems and tools [a]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/