The Audit and Accountability (AU) control family in NIST SP 800-171 Rev 2 contains nine requirements that collectively mandate comprehensive logging, review, and protection of audit records across all systems that process CUI. These controls are among the most frequently failed in CMMC assessments because they require technical capability, process maturity, and ongoing operational commitment.
AU.L2-3.3.1 — Create and Retain Audit Records
Create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. The requirement itself does not enumerate event types, so your policy has to. A defensible baseline captures: successful and failed login attempts; account creation, modification, and deletion; privilege escalation events; file access and modification on CUI repositories; system configuration changes; use of privileged functions; and security-relevant application events. Each record also needs enough context to answer who, what, when, where, and outcome (the acting account, the event type, a timestamp, the source system or address, and success or failure), or the log cannot support an investigation.
NIST SP 800-171 does not set a number, so retention periods must be defined in your policy. Ninety days of online, searchable storage plus one year of archived storage is a common standard, though some organizations retain longer based on contract requirements. Whatever period you choose, be able to show that it is actually enforced, not just written down; the assessment objectives for this requirement include confirming that records are retained as defined.
AU.L2-3.3.2 — Unique User Accountability
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable. This means no shared accounts on CUI systems. Every action must be attributable to a specific person. Service accounts must be documented, restricted to the systems and tasks they exist for, and their use logged. If multiple administrators log in with a shared admin account and nothing ties the session back to a named person, you fail this control. Have administrators authenticate with their own accounts and elevate from there, so the privileged action is still recorded against the individual who performed it.
AU.L2-3.3.3 — Review and Update Audited Events
Review and update the list of audited events. Your logging configuration should not be static. Periodically review what you are logging to ensure it remains appropriate. After security incidents, system changes, or new threat intelligence, update your audit configuration to capture relevant events. Document these reviews.
AU.L2-3.3.4 — Alert on Audit Process Failure
Alert in the event of an audit logging process failure. If logging stops — because a disk fills up, a service crashes, or a network path breaks — you must be notified. Configure monitoring to detect when log sources stop sending data. A SIEM that silently stops receiving logs provides no value.
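As an added example (not code from the original page), the following Python script shows the two checks a collector needs for this requirement: a source that has gone quiet for longer than its expected reporting interval, and a source that is still sending but whose audit subsystem reports it is failing. The log lines, host names, expected intervals, and the clock value are constructed for the example.

```python
"""Detect audit log sources that have gone silent or report failure (added example for 3.3.4)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the last few lines the collector received, in
# "<ISO-8601 timestamp> <host> <message>" form. Not real data.
SAMPLE_LINES = """\
2024-05-01T09:00:05Z fs-cui-01 audit: user=alice op=read path=/srv/cui/contract.pdf
2024-05-01T09:58:40Z fs-cui-01 audit: user=bob op=write path=/srv/cui/spec.docx
2024-05-01T09:59:10Z dc-01 Security: EventID=4624 user=alice logon=success
2024-05-01T07:45:00Z vpn-gw Authentication: user=carol result=success src=203.0.113.7
2024-05-01T09:55:00Z auditd-relay auditd: WARNING: No space left on device, dropping events
"""

# How long each expected source may be quiet before the feed counts as failed.
# A busy file server or domain controller should report every few minutes; the
# VPN gateway is allowed a longer gap because logons are bursty. Assumed values,
# and "dc-02" is listed to show the case of a source that never reported at all.
EXPECTED_INTERVAL = {
    "fs-cui-01": timedelta(minutes=15),
    "dc-01": timedelta(minutes=15),
    "dc-02": timedelta(minutes=15),
    "vpn-gw": timedelta(hours=1),
    "auditd-relay": timedelta(minutes=15),
}

# Substrings by which the audit subsystem itself reports that it is failing.
FAILURE_MARKERS = ("No space left on device", "dropping events", "auditd: Error")

DEMO_NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)  # assumed clock


def parse(line):
    """Split one sample line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, host, msg


def last_seen(lines):
    """Return {host: latest timestamp} over the received lines."""
    seen = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        stamp, host, _ = parse(line)
        if host not in seen or stamp > seen[host]:
            seen[host] = stamp
    return seen


def check_sources(lines, now, expected=EXPECTED_INTERVAL):
    """Return a sorted list of (host, reason) alerts.

    Covers a source that stopped sending (no event within its interval, or
    never seen) and a source that is still sending but reports an audit
    failure in its own messages.
    """
    alerts = []
    seen = last_seen(lines)
    for host, interval in expected.items():
        if host not in seen:
            alerts.append((host, "no events ever received"))
        elif now - seen[host] > interval:
            quiet = now - seen[host]
            alerts.append((host, f"silent for {int(quiet.total_seconds() // 60)} min"))
    for line in lines.splitlines():
        if any(marker in line for marker in FAILURE_MARKERS):
            _, host, msg = parse(line)
            alerts.append((host, f"audit failure reported: {msg}"))
    return sorted(alerts)


def demo_alerts():
    """Run the check against the constructed sample at the assumed clock."""
    return check_sources(SAMPLE_LINES, DEMO_NOW)


if __name__ == "__main__":
    for host, reason in demo_alerts():
        print(f"ALERT {host}: {reason}")
```

In a real deployment the expected intervals come from the source inventory tied to your CUI boundary, and the check runs on a schedule on the collector, not on the monitored hosts, since a host that has stopped logging is exactly the one you cannot trust to raise the alarm.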
AU.L2-3.3.5 — Correlate Audit Records
Correlate audit record review, analysis, and reporting processes for investigation and response. This is where a SIEM earns its value. Individual log entries are useful, but correlating events across multiple systems — a failed VPN login followed by a successful login from a different IP, followed by access to a CUI file share — tells a story that individual logs cannot. Your SIEM should have correlation rules that detect common attack patterns and generate actionable alerts.
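As an added example (not code from the original page), the following Python script implements the exact sequence described above as a correlation rule: a failed VPN logon, then a successful VPN logon for the same user from a different IP within a window, then access to a CUI file share. The event records, field names, users, addresses and the 30-minute window are all constructed assumptions standing in for normalized SIEM records.

```python
"""Correlate VPN logon events with CUI file-share access (added example for 3.3.5)."""
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ev(time, source, user, src_ip, action, **extra):
    """Build one normalised event; the field set mirrors a typical SIEM schema (assumed)."""
    return {"time": ts(time), "source": source, "user": user, "src_ip": src_ip,
            "action": action, **extra}


# Constructed sample stream, already sorted by time. Not real data.
EVENTS = [
    ev("2024-05-01T08:00:00Z", "vpn-gw", "alice", "198.51.100.20", "logon", result="success"),
    ev("2024-05-01T08:05:00Z", "fs-cui-01", "alice", "10.0.5.20", "file_read", path="/srv/cui/contract.pdf"),
    ev("2024-05-01T22:10:00Z", "vpn-gw", "bob", "203.0.113.7", "logon", result="failure"),
    ev("2024-05-01T22:10:30Z", "vpn-gw", "bob", "203.0.113.7", "logon", result="failure"),
    ev("2024-05-01T22:12:00Z", "vpn-gw", "bob", "203.0.113.99", "logon", result="success"),
    ev("2024-05-01T22:20:00Z", "fs-cui-01", "bob", "10.0.5.44", "file_read", path="/srv/cui/pricing.xlsx"),
    ev("2024-05-01T23:00:00Z", "vpn-gw", "carol", "192.0.2.9", "logon", result="failure"),
    ev("2024-05-01T23:01:00Z", "vpn-gw", "carol", "192.0.2.9", "logon", result="success"),
    ev("2024-05-01T23:05:00Z", "fs-cui-01", "carol", "10.0.5.50", "file_read", path="/srv/cui/notes.txt"),
]

CUI_SOURCES = {"fs-cui-01"}      # hosts inside the CUI boundary (assumed)
WINDOW = timedelta(minutes=30)   # assumed correlation window between each step


def correlate(events, window=WINDOW):
    """Return one alert per (user, successful logon) matching the three-step pattern.

    Carol's sequence (a failure followed by success from the SAME address) is
    a mistyped password and is deliberately not alerted; Bob's, where the
    success comes from a different address, is.
    """
    alerts = {}
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for fail in evs:
            if fail["source"] != "vpn-gw" or fail.get("result") != "failure":
                continue
            for succ in evs:
                if (succ["source"] != "vpn-gw" or succ.get("result") != "success"
                        or not fail["time"] < succ["time"] <= fail["time"] + window
                        or succ["src_ip"] == fail["src_ip"]):
                    continue
                for access in evs:
                    if (access["source"] in CUI_SOURCES and access["action"] == "file_read"
                            and succ["time"] < access["time"] <= succ["time"] + window):
                        # Key on the successful logon so repeated failures
                        # before it produce one alert, not one per failure.
                        alert = alerts.setdefault((user, succ["time"]), {
                            "user": user,
                            "failed_from": fail["src_ip"],
                            "succeeded_from": succ["src_ip"],
                            "logon_time": succ["time"].isoformat(),
                            "files": [],
                        })
                        if access["path"] not in alert["files"]:
                            alert["files"].append(access["path"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['user']}: failed from {a['failed_from']}, succeeded from "
              f"{a['succeeded_from']} at {a['logon_time']}, then read {a['files']}")
```

The same three-step structure carries over to any SIEM's rule language; what matters is that each step is keyed on the user identity, which is why AU.L2-3.3.2's requirement for uniquely attributable accounts is a prerequisite for correlation rather than a separate concern.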
Protecting Audit Records
Requirements AU.L2-3.3.8 and AU.L2-3.3.9 address protection of audit information. 3.3.8 requires that audit information and the audit logging tools themselves be protected from unauthorized access, modification, and deletion; 3.3.9 requires that management of the audit logging functionality be limited to a subset of privileged users. An attacker who compromises a system and deletes its local logs eliminates the evidence of their activity, which is why logs must leave the host promptly: forward them in near real time to a collector on a separate system that the monitored hosts can write to but not administer. Restrict administrative access to the SIEM/log management platform to a small, named group, separate from the general administrators of the systems being monitored, and log that group's actions too. Use write-once (WORM or immutable) storage or cryptographic integrity verification, such as hash-chained or signed records, so that deletion or modification is detectable rather than silent.
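As an added example (not code from the original page), the following Python script shows the integrity-verification approach mentioned above: each record is chained to the previous one with an HMAC under a key held only by the collector, and verification reports the first position at which the chain breaks. The key, the records, and the three tampering scenarios are constructed for the example.

```python
"""Tamper-evident audit log using an HMAC hash chain (added example for 3.3.8 and 3.3.9)."""
import copy
import hashlib
import hmac
import json

# Held only by the log collector. In practice this comes from an HSM or KMS and
# never lives on the monitored host; a constructed value is used here.
KEY = b"collector-only-key-assumed-for-example"

GENESIS = "0" * 64  # link value for the first entry

# Constructed sample records. Not real data.
SAMPLE_RECORDS = [
    {"time": "2024-05-01T09:00:05Z", "host": "fs-cui-01", "user": "alice",
     "action": "read", "path": "/srv/cui/contract.pdf"},
    {"time": "2024-05-01T09:02:11Z", "host": "fs-cui-01", "user": "mallory",
     "action": "copy", "path": "/srv/cui/contract.pdf"},
    {"time": "2024-05-01T09:02:40Z", "host": "fs-cui-01", "user": "mallory",
     "action": "delete", "path": "/var/log/audit/audit.log"},
]


def _canonical(record):
    """Serialise a record deterministically so the same content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_append(chain, record, key=KEY):
    """Append `record` to `chain`, tagging it with HMAC(key, previous_tag || record)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, (prev + _canonical(record)).encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "record": record, "tag": tag})
    return chain


def chain_verify(chain, key=KEY):
    """Return (ok, first_bad_seq).

    Any modified, inserted, reordered or deleted entry breaks the link of the
    entry that follows it, so the chain fails at or just after the tampering.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, i
        expected = hmac.new(key, (prev + _canonical(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_chain():
    chain = []
    for rec in SAMPLE_RECORDS:
        chain_append(chain, rec)
    return chain


def demo():
    """Exercise the verifier against an intact chain and three tampering cases."""
    chain = build_sample_chain()
    results = {"intact": chain_verify(chain)}

    # 1. Attacker rewrites who performed the copy: entry 1's tag no longer matches.
    modified = copy.deepcopy(chain)
    modified[1]["record"]["user"] = "alice"
    results["modified"] = chain_verify(modified)

    # 2. Attacker deletes entry 1 and renumbers the rest: entry 2's tag was computed
    #    over entry 1's tag, not entry 0's, so the link breaks at position 1.
    deleted = [dict(e, seq=i) for i, e in enumerate(chain[:1] + chain[2:])]
    results["deleted"] = chain_verify(deleted)

    # 3. Attacker edits a record and recomputes every tag, but without the
    #    collector's key: the very first tag fails to verify.
    reforged = []
    for entry in modified:
        chain_append(reforged, entry["record"], key=b"attacker-does-not-have-the-key")
    results["reforged"] = chain_verify(reforged)
    return results


if __name__ == "__main__":
    for case, (ok, bad) in demo().items():
        print(f"{case:9s} ok={ok} first_bad_seq={bad}")
```

One caveat a practitioner should keep in mind: a chain like this cannot detect truncation of the most recent entries on its own, since nothing follows them to break. That gap is closed by periodically anchoring the latest tag somewhere the log administrators cannot rewrite, such as the write-once storage already mentioned, which is also why 3.3.9 separates the people who manage logging from the people who are logged.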
Practical SIEM Recommendations
For most small defense contractors, a cloud-based SIEM provides the best balance of capability and cost. Microsoft Sentinel integrates natively with GCC High environments. Solutions like Blumira and Arctic Wolf offer managed SIEM services that include monitoring and alerting without requiring a dedicated SOC team. Whatever solution you choose, ensure it collects logs from all CUI-boundary systems, retains them per your policy, supports search and correlation, and generates alerts for security-relevant events.
CMMCDocs.com