AU.L2-3.3.1
Also known as: Audit events requirement
The NIST SP 800-171 requirement that mandates the contractor create and retain audit records of system events sufficient to identify unauthorized activity.
AU.L2-3.3.1 is the foundational audit logging requirement of NIST SP 800-171. It requires the contractor to 'create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.'
A C3PAO will ask: which events are you logging on which Information Systems, how long are you retaining them, who reviews them, and on what cadence. Acceptable evidence includes the audit policy itself, sample audit log entries from in-scope systems, the SIEM or log aggregation configuration, and records of periodic log review.
Most contractors implement AU.L2-3.3.1 with a SIEM platform (Splunk, Microsoft Sentinel, Elastic, etc.) or a managed detection and response (MDR) service. The SR risk-managed-asset and shared responsibility considerations come into play when log management is outsourced.
CMMCDocs.com