AU.L2-3.3.1 System Auditing: CMMC Level 2 Control
System auditing is the foundation of detecting and investigating unauthorized activity in your environment. AU.L2-3.3.1 requires you to create and maintain audit logs with sufficient detail to support monitoring, analysis, investigation, and reporting of security incidents.
What this means
This control mandates that organizations establish comprehensive system audit logging capabilities across IT infrastructure. You must capture events and activities with enough detail to enable investigators to reconstruct what happened, identify who took an action, and determine when it occurred. Retention policies must balance operational needs with storage constraints while preserving logs long enough to support security investigations and compliance reporting.
How to comply
- 1.Enable logging on all systems including servers, workstations, network devices, and applications
- 2.Configure audit settings to capture user identity, timestamps, actions performed, and resource affected
- 3.Establish log retention periods aligned with your organization's investigation and reporting requirements
- 4.Centralize logs in a secure repository with restricted access to prevent tampering or deletion
- 5.Define and document audit log policies specifying what events must be logged and for how long
- 6.Test log collection and retention mechanisms to ensure audit data is reliably captured and stored
- 7.Implement controls to protect audit logs from unauthorized modification or deletion
Evidence auditors look for
- System audit log configuration files showing enabled logging for critical events
- Centralized logging solution (SIEM) with log collection rules for all infrastructure
- Documented audit log retention policy specifying minimum retention periods by log type
- Sample audit logs demonstrating captured user identity, timestamps, and actions
- Access controls and backup procedures protecting audit log integrity
- Log volume and storage capacity planning documentation
- Testing records confirming audit logs are being generated and retained as configured
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates audit log policy creation, monitors log generation across your infrastructure, and generates evidence reports showing compliance with retention and protection requirements—eliminating manual log audits.
See how GRCWatch handles this control automatically
Start free trial