Audit and Accountability Policy
Audit and Accountability Domain (AU)
📖 What This Policy Covers
Audit and Accountability is your organization's security camera system -- it records everything that happens so you can prove what occurred, investigate incidents, and demonstrate compliance. This policy covers what events must be logged, what details each log must contain, how logs are protected from tampering, how long logs are retained, how logs are monitored and reviewed, and what happens when logging fails.
Purpose
This policy ensures that:
- • All security-relevant activities are logged and monitored
- • Audit logs provide sufficient detail for incident investigation
- • Logs are protected from unauthorized access or modification
- • The organization can demonstrate compliance with CMMC Level 2 requirements
- • Accountability is maintained for all user and system activities
Scope
Applies to all information systems, applications, databases, network devices, and security tools processing, storing, or transmitting CUI or sensitive data. Covers authentication attempts, privileged actions, CUI access, configuration changes, and security events across cloud (AWS, Azure, GCP), on-premise, hybrid, and SaaS environments.
🎯 Why It Matters
Without audit logs, you can't detect breaches, investigate incidents, or prove compliance. The average time to detect a breach is 207 days (IBM 2022) -- comprehensive logging cuts this dramatically. Assessors will specifically test whether your logs capture the right events with enough detail. Incomplete logging is one of the most common CMMC assessment failures because it's easy to have logging 'enabled' but missing critical event types or proper retention.
🔐 Key Requirements
1. Audit Log Creation
Define what events must be logged and what details each log entry must contain.
- ✓ Authentication events: successful/failed logins, lockouts, password changes, MFA enrollment/bypass
- ✓ Authorization events: access denials, permission changes, role modifications
- ✓ CUI access: opening, viewing, downloading, creating, modifying, deleting, sharing CUI files
- ✓ Configuration changes: firewall rules, security policies, system configs, audit log config changes
- ✓ Privileged actions: admin commands, privileged account usage, user provisioning/deprovisioning
- ✓ Network events: VPN connections, firewall denials, IDS/IPS alerts, malware detections
- ✓ Each log entry MUST include: event type, timestamp (NTP-synchronized ISO 8601), source (hostname/IP), user ID, outcome (success/failure), and contextual details
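A record-level check for the mandatory fields listed above, added here as an illustration rather than code from the policy or any particular SIEM; the JSON field names, the sample records and the ISO 8601-with-timezone rule for timestamps are this example's own assumptions:

```python
import json
from datetime import datetime

# Fields section 1 requires in every audit record (JSON key names are assumed, not from the policy).
REQUIRED_FIELDS = ("event_type", "timestamp", "source", "user_id", "outcome")
VALID_OUTCOMES = {"success", "failure"}

def validate_entry(entry: dict) -> list:
    """Return the list of policy violations for one record; an empty list means compliant."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]
    ts = entry.get("timestamp")
    if isinstance(ts, str):
        try:
            # fromisoformat() accepts "+00:00"; a trailing "Z" is normalised for older Pythons
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp lacks timezone offset (ISO 8601 with zone required)")
        except ValueError:
            problems.append(f"timestamp not ISO 8601: {ts!r}")
    if "outcome" in entry and entry["outcome"] not in VALID_OUTCOMES:
        problems.append(f"outcome must be success/failure, got {entry['outcome']!r}")
    return problems

def validate_lines(lines) -> dict:
    """Validate JSON-lines records; returns {line_number: [problems]} for non-compliant ones."""
    report = {}
    for n, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["record is not valid JSON"]
            continue
        problems = validate_entry(entry)
        if problems:
            report[n] = problems
    return report

# Constructed sample records: line 1 is compliant, lines 2-4 each violate the policy.
SAMPLE_LINES = [
    '{"event_type": "cui.file.download", "timestamp": "2024-03-01T14:02:11Z", '
    '"source": "fs01.example.internal", "user_id": "jdoe", "outcome": "success"}',
    '{"event_type": "auth.login", "timestamp": "2024-03-01 14:03:00", '
    '"source": "10.0.0.5", "user_id": "asmith", "outcome": "failure"}',
    '{"event_type": "config.firewall.change", "timestamp": "2024-03-01T14:04:00+00:00", '
    '"source": "fw-edge-1", "outcome": "ok"}',
    'not json at all',
]

if __name__ == "__main__":
    for n, problems in validate_lines(SAMPLE_LINES).items():
        print(f"line {n}: " + "; ".join(problems))
```

Run against a day's export before an assessment; any non-empty report is a gap an assessor would flag under "log entries missing required fields".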
2. Audit Log Protection
Protect audit logs from unauthorized access, modification, and deletion.
- ✓ Audit logs are read-only to all users except designated IT Security personnel
- ✓ System administrators have no direct write/delete access to audit logs
- ✓ All audit log access is itself logged (meta-logging)
- ✓ Append-only/immutable storage where possible (AWS S3 Object Lock, Azure immutability policies)
- ✓ Cryptographic hash (SHA-256) of log files generated daily for integrity verification
- ✓ File integrity monitoring (FIM) on log directories with alerts on unauthorized changes
- ✓ Logs encrypted at rest (AES-256) and in transit (TLS 1.2+)
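The daily SHA-256 integrity check above, as an added worked example that is not part of the policy or any vendor tool; file names, log contents and the tampering scenario are constructed, and the manifest is kept in memory here although in practice it would be written to immutable storage away from the hosts that produce the logs:

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a log file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(log_dir: Path) -> dict:
    """Daily manifest: file name -> SHA-256. Store it off-host (immutable bucket) in practice."""
    return {p.name: sha256_file(p) for p in sorted(log_dir.glob("*.log"))}

def verify_manifest(log_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a stored manifest and classify every discrepancy."""
    current = build_manifest(log_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }

def run_demo() -> dict:
    """Constructed scenario: snapshot two log files, then edit one, delete one and plant one."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        auth = log_dir / "auth-2024-03-01.log"
        cui = log_dir / "cui-access-2024-03-01.log"
        auth.write_text("2024-03-01T09:00:00Z auth.login jdoe failure\n"
                        "2024-03-01T09:00:30Z auth.login jdoe success\n")
        cui.write_text("2024-03-01T09:05:00Z cui.file.download jdoe /cui/contract-123.pdf\n")
        manifest = build_manifest(log_dir)          # taken at the daily checkpoint
        # Later: an unauthorized edit drops the failed-login line ...
        auth.write_text("2024-03-01T09:00:30Z auth.login jdoe success\n")
        cui.unlink()                                 # ... the CUI access log disappears ...
        (log_dir / "rogue.log").write_text("x\n")    # ... and a file nobody expected appears
        return verify_manifest(log_dir, manifest)    # each case shows up in its own bucket

if __name__ == "__main__":
    print(run_demo())
```

Every non-empty bucket in the verification result should raise a FIM-style alert; the hash manifest itself is only trustworthy if it is stored somewhere the log-host administrators cannot write.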
3. Audit Log Retention
Define retention periods and storage tiers for different log types.
- ✓ CUI systems: 3 years retention (NIST SP 800-171 + DFARS compliance)
- ✓ Authentication logs: 1 year
- ✓ Privileged access logs: 2 years
- ✓ Network logs: 90 days
- ✓ Application logs: 6 months
- ✓ Hot storage (0-90 days): online, instant search in SIEM
- ✓ Warm storage (90 days - 1 year): compressed, indexed in cloud object storage
- ✓ Cold storage (1+ years): archived, retrievable within 24 hours (Glacier, tape)
- ✓ Legal hold logs exempt from deletion; all retention policy changes require CISO approval
4. Audit Log Monitoring & Review
Continuous monitoring with real-time alerting and scheduled human reviews.
- ✓ Real-time alerts for: multiple failed logins (>5 in 5 min), privileged access outside business hours, MFA bypass, config changes to critical systems, CUI exfiltration attempts, ransomware indicators, logging failures
- ✓ Critical alerts: page on-call SOC analyst 24/7; High alerts: response within 1 hour; Medium: within 4 hours
- ✓ Weekly reviews by IT Security: privileged account activity, SIEM anomalies, log source health, top failed auth users/IPs
- ✓ Monthly reviews by CISO: executive dashboard, security trends, investigation outcomes, alert tuning
- ✓ Quarterly reviews for executive leadership: high-level metrics, compliance status
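The first real-time alert rule above (more than 5 failed logins within 5 minutes) as detection logic over sample records, added here as an example rather than a rule from the policy or any SIEM product; the JSON record layout, the user names and the IP addresses are constructed:

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # policy: more than 5 failures ...
WINDOW = timedelta(minutes=5)   # ... within 5 minutes

def detect_failed_login_bursts(lines, threshold=THRESHOLD, window=WINDOW) -> list:
    """Sliding-window count of failed logins per user; one alert per burst."""
    failures = []
    for line in lines:
        e = json.loads(line)
        if e["event_type"] == "auth.login" and e["outcome"] == "failure":
            ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            failures.append((ts, e["user_id"], e["source"]))
    failures.sort()                          # SIEM exports are not guaranteed to be ordered
    recent = defaultdict(deque)
    alerts = []
    for ts, user, src in failures:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:            # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"user_id": user, "source": src, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()                        # fresh window so one burst alerts exactly once
    return alerts

def _evt(ts, user, outcome, src="203.0.113.7"):
    return json.dumps({"event_type": "auth.login", "timestamp": ts,
                       "source": src, "user_id": user, "outcome": outcome})

# Constructed sample: jdoe fails 6 times in under 3 minutes (alert); asmith fails 6 times
# but spread over 20 minutes (no alert); a success in between is ignored.
SAMPLE_LINES = (
    [_evt(f"2024-03-01T09:0{m}:{s}Z", "jdoe", "failure")
     for m, s in ((0, "00"), (0, "30"), (1, "00"), (1, "30"), (2, "00"), (2, "30"))]
    + [_evt("2024-03-01T09:03:00Z", "jdoe", "success")]
    + [_evt(f"2024-03-01T09:{m:02d}:00Z", "asmith", "failure", "198.51.100.9")
       for m in (0, 4, 8, 12, 16, 20)]
)

if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LINES):
        print(f"ALERT {a['user_id']} from {a['source']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}")
```

Keying the window on source IP instead of user ID catches password spraying across many accounts; the policy's weekly review of top failed-auth users and IPs is where the two views get compared.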
5. Audit Failure Response
What happens when logging fails and how to prevent capacity-related failures.
- ✓ Automated alerts when logging fails: page on-call IT Security + System Admin immediately
- ✓ Response within 4 hours: investigate root cause, implement temporary measures, document in incident ticket
- ✓ For critical CUI systems: system continues with local buffer (max 24 hours) or enters read-only mode until logging restored
- ✓ Capacity monitoring: alert at 70% disk usage, auto-scaling for cloud log storage
- ✓ Daily log file rotation with compression; automated deletion past retention period
- ✓ Annual capacity review: current rate, projected growth, 6-month buffer
6. Audit Reduction & Reporting
Techniques to manage log volume and on-demand reporting capabilities.
- ✓ Filtering, aggregation, deduplication, and sampling to manage volume
- ✓ Never reduce: CUI access, authentication, privileged actions, security events
- ✓ CISO approval required for any audit reduction decisions
- ✓ On-demand reports: user activity, CUI access, privileged access, failed auth, config changes, incident timelines
- ✓ Export formats: PDF, CSV, Excel, JSON with automatic PII/password redaction
- ✓ Scheduled reports: weekly to IT Security, monthly to CISO, quarterly to executive leadership
7. Time Synchronization
All systems are synchronized to an authoritative time source so that audit trails from different systems can be correlated.
- ✓ All systems synchronized via NTP to an authoritative time source (time.nist.gov)
- ✓ Time accuracy within 1 second of UTC
- ✓ Alert if time drift exceeds 5 seconds
- ✓ Audit logs include timezone in ISO 8601 format
👥 Roles & Responsibilities
CISO / IT Director
- • Overall accountability for audit and accountability program
- • Approve audit policy and exceptions
- • Review audit summary reports monthly
- • Ensure audit logs available for investigations and compliance
IT Security Team / SOC
- • Configure and maintain SIEM and logging infrastructure
- • Monitor audit logs for security events 24/7
- • Respond to security alerts within defined SLAs
- • Conduct weekly audit log reviews and generate monthly reports
System Administrators / Application Owners
- • Enable audit logging on all systems per this policy
- • Forward logs to centralized SIEM
- • Troubleshoot logging issues
- • Notify IT Security of logging failures within 4 hours
All Users
- • Understand that actions are logged and monitored
- • Report suspicious activity observed in systems
- • Cooperate with investigations involving audit log review
🛠️ Implementation Roadmap (8 Weeks)
Audit Infrastructure
Weeks 1-2
- → Week 1: Select SIEM (Azure Sentinel, Splunk, ELK), size infrastructure, deploy and configure log ingestion (agents, syslog, cloud integrations)
- → Week 2: Onboard log sources by priority -- CUI systems first, then identity systems (Azure AD, AD, VPN), network security (firewalls, IDS/IPS), endpoints (AV, EDR)
Alert Rules & Monitoring
Weeks 3-4
- → Week 3: Import pre-built detection rules, create custom rules (failed logins, after-hours admin access, CUI exfiltration), tune for 1 week to reduce false positives
- → Week 4: Create dashboards (SOC overview, executive summary, CUI access heatmap), configure automated reports, set up on-call rotation (PagerDuty, Opsgenie)
Retention & Protection
Weeks 5-6
- → Week 5: Configure retention policies (3 years for CUI), enable immutable storage (S3 Object Lock, Azure immutability), set up backups
- → Week 6: Configure RBAC on SIEM, enable file integrity monitoring on log directories, configure SACL on Windows Security Event Log
Testing & Validation
Weeks 7-8
- → Week 7: Test logging coverage -- verify auth, CUI access, privileged actions, and config changes all generate correct log entries
- → Week 8: Test failure scenarios -- stop logging service (verify alert), simulate disk space alert, test SOC paging, create runbooks, train SOC team
📊 CMMC Practice Mapping
| Practice ID | Requirement | Policy Section |
|---|---|---|
| AU.L1-3.3.1 | Create audit records | 1 |
| AU.L2-3.3.2 | Ensure audit record content | 1 |
| AU.L2-3.3.3 | Alert on audit failure | 5 |
| AU.L2-3.3.4 | Review/analyze audit records | 3, 4 |
| AU.L1-3.3.5 | Alert, review, analyze audit records | 4 |
| AU.L2-3.3.6 | Allocate audit capacity | 5 |
| AU.L2-3.3.7 | Reduce/report audit events | 6, 7 |
| AU.L2-3.3.8 | Protect audit information | 2 |
| AU.L2-3.3.9 | Provide reports on-demand | 6 |
📋 Evidence Requirements
These are the artifacts a C3PAO assessor will ask for. Start collecting early.
- • Signed Audit Policy + SIEM Architecture Diagram
- • SIEM Dashboard Screenshot
- • Audit Configuration Screenshots
- • Log Retention Configuration
- • Audit Log Sample (50 entries)
- • Weekly Audit Review Reports
- • SIEM Alert Metrics
- • Log Failure Test Results
⚠️ Common Gaps (What Assessors Flag)
1. Logging enabled but missing critical event types
2. Log entries missing required fields
3. No log protection -- admins can delete or modify logs
4. Logs exist but nobody reviews them
📝 Template Customization Guide
When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:
| Placeholder | Meaning | Example |
|---|---|---|
| [COMPANY NAME] | Your organization's legal name | Acme Defense Systems, LLC |
| [CISO Name] | Name of your CISO or IT Director | Jane Smith |
| [X GB/day] | Your estimated daily log volume | 15 GB/day |
| [Y% annually] | Your projected log volume growth rate | 20% annually |
| [ntp1.company.com] | Your NTP server addresses | ntp1.acmedefense.com |
Customization Tips
- 💡 Measure your actual daily log volume before setting capacity plans -- run a 1-week test ingestion
- 💡 If you can't afford 24/7 SOC coverage, document your monitoring hours and compensating controls (e.g., automated alerts always active)
- 💡 Adjust retention periods upward if your contracts require longer retention
- 💡 If using a managed SIEM service, document the vendor's retention and protection guarantees
- 💡 Start with the minimum required event types and add more as your team matures