NetStable
Level 2 AU.L2-3.3.3

Review and update logged events

📖 What This Means

This control requires organizations to periodically review the set of events they log and update it so that it still captures what security monitoring and compliance need. It means checking that the events being logged are accurate, complete, and aligned with current threats and system changes. For example, when new software is installed, the logging configuration should be extended to capture events from that software; when a logged event type no longer carries security value, it can be dropped from the configuration (records already collected are still kept for their retention period). This ensures that when auditors or security teams look at logs, they see meaningful and useful data. For instance, a company might add failed login attempts to its logged events after a phishing attack, or retire the log sources of decommissioned systems so they no longer show up as silent gaps in monitoring.

🎯 Why It Matters

Failing to review and update logged events leaves gaps in security monitoring that make incidents harder to detect and investigate. The 2017 Equifax breach is the usual cautionary example: an expired certificate on a traffic-inspection appliance left attacker traffic uninspected for months, the intrusion went undetected for more than two months, and records on roughly 147 million people were exposed. Outdated or incomplete logging also produces findings during assessments, which can mean a POA&M, lost contracts, or penalties. The DoD includes this control so that CUI is protected by logging that keeps pace with the environment. Regular review and updates help organizations stay ahead of evolving threats and preserve accurate records for forensic analysis.

How to Implement

  1. Enable audit logging at every source inside the CUI boundary (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Logging, Windows audit policy, syslog).
  2. Configure log retention to match the period in your logging policy (CMMC does not prescribe a number of days; the organization sets the period and must be able to show it is met).
  3. Set up alerts for critical events (e.g., failed logins, unauthorized access, and changes to the logging configuration itself).
  4. Regularly review logs using cloud-native tools or SIEM integrations, and include the log sources themselves in the review: a system in the boundary that has gone silent, or one that was never onboarded, is a gap.
  5. Update logging configurations when new services or applications are added, and retire sources for decommissioned systems.
  6. Automate log export to a secure, access-restricted storage bucket for long-term retention.
  7. Document changes to logging configurations in a change management system.
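Steps 4 and 5 are where most organizations fall short, because "review the logs" usually means reading alerts, not checking whether every system in the boundary is still sending logs. The script below is an added example written for this page, not NetStable's code or a vendor tool. It compares a constructed asset inventory against a constructed SIEM export and reports the four coverage findings an assessor will ask about: active systems never onboarded, active systems that have gone silent, decommissioned or unknown hosts still sending events (inventory drift), and active systems missing an event category the logging policy requires. The required event categories, hostnames, and events are all assumptions for illustration; in practice the inventory comes from your CMDB and the events from a SIEM export.

```python
"""Log-source coverage review for an audit-logging program (added example).

Compares the inventory of systems inside the CUI boundary against the log
sources the SIEM has actually received events from, and reports:
  * active systems that have never sent a log (onboarding gap),
  * active systems that have gone silent (agent or forwarder broken),
  * decommissioned or unknown systems still sending logs (inventory drift),
  * active systems missing an event category the policy requires.
All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event categories the (assumed) logging policy requires from every system.
REQUIRED_EVENT_TYPES = frozenset(
    {"auth_success", "auth_failure", "privilege_use", "config_change"}
)

# Constructed asset inventory: hostname -> lifecycle status.
INVENTORY = {
    "web-01": "active",
    "db-01": "active",
    "app-02": "active",            # deployed last week, never onboarded to the SIEM
    "legacy-fs": "decommissioned",
}

# Constructed SIEM export: one dict per event, timestamps in UTC ISO-8601.
SIEM_EVENTS = [
    {"host": "web-01", "ts": "2024-05-01T11:00:00Z", "event_type": "auth_failure"},
    {"host": "web-01", "ts": "2024-05-01T11:05:00Z", "event_type": "auth_success"},
    {"host": "web-01", "ts": "2024-05-01T10:00:00Z", "event_type": "privilege_use"},
    {"host": "web-01", "ts": "2024-05-01T09:00:00Z", "event_type": "config_change"},
    {"host": "db-01", "ts": "2024-04-20T08:00:00Z", "event_type": "auth_success"},
    {"host": "legacy-fs", "ts": "2024-05-01T11:30:00Z", "event_type": "auth_success"},
    {"host": "jumpbox-9", "ts": "2024-05-01T10:30:00Z", "event_type": "config_change"},
]

# Time the review is run (fixed so the example is deterministic).
REVIEW_TIME = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_coverage(inventory, events, now, silence_threshold=timedelta(hours=24)):
    """Return coverage findings as a dict of sets (and a dict of sets for missing types)."""
    last_seen = {}                 # host -> most recent event timestamp
    seen_types = defaultdict(set)  # host -> event categories observed
    for ev in events:
        ts = _parse_ts(ev["ts"])
        host = ev["host"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
        seen_types[host].add(ev["event_type"])

    active = {h for h, status in inventory.items() if status == "active"}
    never_logged = {h for h in active if h not in last_seen}
    # Silent: active, has logged before, but nothing inside the threshold window.
    silent = {h for h in active - never_logged
              if now - last_seen[h] > silence_threshold}
    # Stale: sending events but decommissioned or absent from the inventory.
    stale_sources = {h for h in last_seen if h not in active}
    # Missing categories only for hosts that have sent something at all,
    # so an un-onboarded host is reported once (under never_logged), not twice.
    missing_types = {
        h: REQUIRED_EVENT_TYPES - seen_types[h]
        for h in active - never_logged
        if REQUIRED_EVENT_TYPES - seen_types[h]
    }
    return {
        "never_logged": never_logged,
        "silent": silent,
        "stale_sources": stale_sources,
        "missing_event_types": missing_types,
    }


def run_review():
    """Run the review over the constructed inventory and events."""
    return review_coverage(INVENTORY, SIEM_EVENTS, now=REVIEW_TIME)


if __name__ == "__main__":
    for name, value in run_review().items():
        print(f"{name}: {sorted(value) if isinstance(value, set) else value}")
```

Each finding maps to an action that belongs in change management: onboard app-02, fix the forwarder on db-01, remove legacy-fs and investigate jumpbox-9 (either add it to the inventory or find out why an unknown host is inside the boundary), and enable the missing audit categories on db-01. Saving the script's output with the review date and the tickets it generated is exactly the "evidence of log reviews and updates" an assessor asks for.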
⏱️ Estimated Effort
Initial setup: 8-16 hours (Intermediate skill level). Ongoing review: 2-4 hours monthly (Basic skill level).

📋 Evidence Examples

Logging Policy

Format: PDF/DOCX
Frequency: Review annually or when changes occur.
Contents: Policy defining log types, retention periods, and review frequency.
Collection: Export from document management system.

Log Configuration Screenshots

Format: PNG/JPG
Frequency: Update when changes are made.
Contents: Screenshots of logging settings in AWS CloudTrail, Azure Monitor, or Syslog.
Collection: Take screenshots during configuration.

SIEM Reports

Format: CSV/PDF
Frequency: Weekly.
Contents: Weekly log review reports showing anomalies and actions taken.
Collection: Export from SIEM tool.

Change Management Records

Format: Spreadsheet/PDF
Frequency: Update with each change.
Contents: Documentation of changes to logging configurations.
Collection: Export from change management system.

Training Records

Format: PDF/DOCX
Frequency: Annually.
Contents: Records of staff training on log review procedures.
Collection: Export from HR system.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AU.L2-3.3.3 ("Review and update logged events"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your audit logging infrastructure, including which events are logged, the SIEM/log management platform, retention periods, log protection mechanisms, and review processes. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AU.L2-3.3.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to review and update logged events. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'CloudTrail trail and event-selector configuration export, SIEM data-source inventory, weekly log-review ticket']."

On-Premise

"AU.L2-3.3.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to review and update logged events. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AU.L2-3.3.3 is implemented across both cloud and on-premise environments. [Organization] uses [log-forwarding agent/hybrid tool] to ensure consistent collection and review. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all systems generating audit logs within the CUI boundary
  • Document log flow from sources to centralized SIEM
  • Specify log storage locations and retention tiers
  • Ensure this control covers every system within your defined CUI boundary to which it applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Audit and Accountability Policy
  • 📄 SIEM architecture documentation
  • 📄 Log retention configuration
  • 📄 Evidence artifacts specific to AU.L2-3.3.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that required events are logged, check log completeness (all required fields present), test log protection mechanisms, and review evidence of regular log reviews.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented logging policy?

✅ YES → Proceed to Q2.
❌ NO → GAP: Create a logging policy defining log types, retention periods, and review frequency within 2 weeks.
Remediation:
Use templates from NIST or CIS as a starting point.

Question 2: Are logs reviewed weekly for anomalies?

✅ YES → Proceed to Q3.
❌ NO → GAP: Implement a weekly log review process using SIEM tools within 1 week.
Remediation:
Train staff on using SIEM tools for log analysis.

Question 3: Are logging configurations updated when new systems are deployed?

✅ YES → Proceed to Q4.
❌ NO → GAP: Add logging configuration updates to your change management process within 1 week.
Remediation:
Document changes in a change management system.

Question 4: Are logs protected from unauthorized access?

✅ YES → Proceed to Q5.
❌ NO → GAP: Restrict access to log stores and protect their integrity within 1 week.
Remediation:
Limit read and write access with ACLs or IAM policies to the security/audit role, use write-once or immutable storage for the archive where the platform offers it, and encrypt logs at rest.

Question 5: Do you have evidence of log reviews and updates?

✅ YES → Fully compliant.
❌ NO → GAP: Export and save log review reports and change records within 1 week.
Remediation:
Use SIEM and change management tools to generate evidence.

⚠️ Common Mistakes (What Auditors Flag)

1. Missing logs from critical systems.

Why this happens: Failure to enable logging on new systems or applications.
How to avoid: Include logging configuration in deployment checklists.

2. Outdated log retention policies.

Why this happens: Not updating policies to reflect changes in regulations or business needs.
How to avoid: Review retention policies annually or when regulations change.

3. Inconsistent log formats.

Why this happens: Different tools emit different formats and field names, so required fields (timestamp, source, user, outcome) cannot be found reliably across sources.
How to avoid: Normalize at SIEM ingest (parsers that map each source to a common schema) and document which fields every source must carry.

4. Unauthorized access to logs.

Why this happens: Log stores are readable or writable by the same accounts whose activity they record, or by anyone with general admin rights.
How to avoid: Restrict log access to the security/audit role, use immutable or append-only storage, and encrypt archived logs.

5. No evidence of log reviews.

Why this happens: Failure to document review processes.
How to avoid: Export and save SIEM reports weekly, recording who reviewed them and any tickets opened as a result.

📚 Parent Policy

This practice is governed by the Audit and Accountability Policy

View AU Policy →

📚 Related Controls