NetStable
Level 2 AU.L2-3.3.6

Provide audit record reduction and report generation to support on-demand analysis and reporting

📖 What This Means

This control requires organizations to have tools and processes in place to filter and summarize audit logs into reports that can be quickly analyzed. Essentially, it means being able to sift through large volumes of log data to find relevant information efficiently. For example, if a security incident occurs, you should be able to generate a report showing all relevant log entries without manually searching through thousands of lines. This is crucial for timely incident response and ongoing monitoring. Real-world examples include using a Security Information and Event Management (SIEM) tool to generate a report of failed login attempts or exporting logs to a spreadsheet for further analysis.

🎯 Why It Matters

Without the ability to reduce and report on audit logs, organizations risk missing critical security events buried in large volumes of data. This can lead to delayed detection of breaches, increased damage, and regulatory penalties. For instance, in the 2017 Equifax breach, failure to analyze logs promptly contributed to the breach going unnoticed for months, affecting 147 million people. The DoD emphasizes this control to ensure defense contractors can quickly identify and respond to threats involving Controlled Unclassified Information (CUI). The potential impact includes financial losses, reputational damage, and loss of contracts.

How to Implement

  1. Enable logging features in your cloud platform (e.g., AWS CloudTrail, Azure Monitor, GCP Audit Logs).
  2. Configure log aggregation using cloud-native tools like AWS CloudWatch Logs or Azure Log Analytics.
  3. Set up automated report generation using tools like Splunk Cloud or Datadog.
  4. Define filters and queries to reduce logs to relevant events (e.g., failed logins, unauthorized access attempts).
  5. Schedule regular report generation and distribution to security teams.
  6. Ensure logs are stored securely with proper access controls.
  7. Test report generation tools to confirm they meet CMMC requirements.
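The steps above (and the filters and queries Question 4 below asks for) can be demonstrated with a small script; the following is an added example, not code from NetStable or from any SIEM vendor. It assumes audit records arrive as JSON lines with constructed `event`, `result`, `user`, `src` and `ts` fields (map these to your platform's actual schema), reduces them to the failed-login events relevant to a question, and emits a per-source CSV report of the kind the Sample Audit Report evidence item describes. Malformed lines are counted rather than silently dropped, because an assessor checking log completeness will ask about them.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample audit records (JSON lines); the field names event/result/
# user/src are assumed for this example and must be mapped to your SIEM's schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "event": "login", "result": "failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-05-01T08:00:07Z", "event": "login", "result": "failure", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-05-01T08:00:12Z", "event": "login", "result": "success", "user": "alice", "src": "203.0.113.5"}
{"ts": "2024-05-01T08:02:40Z", "event": "login", "result": "failure", "user": "admin", "src": "198.51.100.9"}
{"ts": "2024-05-01T08:02:43Z", "event": "login", "result": "failure", "user": "root", "src": "198.51.100.9"}
{"ts": "2024-05-01T08:05:00Z", "event": "file_read", "result": "success", "user": "bob", "src": "10.0.0.4"}
not JSON: a malformed record that must be counted rather than silently dropped
"""

def load_events(text):
    """Parse JSON-lines audit data; return (events, malformed_line_count)."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1  # surface this: dropped records undermine completeness
    return events, malformed

def reduce_events(events, event=None, result=None, start=None, end=None):
    """Audit record reduction: keep records matching the query (ISO-8601 'Z' bounds)."""
    kept = []
    for e in events:
        if event and e.get("event") != event:
            continue
        if result and e.get("result") != result:
            continue
        ts = e.get("ts", "")
        if (start and ts < start) or (end and ts > end):
            continue
        kept.append(e)
    return kept

def generate_report(events, key="src"):
    """Report generation: per-key counts plus a CSV body ready for distribution."""
    counts = Counter(e.get(key, "unknown") for e in events)
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([[key, "count"], *counts.most_common()])
    return {"total": len(events), "by_" + key: dict(counts), "csv": buf.getvalue()}
```

Calling `generate_report(reduce_events(load_events(SAMPLE_LOG)[0], event="login", result="failure"))` yields the on-demand failed-login report; change `key="user"` to pivot the same reduced set by account instead of source address.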

⏱️ Estimated Effort

Implementation typically takes 2-4 weeks, requiring intermediate-level skills in logging tools and security operations.

📋 Evidence Examples

SIEM Configuration Documentation

Format: PDF/DOCX
Frequency: Update annually or when changes occur.
Contents: Details of SIEM setup, log sources, and report configurations.
Collection: Export from SIEM tool or document manually.

Sample Audit Report

Format: CSV/PDF
Frequency: Generate weekly or on-demand.
Contents: Filtered log entries showing specific events (e.g., failed logins).
Collection: Generate from SIEM or logging tool.

Log Reduction Procedure

Format: PDF/DOCX
Frequency: Review annually.
Contents: Step-by-step process for reducing logs and generating reports.
Collection: Document manually.

Training Records

Format: PDF/DOCX
Frequency: Update quarterly.
Contents: Records of staff training on log reduction and reporting tools.
Collection: Export from training management system.

Test Results

Format: PDF/DOCX
Frequency: Test semi-annually.
Contents: Results of testing log reduction and report generation processes.
Collection: Document manually.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AU.L2-3.3.6 ("Provide audit record reduction and report generation to support on-demand analysis and reporting"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your audit logging infrastructure, including which events are logged, the SIEM/log management platform, retention periods, log protection mechanisms, and review processes. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AU.L2-3.3.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to provide audit record reduction and report generation to support on-demand analys.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AU.L2-3.3.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to provide audit record reduction and report generation to support on-demand analys.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AU.L2-3.3.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all systems generating audit logs within the CUI boundary
  • Document log flow from sources to centralized SIEM
  • Specify log storage locations and retention tiers
  • Ensure this control covers all systems within your defined CUI boundary where audit record reduction and report generation for on-demand analysis and reporting applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Audit and Accountability Policy
  • 📄 SIEM architecture documentation
  • 📄 Log retention configuration
  • 📄 Evidence artifacts specific to AU.L2-3.3.6
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that required events are logged, check log completeness (all required fields present), test log protection mechanisms, and review evidence of regular log reviews.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a centralized logging solution in place?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement a SIEM or logging tool within 30 days.
Remediation:
Evaluate and deploy a SIEM tool like Splunk or ELK Stack.

Question 2: Are logs being forwarded to the centralized solution?

✅ YES → Proceed to Q3
❌ NO → GAP: Configure log forwarding from all systems within 14 days.
Remediation:
Set up log forwarding using syslog or native integrations.

Question 3: Can you generate reports on-demand?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure report generation tools within 14 days.
Remediation:
Use SIEM dashboards or scripts to automate reporting.

Question 4: Is log reduction being performed regularly?

✅ YES → Proceed to Q5
❌ NO → GAP: Establish a log reduction procedure within 7 days.
Remediation:
Define filters and queries for common security events.

Question 5: Have you tested the log reduction and reporting process?

✅ YES → Compliance confirmed.
❌ NO → GAP: Test the process and document results within 7 days.
Remediation:
Conduct a test and document findings.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete log collection

Why this happens: Not all systems are configured to forward logs.
How to avoid: Verify log forwarding from all critical systems.

2. No automated reporting

Why this happens: Reliance on manual processes.
How to avoid: Automate report generation using SIEM tools.

3. Poor log storage security

Why this happens: Logs stored without encryption or access controls.
How to avoid: Secure logs with encryption and restrict access.

4. Lack of training

Why this happens: Staff unfamiliar with log reduction tools.
How to avoid: Provide training on SIEM and reporting tools.

5. Untested processes

Why this happens: Failure to validate log reduction and reporting.
How to avoid: Regularly test and document the process.

📚 Parent Policy

This practice is governed by the Audit and Accountability Policy.