AU.L2-3.3.1 · NIST SP 800-171 3.3.1

System Auditing

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

5 points if not metMust be fully met, cannot POA&M6 assessment objectives

What an assessor scores, the objectives

AU.L2-3.3.1 is met only when every one of these 6 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified
  • b.the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined
  • c.audit records are created (generated)
  • d.audit records, once created, contain the defined content
  • e.retention requirements for audit records are defined
  • f.audit records are retained as defined

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AU.L2-3.3.1, an assessor uses these:

Examine

Audit and accountability policy; procedures addressing auditable events; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing control of audit records; procedures addressing audit record generation; system audit logs and records; system auditable events; system incident reports; other relevant documents or records

Interview

Personnel with audit and accountability responsibilities; personnel with information security responsibilities; personnel with audit review, analysis and reporting responsibilities; system or network administrators

Test

Mechanisms implementing system audit logging

What it means, in context

An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third -party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, trans action-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or failure indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. NIST SP 800-92 provides guidance on security log management.

OSAs must ensure that all applicable systems create and retain audit logs that contain enough information to identify and investigate potentially unlawful or unauthorized system activity. OSAs must define the audit logs it needs to collect as well as the specific events to capture within the selected logs. Captured audit records are checked to verify that they contain the required events. In defining the audit log retention period, OSAs must ensure that logs are retained for a sufficiently long period to allow for the investigation of a security event. The retention period must take into account the delay of weeks or months that can occur between an initial compromise and the discovery of attacker activity. Example You set up audit logging capability for your company. You determine that all systems that contain CUI must have extra detail in the audit logs . Because of this, you configure thes e systems to log the following information for all user actions [b,c]: • time stamps; • source and destination addresses; • user or process identifiers; • event descriptions; • success or fail indications; and • filenames. Potential Assessment Considerations • Are audit log retention requirements appropriate to the system and its associated level of risk [e]?

What passing evidence looks like

The defined event list (what you log and why), the audit configuration screenshots showing those events are captured, a sample log excerpt, and the retention setting.

Common ways contractors fail AU.L2-3.3.1

  • !Objective order matters: define the event types FIRST (sign ins, admin actions, file access on CUI stores), then show the config captures exactly those. A log screenshot alone answers half the requirement.
  • !Retention is part of it. Know your audit log retention (default unified audit log retention is limited) and state the number.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AU.L2-3.3.1, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AU.L2-3.3.1 questions, answered

How many points is CMMC requirement AU.L2-3.3.1 worth?+

AU.L2-3.3.1 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AU.L2-3.3.1 be placed on a POA&M?+

No. AU.L2-3.3.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AU.L2-3.3.1 belong to?+

AU.L2-3.3.1 is in the Audit & Accountability (AU) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.3.1