AU.L2-3.3.2 · NIST SP 800-171 3.3.2

User Accountability

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

3 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

AU.L2-3.3.2 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. the content of the audit records needed to support the ability to uniquely trace users to their actions is defined
  • b. audit records, once created, contain the defined content

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AU.L2-3.3.2, an assessor uses these:

Examine

Audit and accountability policy; procedures addressing audit records and event types; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing audit record generation; procedures addressing audit review, analysis, and reporting; reports of audit findings; system audit logs and records; system events; system incident reports; other relevant documents or records

Interview

Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators

Test

Mechanisms implementing system audit logging

What it means, in context

This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of VoIP.

Capturing the necessary information in audit logs ensures that you can trace actions to a specific user. This may include capturing user IDs, source and destination addresses, and time stamps. Logging from networks, servers, clients, and applications should be considered in ensuring accountability. This requirement, AU.L2-3.3.2, which ensures logging and traceability of user actions, supports the control of non-privileged users required by AC.L2-3.1.7 as well as many other auditing, configuration management, incident response, and situational awareness requirements.

Example

You manage systems for a company that stores, processes, and transmits CUI. You want to ensure that you can trace all remote access sessions to a specific user. You configure the VPN device to capture the following information for all remote access connections: source and destination IP address, user ID, machine name, time stamp, and user actions during the remote session [b].

Potential Assessment Considerations

  • Are users uniquely traced and held responsible for unauthorized actions [a]?
  • Does the system protect against an individual denying having performed an action (non-repudiation) [b]?

What passing evidence looks like

Proof every logged action traces to one person: log entries showing individual usernames, and no shared accounts on CUI systems (or documented compensating attribution).

Common ways contractors fail AU.L2-3.3.2

  • One shared login on a CUI machine breaks traceability for every action taken on it. This 3-point requirement is the reason shared accounts have to go.
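The VPN example above and the shared-account failure mode can both be checked mechanically: define the record content objective [a] requires, then verify every record actually carries it (objective [b]) and that the user field names one person. The script below is an added example, not part of this page or any CMMC tool; the key=value log format, the field names and the shared-account naming pattern are assumptions, and the log lines are constructed.

```python
"""Check that audit records carry the content needed to trace each action to one user.
Objective [a]: required record content is defined (REQUIRED_FIELDS).
Objective [b]: every record, once created, actually contains it."""
import re
from datetime import datetime

# [a] Defined content for a remote-access audit record (mirrors the page's VPN example).
REQUIRED_FIELDS = ("ts", "user", "src", "dst", "host", "action")

# Account names that cannot be traced to one person; an assumed naming convention.
SHARED_ACCOUNT_PATTERN = re.compile(r"^(admin|shared|vpnuser|guest)\d*$", re.IGNORECASE)

# Constructed sample records in key=value form; not real log data.
SAMPLE_LOG = """\
ts=2026-03-01T08:15:02Z user=jdoe src=203.0.113.7 dst=10.0.0.5 host=LT-0042 action=vpn_connect
ts=2026-03-01T08:16:11Z user=jdoe src=203.0.113.7 dst=10.0.0.20 host=LT-0042 action=smb_read share=cui_docs
ts=2026-03-01T09:02:45Z user=vpnuser2 src=198.51.100.9 dst=10.0.0.5 host=LT-0099 action=vpn_connect
ts=2026-03-01T09:03:10Z src=198.51.100.9 dst=10.0.0.20 host=LT-0099 action=smb_write
"""


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict; values are checked later, not here."""
    return dict(pair.split("=", 1) for pair in line.split())


def check_record(record: dict) -> list:
    """Return findings for one record; an empty list means it supports unique traceability."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    user = record.get("user")
    if user and SHARED_ACCOUNT_PATTERN.match(user):
        findings.append(f"shared account {user}")
    ts = record.get("ts")
    if ts:
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append(f"bad timestamp {ts}")
    return findings


def audit_log(text: str) -> dict:
    """Map each non-compliant line number (1-based) to its findings."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        findings = check_record(parse_record(line))
        if findings:
            results[n] = findings
    return results
```

Running `audit_log(SAMPLE_LOG)` flags line 3 (a shared account) and line 4 (no user field at all); the other two records trace to jdoe and pass.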

The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AU.L2-3.3.2, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AU.L2-3.3.2 questions, answered

How many points is CMMC requirement AU.L2-3.3.2 worth?

AU.L2-3.3.2 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.

Can AU.L2-3.3.2 be placed on a POA&M?

No. AU.L2-3.3.2 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AU.L2-3.3.2 belong to?

AU.L2-3.3.2 is in the Audit & Accountability (AU) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.3.2