Event Review
Review and update logged events.
What an assessor scores, the objectives
AU.L2-3.3.3 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a. a process for determining when to review logged events is defined
- b. event types being logged are reviewed in accordance with the defined review process
- c. event types being logged are updated based on the review
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For AU.L2-3.3.3, an assessor uses these:
- Examine: Audit and accountability policy; procedures addressing audit records and event types; system security plan; list of organization-defined event types to be logged; reviewed and updated records of logged event types; system audit logs and records; system incident reports; other relevant documents or records
- Interview: Personnel with audit and accountability responsibilities; personnel with information security responsibilities
- Test: Mechanisms supporting review and update of logged event types
What it means, in context
The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.

Further discussion

This requirement is focused on the configuration of the auditing system, not the review of the audit records produced by the selected events. The review of the audit logs is covered under AU.L2-3.3.5 and AU.L2-3.3.6.

Example

You are in charge of IT operations for a company that processes CUI and are responsible for identifying and documenting which events are relevant to the security of your company’s systems. Your company has decided that this list of events should be updated annually or when new security threats or events have been identified, which may require additional events to be logged and reviewed [a]. The list of events you are capturing in your logs started as the list of recommended events given by the manufacturers of your operating systems and devices, but it has grown from experience.

Your company experiences a security incident, and a forensics review shows the logs appear to have been deleted by a remote user. You notice that remote sessions are not currently being logged [b]. You update the list of events to include logging all VPN sessions [c].

Potential assessment considerations

- Do documented processes include methods for determining when to review logged event types (i.e., regular frequency, after incidents, after major system changes) [a]?
- Do documented processes include methods for reviewing event types being logged (i.e., based on specific threat, use case, retention capacity, current utilization, and/or newly added system component or functionality) [b]?
What passing evidence looks like
A dated record of an actual log review (who looked, when, what they checked, what they found) plus the review cadence written in the log policy.
Common ways contractors fail AU.L2-3.3.3
- This is the requirement that fails when logging is on but nobody looks. A recurring 30 minute monthly review with a two line record each time is enough, but it must have happened at least once before assessment.
Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AU.L2-3.3.3 questions, answered
How many points is CMMC requirement AU.L2-3.3.3 worth?
AU.L2-3.3.3 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can AU.L2-3.3.3 be placed on a POA&M?
Yes. A gap on AU.L2-3.3.3 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does AU.L2-3.3.3 belong to?
AU.L2-3.3.3 is in the Audit & Accountability (AU) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.3.3