AU.L2-3.3.6 · NIST SP 800-171 3.3.6

Reduction & Reporting

Provide audit record reduction and report generation to support on-demand analysis and reporting.

1 point if not met · POA&M eligible · 2 assessment objectives

What an assessor scores, the objectives

AU.L2-3.3.6 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. an audit record reduction capability that supports on-demand analysis is provided
  • b. a report generation capability that supports on-demand reporting is provided

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AU.L2-3.3.6, an assessor uses these:

Examine

Audit and accountability policy; procedures addressing audit record reduction and report generation; system design documentation; system security plan; system configuration settings and associated documentation; audit record reduction, review, analysis, and reporting tools; system audit logs and records; other relevant documents or records

Interview

Personnel with audit record reduction and report generation responsibilities; personnel with information security responsibilities

Test

Audit record reduction and report generation capability

What it means, in context

Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities. Audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can help generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient.

Raw audit log data is difficult to review, analyze, and report because of the volume of data. Audit record reduction is an automated process that interprets raw audit log data and extracts meaningful and relevant information without altering the original logs. An example of log reduction for files to be analyzed would be the removal of details associated with nightly backups. Report generation on reduced log information allows you to create succinct customized reports without the need to burden the reader with unimportant information. In addition, the security-relevant audit information must be made available to personnel on demand for immediate review, analysis, reporting, and event investigation support. Performing audit log reduction and providing on-demand reports may allow the analyst to take mitigating action before an adversary completes its malicious actions.

Example

You are in charge of IT operations in a company that processes CUI. You are responsible for providing audit record reduction and report generation capability. To support this function, you deploy an open-source solution that will collect and analyze data for signs of anomalies. The solution queries your central log repository to extract relevant data and provide you with a concise and comprehensive view for further analysis to identify potentially malicious activity [a]. In addition to creating on-demand data sets for analysis, you create customized reports explaining the contents of the data set [b].

Potential Assessment Considerations

  • Does the system support on-demand audit review, analysis, and reporting requirements and after-the-fact security investigations [b]?
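An added example, not part of the original page or of any product it mentions: the reduction and report generation described above, run over constructed audit records. It drops nightly backup noise, restores time order using millisecond timestamps, and leaves the raw records unchanged; the field layout, the `svc_backup` account name and the function names are assumptions for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records (time, host, account, event, outcome); not real log data.
# The three jdoe failures are deliberately out of arrival order within two seconds.
RAW_LOG = """\
2025-03-02T02:00:01.120Z,fs01,svc_backup,file_read,success
2025-03-02T02:00:01.450Z,fs01,svc_backup,file_read,success
2025-03-02T08:14:09.003Z,dc01,jdoe,logon,failure
2025-03-02T08:14:09.871Z,dc01,jdoe,logon,failure
2025-03-02T08:14:08.512Z,dc01,jdoe,logon,failure
2025-03-02T08:15:30.250Z,fs01,jdoe,file_read,success
2025-03-02T09:02:44.000Z,dc01,asmith,logon,success
"""
FIELDS = ["time", "host", "account", "event", "outcome"]
BACKUP_ACCOUNTS = {"svc_backup"}  # assumption: nightly backups run under this account

def parse(raw):
    """Parse raw CSV text into records with timezone-aware timestamps."""
    rows = list(csv.DictReader(io.StringIO(raw), fieldnames=FIELDS))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return rows

def reduce_records(rows, since=None, exclude_accounts=BACKUP_ACCOUNTS):
    """Return a filtered, time-ordered copy; the input list is not modified."""
    kept = [r for r in rows
            if r["account"] not in exclude_accounts
            and (since is None or r["time"] >= since)]
    return sorted(kept, key=lambda r: r["time"])

def build_report(rows, reduced):
    """Summarize the reduced set: counts, failed logons per account, timeline."""
    failures = Counter(r["account"] for r in reduced
                       if r["event"] == "logon" and r["outcome"] == "failure")
    lines = [f"Records: {len(rows)} raw, {len(reduced)} after reduction",
             "Failed logons by account:"]
    lines += [f"  {acct}: {n}" for acct, n in failures.most_common()]
    lines.append("Timeline:")
    lines += [f"  {r['time'].isoformat(timespec='milliseconds')} {r['host']} "
              f"{r['account']} {r['event']} {r['outcome']}" for r in reduced]
    return "\n".join(lines)

if __name__ == "__main__":
    records = parse(RAW_LOG)
    print(build_report(records, reduce_records(records)))
```

With timestamps truncated to whole seconds, two of the `jdoe` failures would tie and their order could not be recovered, which is the granularity issue the discussion raises.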

What passing evidence looks like

One produced report from your logs (a filtered export, a saved search, a dashboard) showing you can reduce raw records into something reviewable on demand.

Common ways contractors fail AU.L2-3.3.6

  • Audit reduction sounds enterprise but a saved filtered search that produces the monthly review view IS the capability. Name it and show its output.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AU.L2-3.3.6, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AU.L2-3.3.6 questions, answered

How many points is CMMC requirement AU.L2-3.3.6 worth?

AU.L2-3.3.6 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AU.L2-3.3.6 be placed on a POA&M?

Yes. A gap on AU.L2-3.3.6 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does AU.L2-3.3.6 belong to?

AU.L2-3.3.6 is in the Audit & Accountability (AU) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.3.6