Authoritative Time Source
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
What an assessor scores, the objectives
AU.L2-3.3.7 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.internal system clocks are used to generate time stamps for audit records
- b.an authoritative source with which to compare and synchronize internal system clocks is specified
- c.internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For AU.L2-3.3.7, an assessor uses these:
Audit and accountability policy; procedures addressing time stamp generation; system design documentation; system security plan; system configuration settings and associ ated documentation; system audit logs and records; other relevant documents or records
Personnel with information security responsibilities; system or network administrators; system developers
Mechanisms implementing time stamp generation; mechanisms implementing internal information system clock synchronization
What it means, in context
Internal system clocks are used to generate time stamps, which include date and time. Time is e xpressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. This requirement provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.
Each system must synchronize its time with a central time server to ensure that all systems are recording audit logs using the same time source. Reviewing audit logs from multiple systems can be a difficult task if time is not synchronized. Systems can be synchronized to a network device or directory service or configured manually. Example You are setting up several new computers on your company’s network, which contains CUI. You update the time settings on each machine to use the same authoritative time server on the internet [b,c]. When you review audit logs, all your machines will have synchronized time, which aids in any potential security investigations. Potential Assessment Considerations • Can the records’ time stamps map to Coordinated Universal Time (UTC), compare system clocks with authoritative Network Time Protocol (NTP) servers, and synchronize system clocks when the time difference is greater than 1 second [c]? • Does the system synchronize internal system clocks on a defined frequency [c]?
What passing evidence looks like
The time source note: what your systems sync to, and a screenshot showing synchronization is on so log timestamps line up.
Common ways contractors fail AU.L2-3.3.7
- !Cloud services timestamp on Microsoft or Google infrastructure, that half is inherited and you can say so. Your LOCAL machines and firewall still need NTP stated and on.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove AU.L2-3.3.7, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AU.L2-3.3.7 questions, answered
How many points is CMMC requirement AU.L2-3.3.7 worth?+
AU.L2-3.3.7 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can AU.L2-3.3.7 be placed on a POA&M?+
Yes. A gap on AU.L2-3.3.7 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does AU.L2-3.3.7 belong to?+
AU.L2-3.3.7 is in the Audit & Accountability (AU) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.3.7