Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: AU

Level Introduced: 2

Review audit logs.

CMMC Clarification:
You should ensure that your organization reviews its audit logs. Logs should be checked regularly, organizations with small environments may be able to do this manually. The process of reviewing audit logs varies by organization. The intent of this practice is to become familiar with the logs being automatically created on the systems present in your organization and identify key events in the logs that might indicate malicious activity. Larger organizations may need automation to complete this task with success.

You are the administrator for a company with a small IT environment. You know the importance of reviewing audit logs. Every week you log on to the Windows server as an admin user, open the Event Viewer and check for signs that the log files have been altered: Windows event ID 104 – Event Log was Cleared, event ID 1102 – Audit Log was Cleared), event ID 4719 – System audit policy was changed. Look for login and new user created events: Windows event IDs 4624 (failure) and 4625 (success)) and event IDs 4728, 4732 and 4756 – User added to Privileged Group.

Reviewing audit logs is a common control in information security. Organizations have the flexibility to determine which logs and specific events to review. The level of audit log review should be determined based on a risk assessment or similar activity.

Source: CMMC v1.02



The organization:
    a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
    b. Reports findings to [Assignment: organization-defined personnel or roles].

Supplemental Guidance:
Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02