Level 5 CMMC - CMMC Practices

AU.3.045

Reference: CMMC 1.02

Family: AU

Level Introduced: 3

Practice:
Review and update logged events.

CMMC Clarification:
Organizations should periodically review the logged events that identify possible security incidents, and they should update the list of events that must be logged as necessary. Non-security events whose logging requirements should also be reviewed include 1) logging all installed software on endpoints to identify license irregularities and 2) logging connections to a VPN server or load balancer to manage capacity and quality of service.

Example
You are in charge of IT operations for your organization. You are responsible for identifying and documenting which events are relevant to the security of your organization's systems. Your organization has decided that this list of security-relevant events should be updated annually, or whenever new security threats or events are identified that require additional events to be logged and reviewed.

You perform your annual review of the events to log. The list includes events your organization has reviewed and determined to be important for security. It started as the list of recommended events published by the manufacturers of your operating systems and devices, but it has grown from experience operating the security of your environment and from additional best practices learned through security training and knowledge sharing with peers.

There is a security incident at your organization. Working with the security officer, a forensic review shows that the logs appear to have been deleted by a remote user, and you notice that remote sessions are not currently logged. You update the list of events to include all VPN sessions.

3.3.3

Review and update logged events.

Discussion:
The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.

Source: NIST Special Publication 800-171 Rev. 2

AU-2 (3)

AUDIT EVENTS | REVIEWS AND UPDATES

Description:
The organization reviews and updates the audited events [Assignment: organization-defined frequency].

Supplemental Guidance:
Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02