Back to Control Explorer



Control Acronym



Audit And Accountability

CMMC Level


800-171 Control #


CMMC Description

Review and update logged events.

CMMC Clarification

Organizations should periodically review logged events that identify possible security incidents, and the organization should update the list of events that need to be logged as necessary. Non-security events that should have logging requirements reviewed include 1) logging all installed software on endpoints to identify license irregularities or 2) logging connections to a VPN server or load balancer to manage capacity and quality of service. Example You are in charge of IT operations for your organization. You are responsible for identifying and documenting which events are relevant to the security of your organization’s systems. Your organization has decided that this list of security revelant events should be updated annually or when a new security threats or events have been identified requiring additional events to be logged and reviewed. You perform your annual review of events to log. The list includes events your organization reviewed and determined to be important for security. This list started as the list of recommended events given by the manufacturers of your operating systems / devices but has grown from experience operating the security of your environment and learned additional best practices from security training and knowledge sharing with peers. There is a security incident at your organization. Working with the security officer, a forensics review shows the logs appears to have been deleted by a remote user, and you notice that remote sessions are not currently logged. You update the list of events to include all VPN sessions.

800-171 Description

Review and update logged events.

800-171 Discussion

The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.

Other Source Discussion


CIS Control References

CIS Controls v7.1 6.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-2(3)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.3.3

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AU.3.045.[a] a process for determining when to review logged events is defined;

Assessment Sub-Criteria 2

AU.3.045.[b] event types being logged are reviewed in accordance with the defined review process; and

Assessment Sub-Criteria 3

AU.3.045.[c] event types being logged are updated based on the review.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15