AU.3.049

Control Acronym

AU

Family

Audit And Accountability

CMMC Level

3

800-171 Control #

3.3.8

CMMC Description

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

CMMC Clarification

Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events this information needs to be protected. This protection starts with ensuring proper configuration of logging to ensure proper space for the needed log retention. The logs must also be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools. Example You are in charge of IT operations in your organization. Your responsibilities include protecting audit information and audit logging tools. You protect the audit information by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators. Centralized audit information is protected from deletion or alteration and only approved individuals can view the information in the audit tool. The central audit information server is backed up daily with those backups being encrypted and sent offsite where they are physically secured by a third-party.

800-171 Description

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

800-171 Discussion

Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-6(7), AU-9

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.3.8

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

CERT RMM v1.2 MON:SG2.SP3

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AU.3.049.[a] audit information is protected from unauthorized access;

Assessment Sub-Criteria 2

AU.3.049.[b] audit information is protected from unauthorized modification;

Assessment Sub-Criteria 3

AU.3.049.[c] audit information is protected from unauthorized deletion;

Assessment Sub-Criteria 4

AU.3.049.[d] audit logging tools are protected from unauthorized access;

Assessment Sub-Criteria 5

AU.3.049.[e] audit logging tools are protected from unauthorized modification; and

Assessment Sub-Criteria 6

AU.3.049.[f] audit logging tools are protected from unauthorized deletion.

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15