Back to Control Explorer



Control Acronym



Audit And Accountability

CMMC Level


800-171 Control #


CMMC Description

Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.

CMMC Clarification

Speed of response can be critical in stopping a cyber attack and limiting exposure to the attack. The speed of response is improved when log source platforms automatically and immediately identify indicators for which immediate action is required and authorized to be taken automatically. Some logging platforms will not support automated analysis and action. In those cases, the immediate analysis occurs at the centralized log collection server (see practice AU.3.048). The analysis would look for specific log entry text or data element values in cases where there is certainty that an action should and can occur immediately, as defined by the organization. Actions may range from notifications to blocks. The actions must be automatic but need not be comprehensive in stopping the threat. Example Upon seeing a specific text string in a log on the corporate CUI database server indicating that a large query had been requested, an alert is generated to notify the security operations center (SOC) of the log event. The SOC processes the alert automatically and a full report is generated and a window pops up for the SOC member responsible for the CUI database as well as the overall SOC lead. In a more clear and critical case, where evidence of compromise is conclusive and decisive and response is already authorized by senior management, the action may be to cut off the server from some connected systems or to even shut down the server to prevent further exposure or data exfiltration. The clear evidence may have been provided by external shared indicators of a cyber incident at a peer organization for which early warning signs have been identified.

800-171 Description

800-171 Discussion


Other Source Discussion

Adversary activity typically leaves indications in audit logs. Patterns and signatures from previously seen adversary activity or malicious software are shared and can be used in automated analysis. Organizations can define thresholds for the level and definition of suspicious activity on which to take an action. The automated activity can be distributed or centralized.

CIS Control References

CIS Controls v7.1 6.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SI-4(2)

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15