CMMC AU.3.045 - Review Logged Events

Requirement text: AU.3.045: Review and update logged events.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Periodically re-evaluate which events are logged and which events should be added,
modified, or deleted. The event types that are logged by organizations may change over time.
Reviewing and updating the set of logged event types periodically is necessary to ensure that
the current set remains necessary and sufficient.

CMMC CLARIFICATION
Organizations should periodically review the logged events that identify possible security
incidents, and update the list of events that must be logged as necessary. Non-security
events whose logging requirements should also be reviewed include 1) logging all software
installed on endpoints to identify license irregularities, and 2) logging connections to a
VPN server or load balancer to manage capacity and quality of service.

Example
You are in charge of IT operations for your organization. You are responsible for identifying
and documenting which events are relevant to the security of your organization’s systems.
Your organization has decided that this list of security-relevant events should be updated
annually, or whenever new security threats or events are identified that require additional
events to be logged and reviewed.

You perform your annual review of the events to log. The list includes events your organization
has reviewed and determined to be important for security. This list started as the set of
recommended events published by the manufacturers of your operating systems and devices, but
it has grown through experience operating the security of your environment and through
additional best practices learned from security training and knowledge sharing with peers.

There is a security incident at your organization. Working with the security officer, a
forensics review shows that the logs appear to have been deleted by a remote user, and you
notice that remote sessions are not currently logged. You update the list of events to include
all VPN sessions.

References
• NIST SP 800-171 Rev 1 3.3.3
• CIS Controls v7.1 6.7
• CERT RMM v1.2 IMC:SG2.SP2
• NIST SP 800-53 Rev 4 AU-2(3)