CMMC AU.3.049 - Protect Audit Information and Tools

CMMC AU.3.049 - Protect Audit Information and Tools

Requirement text: AU.3.049: Protect audit information and audit logging tools from unauthorized
access, modification, and deletion.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Audit information includes all information (e.g., audit records, audit log settings, and audit
reports) needed to successfully audit system activity. Audit logging tools are those programs
and devices used to conduct audit and logging activities. This requirement focuses on the
technical protection of audit information and limits the ability to access and execute audit
logging tools to authorized individuals. Physical protection of audit information is addressed
by media protection and physical and environmental protection requirements.

CMMC CLARIFICATION
Audit information is a critical record of what events occurred, the source of the events, and
the outcomes of the events; this information needs to be protected. This protection starts
with ensuring proper configuration of logging to ensure proper space for the needed log
retention. The logs must also be properly secured so that the information may not be
modified or deleted, either intentionally or unintentionally. Only those with a legitimate
need-to-know should have access to audit information, whether that information is being
accessed directly from logs or from audit tools.

Example
You are in charge of IT operations in your organization. Your responsibilities include
protecting audit information and audit logging tools. You protect the audit information by
having audit log events forwarded to a central server and by restricting the local audit logs
to only be viewable by the system administrators. Centralized audit information is protected
from deletion or alteration and only approved individuals can view the information in the
audit tool. The central audit information server is backed up daily with those backups being
encrypted and sent offsite where they are physically secured by a third-party.

References
• NIST SP 800-171 Rev 1 3.3.8
• CERT RMM v1.2 MON:SG2.SP3
• NIST SP 800-53 Rev 4 AU-6(7), AU-9

    • Related Articles

    • Audit and Accountability: SP 800-171 Security Family 3.3

      An audit is an independent review and examination of records and activities to assess the adequacy of system requirements and ensure compliance with established policies and operational procedures. An audit trail is a record of individuals who have ...

    • CMMC AU.3.048 - Centralize Audit Information

      Requirement text: AU.3.048: Collect audit information (e.g., logs) into one or more central repositories. DISCUSSION FROM SOURCE: CMMC Aggregate and store audit logs in a central location. Central repositories enable analysis by storing audit record ...

    • CMMC SI.1.211 – Protect Information Systems from Malicious Code

      Requirement text: SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Designated locations include system entry and exit points which ...

    • CMMC AU.2.042 - Retain System Audit Logs

      Requirement text: AU.2.042: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. DISCUSSION FROM SOURCE: DRAFT NIST SP ...

    • CMMC AU.2.044 - Review Audit Logs

      Requirement text: AU.2.044: Review audit logs. DISCUSSION FROM SOURCE: CMMC Reviewing audit logs is a common control in information security. Organizations have the flexibility to determine which logs and specific events to review. The level of audit ...