CMMC AU.5.055 - Assure Appropriate Logging

Requirement text: AU.5.055: Identify assets not reporting audit logs and assure appropriate
organizationally defined systems are logging.

DISCUSSION FROM SOURCE: CMMC
Practice AU.2.042 required the creation and retention of audit logs. Audit logs are essential
to cybersecurity awareness and incident response. This practice requires organizations to
proactively determine if any assets that should be creating audit logs are not generating the
required logs.

CMMC CLARIFICATION
Robust audit logging is critical in defending against cyber attacks and preventing future
attacks since logs are a common starting point for incident response and a core element in
post-attack cyber forensics. A cyber attacker may try to disrupt logging at the start of an
attack, making the absence of audit logging an initial indicator of a potential attack. Even if
the audit logging failure occurred from benign causes, restoring the logging is needed to
maintain a secure posture.

Identifying assets that are reporting logs and comparing against the inventory of assets
expected to provide audit logs provides the set of assets for which audit remediation is
needed. It is important that the logging requirements for each asset, which may include
many logs to be collected, are documented and compared to the set of received logs. Any
discrepancies will start an investigation and remediation process.

Example
You are working your shift in the security operations center (SOC) when one of your hourly
scanning scripts indicates that a data server is not providing logs to the central log
collection server. The data server is on the list of assets for which a log is required. You
send a notification to the administrator for the server to investigate and turn logging on,
and copy the company threat hunting team as well.
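The comparison described in the clarification and the SOC example above, as an added illustration that is not part of the CMMC text: a constructed asset inventory (which log sources each asset must deliver and how long a gap is tolerated) is checked against a constructed sample of what the central collector received, and every missing or stale log, plus any asset logging without being in the inventory, is reported for remediation. Asset names, sources and timestamps are made up for the example.

```python
from datetime import datetime, timedelta
# Constructed inventory: every asset that must report, the log sources it
# must deliver, and the longest acceptable gap before it counts as silent.
EXPECTED = {
    "dataserver01": {"sources": {"syslog", "auditd"}, "max_gap": timedelta(hours=1)},
    "webfront02": {"sources": {"syslog", "nginx-access"}, "max_gap": timedelta(hours=1)},
    "dc01": {"sources": {"windows-security"}, "max_gap": timedelta(minutes=30)},
}
# Constructed sample of what the central collector has received:
# (asset, source, timestamp of the record).
RECEIVED = [
    ("dataserver01", "syslog", datetime(2024, 3, 1, 11, 55)),
    ("dataserver01", "auditd", datetime(2024, 3, 1, 8, 10)),  # stale
    ("webfront02", "syslog", datetime(2024, 3, 1, 11, 58)),
    ("webfront02", "nginx-access", datetime(2024, 3, 1, 11, 59)),
    ("laptop-unknown", "syslog", datetime(2024, 3, 1, 11, 50)),  # not in inventory
]
NOW = datetime(2024, 3, 1, 12, 0)  # the moment the hourly check runs

def latest_by_source(received):
    """Newest timestamp seen per (asset, source)."""
    latest = {}
    for asset, source, ts in received:
        key = (asset, source)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest

def find_gaps(expected, received, now):
    """Return (asset, source, last_seen) for every required log that is missing
    or stale; last_seen is None if the collector never saw that source."""
    latest = latest_by_source(received)
    gaps = []
    for asset, spec in sorted(expected.items()):
        for source in sorted(spec["sources"]):
            last_seen = latest.get((asset, source))
            if last_seen is None or now - last_seen > spec["max_gap"]:
                gaps.append((asset, source, last_seen))
    return gaps

def unexpected_reporters(expected, received):
    """Assets that send logs but are absent from the inventory (an inventory gap)."""
    return sorted({asset for asset, _, _ in received if asset not in expected})

if __name__ == "__main__":
    for asset, source, last_seen in find_gaps(EXPECTED, RECEIVED, NOW):
        print(f"NOTIFY admin: {asset}/{source} silent, last seen {last_seen}")
    for asset in unexpected_reporters(EXPECTED, RECEIVED):
        print(f"INVENTORY: {asset} reports logs but is not in the expected list")
```

A real check would read the inventory from the asset register and the received set from the collector's index; the per-source tolerance is what makes a partial failure (one log stream stopping while others continue) visible.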

References
• CMMC
• CIS Controls v7.1 6.2
• NIST SP 800-53 Rev 4 AU-12