NIST 800-171 Audit Logging Compliance Guide
All 9 Audit & Accountability controls (3.3.1 through 3.3.9) with implementation guidance, common assessment gaps, and evidence checklists for CMMC Level 2.
Key Takeaways
- All nine 3.3 (Audit and Accountability) controls must be assessed MET for a final CMMC Level 2 certification; each requirement is scored MET or NOT MET, so there is no partial credit for audit logging.
- Policy + technical + review evidence — assessors want all three for every control, not just the SIEM output.
- Common retention convention (not a NIST mandate): 90 days of online logs plus 1 year archived. Document the decision and its rationale in your SSP.
- The 3 most-missed gaps: no log review process (3.3.3 and 3.3.5), editable logs (3.3.8 and 3.3.9), clock drift (3.3.7).
The 9 Audit & Accountability controls
Each control links to a dedicated implementation page with assessment objectives, common gaps, and evidence examples. All nine must be assessed MET for a final CMMC Level 2 certification; a conditional certification may carry a POA&M only for certain lower-weighted requirements, and those items must be closed out within 180 days.
- 3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- 3.3.2: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
- 3.3.3: Review and update logged events.
- 3.3.4: Alert in the event of an audit logging process failure.
- 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
- 3.3.6: Provide audit record reduction and report generation to support on-demand analysis and reporting.
- 3.3.7: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- 3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- 3.3.9: Limit management of audit logging functionality to a subset of privileged users.
Why audit logging gaps kill CMMC assessments
Audit & Accountability is among the most frequently failed control families in CMMC Level 2 assessments. Contractors routinely deploy a SIEM, assume the tool satisfies the controls, and then fail on the policy documentation, the review cadence, or the access controls around the logging infrastructure itself.
The three traps that block certification
Trap 1: "Logs exist, so we're covered"
3.3.3 (Review and update logged events) requires a documented process for deciding when the set of logged event types is reviewed, evidence that those reviews happen, and evidence that the logged events are updated as a result; 3.3.5 requires that the audit records themselves are reviewed, analyzed, and reported on. Both fail when nobody actually looks at the logs. Having logs is necessary but not sufficient: you need a documented review cadence, named reviewers, and dated records showing the reviews took place.
Trap 2: "Admins can access everything"
3.3.8 (Protect audit information) and 3.3.9 (Limit audit management) both fail if the accounts that administer the systems generating audit events can also modify or delete the stored records. Forward logs to a repository those administrators cannot write to, store them on write-once or append-only media (or under a retention lock), and restrict audit-management functions to a small, named set of privileged users whose own actions are logged somewhere they cannot reach.
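One technical control that supports both 3.3.8 and the "sample log exports" evidence item is a tamper-evident export: each record commits to the hash of the record before it, and the latest hash (the "head") is recorded somewhere the log administrators cannot write, for example mailed daily to the reviewer. The block below is an added example written for this guide, not code from the original page or from any vendor tool; the record layout, the field names, the `GENESIS` convention, and the sample events are all constructed for illustration. It shows that an edited record and a deleted record are detected by the chain alone, while a truncated tail is detected only when the head hash has been anchored outside the repository, which is exactly why separation of duties (3.3.9) still matters.

```python
"""Tamper-evident audit log export: SHA-256 hash chain plus an externally
anchored head hash.  Added example for 3.3.8/3.3.9; not from the original
page or any vendor tool.  Record layout and field names are assumptions."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev-hash of the first record (assumed convention)


def _digest(prev_hash: str, seq: int, event: Dict) -> str:
    """Hash of the previous link, the sequence number and the canonical event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode()).hexdigest()


def append_record(chain: List[Dict], event: Dict) -> Dict:
    """Append one audit event; its hash commits to every earlier record."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": seq, "prev": prev, "event": event,
              "hash": _digest(prev, seq, event)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], expected_head: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the export is intact.

    expected_head is the last hash as recorded outside the repository (for
    example, mailed daily to a reviewer the log admins cannot impersonate).
    Without it, silently truncating the tail of the log is undetectable.
    """
    findings = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            findings.append(f"record {i}: sequence gap (seq={rec['seq']})")
        if rec["prev"] != prev:
            findings.append(f"record {i}: prev link broken")
        if rec["hash"] != _digest(rec["prev"], rec["seq"], rec["event"]):
            findings.append(f"record {i}: content hash mismatch")
        prev = rec["hash"]  # continue from the stored hash so each break is reported once
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from anchored value (truncated or rewritten)")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample events (not real logs) exercising three tamper cases."""
    events = [
        {"ts": "2024-03-01T08:00:00Z", "user": "jdoe", "action": "logon", "result": "success"},
        {"ts": "2024-03-01T08:02:13Z", "user": "jdoe", "action": "read", "object": "cui/contract.pdf"},
        {"ts": "2024-03-01T08:05:40Z", "user": "admin", "action": "audit-policy-change"},
        {"ts": "2024-03-01T08:06:02Z", "user": "admin", "action": "logoff"},
    ]
    chain: List[Dict] = []
    for ev in events:
        append_record(chain, ev)
    head = chain[-1]["hash"]  # this value is what you anchor off-box

    edited = json.loads(json.dumps(chain))   # deep copy, then shift blame
    edited[2]["event"]["user"] = "jdoe"

    deleted = chain[:2] + chain[3:]          # drop the policy-change record
    truncated = chain[:-1]                   # chop the tail

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result or 'OK'}")
```

The chain only makes tampering evident; it does not prevent it, and an administrator who can rewrite every record and the anchored head can still forge a consistent history. That is why the head hash belongs with a party the log administrators cannot impersonate, and why the SIEM's own access control matrix is on the evidence list.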
Trap 3: "Timestamps are close enough"
3.3.7 (Time synchronization) fails when covered systems drift from an authoritative time source, because correlating events across systems depends on comparable timestamps. The usual implementation is NTP (or the platform's time service) chained to an authoritative source such as NIST's public time servers or a GPS-disciplined stratum 1 server; the control requires the source to be authoritative, not that it be operated by the US Government. Document the source, the chain of internal time servers, and how you monitor offset in your SSP.
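Offset monitoring is the evidence assessors want for 3.3.7, and it is cheap to produce. The block below is an added example written for this guide, not code from the original page; it implements a minimal SNTP client (RFC 4330 packet layout and the standard offset and delay formulas) and evaluates the result against a threshold. The 1-second threshold, the `query` helper's server argument, and the server reply built by `build_sample_reply` are assumptions and constructed data, not captured traffic. It also shows the checks a drift probe needs beyond the offset itself: that the reply really is a server reply, that the server is synchronized (stratum and leap indicator), and that the origin timestamp echoes the request.

```python
"""SNTP offset probe for 3.3.7 evidence.  Added example, not from the
original page; the 1-second threshold is an assumed policy value and the
reply produced by build_sample_reply() is constructed, not captured."""
import socket
import struct
import time
from typing import Dict, Tuple

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
MAX_OFFSET_SECONDS = 1.0       # assumed SSP threshold
_FMT = "!BBbb11I"              # 48-byte NTP header: flags, stratum, poll, precision, 11 x uint32


def to_ntp(unix_ts: float) -> Tuple[int, int]:
    """Unix float seconds -> NTP 32.32 fixed point (seconds, fraction)."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_DELTA, int((unix_ts - whole) * (1 << 32))


def from_ntp(secs: int, frac: int) -> float:
    """NTP 32.32 fixed point -> Unix float seconds."""
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3; our transmit timestamp goes last."""
    s, f = to_ntp(t1)
    return struct.pack(_FMT, 0x23, 0, 0, 0, *([0] * 9), s, f)


def parse_reply(pkt: bytes) -> Dict:
    """Decode the fields the check needs from a 48-byte server reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(_FMT, pkt[:48])
    return {
        "leap": f[0] >> 6,             # 3 = clock not synchronized
        "version": (f[0] >> 3) & 7,
        "mode": f[0] & 7,              # 4 = server
        "stratum": f[1],               # 0 = kiss-o'-death, 16 = unsynchronized
        "t1": from_ntp(f[9], f[10]),   # originate: echo of our transmit time
        "t2": from_ntp(f[11], f[12]),  # server receive
        "t3": from_ntp(f[13], f[14]),  # server transmit
    }


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Clock offset (positive = local clock behind) and round-trip delay."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate(reply: Dict, t4: float, max_offset: float = MAX_OFFSET_SECONDS) -> Dict:
    """Turn one reply into an offset measurement plus a list of findings."""
    offset, delay = offset_and_delay(reply["t1"], reply["t2"], reply["t3"], t4)
    findings = []
    if reply["mode"] != 4:
        findings.append("reply is not from a server (mode != 4)")
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        findings.append(f"server not synchronized (stratum {reply['stratum']})")
    if reply["leap"] == 3:
        findings.append("server reports unsynchronized clock (LI=3)")
    if abs(offset) > max_offset:
        findings.append(f"offset {offset:+.3f}s exceeds {max_offset}s threshold")
    return {"offset": offset, "delay": delay, "stratum": reply["stratum"], "findings": findings}


def query(server: str, max_offset: float = MAX_OFFSET_SECONDS, timeout: float = 2.0) -> Dict:
    """Live probe (needs network): compare the local clock with `server`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        pkt, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_reply(pkt)
    if abs(reply["t1"] - t1) > 1e-6:        # reject replies to someone else's request
        raise ValueError("origin timestamp does not match our request")
    return evaluate(reply, t4, max_offset)


def build_sample_reply(t1: float, t2: float, t3: float, stratum: int = 2, leap: int = 0) -> bytes:
    """Constructed server reply (not a capture) for offline demonstration."""
    head = (leap << 6) | (4 << 3) | 4        # LI, VN=4, Mode=4 (server)
    return struct.pack(_FMT, head, stratum, 0, -20, 0, 0, 0, 0, 0,
                       *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def demo() -> Dict[str, Dict]:
    """Local clock 0.5 s behind a stratum-2 server, 20 ms round trip; then an unsynchronized server."""
    t1 = 1_700_000_000.000
    t2, t3, t4 = t1 + 0.510, t1 + 0.511, t1 + 0.021
    good = parse_reply(build_sample_reply(t1, t2, t3))
    bad = parse_reply(build_sample_reply(t1, t2, t3, stratum=16, leap=3))
    return {
        "ok": evaluate(good, t4),                    # within the 1 s threshold
        "drift": evaluate(good, t4, max_offset=0.1),  # same data, tighter policy
        "unsynced": evaluate(bad, t4),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} offset={result['offset']:+.3f}s delay={result['delay']:.3f}s {result['findings'] or 'OK'}")
```

Run `query("time.nist.gov")` or, better, against each of your internal stratum servers from a scheduled job, and keep the dated output with the rest of the review records; a single measurement proves nothing about drift over time, which is what the assessor is asking about.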
Evidence assessors will request
- Written policy covering audit event definition, retention, review cadence, and access controls.
- System configuration documentation showing what events are captured on each covered system.
- Sample log exports demonstrating the events are actually captured (not just configured to capture).
- Review records, dated and signed, with findings. Monthly cadence is common and weekly is defensible; whatever cadence your policy commits to is the one the assessor will test against.
- Access control matrix for the SIEM / log repository itself.
- Time sync attestation — NTP server chain + offset monitoring.
How ready are you for CMMC?
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readiness, or try our free CMMC Cost Estimator.
Frequently asked questions
Which NIST 800-171 controls cover audit logging?
Nine controls in NIST 800-171 directly cover audit logging: 3.3.1 (create and retain logs), 3.3.2 (trace user actions), 3.3.3 (review and update events), 3.3.4 (alert on audit failures), 3.3.5 (correlate processes), 3.3.6 (reduce and report), 3.3.7 (synchronize time), 3.3.8 (protect audit info), and 3.3.9 (limit management of logs). All nine are required for CMMC Level 2 certification.
How long must defense contractors retain audit logs?
NIST 800-171 does not mandate a specific retention period, but assessors and DoD contracts commonly expect 90 days of online logs plus 1 year of archived logs. Some contracts and agency programs impose longer periods; check the contract and any program-specific guidance before settling on a number. Your SSP should document the retention decision and its rationale.
What are the most common audit logging gaps found in CMMC assessments?
The top three gaps: (1) logs exist but nobody reviews the logged event set or the records themselves, so 3.3.3 and 3.3.5 fail; (2) logs are stored where the same administrators who generate them can edit or delete them, so 3.3.8 and 3.3.9 fail; (3) system clocks drift and cross-system event correlation breaks, so 3.3.7 fails. Each of these produces a NOT MET finding that blocks final certification until it is remediated.
Can SIEM tools alone satisfy NIST 800-171 audit logging requirements?
No. A SIEM provides log aggregation and alerting, which helps with 3.3.1, 3.3.4, 3.3.5, and 3.3.6, but the tool alone does not satisfy the policy requirements (documented procedures), 3.3.7 time synchronization (NTP is separate infrastructure), or the 3.3.8 and 3.3.9 access controls on the SIEM itself. Plan for policy documentation, technical controls, and review evidence together.
Do FedRAMP-authorized cloud providers handle audit logging for me?
Partially. FedRAMP-authorized providers deliver logging infrastructure (AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs) and their authorization covers the provider-side controls. The contractor remains responsible for enabling and configuring those services, setting and documenting retention, reviewing the logs, and integrating them with on-premises systems. This is a shared responsibility: the provider's FedRAMP package covers its side, and the contractor's SSP must show the customer-side pieces.
Track NIST 800-171 audit logging regulatory updates with AI-powered intelligence
Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. 14-day free trial.