CMMC Requirement AU.L2-3.3.8 – Audit Protection: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This NIST Special Publication provides practical guidance on developing and maintaining effective log management practices. This policy from SANS helps identify requirements that must be met by a system to generate logs. This SANS whitepaper offers common elements to success for log management, in order to prepare for regulatory compliance audits. Learn how to conduct security log management that provides visibility into IT infrastructure activities and traffic, improves troubleshooting and prevents service disruptions. Audit logs are your evidence, your insurance policy, and your best friend during a CMMC assessment—but only if they’re secure. This video shows you exactly how to protect them and comply with CMMC Control AU.L2-3.3.8.
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
Further Discussion
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. The logs must be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools.