CMMC Practice AU.L2-3.3.3 – Event Review: Review and update logged events.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This article lists Security Information and Event Management (SIEM) tools that provide log analysis and correlation of events. Caveat: open source tools may be sufficient for some small companies, but they do not provide support and may offer only a limited feature set. Most of these open source solutions offer a paid option as well; if you try one and like it, upgrading to the paid option to gain support and features is easy.
This link provides a list of no or low cost log management tools.
This NIST Special Publication provides practical guidance on developing and maintaining effective log management practices.
This policy provides an example of events surrounding confidential or restricted information that are typically logged. While this example is for health information, the log requirements would apply to other restricted information as well. The policy includes a description of log reviews.
This guideline describes the risk of inadequate logging, defines events to be logged, and establishes a case for using an automated tool for log review.
Discussion [NIST SP 800-171 R2]
The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.
Further Discussion
This practice is focused on the configuration of the auditing system, not the review of the audit records produced by the selected events. The review of the audit logs is covered under AU.L2-3.3.5 and AU.L2-3.3.6.
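As an added illustration of the configuration review described above (not part of the CMMC or NIST text), the script below compares the event types currently enabled in an auditing system against the organization's required list and reports what is still needed, what is missing, and what could be dropped. It assumes a Linux auditd rules file as the auditing configuration, with the -k key naming the event type; both the rules and the required-events policy are constructed samples.

```python
"""Periodic review of which audit event types are configured (AU.L2-3.3.3).

Added example, not from the CMMC or NIST text. Assumes the auditing system
is Linux auditd and that each rule's -k key names the event type; the rules
file and the policy list below are constructed samples.
"""
import shlex
from datetime import date

# Constructed sample of an auditd rules file.
AUDIT_RULES = """
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S setuid -k privilege
-w /var/log/debug.log -p r -k legacy_debug
"""

# Constructed policy: event keys the organization currently requires.
REQUIRED_EVENTS = {"identity", "exec", "privilege", "login"}


def configured_event_keys(rules_text):
    """Return the set of -k keys present in auditd rules text."""
    keys = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-k":
                keys.add(tokens[i + 1])
    return keys


def review_logged_events(rules_text, required):
    """Compare configured event keys with policy; return the review record."""
    configured = configured_event_keys(rules_text)
    return {
        "reviewed_on": date.today().isoformat(),
        "retained": sorted(configured & required),            # still necessary
        "missing": sorted(required - configured),             # required but not logged
        "candidates_to_drop": sorted(configured - required),  # no longer required
    }


if __name__ == "__main__":
    for field, value in review_logged_events(AUDIT_RULES, REQUIRED_EVENTS).items():
        print(f"{field}: {value}")
```

The "missing" list is the gap to close before the next assessment, while "candidates_to_drop" is the input to the update step: each entry is either retired or re-justified and added to the policy.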