AU.L2-3.3.4 Audit Failure Alerting

CMMC Practice AU.L2-3.3.4 – Audit Failure Alerting: Alert in the event of an audit logging process failure.

Audit logging keeps track of activities occurring on the network, servers, user workstations, and other components of the overall system. These logs must always be available and functional. The organization’s designated security personnel (e.g., system administrator and security officer) need to be aware when the audit log process fails or becomes unavailable. Automated notifications need to be sent to the organization’s designated security personnel so they can immediately take appropriate action. If security personnel are unaware of the audit logging process failure, then they will be unaware of any suspicious activity occurring at that time. Your response to an audit logging process failure should account for the extent of the failure (e.g., a single component’s audit logging versus failure of the centralized logging solution), the risks involved in this loss of audit logging, and other factors (e.g., the possibility that an adversary could have caused the audit logging process failure).
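
One way to detect an audit logging failure and report its extent, as an added example that is not part of the CMMC text: a check run at the central collector flags sources whose audit stream has gone silent and separates a single-component failure from a likely failure of centralized logging. The host names, silence thresholds and the 0.8 ratio are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: time of the last audit event the collector received per source.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "dc01": NOW - timedelta(minutes=2),
    "web01": NOW - timedelta(minutes=47),  # silent well past its threshold
    "ws-114": NOW - timedelta(minutes=4),
}
# Assumed thresholds: how long each source may stay silent before it counts as failed.
MAX_SILENCE = {
    "dc01": timedelta(minutes=10),
    "web01": timedelta(minutes=15),
    "ws-114": timedelta(minutes=60),
}


def audit_failure_alerts(last_seen, max_silence, now, central_ratio=0.8):
    """Return alerts for expected sources whose audit stream has gone silent.

    Each alert carries 'gaps': source -> last event time (None if the source
    never reported), which marks the start of the window with no audit coverage.
    When at least central_ratio of the expected sources are silent at once, a
    single 'central' alert is raised, because the collector or its transport is
    the more likely point of failure than every component at the same time.
    """
    gaps = {}
    for source, limit in max_silence.items():
        seen = last_seen.get(source)
        if seen is None or now - seen > limit:
            gaps[source] = seen
    if not gaps:
        return []
    if len(gaps) / len(max_silence) >= central_ratio:
        return [{"scope": "central", "severity": "critical", "gaps": gaps}]
    return [
        {"scope": "component", "severity": "high", "gaps": {source: gaps[source]}}
        for source in sorted(gaps)
    ]


if __name__ == "__main__":
    for alert in audit_failure_alerts(LAST_SEEN, MAX_SILENCE, NOW):
        print(alert)  # hand off to the notification channel used by security personnel
```

Run the check from a host other than the collector itself, so that a collector outage cannot also silence the alert.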