CMMC Practice AU.L2-3.3.8 – Audit Protection: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This NIST Special Publication provides practical guidance on developing and maintaining effective log management practices. This link from Norfolk State University serves as is an example of a log review, analysis, and reporting policy. This policy from SANS helps identify requirements that must be met by a system to generate logs. This SANS whitepaper offers common elements to success for log management, in order to prepare for regulatory compliance audits. Learn how to conduct security log management that provides visibility into IT infrastructure activities and traffic, improves troubleshooting and prevents service disruptions.
Discussion [NIST SP 800-171 R2]
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
Further Discussion
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. The logs must be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being accessed directly from logs or from audit tools.