CMMC Practice AU.5.055: Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Robust audit logging is critical in defending against cyber attacks and preventing future ones, since logs are a common starting point for incident response and a core element of post-attack cyber forensics. A cyber attacker may try to disrupt logging at the start of an attack, so the absence of audit logging can itself be an initial indicator of a potential attack. Even if the audit logging failure resulted from benign causes, restoring the logging is needed to maintain a secure posture.
Identifying the assets that are reporting logs and comparing them against the inventory of assets expected to provide audit logs yields the set of assets for which audit remediation is needed. It is important that the logging requirements for each asset, which may include many logs to be collected, are documented and compared to the set of logs actually received. Any discrepancy starts an investigation and remediation process.
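As an added illustration (not part of the CMMC text), the following Python script performs the comparison described above: a documented inventory of assets and their required log sources is checked against the logs actually received, reporting sources that are missing, sources that have gone silent longer than an assumed threshold, and reporters that are not in the inventory. The inventory, received-log records and threshold values are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed inventory: each asset and the log sources it is required to report.
INVENTORY = {
    "fileserver01": {"security", "system"},
    "webproxy02": {"access"},
    "dc01": {"security", "dns"},
}

# Constructed receipt records from a log collector: (asset, log_source, event time in UTC).
RECEIVED = [
    ("fileserver01", "security", "2024-05-01T11:55:00+00:00"),
    ("fileserver01", "system", "2024-05-01T06:00:00+00:00"),
    ("webproxy02", "access", "2024-05-01T11:58:00+00:00"),
    ("labbox07", "syslog", "2024-05-01T11:50:00+00:00"),
]


def find_logging_gaps(inventory, received, now_iso, max_silence_minutes):
    """Compare required log sources against received logs.

    Returns a dict with three lists of (asset, source) pairs:
    missing    - required sources with no received log at all
    stale      - required sources whose latest event is older than the threshold
    unexpected - reporters (asset, source) that are not in the inventory
    """
    now = datetime.fromisoformat(now_iso)
    max_silence = timedelta(minutes=max_silence_minutes)

    # Keep only the most recent event time per (asset, source).
    latest = {}
    for asset, source, ts in received:
        event_time = datetime.fromisoformat(ts)
        key = (asset, source)
        if key not in latest or event_time > latest[key]:
            latest[key] = event_time

    missing, stale, unexpected = [], [], []
    for asset, sources in inventory.items():
        for source in sorted(sources):
            event_time = latest.get((asset, source))
            if event_time is None:
                missing.append((asset, source))
            elif now - event_time > max_silence:
                stale.append((asset, source))
    for asset, source in latest:
        if asset not in inventory or source not in inventory[asset]:
            unexpected.append((asset, source))
    return {"missing": missing, "stale": stale, "unexpected": unexpected}


if __name__ == "__main__":
    for kind, items in find_logging_gaps(INVENTORY, RECEIVED, "2024-05-01T12:00:00+00:00", 60).items():
        print(kind, items)
```

Each entry in `missing` or `stale` is a candidate for the investigation and remediation process; entries in `unexpected` point to inventory records that need updating.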