NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.1 — Event Logging
Specify the following event types selected for logging within the system: {{ insert: param, A.03.03.01.ODP.01 }}. Review and update the event types selected for logging {{ insert: param, A.03.03.01.ODP.02 }}.
CMMC Practice Mapping
Assessment Objectives
- the following event types are specified for logging within the system: {{ insert: param, A.03.03.01.ODP.01 }}.
- the event types selected for logging are reviewed {{ insert: param, A.03.03.01.ODP.02 }}.
- the event types selected for logging are updated {{ insert: param, A.03.03.01.ODP.02 }}.
Practitioner Notes
You need to decide what events are important enough to log and then actually turn on logging for those events. At a minimum, you should be logging logins, failed logins, privilege escalation, file access to CUI, and changes to security settings.
Example 1: Configure Windows audit policies via GPO at Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration. Enable: Logon/Logoff → Audit Logon (Success/Failure), Account Management → Audit User Account Management (Success/Failure), Object Access → Audit File System (Success/Failure), and Policy Change → Audit Policy Change (Success). Document this list of auditable events in your SSP.
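To confirm that the GPO in Example 1 actually took effect on an endpoint, you can compare the effective audit policy against the documented list. The script below is an added example, not part of the original control text; the function name `Test-AuditBaseline` is hypothetical, the sample rows are constructed, and it assumes English-language `auditpol` subcategory names and an elevated prompt when run against a live host.

```powershell
# Required subcategories from Example 1. auditpol reports them without the
# "Audit " prefix shown in the GPO editor (assumes an English-language OS).
$Required = [ordered]@{
    'Logon'                   = 'Success and Failure'
    'User Account Management' = 'Success and Failure'
    'File System'             = 'Success and Failure'
    'Audit Policy Change'     = 'Success'
}

function Test-AuditBaseline {
    param(
        # Defaults to the live effective policy in CSV form (requires elevation).
        [string[]]$CsvLines = (auditpol.exe /get /category:* /r)
    )
    # Index effective settings by subcategory name, skipping blank lines.
    $effective = @{}
    $CsvLines | Where-Object { $_ -match ',' } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in $Required.Keys) {
        $want = $Required[$name]
        $have = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
        # "Success and Failure" also satisfies a requirement for "Success" alone.
        $ok = ($have -eq $want) -or ($have -eq 'Success and Failure')
        [pscustomobject]@{
            Subcategory = $name; Required = $want; Effective = $have; Compliant = $ok
        }
    }
}

# Constructed sample (not from a real host): File System is missing failure auditing.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{constructed},Success and Failure,
WS01,System,User Account Management,{constructed},Success and Failure,
WS01,System,File System,{constructed},Success,
WS01,System,Audit Policy Change,{constructed},Success and Failure,
'@ -split '\r?\n'

# Expect File System to be flagged non-compliant; the other three pass.
Test-AuditBaseline -CsvLines $sample | Format-Table -AutoSize
```

Calling `Test-AuditBaseline` with no arguments checks the local machine; keeping the output alongside the SSP gives evidence that the documented event types are the ones actually being logged.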
Example 2: In Microsoft 365, go to Compliance Center → Audit → Audit Retention Policies and ensure Unified Audit Log is enabled. Then go to Purview → Audit → Search and verify you can see events like file access, sharing changes, and admin actions. Create a custom audit retention policy that keeps logs for at least one year (the default is 90 days on E3, one year on E5).