Josh Ablett

Audit and Accountability (AU) Guide for CMMC Level 2 Compliance

January 17, 2024

Welcome to our Audit and Accountability (AU) Guide for CMMC Level 2 Compliance. This guide is tailored to support small and medium-sized enterprises (SMEs) in navigating the complexities of CMMC Level 2 audits.

In this Audit and Accountability (AU) Guide, we provide actionable insights on each control, along with practical advice and evidence requirements to streamline your compliance process. From mastering audit logging compliance to ensuring user accountability in information systems, we help you address every aspect of the audit and accountability requirements with confidence.

For personalized support and expert advice, reach out and schedule a consultation. We're here to support your path to CMMC Level 2.0 compliance.


AU.L2-3.3.1 – SYSTEM AUDITING

“Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.”

Level Of Effort: High

Businesses must create and maintain system audit logs. These logs record unauthorized or suspicious activity on your systems. They've got to be detailed enough to meet security standards, retained for specific periods of time, and easy to review when needed.

Many businesses choose to have an outside company manage these logs in order to meet all of the Audit and Accountability requirements. You might think about using SIEM (Security Information and Event Management) tools alone, but they can get overwhelming. They create a lot of alerts and need someone who knows what they're doing to handle them. This can be a big task for most small and mid-sized businesses.

We recommend hiring a Managed Security Service Provider (MSSP) or a Security Operations Center (SOC) vendor. The cost is usually about $15-30 for each computer per month. They generally have a minimum number of seats they will consider.

To find a good one, you could talk to your I.T. team or a cybersecurity expert. They often have good options to suggest. 

If you like to do your research, check out this list of MSSP/SOC vendors: Gartner's Managed Security Services list.

By choosing the right help, you ensure your business is keeping an eye on security correctly.

MSSP/SOC Selection Checklist

When you're picking an MSSP or a SOC for your business, here's a checklist to help you make sure you're getting everything you need:

  • Monitor Microsoft 365: Check if they can monitor Microsoft 365. If you use Microsoft 365 GCC High, ask if they can monitor that specifically.
  • Provide and monitor EDR tools: See if they can offer and watch over Endpoint Detection and Response (EDR) tools like SentinelOne or CrowdStrike. This usually costs around $10-20 per computer each month.
  • Monitor network traffic: Make sure they can check your network traffic for malicious or suspect behavior. 
  • Server log monitoring: Ask if they can monitor logs from your servers, including Active Directory if you're using it.
  • Wi-Fi log monitoring: They should be able to monitor your Wi-Fi logs. This is part of complying with AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION.
  • Remote access log monitoring: See if they can monitor logs from your remote access systems, like a virtual private network (VPN) or secure access service edge (SASE). This helps with AC.L2-3.1.12 – CONTROL REMOTE ACCESS.
  • Log retention: Find out if they can keep logs for up to a year. While CMMC doesn’t say you must keep logs this long, it's good to have the option.
  • US-based staff: Check if they have staff in the US to review and respond to alerts.
  • 24/7 monitoring: Ensure they monitor your environment all the time – 24 hours a day, every day of the year.
  • Audit failure alerts: They should alert you if they stop getting logs. This meets AU.L2-3.3.4 – AUDIT FAILURE ALERTING.
  • Clear onboarding process: The provider should have a clear plan for getting you started. This should include who on your team gets alerts and how they'll handle them. This complies with AU.L2-3.3.3 – EVENT REVIEW.

AU.L2-3.3.2 – USER ACCOUNTABILITY

“Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.”

Level Of Effort: Medium

Making sure you can track what each person does on your systems is key. This lets you hold everyone accountable for their actions, especially if there's any unauthorized or strange behavior.

Recommendations:

  • Assign unique usernames: Each person should have a distinct username for computers and any software or programs.
  • Discourage sharing credentials: Avoid sharing usernames and passwords. If it's necessary (like for I.T. admins or certain system management tasks), make sure:
    • You use a secure password manager for storing and sharing credentials.
    • You have ways to verify WHO is using the shared credentials. This might include tracking logins by location, computer ID, or other identifiers. CCTV covering the shared workstation can also help.
  • Enable audit logging: Turn on audit logging in all systems. This will record actions like logins, accessing resources, and making configuration changes.

Evidence:

  • Verification of unique usernames: Use a vulnerability scanner to ensure everyone has unique usernames. Check user lists from systems like Microsoft 365 or user email/software programs.
  • Logs for shared credentials: Maintain logs to identify who's using shared logins. This could show information like login locations and computer IDs.
  • User action audit logs: Keep records like screenshots or outputs of audit logs. These should show user actions such as login and logout events, resource access, and changes they've made.
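As an added example (not part of the original guide), here is how the shared-credential attribution described above can be done from login records. It assumes a register mapping each computer ID to the person it is issued to; the register, the shared-account list and the login events are all constructed.

```python
"""Attribute logins under a shared account to an individual (AU.L2-3.3.2).
Added example, not from the original guide; it assumes a register of
computer ID -> assigned owner, and all data below is constructed."""

# Constructed register: computer ID -> the person the device is issued to.
DEVICE_OWNER = {
    "LT-0412": "alice",
    "LT-0417": "bob",
    "WS-0201": "carol",
}

# Accounts the password-manager inventory marks as shared, so they need attribution.
SHARED_ACCOUNTS = {"svc-backup-admin", "fw-admin"}

# Constructed login events: (timestamp, account, source IP, computer ID).
# An empty computer ID models a login where the device was not recorded.
EVENTS = [
    ("2024-01-17T08:02:11Z", "alice", "10.1.4.12", "LT-0412"),
    ("2024-01-17T08:15:40Z", "fw-admin", "10.1.4.12", "LT-0412"),
    ("2024-01-17T09:30:05Z", "fw-admin", "10.1.4.17", "LT-0417"),
    ("2024-01-17T11:47:52Z", "svc-backup-admin", "203.0.113.9", ""),
    ("2024-01-17T12:10:00Z", "carol", "10.1.4.21", "WS-0201"),
]

def attribute_shared_logins(events, device_owner, shared_accounts):
    """Return one record per shared-account login with the inferred person,
    or 'UNATTRIBUTED' when the computer ID is missing or not in the register."""
    records = []
    for ts, account, src_ip, device in events:
        if account not in shared_accounts:
            continue  # personal accounts already trace to exactly one user
        person = device_owner.get(device, "UNATTRIBUTED") if device else "UNATTRIBUTED"
        records.append({"time": ts, "account": account, "source_ip": src_ip,
                        "computer_id": device or "(none)", "attributed_to": person})
    return records

def unattributed_count(records):
    """How many shared-account logins could not be tied to a person."""
    return sum(1 for r in records if r["attributed_to"] == "UNATTRIBUTED")

if __name__ == "__main__":
    recs = attribute_shared_logins(EVENTS, DEVICE_OWNER, SHARED_ACCOUNTS)
    for r in recs:
        print(f"{r['time']} {r['account']:<17} {r['source_ip']:<13} "
              f"{r['computer_id']:<8} -> {r['attributed_to']}")
    print(f"{unattributed_count(recs)} shared-account login(s) need follow-up")
```

Any UNATTRIBUTED row is exactly the gap an assessor will ask about, so the output doubles as the evidence log this control calls for.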

AU.L2-3.3.3 – EVENT REVIEW

“Review and update audited events.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under AU.L2-3.3.1 – SYSTEM AUDITING.


AU.L2-3.3.4 – AUDIT FAILURE ALERTING

“Alert in the event of an audit process failure.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under AU.L2-3.3.1 – SYSTEM AUDITING. 
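The "audit failure alerts" item in the MSSP/SOC checklist above and this control both come down to noticing when a log source stops reporting. Here is a small added example of that check (not from the original guide); it assumes a collector that records the last event time per source, and the timestamps and thresholds below are constructed.

```python
"""Flag audit log sources that have gone silent, the condition AU.L2-3.3.4
wants an alert for. Added example, not from the original guide; it assumes a
collector that records the last event time per source, and the data below
is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample: last event received from each source, per the collector.
LAST_SEEN = {
    "m365-unified-audit": "2024-01-17T10:58:00Z",
    "dc01-security-log": "2024-01-17T07:05:00Z",
    "vpn-gateway": "2024-01-17T10:59:30Z",
    "wifi-controller": "2024-01-16T23:10:00Z",
}

# Longest silence tolerated per expected source, reflecting how chatty each one
# normally is. A source listed here but absent from LAST_SEEN has never reported.
MAX_GAP = {
    "m365-unified-audit": timedelta(minutes=30),
    "dc01-security-log": timedelta(minutes=15),
    "vpn-gateway": timedelta(hours=1),
    "wifi-controller": timedelta(hours=6),
    "edr-console": timedelta(hours=1),
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def silent_sources(last_seen, max_gap, now):
    """Return {source: minutes_silent} for each source past its tolerated gap.
    A source that has never reported at all maps to None."""
    alerts = {}
    for source, gap in max_gap.items():
        ts = last_seen.get(source)
        if ts is None:
            alerts[source] = None
            continue
        silence = now - parse_ts(ts)
        if silence > gap:
            alerts[source] = int(silence.total_seconds() // 60)
    return alerts

if __name__ == "__main__":
    now = parse_ts("2024-01-17T11:00:00Z")
    for src, mins in silent_sources(LAST_SEEN, MAX_GAP, now).items():
        detail = "has never reported" if mins is None else f"silent for {mins} min"
        print(f"ALERT audit log failure: {src} {detail}")
```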


AU.L2-3.3.5 – AUDIT CORRELATION

“Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under AU.L2-3.3.1 – SYSTEM AUDITING. 


AU.L2-3.3.6 – REDUCTION & REPORTING

“Provide audit reduction and report generation to support on-demand analysis and reporting.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under AU.L2-3.3.1 – SYSTEM AUDITING. 


AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE

“Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.”

Level Of Effort: Low

Making sure your system clocks match a trusted, outside time source is a must. This helps keep your audit logs' timestamps accurate and in sync across all your systems. Accurate timekeeping is key for keeping track of events and spotting security issues.

Recommendations:

  • Choose a reliable time server: Set up your systems to match the time with a known, trustworthy time server. Use Group Policy Objects (GPO) or Intune for this. If you're using Mac or Linux, ask your I.T. team to help set this up.
  • Regularly test time sync: Make sure your system clocks stay in sync with the chosen time server. Adjust settings as needed to keep the time accurate.

Evidence:

  • Screenshot of your time sync settings: Take a screenshot of the settings that show you're using a specific time server. This can be from GPO or other system configurations.
  • Include your time source in your SSP: In your System Security Plan (SSP), mention the time server you're using for syncing your system clocks.
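To support the "regularly test time sync" step on Windows, here is an added example (not from the original guide) that checks the output of `w32tm /query /status` against a policy. The approved server list is hypothetical and the sample output is constructed.

```python
"""Check a Windows endpoint's time sync against policy (AU.L2-3.3.7).
Added example, not from the original guide: it parses the text of
`w32tm /query /status` (the sample below is constructed) and checks that the
peer is an approved server and the last successful sync is recent."""
import re
from datetime import datetime, timedelta

APPROVED_SERVERS = {"time.windows.com", "ntp.corp.example"}  # hypothetical policy
MAX_SYNC_AGE = timedelta(hours=24)
NOW = datetime(2024, 1, 17, 12, 0, 0)  # constructed "current time" for the sample

# Constructed sample of what `w32tm /query /status` prints on a synced host.
SAMPLE_STATUS = """\
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0312500s
ReferenceId: 0x0A000001 (source IP:  10.0.0.1)
Last Successful Sync Time: 1/17/2024 10:15:32 AM
Source: time.windows.com,0x9
Poll Interval: 10 (1024s)
"""

def parse_w32tm_status(text):
    """Split 'Key: value' lines into a dict (only the first colon separates)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_time_sync(text, now, approved=APPROVED_SERVERS, max_age=MAX_SYNC_AGE):
    """Return a list of findings; an empty list means the endpoint passes."""
    f = parse_w32tm_status(text)
    findings = []
    # Source reads "server,0x9"; an unsynced host shows "Local CMOS Clock" instead.
    source = f.get("Source", "").split(",")[0].strip()
    if source not in approved:
        findings.append(f"time source '{source}' is not an approved server")
    stratum = re.match(r"\d+", f.get("Stratum", ""))
    if not stratum or not 1 <= int(stratum.group()) <= 15:
        findings.append("stratum shows the clock is not synchronized")
    try:  # date format follows the host locale; US English assumed here
        last = datetime.strptime(f["Last Successful Sync Time"], "%m/%d/%Y %I:%M:%S %p")
        if now - last > max_age:
            findings.append(f"last successful sync was {now - last} ago")
    except (KeyError, ValueError):
        findings.append("no parseable last successful sync time")
    return findings
```

Running it across your fleet and keeping the findings gives you the evidence for this control alongside the GPO screenshot.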

AU.L2-3.3.8 – AUDIT PROTECTION

“Protect audit information and audit tools from unauthorized access, modification, and deletion.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under CM.L2-3.4.9 – USER-INSTALLED SOFTWARE and AU.L2-3.3.1 – SYSTEM AUDITING.


AU.L2-3.3.9 – AUDIT MANAGEMENT

“Limit management of audit logging functionality to a subset of privileged users.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under CM.L2-3.4.9 – USER-INSTALLED SOFTWARE and AU.L2-3.3.1 – SYSTEM AUDITING.
