The nine controls in this family are listed below, each with the NIST SP 800-53 controls it maps to and the Microsoft 365 E5 (GCC High) capabilities that support it.
Create, protect, and retain system audit logs to support the detection, investigation, and reporting of unauthorized activity. Logs must be tamper-resistant, cover relevant system and user actions, and be retained long enough for analysis and compliance.
AU-2: Event Logging
AU-3: Content of Audit Records
AU-3 (1): Content of Audit Records (Additional Audit Information)
AU-6: Audit Record Review, Analysis, and Reporting
AU-11: Audit Record Retention
AU-12: Audit Record Generation
Microsoft 365 E5 with GCC High
(includes Purview Audit Premium, Sentinel integration, Defender for Endpoint log telemetry, and retention controls)
Ensure that the actions of individual system users are uniquely attributable to them through user authentication, session tracking, and audit logging, so that accountability can be enforced. Logs must include user IDs, timestamps, and action types.
AU-2: Event Logging
AU-3: Content of Audit Records
AU-3 (1): Content of Audit Records (Additional Audit Information)
AU-6: Audit Record Review, Analysis, and Reporting
AU-11: Audit Record Retention
AU-12: Audit Record Generation
Microsoft 365 E5 with GCC High
(includes Entra ID for user-level traceability, Purview Audit for detailed activity logging, and Defender/Sentinel for correlation and review)
Periodically review and assess system audit logs to ensure events are being captured correctly, detect unauthorized activity, and update logging policies and parameters in response to changing threats.
AU-2: Event Logging
AU-6: Audit Record Review, Analysis, and Reporting
Microsoft 365 E5 with GCC High
(includes Purview Audit Premium for log review, Microsoft Sentinel for correlation, and Defender XDR for incident response context)
Generate alerts in the event of audit log processing failures (e.g., service interruption, storage limits reached). Alerts must notify security personnel, trigger response workflows, and preserve partial logging when possible.
AU-5: Response to Audit Logging Process Failures
Microsoft 365 E5 with GCC High
(includes Sentinel for logging alerts and Defender XDR for telemetry integrity monitoring; Purview Audit Premium for log continuity assurance)
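The AU-5 requirement above is easiest to reason about as a concrete check. The following is an added example, not code from the page or from Microsoft: it reads constructed per-source status records of the kind a log collector could emit (the field names are assumptions), raises an alert when a source has gone silent, when its storage is near quota, or when its forwarder reports failure, and separately reports which sources are still logging normally so that partial logging is preserved while the failed ones are handled.

```python
"""Detect audit-log pipeline failures (AU-5) from per-source status records.

Added example, not code from the page or from Microsoft. The status records
are constructed to look like what a log collector could report for each
source it forwards; the field names are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one status record per audit-log source.
SAMPLE_STATUS = """\
{"source": "entra-signin", "last_event": "2024-05-01T10:58:00Z", "bytes_used": 80, "bytes_quota": 100, "forwarder_ok": true}
{"source": "defender-endpoint", "last_event": "2024-05-01T09:40:00Z", "bytes_used": 10, "bytes_quota": 100, "forwarder_ok": true}
{"source": "purview-audit", "last_event": "2024-05-01T10:59:00Z", "bytes_used": 96, "bytes_quota": 100, "forwarder_ok": true}
{"source": "fileserver-01", "last_event": "2024-05-01T10:57:00Z", "bytes_used": 40, "bytes_quota": 100, "forwarder_ok": false}
"""

# Fixed "now" so the example is deterministic (an assumption for the demo).
REFERENCE_NOW = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)


def parse_status(text):
    """Parse JSON-lines status records, converting last_event to aware UTC datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["last_event"] = datetime.fromisoformat(rec["last_event"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def check_logging_health(records, now, max_silence=timedelta(minutes=30), storage_warn=0.90):
    """Return (alerts, healthy_sources).

    Silence beyond max_silence and a failed forwarder mean events are being
    lost, so they are rated high. A storage warning is rated medium because
    logging is still running and there is time to act before the quota is hit.
    """
    alerts = []
    healthy = []
    for rec in records:
        problems = []
        severity = "medium"
        silence = now - rec["last_event"]
        if silence > max_silence:
            problems.append(f"no events for {int(silence.total_seconds() // 60)} min")
            severity = "high"
        if not rec["forwarder_ok"]:
            problems.append("forwarder reported failure")
            severity = "high"
        fill = rec["bytes_used"] / rec["bytes_quota"]
        if fill >= storage_warn:
            problems.append(f"storage at {fill:.0%} of quota")
        if problems:
            alerts.append({"source": rec["source"], "severity": severity, "problems": problems})
        else:
            healthy.append(rec["source"])
    return alerts, healthy


def audit_health_report(text=SAMPLE_STATUS, now=REFERENCE_NOW):
    """Run the check over the sample and return (alerts, healthy_sources)."""
    return check_logging_health(parse_status(text), now)


if __name__ == "__main__":
    alerts, healthy = audit_health_report()
    for alert in alerts:
        print(f"[{alert['severity'].upper()}] {alert['source']}: {'; '.join(alert['problems'])}")
    print("still logging normally:", ", ".join(healthy))
```

The silence threshold is the check that catches the quiet failure mode: a source whose forwarder still reports success but has stopped producing events. Tune it per source, since an identity provider emits events far more often than a rarely used file server.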
Correlate audit records from multiple systems and services to detect unauthorized, suspicious, or anomalous activity. Centralized audit analysis must support incident investigations and proactive response.
AU-6 (3): Audit Record Review, Analysis, and Reporting (Correlate Audit Record Repositories)
Microsoft 365 E5 with GCC High
(includes Sentinel for multi-source correlation, Defender XDR for behavioral analysis, and Purview Audit for deep logging visibility)
Enable audit record reduction and on-demand report generation to support efficient security analysis, investigation, and compliance reporting. Reports must be searchable, filterable, and present meaningful summaries of relevant events.
AU-7: Audit Record Reduction and Report Generation
Microsoft 365 E5 with GCC High
(includes Purview Audit Premium, Defender XDR for timeline correlation, and Sentinel for customizable security dashboards and reports)
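The two preceding requirements, correlation across sources (AU-6 (3)) and reduction to a report (AU-7), are shown together in the following added example, which is not code from the page or from Microsoft. It joins constructed identity sign-in records with constructed activity audit records (field names and the set of privileged actions are assumptions), flags privileged actions performed shortly after a high-risk sign-in by the same user, and reduces the findings to one summary row per user. The identity key is normalised before joining, because the same user appears with different letter case in the two sources.

```python
"""Correlate identity sign-in records with activity audit records (AU-6(3))
and reduce the findings to a per-user summary (AU-7).

Added example, not code from the page or from Microsoft. Both record sets are
constructed; the field names and the set of privileged actions are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, as an identity provider might export them.
SIGNIN_EVENTS = """\
{"time": "2024-05-01T10:00:00Z", "user": "Alice@contoso.example", "result": "success", "risk": "none", "ip": "203.0.113.10"}
{"time": "2024-05-01T10:05:00Z", "user": "bob@contoso.example", "result": "success", "risk": "high", "ip": "198.51.100.7"}
{"time": "2024-05-01T10:30:00Z", "user": "carol@contoso.example", "result": "success", "risk": "high", "ip": "198.51.100.9"}
"""

# Constructed activity audit records; note the differing case of the user field.
AUDIT_EVENTS = """\
{"time": "2024-05-01T10:02:00Z", "user": "alice@contoso.example", "action": "FileAccessed", "target": "Q2-report.xlsx"}
{"time": "2024-05-01T10:12:00Z", "user": "BOB@contoso.example", "action": "Add member to role", "target": "Global Administrator"}
{"time": "2024-05-01T10:14:00Z", "user": "bob@contoso.example", "action": "New-InboxRule", "target": "forward-to-external"}
{"time": "2024-05-01T11:30:00Z", "user": "carol@contoso.example", "action": "Add member to role", "target": "Exchange Administrator"}
"""

# Actions treated as privileged for this example (assumption).
PRIVILEGED_ACTIONS = {"Add member to role", "New-InboxRule", "MailboxExport"}


def load_events(text):
    """Parse JSON lines; normalise time to aware UTC and the user key to lower case
    so records from different sources join on the same identity."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        rec["user"] = rec["user"].lower()
        events.append(rec)
    return events


def correlate(signins, audits, window=timedelta(minutes=15)):
    """Flag privileged actions within `window` after a high-risk successful sign-in by the same user."""
    risky_by_user = defaultdict(list)
    for s in signins:
        if s["result"] == "success" and s["risk"] == "high":
            risky_by_user[s["user"]].append(s)
    findings = []
    for a in audits:
        if a["action"] not in PRIVILEGED_ACTIONS:
            continue
        for s in risky_by_user.get(a["user"], []):
            gap = a["time"] - s["time"]
            if timedelta(0) <= gap <= window:
                findings.append({
                    "user": a["user"],
                    "signin_time": s["time"].isoformat(),
                    "signin_ip": s["ip"],
                    "action": a["action"],
                    "target": a["target"],
                    "minutes_after_signin": int(gap.total_seconds() // 60),
                })
    return findings


def summarize(findings):
    """Reduce findings to one row per user: a count and the distinct actions seen."""
    rows = defaultdict(lambda: {"count": 0, "actions": set()})
    for f in findings:
        rows[f["user"]]["count"] += 1
        rows[f["user"]]["actions"].add(f["action"])
    return {user: {"count": r["count"], "actions": sorted(r["actions"])} for user, r in rows.items()}


def run_correlation(signin_text=SIGNIN_EVENTS, audit_text=AUDIT_EVENTS):
    """Return (findings, per-user summary) for the two record sets."""
    findings = correlate(load_events(signin_text), load_events(audit_text))
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = run_correlation()
    for f in findings:
        print(f"{f['user']}: {f['action']} on {f['target']} {f['minutes_after_signin']} min "
              f"after high-risk sign-in from {f['signin_ip']}")
    print("summary:", summary)
```

Carol's role change is not flagged because it falls an hour after her risky sign-in, outside the 15-minute window; the window is the tuning knob that trades missed detections against noise, and it only works because both sources have first been normalised to UTC.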
Ensure internal system clocks are synchronized with an authoritative time source (for example, an NTP server) so that audit records carry accurate, consistent timestamps across systems. Without this, correlation of audit trails and reconstruction of incident timelines cannot be trusted.
AU-8: Time Stamps
Microsoft 365 E5 with GCC High
(relies on the Windows Time Service, which synchronizes Entra ID-joined devices to an authoritative NTP source, and on consistent timestamps across audit logs and Defender telemetry; service-side logs such as Purview Audit and Entra sign-in records are stamped in UTC by the service itself, so device clock synchronization matters chiefly for endpoint telemetry and on-premises sources)
Protect audit information and log management tools from unauthorized access, modification, and deletion. Enforce RBAC, ensure immutability of logs, and prevent tampering of audit pipelines and configurations.
AU-9: Protection of Audit Information
Microsoft 365 E5 with GCC High
(includes Purview Audit Premium with immutable storage, Sentinel for secure log aggregation, Defender XDR for endpoint telemetry integrity, and Entra ID RBAC for access protection)
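The immutability required by AU-9, and the tamper resistance and required record content called for in the first two controls of this family, come down to one mechanism: a record store in which any change is detectable. The following added example, which is not code from the page or from Microsoft, hash-chains constructed audit records, rejects records that lack a user ID, timestamp or action type, and verifies the chain against an externally anchored head hash, detecting a modified record, a deleted middle record, and a truncated tail.

```python
"""Tamper-evident audit log: hash-chained records with an externally anchored head (AU-9).

Added example, not code from the page or from Microsoft. It shows one way to make
a log tamper-evident and to enforce the fields every record must carry
(user ID, timestamp, action type). Records are constructed.
"""
import copy
import hashlib
import json

REQUIRED_FIELDS = ("time", "user", "action")
GENESIS = "0" * 64

# Constructed audit records.
SAMPLE_RECORDS = [
    {"time": "2024-05-01T10:00:00Z", "user": "alice@contoso.example", "action": "FileAccessed", "target": "Q2-report.xlsx"},
    {"time": "2024-05-01T10:12:00Z", "user": "bob@contoso.example", "action": "Add member to role", "target": "Global Administrator"},
    {"time": "2024-05-01T10:14:00Z", "user": "bob@contoso.example", "action": "New-InboxRule", "target": "forward-to-external"},
    {"time": "2024-05-01T10:20:00Z", "user": "carol@contoso.example", "action": "MailboxExport", "target": "dave@contoso.example"},
]


def canonical(record):
    """Deterministic byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record):
    """Hash that binds this record to the hash of the previous entry."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append_record(chain, record):
    """Validate required fields, append the record linked to the previous hash, return the new head."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry["hash"]


def record_is_accepted(record):
    """True if the record carries every required field."""
    try:
        append_record([], record)
        return True
    except ValueError:
        return False


def verify_chain(chain, expected_head=None):
    """Return (ok, bad_index): the first entry that fails, or len(chain) if only the anchored head mismatches."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample_chain():
    """Build the chain from the constructed records; return (chain, head hash to anchor elsewhere)."""
    chain = []
    head = GENESIS
    for rec in SAMPLE_RECORDS:
        head = append_record(chain, rec)
    return chain, head


def tamper_demo():
    """Verify the clean chain, then three manipulations an attacker with write access might try."""
    chain, head = build_sample_chain()
    modified = copy.deepcopy(chain)
    modified[1]["record"]["user"] = "someone-else@contoso.example"  # rewrite who did it
    middle_removed = copy.deepcopy(chain)
    del middle_removed[2]                                            # drop an inconvenient record
    tail_removed = copy.deepcopy(chain)[:-1]                         # truncate the most recent record
    return {
        "clean": verify_chain(chain, head),
        "modified": verify_chain(modified, head),
        "middle_removed": verify_chain(middle_removed, head),
        "tail_removed": verify_chain(tail_removed, head),
    }


if __name__ == "__main__":
    for name, (ok, idx) in tamper_demo().items():
        print(f"{name:15} {'OK' if ok else f'FAIL at entry {idx}'}")
    print("record without user accepted:", record_is_accepted({"time": "2024-05-01T10:30:00Z", "action": "Logout"}))
```

The truncated-tail case is the one that matters for design: the shortened chain is internally consistent and only fails because the head hash was anchored outside the log. An attacker who can rewrite the whole file can recompute every hash, so the head must be published somewhere the log writer cannot alter (immutable storage or a separately controlled account), which is what the immutable-storage item above provides.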
Restrict access to manage audit logging capabilities—including log generation, configuration, and access—to a limited set of privileged users. Enforce RBAC and prevent unauthorized tampering or misconfiguration of logging mechanisms.
AU-9 (4): Protection of Audit Information (Access by Subset of Privileged Users)
Microsoft 365 E5 with GCC High
(includes Entra ID RBAC for audit role separation, Purview Audit Premium for secure log access, and Sentinel for scoped administrative roles)