CMMC Level 2: Audit, Accountability & Risk Management

Audit logging, risk assessment, and security monitoring form the backbone of a defensible security program. These 18 practices ensure you can detect threats, investigate incidents, and continuously improve your security posture.

Audit and Accountability (AU) - 9 Practices

The Audit and Accountability domain from NIST SP 800-171 section 3.3 requires you to create, protect, and review audit logs. Without proper logging, you cannot detect breaches, investigate incidents, or demonstrate compliance.

Creating Audit Records (3.3.1 - 3.3.2)

• 3.3.1: Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity
• 3.3.2: Ensure actions of individual users can be uniquely traced to those users for accountability

What to log:

• Authentication attempts (successful and failed)
• Account management actions (creation, modification, deletion)
• Privilege escalation events
• Access to CUI files and systems
• System startup and shutdown
• Security-relevant configuration changes
• Remote access sessions

Log content should include:

• Timestamp (synchronized across systems)
• User identity
• Source IP address
• Event type and outcome (success/failure)
• Affected resource

Audit Log Review (3.3.3 - 3.3.4)

• 3.3.3: Review and update logged events
• 3.3.4: Alert in the event of an audit logging process failure

Implementation guidance:

• Review logs at least weekly for security events
• Use a SIEM (Security Information and Event Management) to aggregate and analyze logs
• Configure alerts when logging stops or disk space is low
• Document your log review process and keep records of reviews
• Adjust what you log based on threat intelligence and incidents

Audit Log Correlation (3.3.5)

3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response.

What this means: Logs from different systems should be collected centrally so you can correlate events across your environment. A login from an unusual location followed by access to CUI might only be visible when correlating authentication logs with file access logs.

Implementation example:

• Forward all logs to a central SIEM platform
• Synchronize time across all systems (NTP)
• Create correlation rules for common attack patterns
• Maintain log dashboards for security monitoring

Audit Reduction and Reporting (3.3.6)

3.3.6: Provide audit record reduction and report generation to support on-demand analysis and reporting.

Implementation: You need the ability to search, filter, and generate reports from audit data. Modern SIEM tools provide this capability. At minimum, you should be able to:

• Search logs by user, date range, event type, or keyword
• Generate reports on authentication failures, privileged actions, etc.
• Export log data for incident investigation
• Create executive summaries of security events

Time Synchronization (3.3.7)

3.3.7: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source.

Why it matters: If system clocks drift, correlating events across systems becomes impossible. During incident response, accurate timestamps are essential.

Implementation:

• Configure all systems to use NTP (Network Time Protocol)
• Use authoritative time sources (NIST, GPS, or your domain controllers)
• Monitor for time synchronization failures
• Standardize on UTC in logs to avoid timezone confusion

Audit Log Protection (3.3.8 - 3.3.9)

• 3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion
• 3.3.9: Limit management of audit logging functionality to a subset of privileged users

Why it matters: Attackers often try to delete or modify logs to cover their tracks. Protecting audit data is critical for investigation and prosecution.

Implementation:

• Forward logs to a separate, secured log server
• Use write-once storage or append-only logging
• Restrict SIEM administration to dedicated security staff
• Encrypt logs in transit and at rest
• Back up logs to offline or immutable storage
• Set log retention to at least 1 year (or as required by contracts)

Risk Assessment (RA) - 4 Practices

Risk Assessment from NIST 800-171 section 3.11 requires you to understand and manage the cybersecurity risks to your organization and the CUI you handle.

Risk Assessments (3.11.1)

3.11.1: Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and processing, storage, or transmission of CUI.

Implementation guidance:

• Conduct formal risk assessments at least annually
• Reassess when significant changes occur (new systems, threats, etc.)
• Document identified risks with likelihood and impact ratings
• Prioritize risks and develop mitigation plans
• Track risk acceptance decisions with management sign-off

Risk assessment framework example:

• Identify assets containing or processing CUI
• Identify threats (external attackers, insiders, natural disasters)
• Identify vulnerabilities in your systems and processes
• Calculate risk = likelihood × impact
• Determine risk response (mitigate, accept, transfer, avoid)

Vulnerability Scanning (3.11.2 - 3.11.3)

• 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified
• 3.11.3: Remediate vulnerabilities in accordance with risk assessments

Implementation guidance:

• Conduct authenticated vulnerability scans at least monthly
• Scan after deploying new systems or major updates
• Subscribe to vulnerability notifications (NVD, vendor alerts)
• Prioritize remediation based on CVSS scores and exploitability
• Critical vulnerabilities: remediate within 15-30 days
• High vulnerabilities: remediate within 30-60 days
• Document vulnerabilities that cannot be immediately fixed in POA&M

Security Assessment (CA) - 5 Practices

The Security Assessment domain from NIST 800-171 section 3.12 requires you to assess, document, and monitor your security controls.

Security Control Assessment (3.12.1)

3.12.1: Periodically assess security controls to determine if they are effective in their application.

Implementation:

• Conduct internal control assessments at least annually
• Test controls through interviews, document review, and technical testing
• Verify policies are followed in practice, not just documented
• Use the NIST 800-171A assessment procedures as a guide
• Document findings and track remediation

Plan of Action and Milestones (3.12.2)

3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.

POA&M should include:

• Weakness description and affected control
• Point of contact responsible for remediation
• Resources required (budget, personnel, tools)
• Scheduled completion date
• Milestones with dates
• Status updates
• Risk accepted if not remediated

Continuous Monitoring (3.12.3)

3.12.3: Monitor security controls on an ongoing basis to ensure continued effectiveness.

Implementation:

• Automate monitoring where possible (SIEM, vulnerability scanners)
• Conduct periodic manual reviews of controls
• Monitor for configuration drift from baselines
• Track security metrics and report to management
• Reassess controls when threats or environments change

System Security Plan (3.12.4)

3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, operating environments, how security requirements are implemented, and relationships with other systems.

SSP should include:

• System name, owner, and authorization boundary
• System description and purpose
• Network architecture diagrams
• Data flow diagrams showing CUI locations
• For each NIST 800-171 control: how it's implemented
• Roles and responsibilities
• Interconnections with other systems

System Security Plan Review (3.12.4 continued)

Your SSP must be kept current:

• Review and update at least annually
• Update when significant changes occur
• Version control the document
• Have management formally approve updates

Evidence for Assessment

Prepare the following for your C3PAO assessment:

• System Security Plan (SSP) - complete and current
• Plan of Action & Milestones (POA&M) - tracking all open items
• Audit logging policy and procedures
• Sample audit logs demonstrating required event capture
• Log review documentation (meeting minutes, tickets)
• SIEM dashboard screenshots
• Risk assessment reports
• Vulnerability scan reports with remediation evidence
• Security assessment results
• NTP configuration evidence

Key Takeaways

• Thorough audit logging is essential because you can't investigate what you don't log
• Protect audit logs from tampering; forward to a secured central location
• Conduct risk assessments and vulnerability scans regularly
• The SSP and POA&M are your two most important CMMC documents
• Continuous monitoring ensures controls remain effective over time

Next in the Series

Continue to CMMC Level 2: Configuration & Maintenance to learn about baseline configurations, change management, and secure maintenance practices.

Need help building your SSP and POA&M? Get early access to Pretorin and let AI generate assessment-ready documentation.