Audit & Accountability.

What gets captured, why, and keeping it under review as the system changes.

3.3.1 Log Everything. AU.L2-3.3.1 · System Auditing Turn on logging across all CUI systems. Define what to capture. Keep logs long enough to investigate. 5 pts 3.3.2 Trace Every Action. AU.L2-3.3.2 · User Accountability Every action ties back to a named person. No shared accounts. No anonymous activity. 3 pts 3.3.3 Review What You Log. AU.L2-3.3.3 · Event Review Periodically review and adjust what events you're logging as threats and systems change. 1 pts

Alerting on log failures, correlating events, and responding to what the audit reveals.

3.3.4 Alert When Logging Breaks. AU.L2-3.3.4 · Audit Failure Alerting If logging stops on any system, designated personnel are alerted immediately. 1 pts 3.3.5 Connect the Dots. AU.L2-3.3.5 · Audit Correlation Correlate logs from multiple sources to spot attack patterns that individual logs would miss. 3 pts 3.3.6 Search and Report. AU.L2-3.3.6 · Reduction & Reporting Search, filter, and generate reports from audit logs on demand — not raw files, usable answers. 1 pts

Synchronised clocks, protected log records, and tightly scoped audit-management privileges.

3.3.7 Sync the Clocks. AU.L2-3.3.7 · Authoritative Time Source All system clocks synchronized to the same authoritative time source via NTP. 1 pts 3.3.8 Tamper-Proof Logs. AU.L2-3.3.8 · Audit Protection Protect audit logs and logging tools from unauthorized access, modification, and deletion. 3 pts 3.3.9 Limit Who Manages Logs. AU.L2-3.3.9 · Audit Management Only a designated subset of privileged users can configure or manage audit logging. 1 pts