Did you know that NIST SP 800-171’s 3.3.3, Review and Update Logged Events, is a commonly and THOROUGHLY misunderstood requirement? Let’s be blunt, 3.3.3 has NOTHING to do with identifying potential events that indicate a compromise.
If your understanding of 3.3.3 is to review audit logs and look for indicators of malicious activity, you really need to watch this video…
Like all of the other As the CMMC Churns videos focusing “Understanding the Requirements,” we are taking a dive into one requirement, its related predecessor and dependent requirements, and what Certified CMMC Assessors (CCA) will be looking for when you get assessed on this requirement.
3.3.3, Review and update logged events
3.3.3 |
SECURITY REQUIREMENT Review and update logged events. |
|
|
DISCUSSION The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. |
|
ASSESSMENT OBJECTIVE Determine if: |
||
3.3.3[a] |
a process for determining when to review logged events is defined. |
|
3.3.3[b] |
event types being logged are reviewed in accordance with the defined review process. |
|
3.3.3 |
event types being logged are updated based on the review. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS |
||
Examine |
[SELECT FROM: Audit and accountability policy; procedures addressing audit records and event types; system security plan; list of organization-defined event types to be logged; reviewed and updated records of logged event types; system audit logs and records; system incident reports; other relevant documents or records]. |
|
Interview |
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities]. |
|
Test |
[SELECT FROM: Mechanisms supporting review and update of logged event types]. |
Social Contact