Did you know that NIST SP 800-171’s 3.3.3, Review and Update Logged Events, is a commonly and THOROUGHLY misunderstood requirement? Let’s be blunt: 3.3.3 has NOTHING to do with identifying potential events that indicate a compromise.

If your understanding of 3.3.3 is to review audit logs and look for indicators of malicious activity, you really need to watch this video…

Like all of the other As the CMMC Churns videos in the “Understanding the Requirements” series, we are taking a dive into one requirement, its related predecessor and dependent requirements, and what Certified CMMC Assessors (CCAs) will be looking for when you get assessed on this requirement.

3.3.3, Review and update logged events

3.3.3

SECURITY REQUIREMENT

Review and update logged events.


DISCUSSION

The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.

ASSESSMENT OBJECTIVE

Determine if:

3.3.3[a]

a process for determining when to review logged events is defined.

3.3.3[b]

event types being logged are reviewed in accordance with the defined review process.

3.3.3[c]

event types being logged are updated based on the review.
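The three assessment objectives above describe one procedure: a defined trigger for the review, a comparison of the list of event types against what is actually being logged, and an update of the list from the review decisions. The following is an added example (not from the original post, from NIST, or from any CMMC assessment guide) of a small mechanism that supports that procedure, the kind of artifact an assessor could examine or test. Every input is constructed: the organization-defined list of event types, the sample audit records, the review cadence, and the analyst's add/remove decisions are all hypothetical values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: the organization-defined list of event types to be
# logged (the list an assessor examines under 3.3.3). Hypothetical names.
DEFINED_EVENT_TYPES = frozenset({
    "logon_success",
    "logon_failure",
    "privilege_use",
    "account_created",
    "object_access_denied",
    "audit_policy_change",
    "legacy_fax_gateway_access",  # constructed: system decommissioned last year
})

# Constructed sample audit records; only event_type matters for this review.
SAMPLE_AUDIT_RECORDS = [
    {"ts": "2024-03-01T08:00:05Z", "host": "ws-17", "event_type": "logon_success"},
    {"ts": "2024-03-01T08:00:41Z", "host": "ws-17", "event_type": "logon_failure"},
    {"ts": "2024-03-01T08:02:10Z", "host": "dc-01", "event_type": "privilege_use"},
    {"ts": "2024-03-01T09:15:00Z", "host": "dc-01", "event_type": "account_created"},
    {"ts": "2024-03-01T09:15:02Z", "host": "dc-01", "event_type": "audit_policy_change"},
    {"ts": "2024-03-01T10:30:00Z", "host": "fs-02", "event_type": "object_access_denied"},
    {"ts": "2024-03-01T11:00:00Z", "host": "ws-22", "event_type": "scheduled_task_created"},
]


@dataclass(frozen=True)
class ReviewPolicy:
    """3.3.3[a]: the defined process states when the list is reviewed."""
    cadence_days: int = 365         # periodic interval (hypothetical value)
    review_on_change: bool = True   # also review after a system or threat change


def review_due(policy, last_review, today, system_changed=False):
    """Return True when the defined process says a review must happen now.
    Dates are ISO-8601 strings (YYYY-MM-DD)."""
    if policy.review_on_change and system_changed:
        return True
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_review)
    return elapsed >= timedelta(days=policy.cadence_days)


def review_event_types(defined, records):
    """3.3.3[b]: compare the defined list with what the logs actually contain.
    Both findings are candidates for a decision, not automatic changes."""
    observed = {r["event_type"] for r in records}
    return {
        "never_logged": sorted(defined - observed),   # obsolete, or a broken source?
        "not_on_list": sorted(observed - defined),    # new sources worth adding?
    }


def apply_review(defined, add=(), remove=()):
    """3.3.3[c]: produce the updated list from the review decisions."""
    return frozenset((set(defined) | set(add)) - set(remove))


def run_review(defined, records, policy, last_review, today,
               system_changed=False, add=(), remove=()):
    """Produce the review record an assessor would examine; every field is
    derived from the inputs, and the add/remove decisions are the reviewer's."""
    findings = review_event_types(defined, records)
    updated = apply_review(defined, add, remove)
    next_due = date.fromisoformat(today) + timedelta(days=policy.cadence_days)
    return {
        "review_date": today,
        "was_due": review_due(policy, last_review, today, system_changed),
        "next_review_by": next_due.isoformat(),
        "findings": findings,
        "added": sorted(set(add)),
        "removed": sorted(set(remove)),
        "updated_event_types": sorted(updated),
    }


if __name__ == "__main__":
    record = run_review(
        DEFINED_EVENT_TYPES, SAMPLE_AUDIT_RECORDS, ReviewPolicy(),
        last_review="2023-02-15", today="2024-03-02",
        add=["scheduled_task_created"], remove=["legacy_fax_gateway_access"],
    )
    for key, value in record.items():
        print(f"{key}: {value}")
```

The point of keeping the findings separate from the update is that an event type which never appears in the logs may be obsolete, or it may mean the source that should produce it is silently not logging; the review has to settle which before the type is removed, and the record of that decision is what satisfies 3.3.3[c].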

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: Audit and accountability policy; procedures addressing audit records and event types; system security plan; list of organization-defined event types to be logged; reviewed and updated records of logged event types; system audit logs and records; system incident reports; other relevant documents or records].

Interview

[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities].

Test

[SELECT FROM: Mechanisms supporting review and update of logged event types].
