The Audit & Accountability domain covers 9 practices across NIST 800-171 section 3.3. The core requirement is straightforward: collect logs, protect them, review them, and make sure they're trustworthy enough to use in an investigation. Where contractors struggle is the operational side, specifically turning on the right log sources, centralizing them, and demonstrating that someone actually looks at them.
Audit logs are the evidence layer that makes every other CMMC domain defensible. When an assessor asks whether access controls are working, you prove it with logs. When a security incident occurs, you reconstruct it with logs. When someone questions whether a privileged action was authorized, you verify it with logs. A CMMC program without a functioning audit capability is like a building with security cameras that aren't recording.
Assessors will ask to see log samples, review your audit policy configuration, and probe whether anyone reviews logs on a regular basis. Organizations that treat AU as a checkbox — turning on logging but never reviewing it — will have a hard time in an assessment conversation.
Common scoping mistake: Many contractors configure logging on servers but neglect workstations. If CUI is accessed on employee laptops, those endpoints are in scope and their logs matter. Don't build a logging program around servers while workstations go unmonitored.
This practice requires creating and retaining audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. The two components are collection and retention.
What to log on in-scope systems:
Retention guidance:
NIST 800-171 does not prescribe a specific retention period, but 90 days of online retention and 12 months total (online plus archive) is a widely accepted and defensible standard. Document your retention period in your audit policy and configure log storage accordingly. Logs that age out before you need them are logs that never existed.
Windows implementation: Configure Advanced Audit Policy via Group Policy (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration). Enable at minimum: Account Logon, Account Management, Logon/Logoff, Object Access (for CUI file shares), Policy Change, and Privilege Use categories.
Microsoft 365 / Entra ID: Enable Unified Audit Logging in the Microsoft 365 compliance portal. Audit log retention defaults to 90 days; Microsoft 365 E3 provides 180 days, E5 provides one year. Verify retention is set to match your documented policy.
Common mistake: Leaving Windows audit policy at defaults. Default audit settings capture almost nothing useful. After enabling Advanced Audit Policy, verify logs are actually being generated by checking Event Viewer on a sample of systems.
This practice requires that the actions of individual users can be uniquely traced back to those users. It is the accountability half of "audit and accountability." If two people share a login, you cannot determine which person performed a given action, and the entire audit trail for that account becomes unreliable.
Implementation requirements:
This practice connects directly to the IA domain. Practices 3.5.1 and 3.5.2 require identifying and authenticating users before granting system access. If authentication is done properly with individual accounts, traceability follows naturally.
Common mistake: A shared "admin" local account on servers that multiple IT staff use. Even if domain accounts are individual, any use of the shared local admin account breaks traceability for those sessions. Use LAPS (Local Administrator Password Solution) to manage unique local admin passwords per machine, and disable or rename the default Administrator account.
This practice requires reviewing and updating the list of events being logged. It is a governance practice: logging is not a "set it and forget it" configuration. As systems change, new applications are added, and the threat landscape evolves, the set of auditable events should be reviewed and updated to remain relevant.
Implementation:
Common mistake: Having no documentation of what is being logged or why. If an assessor asks "how did you decide what to log?", the answer needs to be more than "we turned on what was available." A brief justification document tied to your AU policy demonstrates intentionality.
Audit logging failures are an attacker's best friend. A sophisticated adversary will attempt to disable or overflow logs before taking high-risk actions. This practice requires alerting the appropriate personnel when the audit logging process fails, so the failure can be investigated and corrected.
Implementation approaches:
Common mistake: Having logging configured but no alerting on logging failures. An attacker who disables logging on a workstation before exfiltrating data can complete the action before anyone notices. The alert on logging failure is as important as the log itself.
This practice requires correlating audit record review, analysis, and reporting processes to support investigation and response to unusual or suspicious activity. A login failure on a workstation means little in isolation. That same failure, correlated with a spike in outbound traffic from the same IP ten minutes later, is an incident.
Implementation:
Common mistake: Forwarding logs to a central location but performing no actual correlation. Centralized storage is not correlation. Correlation requires that someone or something is actively looking across log sources for patterns that span multiple systems or time periods.
This practice requires providing audit record reduction and report generation to support on-demand analysis and reporting. Raw logs are millions of events. The capability to reduce those to relevant records and generate actionable reports is what makes logs usable during an investigation or assessment.
Implementation:
Common mistake: Logging to flat files with no query capability. Terabytes of .log files on a server satisfy 3.3.1 (barely) but do not satisfy 3.3.6. The capability to produce reports and filter records is a distinct requirement.
This practice requires providing a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. This is one of the least controversial CMMC practices to implement and one of the most damaging to ignore.
Implementation:
Common mistake: Configuring NTP on servers but not workstations. If a threat actor operates on a workstation and the workstation clock is drifted by 30 minutes, correlating workstation events with server logs during an investigation will produce misleading timelines.
This practice requires protecting audit information and audit tools from unauthorized access, modification, and deletion. An adversary who gains admin access to a system will attempt to cover their tracks by clearing or modifying logs. The audit system must be hardened against this.
Implementation:
Common mistake: Server administrators having full control over the log management system. The person whose actions are being logged should not be able to delete those logs. Separation of duties between IT administration and log management is the control.
This practice requires limiting the management of audit logging to a subset of privileged users. It is the access control companion to 3.3.8. Where 3.3.8 is about protecting audit data technically, 3.3.9 is about restricting who has the administrative rights to manage it.
Implementation:
Common mistake: Every IT admin having the ability to clear event logs. In many small organizations, the default Domain Admins group has this right, which means every admin can cover their tracks. Restrict the "Manage auditing and security log" right to a dedicated security role.
| Need | Tool / Resource | Notes |
|---|---|---|
| SIEM / log correlation | Microsoft Sentinel, Elastic SIEM, Splunk Free | Sentinel is the natural choice for Microsoft-heavy environments; includes free tier with 10 GB/day ingestion |
| Windows log centralization | Windows Event Forwarding (WEF), Azure Monitor Agent | WEF is built into Windows and free; AMA forwards to Log Analytics / Sentinel and supports structured log shipping |
| M365 audit logging | Microsoft Purview Audit (formerly Unified Audit Log) | Enable in M365 compliance portal; retention varies by license tier; search via Audit tab or PowerShell |
| Endpoint log collection | Microsoft Defender for Endpoint | MDE ingests endpoint telemetry into Defender XDR and can forward to Sentinel; covers both EDR and audit log use cases |
| Log immutability | Azure Immutable Storage, Sentinel workspace retention locks | Prevents modification or deletion of log data; important for 3.3.8 compliance |
| NTP (time sync) | Windows Time Service (W32tm), pool.ntp.org | Domain environments sync via the DC hierarchy; verify PDC Emulator syncs to external source |
| Audit policy configuration | Group Policy (Advanced Audit Policy Configuration) | Microsoft's AuditPol.exe and GPO are the native tools; reference NIST SP 800-92 for event category guidance |
Free resource: Microsoft provides the Microsoft Security Compliance Toolkit with baseline audit policy settings for Windows. These baselines configure Advanced Audit Policy to capture the events needed for CMMC compliance. Download from the Microsoft Security Compliance Toolkit page and compare against your current Group Policy configuration.
The AU domain functions as the nervous system of your CMMC compliance program. Incident Response (IR) depends on AU logs for detection and investigation. Risk Assessment (RA) uses audit data to validate that controls are functioning. Identification and Authentication (IA) relies on login audit events to demonstrate that authentication requirements are being enforced. Configuration Management (CM) depends on change audit trails to demonstrate that only authorized changes occur.
A weak AU program doesn't just fail the AU domain assessment. It undermines the evidence base for every other domain. When assessors ask you to demonstrate a control is working, your answer will almost always involve showing a log. Build the logging foundation first, and the rest of your program becomes significantly easier to evidence.
Our CMMC Level 2 Audit & Accountability Policy template covers all 9 AU practices with formal policy language, log source requirements, retention standards, review procedures, and access restrictions. Built for defense contractors who need documentation that holds up in an assessment.
Download the AU Policy Template →No spam. Just practical guidance on CMMC compliance and new resources when we publish them.