Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Understanding the Requirement
This control requires that your systems generate and retain audit records with enough detail to map each action back to a specific user account. The two assessment objectives are practical: define the audit record content needed to trace users to their actions, and verify that the records your systems actually create contain that content. Typical audit fields include the authenticated user ID, a timestamp, source and destination IP addresses, and the resource or command accessed. Note that a source IP address on its own does not identify a person (NAT, VPN pools and shared workstations all break that link), so the record must carry the authenticated account, and that account must belong to one individual. Collect logs from endpoints, servers, network devices, VPNs, and cloud services so investigations can reliably trace an event to the individual who performed it.
Technical Implementation
- Define a standard audit record schema. Document the minimum fields every log must include (e.g., unique user ID, timestamp in UTC, source IP, destination/resource, action type, and process or session identifier). Publish this as a central policy so all teams configure devices consistently, and treat a record that lacks any required field as a finding to fix at the source.
- Centralize log collection. Forward logs from VPNs, firewalls, servers, workstations, cloud services, and critical applications to a central log collector or SIEM so you can correlate events across systems and run user-centric queries.
- Ensure user identity is authoritative. Integrate authentication (AD, Azure AD, or a central IdP) with systems wherever possible so logs contain the canonical username rather than local or shared accounts, and maintain a mapping from local and device account names to that canonical identity. Where shared or service accounts are unavoidable, require documented justification and additional controls: break-glass access that is itself logged, and a record of which individual checked out or used the account so the action can still be attributed to a person.
- Synchronize time and protect log integrity. Point all systems at the same trusted NTP source so timestamps align across on-prem and cloud systems, and secure logs in transit and at rest (TLS for forwarding, role-based access to log stores, write-once or append-only storage where feasible) to prevent tampering. Events whose timestamps disagree with the collector's receipt time by more than a small tolerance usually indicate an unsynchronized source and should be investigated.
- Set retention and review processes. Keep logs long enough to support investigations (follow contract or regulatory requirements), schedule regular reviews, and configure automated alerts for suspicious behaviors that require follow-up. Maintain an audit trail of who reviewed or exported logs.
- Assign responsibilities and training. Involve system and network administrators, security personnel, and those with audit and accountability duties in implementing and testing logging. Document procedures for log collection, user mapping, and incident investigation so staff can act quickly when tracing is required.
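The schema, identity-mapping, and time-synchronization steps above can be checked mechanically against collected records. The following script is an added example (not code from the original page or from any particular SIEM vendor) that validates newline-delimited JSON audit records against a minimal schema, flags timestamps that are not explicit UTC or that disagree with the collector's receipt time, and resolves each record to one accountable individual, rejecting shared-account events that carry no attribution tag. The field names, the account mapping, the shared-account list, the 5-minute skew tolerance, and the sample records are all constructed assumptions for the example.

```python
"""Audit-record completeness and attribution check (AU.L2-3.3.2 style).

Added example, not from the original page. Field names, account mapping,
shared-account list, skew tolerance and sample records are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed minimum audit schema, following the bullet list above.
REQUIRED_FIELDS = ("user_id", "timestamp", "src_ip", "resource", "action", "session_id")

# Constructed mapping of local/device account names to canonical IdP identities.
# In practice this comes from the directory or an asset inventory export.
ACCOUNT_MAP = {
    "DESKTOP-07\\jsmith": "jsmith@acmetech.example",
    "jsmith": "jsmith@acmetech.example",
}

# Shared or service accounts (constructed): acceptable only when the record
# names the individual using them, i.e. the accountability tag described above.
SHARED_ACCOUNTS = {"svc-backup", "root", "Administrator"}

# Assumed tolerance between a source's clock and the collector's receipt time.
MAX_SKEW = timedelta(minutes=5)


def parse_utc(value):
    """Return an aware UTC datetime, or None if the value is not an offset-bearing timestamp."""
    if not isinstance(value, str):
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        return None  # a naive timestamp cannot be aligned with other systems
    return dt.astimezone(timezone.utc)


def resolve_user(record):
    """Map the logged account to one canonical person, or None if untraceable."""
    uid = record.get("user_id")
    if not uid:
        return None
    if uid in SHARED_ACCOUNTS:
        # A shared account is attributable only via the tagged individual.
        return record.get("on_behalf_of") or None
    return ACCOUNT_MAP.get(uid, uid)


def check_record(record):
    """Return (canonical_user, findings); an empty findings list means traceable."""
    findings = [f"missing:{f}" for f in REQUIRED_FIELDS if not record.get(f)]
    ts = parse_utc(record.get("timestamp"))
    received = parse_utc(record.get("received_at"))  # stamped by the collector
    if ts is None:
        findings.append("timestamp:not_utc")
    elif received is not None and abs(received - ts) > MAX_SKEW:
        findings.append("timestamp:clock_skew")
    user = resolve_user(record)
    if user is None and "missing:user_id" not in findings:
        findings.append("identity:shared_account_unattributed")
    return user, findings


def check_records(lines):
    """Check an iterable of JSON lines; return one result dict per record."""
    results = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        user, findings = check_record(json.loads(line))
        results.append({"line": n, "user": user, "findings": findings})
    return results


# Constructed sample records, as a collector might store them after ingestion.
SAMPLE_LOGS = [
    '{"user_id": "jsmith@acmetech.example", "timestamp": "2024-03-04T09:15:02Z", "received_at": "2024-03-04T09:15:03Z", "src_ip": "203.0.113.8", "resource": "vpn-gw1", "action": "vpn_connect", "session_id": "vpn-48213"}',
    '{"user_id": "DESKTOP-07\\\\jsmith", "timestamp": "2024-03-04T09:16:40+00:00", "received_at": "2024-03-04T09:16:41Z", "src_ip": "10.20.4.17", "resource": "fs01:/projects", "action": "file_read", "session_id": "0x3a1f"}',
    '{"user_id": "svc-backup", "timestamp": "2024-03-04T02:00:00Z", "received_at": "2024-03-04T02:00:01Z", "src_ip": "10.20.1.5", "resource": "db01", "action": "dump", "session_id": "cron-771"}',
    '{"user_id": "svc-backup", "on_behalf_of": "adoe@acmetech.example", "timestamp": "2024-03-04T10:02:11Z", "received_at": "2024-03-04T10:02:12Z", "src_ip": "10.20.1.9", "resource": "db01", "action": "restore", "session_id": "tty-2"}',
    '{"user_id": "jsmith", "timestamp": "2024-03-04 09:20:00", "received_at": "2024-03-04T09:20:01Z", "resource": "git.acmetech.example", "action": "push", "session_id": "ssh-9912"}',
    '{"user_id": "jsmith", "timestamp": "2024-03-04T07:21:00Z", "received_at": "2024-03-04T09:21:00Z", "src_ip": "10.20.4.17", "resource": "fw01", "action": "admin_login", "session_id": "web-5"}',
]

if __name__ == "__main__":
    for r in check_records(SAMPLE_LOGS):
        status = "OK  " if not r["findings"] else "FAIL"
        print(f"{status} line {r['line']}: user={r['user']} {' '.join(r['findings'])}")
```

Run against the sample, the first two records and the tagged break-glass restore pass; the untagged service-account dump is reported as unattributable, the git push is missing its source IP and carries a naive timestamp, and the firewall login is two hours off the collector's clock, which points at an unsynchronized source rather than at the user. Pointing `check_records` at an export from the real collector gives the assessor evidence for the second objective (created records actually contain the defined content) rather than just a written schema.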
Example in a Small or Medium Business
AcmeTech, a 120-person engineering firm, needs to be able to trace actions to individual users after adopting several cloud services and a remote workforce. The IT lead defines a log schema requiring username, timestamp (UTC), source IP, destination resource, and action type. They integrate the office network, VPN, cloud admin console, and critical servers with their SIEM, forwarding logs over TLS and enriching each event with the authenticated Azure AD username so that local and device account names resolve to one person. Time is synchronized against a company NTP server so timestamps from cloud and on-prem systems align. The VPN is configured to log username, endpoint hostname, timestamp, and source IP so admins can map connections to employees. Retention is 90 days for general logs and 365 days for authentication records, the highest-value evidence for tracing, with role-based access to the log store limited to security and audit staff. Monthly spot checks and a quarterly tabletop exercise confirm that a simulated incident can be traced from a firewall event through the SIEM to an individual user, and the procedures are updated when gaps appear.
Summary
By defining required audit content, centralizing log collection, ensuring authoritative user identities, securing timestamps and log integrity, and assigning clear responsibilities, SMBs can reliably map actions back to individual users. These combined policy and technical controls provide the traceability and accountability needed to investigate incidents, support compliance, and deter misuse of systems.