Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.3 – Review and update logged events.
Understanding the Requirement
This control from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires that an organization define when and how logged events are reviewed, periodically evaluate which event types are being collected, and update the list of collected logs based on those reviews. Practically, it means documenting the logs you capture (for example: user logins, password changes, account creations, group membership changes, VPN connections), establishing a review cadence and triggers (regular schedule and incident-driven reviews), and changing what you collect when new threats, incidents, or operational needs indicate gaps or unnecessary noise.
Technical Implementation
- Create and document a log catalog: Produce a simple inventory that lists systems, log sources (workstations, servers, VPN, firewalls, cloud services), and the specific event types to capture (successful/failed logins, privilege changes, account creation/deletion, software installs, security policy changes). Store this catalog alongside your information security policy and keep it under version control so that each review can be traced to a specific catalog version.
- Define a review process and schedule: Set an annual formal review plus event-driven reviews after incidents or major changes (new services, new threat intelligence). Assign owners (e.g., IT manager, security lead) and define acceptance criteria for retaining, adding, or dropping specific event types.
- Standardize logging configurations: Use group policies, configuration management tools, or cloud-native logging settings to ensure consistent event collection. Document the baseline configuration for each class of system (workstation, server, network device, cloud workload) so reviews can compare actual logs to the baseline.
- Centralize logs and make reviews practical: Aggregate logs into a central log store or lightweight SIEM. Configure simple dashboards and automated alerts for high-priority events so reviews focus on meaningful data rather than noise. Implement sensible filtering and retention to balance forensic value and storage cost.
- Use incident feedback to update logging: After every security incident or near-miss, run a short post-incident review to determine whether additional event types would have improved detection or investigation. Update the catalog and push configuration changes for affected systems within an agreed SLA (for example, 30 days).
- Assign roles and maintain accountability: Clearly name who performs reviews (e.g., security lead), who implements logging changes (system admins), and who approves updates (CISO or owner). Track review actions in a log review register or ticketing system so you can demonstrate compliance.
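The steps above amount to one repeatable loop: keep a versioned catalog, compare what each system class actually emits against that baseline, and record every catalog change with its reason and approver. The following Python script is an added example of that loop and is not part of this page or of any compliance toolkit. The catalog contents, the version numbers, and the sample of observed events are constructed for illustration; the Windows event IDs used (4624, 4625, 4672, 4688, 4719, 4720, 4726, 4728, 5156 from the Security log, 11707 from the Application log's MsiInstaller source) are standard identifiers, but which of them belong in a given organization's catalog is a decision the review process itself has to make.

```python
"""Log-catalog review helper.

Compares the documented baseline (which event types a system class should
emit) against the event IDs actually arriving from one system, and records
catalog updates as versioned register entries.

Added example for illustration; catalog contents, version numbers and the
observed event sample are constructed, not taken from a real environment.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed baseline catalog. Keys are Windows event IDs the organization
# has decided to collect per system class; values are the purpose recorded
# in the catalog. A real catalog would live beside the security policy.
LOG_CATALOG = {
    "version": "1.0",  # constructed version label
    "workstation": {
        4624: "Successful logon",
        4625: "Failed logon",
        4720: "User account created",
        4728: "Member added to security-enabled global group",
    },
    "server": {
        4624: "Successful logon",
        4625: "Failed logon",
        4672: "Special privileges assigned to new logon",
        4719: "System audit policy changed",
        4720: "User account created",
        4726: "User account deleted",
        4728: "Member added to security-enabled global group",
    },
}

# Constructed sample: event IDs seen in one day of logs from a workstation.
# 4720 never arrives (a collection gap to investigate), while 5156 (Windows
# Filtering Platform connection allowed) arrives in bulk although it is not
# in the catalog: a noise candidate for the review to accept or filter.
OBSERVED_WORKSTATION = [4624] * 40 + [4625] * 3 + [4728] + [5156] * 900


@dataclass
class ReviewFinding:
    system_class: str
    missing: list     # in catalog but never observed: check audit policy/forwarding
    unexpected: dict  # observed but not in catalog: event_id -> count
    volume: dict      # observed catalog events: event_id -> count


def review_source(system_class, observed_ids, catalog=LOG_CATALOG):
    """Compare observed event IDs from one system against its class baseline."""
    expected = set(catalog[system_class])
    seen = Counter(observed_ids)
    return ReviewFinding(
        system_class=system_class,
        missing=sorted(expected - set(seen)),
        unexpected={eid: n for eid, n in sorted(seen.items()) if eid not in expected},
        volume={eid: n for eid, n in sorted(seen.items()) if eid in expected},
    )


def update_catalog(catalog, system_class, add=None, drop=None, reason="", owner=""):
    """Return a new catalog version plus a register entry describing the change.

    The input catalog is left untouched so the superseded version stays
    available for audit. `add` maps event_id -> description; `drop` lists IDs.
    """
    add, drop = add or {}, drop or []
    events = dict(catalog[system_class])
    for eid in drop:
        events.pop(eid, None)
    events.update(add)
    major, minor = catalog["version"].split(".")
    new_catalog = {**catalog, system_class: events,
                   "version": f"{major}.{int(minor) + 1}"}
    register_entry = {
        "date": date.today().isoformat(),
        "from_version": catalog["version"],
        "to_version": new_catalog["version"],
        "system_class": system_class,
        "added": sorted(add),
        "dropped": sorted(drop),
        "reason": reason,
        "approved_by": owner,
    }
    return new_catalog, register_entry


if __name__ == "__main__":
    finding = review_source("workstation", OBSERVED_WORKSTATION)
    print(f"missing from {finding.system_class}: {finding.missing}")
    print(f"not in catalog: {finding.unexpected}")
    # Incident-driven update: add process creation and software-install
    # events to workstations after a change went undetected.
    new_cat, entry = update_catalog(
        LOG_CATALOG, "workstation",
        add={4688: "Process creation", 11707: "MSI installation completed"},
        reason="Post-incident review: undetected file change on a workstation",
        owner="security lead",
    )
    print(entry)
```

The `missing` list is the finding that matters most for this control: an event type the catalog says to collect but that never arrives usually means the audit policy or forwarding configuration on that system class has drifted from the documented baseline. The register entry returned by `update_catalog` is the artefact an assessor will ask for, since it ties each change in collected events to a version, a reason, and an approver.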
Example in a Small or Medium Business
Acme Engineering is a 60-person SMB that develops subcontracted components and must protect controlled information. They maintain a central Windows domain, a VPN for remote workers, and a small cloud environment for CI/CD. After an unauthorized change to a design file went undetected, the IT manager realized workstation logs lacked software installation and process creation events. Acme created a documented log catalog that specified event IDs for Windows software installs, account management events, VPN connection logs, and cloud access events. They scheduled an annual review and immediate incident-driven reviews; the IT manager and security lead are owners, while system administrators implement changes through the domain GPO and cloud logging templates. Logs are aggregated to a low-cost cloud logging service with retention set to 90 days for workstations and 365 days for servers; dashboards flag failed privileged access attempts. After implementing the updated logging, a subsequent attempted privilege escalation was detected within hours, allowing the team to contain the issue quickly and adjust retention for related logs to support future investigations.
Summary
By documenting which events to collect, defining a repeatable review process, centralizing logs, and using incident feedback to update logging configurations, an SMB can implement AU.L2-3.3.3 in a practical, low-cost way. The policy (catalog and review schedule) provides the governance and accountability, while technical measures (standardized configurations, centralized aggregation, alerts, and retention planning) make reviews effective and sustainable. Together these steps reduce noisy data, focus attention on meaningful events, and ensure logging evolves as threats and business needs change.