Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Understanding the Requirement
This control requires that every system that generates audit records use a consistent, authoritative time source so timestamps are accurate and comparable across devices. In practice you must specify an authoritative time server, configure systems to compare against it, and keep internal clocks synchronized so log entries from different servers, endpoints, and network devices align. This guidance aligns with the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 expectation of reliable audit timestamps for incident response and accountability.
Technical Implementation
- Choose your authoritative time source and document it. For many SMBs the easiest authoritative source is time.nist.gov (NIST Internet Time Servers). If you operate a local time server (recommended for reduced outbound traffic and easier management), configure that server to synchronize with the NIST servers and document the local server’s hostname/IP as the authoritative source for your environment.
- Configure Windows hosts centrally. Use Group Policy or Microsoft Endpoint Manager (Intune) to set Windows clients and servers to use your chosen NTP server. Example GPO/W32TM settings: set the poll interval, set the NTP peer list to your authoritative server (or local time server), then run w32tm /config /manualpeerlist:"time.nist.gov" /syncfromflags:manual /reliable:yes /update and w32tm /resync to test. Ensure domain controllers are configured correctly (they often act as the time source for domain-joined machines).
- Configure Linux and network devices. On Linux, use chrony or ntpd and add a server line such as "server time.nist.gov iburst" in /etc/chrony.conf or /etc/ntp.conf and restart the service. For systemd-timesyncd, set NTP=your-server in /etc/systemd/timesyncd.conf. For routers, switches, and firewalls, configure their NTP settings (e.g., "ntp server x.x.x.x" for Cisco IOS) so they synchronize to the same authoritative source.
- Open and secure NTP traffic. Ensure firewall rules allow outbound NTP (UDP port 123) from systems that need to reach the authoritative server. If using a local time server, restrict which internal systems can query it and harden the time server (restrict management access, keep it patched, monitor it) because it becomes a critical infrastructure point.
- Define acceptable clock skew and monitoring. Establish a documented threshold for acceptable time drift (for example, 1–5 seconds for most SMB use cases, or tighter if required by your environment) and monitor offsets. Use simple scripts or monitoring tools (Nagios, Zabbix, Splunk, or a scheduled cron/Task Scheduler job) to check NTP offsets (ntpq -p, chronyc tracking, w32tm /query /status) and raise alerts when offsets exceed the threshold.
- Test and validate audit timestamp consistency. After deployment, generate test logs on different systems and verify timestamps are aligned and correlate across devices. Include time sync verification in regular system audits and change-control activities so configuration drift is detected and corrected.
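The offset check described under "Define acceptable clock skew and monitoring", as an added example that is not part of the original guidance: it parses chronyc tracking output and classifies a host against the documented threshold, treating an unsynchronised clock as its own failure state. The host names, the time server name, the 5-second default and the abridged sample output are constructed for illustration.

```python
import re

MAX_SKEW_SECONDS = 5.0  # assumed threshold; use the value your policy documents

# Constructed, abridged `chronyc tracking` output (not captured from a real host).
TEMPLATE = """Reference ID    : {ref}
Stratum         : {stratum}
Ref time (UTC)  : Tue Mar 04 14:02:11 2025
System time     : {offset} seconds {direction} of NTP time
Leap status     : {leap}
"""
SAMPLES = {  # hypothetical hosts
    "app01": TEMPLATE.format(ref="C0A8010A (timesrv.example.internal)", stratum=3,
                             offset="0.000123456", direction="fast", leap="Normal"),
    "build02": TEMPLATE.format(ref="C0A8010A (timesrv.example.internal)", stratum=3,
                               offset="7.250000000", direction="slow", leap="Normal"),
    "fw-log01": TEMPLATE.format(ref="00000000 ()", stratum=0,
                                offset="0.000000000", direction="fast",
                                leap="Not synchronised"),
}

def parse_tracking(text):
    """Split 'Key : value' lines into a dict (first colon only, so times survive)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_clock(text, max_skew=MAX_SKEW_SECONDS):
    """Return (status, signed_offset_seconds); positive means the clock is ahead."""
    fields = parse_tracking(text)
    match = re.match(r"([\d.]+) seconds (fast|slow) of NTP time",
                     fields.get("System time", ""))
    if match is None or "Leap status" not in fields:
        return ("UNKNOWN", None)       # output missing or not in the expected form
    offset = float(match.group(1)) * (1 if match.group(2) == "fast" else -1)
    # The offset is meaningless without a selected source, so check sync state first.
    if fields["Leap status"] == "Not synchronised" or fields.get("Stratum") == "0":
        return ("UNSYNCED", offset)
    if abs(offset) > max_skew:
        return ("ALERT", offset)
    return ("OK", offset)

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(host, *check_clock(output))
```

On a live host, pass the function the output of chronyc tracking from a scheduled job and alert on any status other than OK.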
Example in a Small or Medium Business
Jane is the IT manager for a 75-person engineering firm. She decides to run a local time server on a hardened Linux VM to reduce dependence on internet connectivity for every endpoint. Jane configures the Linux time server to sync with time.nist.gov and documents the server as the authoritative time source in the firm's IT policy. She updates her Active Directory Group Policy to point all Windows workstations and servers to the local time server and configures chrony on a handful of Linux build servers to do the same. Network switches and the perimeter firewall are set to use the local time server as their NTP source. Jane creates a Nagios check that queries NTP offsets on critical systems daily and emails her if any system drifts more than 5 seconds. During a quarterly audit she runs a log-correlation test and confirms that log entries from the firewall, domain controller, and application server show matching timestamps, making incident tracing straightforward.
Summary
By selecting and documenting an authoritative time source, centrally configuring endpoints and network devices to synchronize with that source, and monitoring for drift, SMBs can ensure audit records contain accurate, comparable timestamps. Technical controls (NTP configuration, firewall rules, monitoring) combined with a simple policy that specifies the authoritative server and acceptable skew create a repeatable, auditable process that satisfies the AU.L2-3.3.7 requirement and makes log review and incident response reliable and efficient.