Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.9 – Limit management of audit logging functionality to a subset of privileged users.
Understanding the Requirement
This control from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires that only a clearly defined subset of privileged users can manage audit logging functionality: enabling or disabling logging, changing what is collected, altering retention or forwarding, and deleting or modifying audit records. In practice you must identify who is allowed to do these things and then enforce separation of duties so that system administrators who perform general administrative tasks cannot alter or remove audit records or turn logging off. The two assessment objectives are that the subset of privileged users allowed to manage audit logging is defined, and that management of audit logging is actually limited to that subset, so that tampering with audit evidence or its accidental loss is prevented.
Technical Implementation
- Define roles and document responsibilities: Create a written role definition that separates "System Administrator" duties (user creation, software installation, password resets) from "Audit Log Manager" duties (SIEM/syslog configuration, log retention, log forwarding, log integrity). Keep the named list of authorized Audit Log Managers in your access-control policy, tie it to a specific group or role in each logging system so the documented subset and the technically enforced subset are the same people, and review it at least quarterly.
- Use role-based access controls (RBAC) and least privilege: Configure your SIEM, syslog server, and log collectors with distinct roles, for example Log Viewer (search and read only), Log Manager (retention, forwarding, deletion), and Log Config (collection rules and parsers). Grant the Log Manager and Log Config roles only to the subset defined above; give system admins only the roles they need for their operational tasks, which is usually Log Viewer at most, and do not grant them Log Manager permissions. On Linux hosts the same separation applies to auditd and rsyslog: restrict who can run auditctl or edit /etc/audit and /etc/rsyslog.d through group membership and sudo rules rather than giving every administrator unrestricted root.
- Enforce privileged access controls and just-in-time elevation: Deploy a lightweight Privileged Access Management (PAM) or just-in-time (JIT) workflow for any temporary access to logging systems. Require change tickets, manager approval, and session recording when a system admin needs temporary access to the syslog/SIEM for troubleshooting. Scope the temporary grant to the task (for example, restarting a forwarder or checking a collector's status) so it does not include the ability to delete or edit stored records, and make sure the elevation itself is written to the protected log store.
- Harden and isolate logging infrastructure: Place your syslog server and SIEM behind separate network segments or firewalls and restrict management access to a jump host controlled by the Audit Log Manager group. Use multi-factor authentication (MFA) and IP allow-lists for management interfaces.
- Protect logs from alteration: Enable write-once/immutable storage, WORM or append-only settings where available. Configure integrity checks (hashing, or hash chaining so that a removed or altered record breaks the chain) and send copies of critical logs to a hardened, off-site repository so that a local admin cannot delete all evidence. On Linux hosts, auditd's -e 2 setting makes the audit configuration immutable until reboot, so even root cannot disable auditing or change rules without a restart.
- Monitor and alert on administrative actions: Configure alerts for log configuration changes, deletion attempts, and additions to log-management roles. Attribute these events to the person's login identity (for example the auid field in Linux audit records, which survives sudo) rather than the effective account, so that an admin working through sudo or a shared root shell still appears under their own name. Retain audit trails of who changed logging configurations, store them in the protected log repository, and review them as part of routine security operations.
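The following is an added example, not code from the original page or from any product it names, showing how the RBAC and monitoring steps above combine into a concrete check: given the defined subset of Audit Log Managers, scan Linux auditd records for events that manage audit logging and alert on any performed by someone outside that subset. The manager uids (2001, 2002), the rule keys audit-config and audit-log, and all sample records are hypothetical and constructed for the example. It attributes actions by auid (login uid), which sudo does not change, and treats an unset auid as its own alert rather than silently passing it.

```python
import re
from dataclasses import dataclass

# Hypothetical login UIDs (auid) of the two designated Audit Log Managers.
# In a real deployment this list comes from the access-control policy.
ALLOWED_AUDIT_MANAGERS = {2001: "audit-mgr-itsec", 2002: "audit-mgr-compliance"}

# auditd records -1 (login uid never set: boot, cron, or a process that
# escaped any login session) as this unsigned value.
AUID_UNSET = 4294967295

# Record types emitted when the audit subsystem itself is reconfigured,
# plus the rule keys assumed to be attached to watches such as
#   -w /etc/audit/ -p wa -k audit-config
#   -w /var/log/audit/ -p wa -k audit-log
MANAGEMENT_TYPES = {"CONFIG_CHANGE", "DAEMON_CONFIG"}
MANAGEMENT_KEYS = {"audit-config", "audit-log"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


@dataclass
class Alert:
    serial: int   # audit event serial, for pivoting with ausearch
    actor: str    # login uid as a string, or "unset"
    reason: str


def parse_record(line):
    """Flatten one auditd record into a dict of field -> value (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["_serial"] = int(m.group(1)) if m else -1
    return fields


def is_management_event(rec):
    """True if the record reconfigures auditing or touches its config/log files."""
    return rec.get("type") in MANAGEMENT_TYPES or rec.get("key") in MANAGEMENT_KEYS


def find_unauthorized(lines, allowed=ALLOWED_AUDIT_MANAGERS):
    """Return an Alert for every management event not performed by an allowed auid.

    The check uses auid (login uid), not uid: a sysadmin running
    'sudo auditctl -e 0' has uid=0 but keeps their own auid, so sudo
    cannot hide who acted.
    """
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not is_management_event(rec):
            continue
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET:
            alerts.append(Alert(rec["_serial"], "unset",
                                "audit management event with no login uid; cannot be attributed"))
        elif auid not in allowed:
            alerts.append(Alert(rec["_serial"], str(auid),
                                f"auid {auid} is not a designated Audit Log Manager"))
    return alerts


# Constructed sample records (not from a real system). Serials 101 and 106 are
# the designated managers; 102 and 103 are the sysadmin (auid 1001) editing
# audit rules under sudo and then disabling auditing; 104 is a deletion under
# the audit log watch with no login uid; 105 is unrelated login noise.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1700000000.100:101): auid=2001 ses=4 op=add_rule key="audit-config" list=4 res=1
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=0 ses=7 comm="vim" exe="/usr/bin/vim" key="audit-config"
type=CONFIG_CHANGE msg=audit(1700000000.300:103): audit_enabled=0 old=1 auid=1001 ses=7 res=1
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=87 success=yes exit=0 auid=4294967295 uid=0 ses=4294967295 comm="rm" exe="/usr/bin/rm" key="audit-log"
type=USER_LOGIN msg=audit(1700000000.500:105): pid=900 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=2 success=yes exit=4 auid=2002 uid=0 ses=9 comm="auditctl" exe="/usr/sbin/auditctl" key="audit-config"
"""

if __name__ == "__main__":
    for a in find_unauthorized(SAMPLE_LOG.splitlines()):
        print(f"ALERT serial={a.serial} actor={a.actor}: {a.reason}")
```

Run against the sample, the check raises three alerts (serials 102, 103 and 104) and stays quiet for the two designated managers. In practice the input would be the output of ausearch or the forwarded copy of audit.log on the SIEM, and the allowed set would be read from the same group that the sudo and SIEM roles are built on, so the policy list and the enforced list cannot drift apart.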
Example in a Small or Medium Business
Acme Tech is a 45-person company with one full-time system administrator who maintains servers, endpoints, and the network. To meet AU.L2-3.3.9 they designate two employees, one from IT security and one from compliance, as the only Audit Log Managers and document their responsibilities. The sysadmin retains day-to-day operational roles but is not a member of the SIEM's Log Manager role; instead, the sysadmin has a separate account for patching and configuration. When a firewall upgrade requires temporary access to the syslog server, the sysadmin requests time-limited access through the ticketing system, an Audit Log Manager approves, and the session is proxied through a jump server with session recording. The company stores logs in an immutable cloud bucket and configures the SIEM to forward a copy of key logs to an off-site archival service so that a local deletion cannot remove all copies. Alerts notify the security lead when any change to log retention or log-forwarding settings occurs, and monthly reviews of the log-management user list are documented. These steps ensure the administrator can do their job but cannot delete or alter audit records without oversight and traceability.
Summary
By defining a limited set of Audit Log Managers, enforcing RBAC and least privilege, isolating and hardening logging infrastructure, using JIT/PAM for temporary access, protecting logs with immutable storage, and monitoring changes to logging configurations, SMBs can meet AU.L2-3.3.9. The combination of clear policy, technical controls, and documented temporary-access workflows prevents system administrators from unilaterally modifying or deleting audit logs while keeping operational efficiency intact.