This post explains how to use a Security Information and Event Management (SIEM) system plus an auditable log retention strategy to satisfy the Compliance Framework requirement AU.L2-3.3.2 — demonstrating traceability of user actions (create, modify, delete) to individual users — and gives step-by-step, practical guidance for small businesses implementing NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 controls.
What the control requires — in practical terms
AU.L2-3.3.2 expects organizations handling CUI to record and retain logs that show who performed relevant actions on systems and data. That means each action of interest (e.g., file creation, modification, deletion, privilege changes, system configuration changes, administrative commands) must include an attributable user identity, timestamp, object identifiers, and context (source IP, process or service). The Compliance Framework doesn’t prescribe a single tool — it requires demonstrable traceability and reproducible evidence for assessors.
Designing your SIEM & log retention architecture
Inventory and scope
Start by inventorying systems that process, store, or transmit CUI: workstations, servers, VPN/remote access, identity providers (AD/IdP), cloud services (AWS CloudTrail, Azure AD/Audit Logs, GCP Audit Logs), business applications, file shares, and privileged bastions. For each source, list the events that prove user actions: Windows Security events (IDs 4688 process creation, 4663 file access, 4720 user create), Linux auditd entries (SYSCALL with open/creat/unlink, sudo events), database DDL/DML audit records, and application audit logs that include user IDs and object identifiers.
Centralized collection and normalization
Stream logs to a centralized SIEM (open-source and cost-conscious: Elastic + Wazuh/OSSEC/Graylog; cloud-managed: Azure Sentinel, Splunk Cloud, Sumo Logic). Use lightweight shippers (Filebeat, Fluentd, CloudWatch Logs agents) to forward logs over TLS. Normalize fields early (timestamp in UTC, user.id, source.ip, object.path, action) so queries and correlation rules reliably attribute actions. Ensure time sync (NTP) across all hosts; inconsistent clocks break traceability.
Retention strategy and integrity controls
Define a documented log retention policy aligned to contractual or organizational needs. For many small businesses a pragmatic baseline is: 90 days hot (fast-searchable in SIEM), 1 year warm/cold (searchable but slower), and 3+ years archived (WORM/immutable, encrypted). If contractual obligations require different windows, map those to your policy. Implement index lifecycle management (ILM) or S3 lifecycle policies to automate rollups and compression, and store archived files in immutable storage (S3 Object Lock, Azure Blob immutable storage, or vendor WORM). Always encrypt logs at rest (AES-256) and restrict access via RBAC so only authorized auditors and incident handlers can read logs.
Implementing detection and evidence generation
Create correlation and detection rules targeted at proving user action traceability: e.g., a rule that correlates a file delete event (application log) with an authenticated session token issuance (IdP log) and the originating source IP (VPN/firewall) to produce a single attribution record. Capture “before/after” context where possible — hash of file prior to deletion, previous ACL before modification, the process name and PID for system changes. For critical systems, enable session recording (sudo session logging, Windows RDP session logs, jump server keystroke capture) to augment event logs with higher-fidelity evidence.
Small-business, real-world example
Example: A 25-employee subcontractor uses Office 365, an on-prem AD, a NAS for file shares, and an AWS account. Implementation steps:
1) Enable Azure AD sign-in logs and Office 365 unified audit logging; forward them to a SIEM connector (e.g., Sentinel or Elastic Cloud).
2) Configure the NAS to send syslog to a central collector and enable file audit events for create/modify/delete.
3) Deploy Filebeat on Windows endpoints to capture Windows Security events (4663, 4688) and forward to SIEM.
4) Configure the SIEM with rules that link Office 365 user IDs, AD login events, and NAS file events so every file delete shows user.name, timestamp, source.ip, and file.path.
5) Retain 1 year searchable and archive 3 years in S3 Object Lock for assessments.
This setup provides concrete evidence for an auditor: one query shows the user, time, source, and action for any CUI-affecting change.
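The correlation rule described in the detection section and in step 4 above, as an added illustration that is not code from the post: constructed IdP sign-in records and NAS audit syslog lines are normalized into the common schema (UTC timestamp, user.id, source.ip, object.path, action), then each file delete is joined to the most recent sign-in for the same user and source IP, and deletes with no matching sign-in are flagged rather than dropped. The log formats, field names, sample values and the 8-hour session window are assumptions.

```python
# Added example (not code from the post): correlate NAS file-delete events with the
# latest IdP sign-in for the same user and source IP into one attribution record.
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample data (hypothetical formats): IdP sign-ins and NAS audit syslog lines.
IDP_SIGNINS = [
    {"createdDateTime": "2024-03-04T13:58:02Z", "userPrincipalName": "jdoe@example.com",
     "ipAddress": "203.0.113.7", "sessionId": "sess-0001"},
]
NAS_SYSLOG = [
    "2024-03-04T14:01:15Z nas01 fileaudit: user=jdoe op=DELETE path=/cui/contracts/sow.pdf client=203.0.113.7",
    "2024-03-04T14:05:40Z nas01 fileaudit: user=jdoe op=DELETE path=/cui/drafts/old.docx client=198.51.100.9",
]

def normalize_idp(rec):
    """Map an IdP sign-in to the common schema: UTC timestamp, user.id, source.ip, action."""
    return {"timestamp": parse_ts(rec["createdDateTime"]),
            "user.id": rec["userPrincipalName"].split("@")[0].lower(),
            "source.ip": rec["ipAddress"], "action": "signin", "session.id": rec["sessionId"]}

def normalize_nas(line):
    """Map a key=value NAS audit line to the common schema, adding object.path."""
    ts, _host, _tag, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return {"timestamp": parse_ts(ts), "user.id": f["user"].lower(), "source.ip": f["client"],
            "action": f["op"].lower(), "object.path": f["path"]}

def attribute(file_events, signins, window=timedelta(hours=8)):
    """Attach the most recent sign-in (same user, same IP, not older than window) to each
    file event; events with no matching sign-in are kept but flagged for review."""
    results = []
    for ev in file_events:
        matches = [s for s in signins
                   if s["user.id"] == ev["user.id"] and s["source.ip"] == ev["source.ip"]
                   and timedelta(0) <= ev["timestamp"] - s["timestamp"] <= window]
        best = max(matches, key=lambda s: s["timestamp"], default=None)
        results.append({**ev, "session.id": best["session.id"] if best else None,
                        "attributed": best is not None})
    return results

def build_evidence():
    """Normalize both sources and return one attribution record per NAS file event."""
    signins = [normalize_idp(r) for r in IDP_SIGNINS]
    return attribute([normalize_nas(line) for line in NAS_SYSLOG], signins)
```

The second delete comes from an IP with no sign-in, so it surfaces with attributed=False; that unattributed record is the gap an assessor would ask about, not something to discard.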
Compliance tips, verifications, and best practices
Document and map each log source to AU.L2-3.3.2 evidence in your System Security Plan (SSP). Automate regular verification: weekly log-source health checks (are logs arriving?), monthly integrity validations (checksums, hash comparisons), quarterly retention tests (restore archived logs to confirm readability), and annual tabletop exercises showing how to produce an evidence package for a sample incident. Use namespacing or tagging in SIEM indexes to quickly export auditor-friendly reports that show the chain of events. Maintain separation of duties: logging administrators should not be able to modify log retention settings unilaterally.
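The monthly integrity validations and quarterly restore tests above, applied to the immutable archive from the retention section, as an added example that is not code from the post: a hash-chained manifest over archived log segments and a verifier that reports altered, missing, unreadable or reordered segments. Segment names, contents and the manifest layout are constructed assumptions, and the chain head is assumed to be recorded out of band (for example in the SSP evidence log) when the archive is written, so a rebuilt manifest cannot hide a change.

```python
# Added example (not code from the post): hash-chained manifest over archived log
# segments and a verifier for integrity validations and restore (readability) tests.
import gzip, hashlib

ARCHIVE = {  # constructed: segment name -> gzip bytes as written to immutable storage
    "nas-2024-03-01.log.gz": gzip.compress(b"2024-03-01T09:00:01Z nas01 fileaudit: user=jdoe op=CREATE path=/cui/a.txt\n"),
    "nas-2024-03-02.log.gz": gzip.compress(b"2024-03-02T10:12:44Z nas01 fileaudit: user=asmith op=MODIFY path=/cui/a.txt\n"),
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(segments):
    """Chain each segment's content hash to the previous chain value (sorted by name), so
    editing, removing or reordering any segment changes every later chain value and the head."""
    entries, prev = [], "0" * 64
    for name in sorted(segments):
        content = sha256_hex(segments[name])
        prev = sha256_hex((prev + content + name).encode())
        entries.append({"name": name, "sha256": content, "chain": prev})
    return {"entries": entries, "head": prev}

def verify_archive(segments, manifest, head):
    """Return problems found (empty = intact); `head` is the chain head recorded out of band."""
    problems, prev = [], "0" * 64
    for e in manifest["entries"]:
        data = segments.get(e["name"])
        if data is None:
            problems.append(f"missing: {e['name']}")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"content mismatch: {e['name']}")
        else:
            try:  # restore test: the archived segment must still decompress
                gzip.decompress(data)
            except (OSError, EOFError):
                problems.append(f"unreadable: {e['name']}")
        if sha256_hex((prev + e["sha256"] + e["name"]).encode()) != e["chain"]:
            problems.append(f"chain broken at: {e['name']}")
        prev = e["chain"]
    if prev != head:
        problems.append("head mismatch: manifest does not match the recorded head")
    return problems

def demo():
    """Verify the pristine archive, then the same archive with one segment rewritten."""
    manifest = build_manifest(ARCHIVE)
    clean = verify_archive(ARCHIVE, manifest, manifest["head"])
    tampered = dict(ARCHIVE, **{"nas-2024-03-01.log.gz": gzip.compress(b"edited\n")})
    return clean, verify_archive(tampered, manifest, manifest["head"])
```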
Risks of not implementing traceable logging
Without demonstrable traceability you risk failing a CMMC assessment, losing contracts that require CUI protections, and, more importantly, being unable to investigate and remediate breaches. Practically, lack of logs means you can’t answer who deleted or modified a sensitive file, how an account was misused, or whether a change was intentional — increasing dwell time, regulatory exposure, and the cost of incident response. Poor retention also jeopardizes legal and contractual obligations that may require historical evidence months or years after an event.
Summary: To satisfy AU.L2-3.3.2 under the Compliance Framework, implement a centralized SIEM architecture that collects and normalizes relevant audit data, define and enforce a documented retention policy with immutable archival, create correlation rules and session capture for high-value actions, and validate mechanisms regularly through tests and documented evidence production. For small businesses, leverage managed SIEM or open-source stacks with cloud archive to keep costs manageable while ensuring that every user action on CUI can be reliably attributed, preserved, and produced for assessors or incident responders.