AU.L2-3.3.1 — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

What this control requires

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Source: CMMC L2 v2.13 AU.L2-3.3.1 / NIST SP 800-171 R2 3.3.1 (official control text).

Why this matters

System audit logs are the organization's security camera footage — they record who accessed what, when, and whether the action succeeded or failed. Without comprehensive, retained logs, the organization cannot detect insider threats, trace ransomware entry points, prove compliance during audits, or investigate data breaches. Attackers routinely delete logs to cover their tracks; robust logging makes that harder and ensures forensic evidence survives. This control requires logging events that matter for CUI security — failed logins, privilege escalations, file access, configuration changes — and keeping those records long enough to detect patterns and support investigations.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls