AU.L2-3.3.2 — Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

What this control requires

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Source: CMMC L2 v2.13 AU.L2-3.3.2 / NIST SP 800-171 R2 3.3.2 (official control text).

Why this matters

When a security incident occurs, organizations must know exactly who did what and when. This control requires logging every user action in a way that uniquely identifies the individual responsible—not just a shared account or generic service. Unique traceability enables forensic investigation, deters malicious insider behavior, and proves accountability during audits. Without it, you cannot distinguish between a legitimate admin and an attacker using stolen credentials, cannot hold users accountable for policy violations, and cannot reconstruct incident timelines. This control transforms logs from noise into evidence by ensuring every action ties to a real person.

What evidence assessors expect

Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls