bigforceone

AU.L2-3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

What this control requires

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

Source: CMMC L2 v2.13 AU.L2-3.3.5 / NIST SP 800-171 R2 3.3.5 (official control text).

Why this matters

This control ensures audit logs don't just pile up unread — they must be actively reviewed, analyzed, and correlated across systems to detect coordinated attacks, insider threats, or compliance violations. Without correlation, a phishing email in one system, a failed login in another, and a suspicious file transfer in a third appear unrelated. Correlating audit processes reveals patterns that signal intrusion or policy breach, enabling swift investigation and response. This prevents adversaries from exploiting blind spots between disconnected monitoring silos.
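
An added example (not part of the original page or of FORCE) of the correlation described above: records from a mail gateway, an authentication system, and a file-transfer system are normalized and joined per user inside a time window. The log layouts, field names, one-hour window, and three-source threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the field layouts are assumptions, not a real product's format.
MAIL = ["2024-05-01T09:02:11Z phish_flagged rcpt=jdoe@example.com",
        "2024-05-01T11:40:00Z phish_flagged rcpt=asmith@example.com"]
AUTH = ["2024-05-01T09:10:45Z login_failed user=jdoe",
        "2024-05-01T09:11:02Z login_failed user=jdoe",
        "2024-05-02T08:00:00Z login_failed user=asmith"]
XFER = ["2024-05-01T09:31:20Z upload user=jdoe bytes=734003200 dest=external",
        "2024-05-01T14:00:00Z upload user=bwong bytes=1048576 dest=external"]

def parse(line, source):
    """Normalize one record to (time, user, source, kind)."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    # Mail records identify the person by recipient address, the others by user name.
    user = kv.get("user") or kv["rcpt"].split("@")[0]
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, user.lower(), source, kind

def correlate(sources, window=timedelta(hours=1), min_sources=3):
    """Return {user: [events]} for users with events from at least
    min_sources different systems inside a single time window."""
    by_user = defaultdict(list)
    for name, lines in sources.items():
        for line in lines:
            ev = parse(line, name)
            by_user[ev[1]].append(ev)
    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological order
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - first[0] <= window]
            if len({e[2] for e in in_window}) >= min_sources:
                findings[user] = in_window
                break
    return findings

def report(findings):
    """Render each finding as one timeline line for an investigation record."""
    return [f"{u}: " + " -> ".join(f"{e[2]}:{e[3]}@{e[0]:%H:%M}" for e in evs)
            for u, evs in sorted(findings.items())]

if __name__ == "__main__":
    for line in report(correlate({"mail": MAIL, "auth": AUTH, "xfer": XFER})):
        print(line)
```

Each source on its own shows nothing that stands out for jdoe; only the joined timeline does, and the same run with one source removed returns no finding.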

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
