AU.L2-3.3.9 — Limit management of audit logging functionality to a subset of privileged users.
What this control requires
Limit management of audit logging functionality to a subset of privileged users.
Source: CMMC L2 v2.13 AU.L2-3.3.9 / NIST SP 800-171 R2 3.3.9 (official control text).
Why this matters
This control prevents the fox from guarding the henhouse. When privileged users can modify or disable audit logs that track their own activity, they can erase evidence of malicious actions, policy violations, or security incidents. By restricting audit log management to a dedicated subset of privileged users — separate from those performing day-to-day administrative tasks — the organization creates accountability and maintains audit integrity. An attacker who compromises a domain admin account should not automatically gain the ability to delete logs showing the breach. This separation of duties is fundamental to reliable forensic investigation and insider threat detection.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, PDF.