03.03.01 — (a) Specify the following event types selected for logging within the system: {{ insert: param, A.03.03.01.ODP.01 }}. (b) Review and update the event types selected for logging {{ insert: param, A.03.03.01.ODP.02 }}.

What this control requires

(a) Specify the following event types selected for logging within the system: {{ insert: param, A.03.03.01.ODP.01 }}. (b) Review and update the event types selected for logging {{ insert: param, A.03.03.01.ODP.02 }}.

Source: NIST SP 800-171 R3 §03.03.01 (official control text).

Why this matters

Event logging creates the forensic trail that makes security investigations possible. Without comprehensive logs of authentication attempts, privilege usage, configuration changes, and access to sensitive resources, organizations cannot detect intrusions, reconstruct attack timelines, or prove compliance during audits. This control requires organizations to deliberately select which event types to log based on their risk profile and regulatory requirements, then periodically review those selections to ensure coverage keeps pace with evolving threats. Attackers specifically target logging gaps to hide their activities, making thorough event logging a foundational detective control that supports incident response, insider threat detection, and continuous monitoring programs.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls