03.03.04 — (a) Alert organizational personnel or roles within {{ insert: param, A.03.03.04.ODP.01 }} in the event of an audit logging process failure. (b) Take the following additional actions: {{ insert: param, A.03.03.04.ODP.02 }}.

What this control requires

(a) Alert organizational personnel or roles within {{ insert: param, A.03.03.04.ODP.01 }} in the event of an audit logging process failure. (b) Take the following additional actions: {{ insert: param, A.03.03.04.ODP.02 }}.

Source: NIST SP 800-171 R3 §03.03.04 (official control text).

Why this matters

Audit logs are your forensic record of security events—if the logging process fails silently, attackers can operate undetected while you believe monitoring is active. This control ensures that when audit logging breaks (disk full, service crash, network failure to SIEM), designated personnel receive immediate alerts and predefined response actions execute automatically. Without this safeguard, a failed logging mechanism creates a blind spot that adversaries actively exploit. The control protects investigation capability, compliance evidence continuity, and incident detection by treating logging failures as security events themselves requiring urgent response.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export, PDF, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls