03.03.05 — (a) Review and analyze system audit records [Assignment: organization-defined frequency] for indications and the potential impact of inappropriate or unusual activity. (b) Report findings to organizational personnel or roles. (c) Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
What this control requires
(a) Review and analyze system audit records [Assignment: organization-defined frequency] for indications and the potential impact of inappropriate or unusual activity. (b) Report findings to organizational personnel or roles. (c) Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Source: NIST SP 800-171 R3 §03.03.05 (official control text).
Why this matters
Collecting audit logs is meaningless without systematic review—attackers dwell in networks for weeks precisely because no one examines the evidence already being generated. This control mandates that security personnel actively analyze log data for anomalies, correlate events across systems, and escalate findings to decision-makers. Without disciplined review cadences, unusual login patterns, privilege escalations, or data exfiltration attempts remain invisible until damage is done. Effective log analysis transforms raw telemetry into actionable intelligence, enabling rapid incident response and demonstrating due diligence to assessors. Organizations that treat log review as a check-the-box activity rather than an operational priority consistently fail to detect breaches in time to limit impact.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export.