bigforceone

03.08.06

What this control requires

Source: NIST SP 800-171 R3 §03.08.06 (official control text).

Why this matters

Audit logs are only useful if someone reviews them. This control requires organizations to actively analyze security event logs for anomalies, suspicious patterns, and indicators of compromise. Without regular review, malicious activity can persist undetected for months. Threat actors rely on organizations collecting logs but never reading them. This control closes that gap by mandating systematic examination of audit records to identify unauthorized access attempts, privilege escalations, data exfiltration, malware activity, and policy violations. Regular log review transforms passive data collection into active threat detection, enabling early incident response before breaches escalate.

What evidence assessors expect

Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
