The Audit and Accountability domain discusses the essentialness of system auditing, user accountability, audit management, and reporting. We will dive into these topics to get a better understanding of the requirements of this domain.

CMMC Audit and Accountability Domain

This is the fourth in a 15-part blog series where we'll discuss each domain in Cybersecurity Maturity Model Certification (CMMC). In addition, this blog will explore the CMMC audit and Accountability (AU) domain.  

The Audit and Accountability domain discusses the essentialness of system auditing, user accountability, audit management, and reporting. We will dive into these topics to get a better understanding of the requirements of this domain.  

We will be exploring Audit and Accountability in the following manner:    

  • What are Audit and Accountability?
  • How do you enforce Audit and Accountability in your organization?

What are Audit and Accountability?    

Within the Audit and Accountability domain, there are two core focus areas: auditing and accountability.

  • Auditing will focus on system audit logs, audit record reviews, and audit protection.
  • Accountability focuses on user accountability, event review, and management.  

For CMMC 2.0, there are no practices in CMMC Level 1 for the Audit and Accountability domain. However, there are 9 total practices for CMMC Level 2 for the AU domain. For CMMC Level 3, the AU practices are yet to be determined.

Core topics within AU

System Auditing

There are a variety of actions taken within a system every day. Therefore, creating and retaining system audit logs and records for any important action, access, or information change is essential for your organization and its security. This allows for proper monitoring and analysis of events and the ability to investigate unlawful or unauthorized system activity. An event can be defined as any observable occurrence within a system, no matter how small it might be. Organizations are allowed to identify event types for logging purposes, but events that are significant and relevant to the security of systems must be audited.  

User Accountability  

System auditing is not enough to determine certain events, such as user-specific actions. Whether the user is authorized or not, their access and activity should be monitored. It is your organization's responsibility to ensure that the actions of individuals accessing systems can be uniquely traced to the specific user and that accountability can be established. This requirement focuses on the specifics of an audit log, and your organization must consider logging account usage, remote access, wireless connectivity, physical access, and more to ensure accountability. You can start by capturing user IDs, source and destination addresses, and time stamps.  

Event Review  

A part of system auditing and logging is periodically reviewing and updating your organization's events and changing the list of events you log as needed. It is quite possible that the events you log can change over time, and some things you log may no longer be needed. Therefore, it is important to update this process to allow your audit reports to be specific, remove information that may no longer be needed, and include information that has not been added to the event logs. In addition, the review process should be continuous, and your organization can determine the time between each review.  

Audit Failure Alerting  

Alongside reviewing logs, reviewing the auditing process is another thing to consider. Your auditing process and mechanism should be set up to alert your organization in the event of an audit logging process failure. This ensures that the process is not compromised and those important events that need to be logged are not missed. Failures can include software and hardware errors, audit record capturing failures, or audit record storage capacity being exceeded. This process should be applied to all your auditing processes within your organization.  

Audit Correlation, Reduction & Reporting  

As a part of your auditing process, you must correlate audit record review, analysis, and reporting processes to ensure that they work collectively. This will be an important part of investigations in response to indications of unlawful, unauthorized, or suspicious activity. If each system does not work together, it can lead to flaws in this process, which your organization needs to avoid. Furthermore, your organization should provide audit record reduction and report generation, which will support on-demand analysis. Audit record reduction is a process that manipulates the information you have collected in an audit and then organizes it in a way that is easy to understand and meaningful to analysts. Report generation works in hand with this, allowing for creating a customizable report. The needs of each organization will differ, so you can determine how these are set up for your organization.  

Authoritative Time Source  

Any audit log or record is incomplete without a time stamp to verify it. That being said, your system must be capable of comparing and synchronizing internal system clocks with an "authoritative" time source. What does that mean? Each of your systems might use different time granularities or be across different time zones, so you must synchronize your systems with a central time server to ensure that all systems record activity for audit logs with the same time source. This makes logging more efficient and easier to understand when it comes time to review them.  

Audit Protection & Audit Management  

Just as audit logs and records identify activity across all systems (both authorized and unauthorized), the audit logs also need to be protected against unauthorized access. This requirement will focus on protecting any information that is recorded within an audit, and your organization must limit the ability to access and execute audit logging tools to only those authorized within your organization. Again, this includes both physical and technical protection.  

How do you enforce Audit and Accountability in your organization?    

This domain covers various important topics, including system audit logging, user accountability, and audit management and protection. Meeting the requirements of this domain will require a step-by-step process that builds up to efficient management of auditing within your organization.  

For CMMC Level 1, your organization is not mandated to implement practices in this domain. For CMMC Level 2, your organization must look further into each of the nine practices required and provide proper implementation and documentation.

Where to start or what to look for:  

  • Audit and Accountability Policy  
  • System Design Documentation  
  • System Audit Logs and Records
  • System Auditable Events
  • System Incident Reports
  • System Security Plan (SSP)
  • List of Organization-Defined Event Types  


InterSec is one of the leading Cybersecurity company. Having years of experience working with top companies, we have a mature team and processes.

Contact us today for a free consultation for your security needs.
Contact Us