NIST SP 800-171 Rev 2 practice 3.3.1 requires organizations to create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. This involves two inseparable components: first, specifying which event types must be logged and what content each record must contain; and second, technically generating those records on all in-scope systems and retaining them for a defined period. The practice applies to all systems that process, store, or transmit Controlled Unclassified Information (CUI) and to the infrastructure supporting those systems. Covered event types typically include logon and logoff events, privilege escalation, object access, configuration changes, and account management actions. Audit records must include sufficient detail — such as timestamps, user identity, event type, and outcome — to reconstruct activity during an investigation.
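The two components above (which event types are covered, and what each record must contain) can be checked mechanically against the records a logging pipeline actually produces. The following is an added example, not code from NIST or from this page: it validates constructed JSON-lines audit records for the required content, reports which covered event categories have no complete record at all, and compares the oldest retained record against an organisation-defined retention period. The field names, the event-name to category mapping, the sample records and the retention-window interpretation are all assumptions made for the example.

```python
"""Completeness check for audit records against the 3.3.1 content and
event-coverage requirements. Added example, not part of NIST SP 800-171;
field names, category mapping and sample records are constructed assumptions."""
import json
from datetime import datetime, timezone

# Content every record must carry to reconstruct activity (assumed field names).
REQUIRED_FIELDS = ("timestamp", "user", "event_type", "outcome")

# Concrete event names mapped to the categories the text lists as typically
# covered. The event names are assumptions; the categories follow the text.
EVENT_CATEGORIES = {
    "logon": "authentication",
    "logoff": "authentication",
    "privilege_escalation": "privilege_escalation",
    "object_access": "object_access",
    "config_change": "configuration_change",
    "account_create": "account_management",
    "account_delete": "account_management",
}
COVERED_CATEGORIES = frozenset(EVENT_CATEGORIES.values())


def parse_timestamp(value):
    """Return a timezone-aware datetime, or None if the value is unusable."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def check_record(line):
    """Parse one JSON-lines record and list the ways it falls short."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None, ["not valid JSON"]
    if not isinstance(rec, dict):
        return None, ["record is not an object"]
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("timestamp") and parse_timestamp(rec["timestamp"]) is None:
        problems.append("timestamp not timezone-aware ISO 8601")
    et = rec.get("event_type")
    if et and et not in EVENT_CATEGORIES:
        problems.append(f"event_type {et!r} not mapped to a covered category")
    return rec, problems


def audit_log_report(lines, now, retention_days):
    """Summarise record completeness, category coverage and retention depth."""
    findings, seen, oldest = {}, set(), None
    for lineno, line in enumerate(lines, 1):
        rec, problems = check_record(line)
        if problems:
            findings[lineno] = problems
        if rec is None:
            continue
        cat = EVENT_CATEGORIES.get(rec.get("event_type"))
        if cat and not problems:  # only complete records count as coverage
            seen.add(cat)
        ts = parse_timestamp(rec.get("timestamp"))
        if ts and (oldest is None or ts < oldest):
            oldest = ts
    age = (now - oldest).days if oldest else None
    return {
        "records": len(lines),
        "deficient_records": findings,
        "missing_categories": sorted(COVERED_CATEGORIES - seen),
        "oldest_record_age_days": age,
        # True when the store still holds records at least as old as the
        # retention period. False needs a human look: the store may simply be
        # younger than the period, or records may have been purged early.
        "retention_window_present": age is not None and age >= retention_days,
    }


# Constructed sample records: one clean logon, one privilege escalation with
# no outcome, one change with a naive timestamp, one access with an empty user,
# one clean access, one unmapped event, and one corrupt line.
SAMPLE_LOG = [
    '{"timestamp": "2024-01-05T08:00:00Z", "user": "alice", "event_type": "logon", "outcome": "success"}',
    '{"timestamp": "2024-03-10T09:15:00Z", "user": "bob", "event_type": "privilege_escalation"}',
    '{"timestamp": "2024-03-10T09:20:00", "user": "bob", "event_type": "config_change", "outcome": "success"}',
    '{"timestamp": "2024-03-11T10:00:00Z", "user": "", "event_type": "object_access", "outcome": "failure"}',
    '{"timestamp": "2024-03-11T10:05:00Z", "user": "svc-backup", "event_type": "object_access", "outcome": "success"}',
    '{"timestamp": "2024-03-12T11:00:00Z", "user": "carol", "event_type": "heartbeat", "outcome": "success"}',
    'not json at all',
]
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def run_example():
    """Run the report over the constructed sample with a 90-day retention period."""
    return audit_log_report(SAMPLE_LOG, NOW, retention_days=90)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the constructed sample the report flags five of seven records, shows that no complete privilege escalation, configuration change or account management record exists (the incomplete ones are not credited), and reports that the oldest retained record is younger than the 90-day period, which is the kind of gap a periodic self-check of the logging pipeline is meant to surface.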
Where it stops · what it isn't
- This practice does not require real-time review or alerting of audit records — that is addressed by AU-L2-3.3.2 and AU-L2-3.3.5.
- This practice does not cover protection of audit records from unauthorized access or modification — that is addressed by AU-L2-3.3.8.
- This practice does not mandate specific retention periods beyond defining and meeting self-imposed retention requirements; however, DoD contractual requirements may impose minimums.
- This practice does not govern the reduction or reporting of audit data — those functions are addressed by AU-L2-3.3.4.
- This practice does not extend to physical access logs or personnel records; it is scoped to information system audit logs.