NIST SP 800-171 Rev 2 §3.3.2 requires organizations to ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. This means the organization must first define what content must appear in audit records to enable that traceability — typically including user identity, timestamp, event type, object acted upon, and outcome. Once that content standard is defined, the audit records that are actually generated must contain all of that defined content without exception. The practice bridges the gap between policy specification and operational log output, ensuring that forensic investigators and auditors can reconstruct exactly who did what, when, and on which resource. CMMC assessment evaluates both the existence of the content definition and the conformance of live audit records to that definition.
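One way to test live records against a content definition is shown below. This is an added example, not code from NIST or from this page; the JSON field names, the shared-account list and the ISO 8601 timestamp rule are assumptions to replace with your own definition.

```python
import json
from datetime import datetime

# Assumed content definition: the five elements the text lists as typical.
# Field names are hypothetical; map them to your own log schema.
REQUIRED_FIELDS = ("user", "timestamp", "event_type", "object", "outcome")
SHARED_IDENTITIES = {"root", "admin", "administrator", "system"}  # assumed list

def check_record(line):
    """Return the conformance findings for one JSON-formatted audit record."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable record"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    findings = []
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or not str(value).strip():
            findings.append(f"missing {field}")
    ts = rec.get("timestamp")
    if ts:
        try:
            # Assumed rule: timestamps are ISO 8601 with an explicit offset.
            if datetime.fromisoformat(str(ts)).tzinfo is None:
                findings.append("timestamp has no UTC offset")
        except ValueError:
            findings.append("timestamp not ISO 8601")
    # A shared account fills the field but cannot be traced to one person.
    if str(rec.get("user") or "").strip().lower() in SHARED_IDENTITIES:
        findings.append("user is a shared identity")
    return findings

def audit_conformance(lines):
    """Map 1-based line number to findings, for nonconforming records only."""
    checked = ((n, check_record(line)) for n, line in enumerate(lines, 1))
    return {n: found for n, found in checked if found}

# Constructed sample records, not taken from a real system.
SAMPLE = [
    '{"user":"jdoe","timestamp":"2024-03-01T12:00:00+00:00","event_type":"file_read","object":"/cui/contract.pdf","outcome":"success"}',
    '{"user":"admin","timestamp":"2024-03-01T12:00:05+00:00","event_type":"file_delete","outcome":"success"}',
    '{"user":"","timestamp":"03/01/2024 12:01","event_type":"login","object":"vpn-gw","outcome":"failure"}',
    "Mar  1 12:02:00 host sshd: session opened",
]

if __name__ == "__main__":
    for number, findings in audit_conformance(SAMPLE).items():
        print(number, findings)
```

Run over a sample of each log source, the per-line findings give evidence for the second half of the assessment: that generated records actually carry the defined content.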
Where it stops · what it isn't
- This practice does not specify which events must be logged — that is covered by AU-L2-3.3.1 (event selection and logging enablement).
- This practice does not address audit log protection, retention duration, or storage capacity — those are handled by separate AU practices.
- This practice does not govern the review or analysis of audit logs — log review requirements fall under AU-L2-3.3.4 and AU-L2-3.3.5.
- This practice does not define authentication strength requirements for establishing the user identity that appears in logs — that is covered by IA-L2-3.5.1 and related IA practices.
- This practice does not require real-time alerting on audit events — alerting is addressed under AU-L2-3.3.5 and SI domain practices.