CMMC Level 2 practice AU-L2-3.3.3 implements NIST SP 800-171 Rev 2 requirement 3.3.3, which mandates that organizations review and update logged events on a defined schedule or when triggering conditions occur. The practice requires three distinct capabilities: a documented process that specifies when and how event-type reviews are conducted, actual execution of those reviews against the currently configured log sources, and documented updates to the audit configuration when the review reveals gaps or obsolete entries. The goal is to prevent audit coverage from becoming stale — ensuring that as the system environment, threat landscape, and business processes evolve, the events being captured remain meaningful and sufficient to detect and investigate incidents. NIST SP 800-171 Section 3.3 grounds this requirement in the broader principle that audit records must support monitoring, analysis, investigation, and reporting of inappropriate activity. This practice operationalizes that principle by treating the audit event catalog as a living configuration rather than a set-and-forget parameter.
Where it stops · what it isn't
- This practice does NOT govern the actual collection or storage of audit logs — that is covered by AU-L2-3.3.1 (Create and Retain Audit Logs).
- This practice does NOT require real-time or continuous review of individual log entries; it addresses periodic review of the categories of events being captured, not the log content itself.
- This practice does NOT define specific mandatory event types to log; the selection of event types is context-dependent and organization-determined, subject to the review process established here.
- This practice does NOT cover the protection or retention of audit records, which is addressed separately in AU-L2-3.3.2.
- This practice does NOT address the analysis of log content for anomalies or security incidents, which falls under AU-L2-3.3.5 and the Incident Response domain.