Audit and Accountability 3.3.9 (3.3.9)

Who currently has the ability to modify audit logging settings in your systems?

How many people have administrative access that includes audit management capabilities?

What does it mean to 'limit management of audit logging functionality' and what functions does this include?

Audit logging management includes any function that can configure, modify, enable, disable, or delete audit settings or audit logs themselves. This includes changing what events are audited, modifying audit log retention settings, disabling audit logging, deleting audit logs, changing audit log storage locations, and modifying audit policies. The control requires that only a small, defined group of privileged users can perform these functions, not all system administrators.

How many users should have audit management privileges?

There is no specific number mandated, but the control requires 'a subset of privileged users,' meaning fewer users than the total number of privileged users. Best practice is to limit audit management to the minimum number needed for operational requirements, typically 2-3 individuals to ensure coverage while maintaining restriction. The key is that audit management is more restricted than general administrative access.

Can the same person be both a system administrator and an audit administrator?

While not ideal, this may be necessary in small organizations with limited staff. If the same person must perform both roles, implement compensating controls such as increased monitoring of their activities, dual control procedures requiring approval for audit changes, use of privileged access management to record sessions, or third-party review of audit logs. Document the business justification and compensating controls in your SSP.

How is this control verified during a CMMC assessment?

Assessors will request a list of all users with audit management privileges and compare it to the total list of privileged users to verify it is a subset. They will examine system configurations, role definitions, and access control settings to confirm technical restrictions are in place. Assessors will test whether general administrators can modify audit settings and verify that audit management activities are logged. They will also review documentation showing periodic access reviews and business justifications for audit management access.

Does this control apply to cloud services where we cannot manage audit logging?

If you are using a FedRAMP authorized cloud service where the provider manages audit logging and you have no access to audit management functions, you can inherit satisfaction of this control from the provider's authorization. Document this inheritance in your SSP and maintain evidence of the provider's FedRAMP status. However, if you have any ability to configure audit settings in the cloud service (such as enabling/disabling logs or changing retention), those functions must be restricted per this control.

What is the difference between this control and AC.L2-3.1.5 (separation of duties)?

AC.L2-3.1.5 addresses separation of duties broadly across all security-relevant functions, while AU.L2-3.3.9 specifically focuses on separating audit management from other privileged functions. This control implements separation of duties specifically for audit logging to prevent individuals from disabling or modifying the audit trail of their own activities. Both controls work together, with 3.3.9 providing specific requirements for the audit domain that support the broader separation of duties principle in 3.1.5.