CMMC Practice Requirement:

Review and update logged events.

CMMC Requirement Explanation:

By maintaining a documented list of the security logs you intend to collect, you can optimize your audit logging program: you save storage space and reduce log fatigue for the security personnel who review the logs. Update the list to reflect the threats and incidents your company encounters. Revisiting the list after a security incident is especially worthwhile, since collecting additional logs may have helped identify the incident earlier.

Example CMMC Implementation:

Document the list of security-related logs that your organization should capture. Examples include user logins, password changes, group membership changes, and account creations. What you collect may differ for each system; for a VPN, for example, you may also want to collect information on the users who connect to it. Periodically (e.g. annually) review this list to determine whether you are collecting the right logs to identify security incidents. The review may also identify logs that you do not need to collect; you may decide to omit these to prioritize storage for more important logs.

Scenario(s):

- Scenario 1:

You find unauthorized software on a user's workstation. The user denies installing it. You review the system logs and cannot find any entries indicating who installed the software. To prevent this from recurring, you update the logs your workstations collect to include the Windows event IDs for software installation.
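The periodic review described above can be partly automated by reconciling the documented collection list against the events actually collected. The following Python is an added example, not part of the CMMC text: the collection list, the sample events and the noise threshold are constructed, and the Windows event IDs are ordinary Security/Application/System log IDs used for illustration.

```python
"""Reconcile the documented list of events to collect against the events actually
collected, to support the periodic review and update of logged events."""
from collections import Counter

# Documented collection list (constructed): (channel, event ID) -> why it is collected.
COLLECT_LIST = {
    ("Security", 4624): "user logon",
    ("Security", 4723): "password change attempt",
    ("Security", 4732): "member added to local security group",
    ("Security", 4720): "user account created",
}

# Constructed sample of events harvested from one workstation during the review period.
SAMPLE_EVENTS = [
    ("Security", 4624), ("Security", 4624), ("Security", 4624),
    ("Security", 4720),
    ("Application", 11707),  # MsiInstaller: installation completed successfully
    ("System", 7036), ("System", 7036), ("System", 7036), ("System", 7036),
]


def review_logged_events(collect_list, events, noise_threshold=3):
    """Return the gaps and surplus between the documented list and observed events."""
    observed = Counter(events)
    # Documented but never observed: either the source was quiet or collection is broken.
    missing = sorted(k for k in collect_list if observed[k] == 0)
    # Observed but not documented: decide whether to add them or stop collecting them.
    undocumented = sorted(k for k in observed if k not in collect_list)
    # High-volume undocumented events are candidates to omit to free storage.
    noise = sorted(k for k in undocumented if observed[k] >= noise_threshold)
    return {"missing": missing, "undocumented": undocumented, "noise": noise}


def add_to_collect_list(collect_list, channel, event_id, purpose):
    """Record a new event to collect after an incident review; returns an updated copy."""
    updated = dict(collect_list)
    updated[(channel, event_id)] = purpose
    return updated


if __name__ == "__main__":
    report = review_logged_events(COLLECT_LIST, SAMPLE_EVENTS)
    for category, items in report.items():
        print(f"{category}: {items}")
    # After the scenario's incident, software installation events are added to the list.
    updated = add_to_collect_list(COLLECT_LIST, "Application", 11707, "software installation")
    print("undocumented after update:", review_logged_events(updated, SAMPLE_EVENTS)["undocumented"])
```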
 
