AU.L2-3.3.1: Create and retain system audit logs

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Verbatim NIST SP 800-171 Rev 2 requirement text (3.3.1).

SPRS weight: 5 pts | Not POA&M-eligible — must fix before assessment | 6 assessment objectives

How it's scored

5 points deducted from your SPRS score if unmet.

An open gap here is not POA&M-eligible (only 1-point requirements qualify under 32 CFR 170.21, with one narrow exception at SC.L2-3.13.11): it must be fully implemented before a Level 2 assessment can certify.

What an assessor checks: the 6 assessment objectives

NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks AU.L2-3.3.1 MET only when every applicable objective is satisfied — and examines evidence, not assertions.

| Objective | Determination statement |
|---|---|
| 3.3.1[a] | audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. |
| 3.3.1[b] | the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. |
| 3.3.1[c] | audit records are created (generated). |
| 3.3.1[d] | audit records, once created, contain the defined content. |
| 3.3.1[e] | retention requirements for audit records are defined. |
| 3.3.1[f] | audit records are retained as defined. |

Where do you stand on AU.L2-3.3.1?

The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.

Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.