NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY

3.3.5 Audit Record Review, Analysis, and Reporting

Review and analyze system audit records {{ insert: param, A.03.03.05.ODP.01 }} for indications and the potential impact of inappropriate or unusual activity. Report findings to organizational personnel or roles. Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

Assessment Objectives

  • system audit records are reviewed and analyzed {{ insert: param, A.03.03.05.ODP.01 }} for indications and the potential impact of inappropriate or unusual activity.
  • findings are reported to organizational personnel or roles.
  • audit records across different repositories are analyzed to gain organization-wide situational awareness.
  • audit records across different repositories are correlated to gain organization-wide situational awareness.

Practitioner Notes

Collecting logs is useless if nobody looks at them. You need a regular schedule for reviewing audit logs and someone assigned to flag anything unusual — unexpected admin logins, after-hours activity, or repeated failed access attempts.

Example 1: In Microsoft Sentinel, create a Workbook under Threat Management → Workbooks → Create that summarizes key security events: failed logons, account lockouts, privilege escalations, and file access to CUI shares. Assign a team member to review this dashboard weekly and document their findings in a log review checklist with their name, date, and any anomalies found.

Example 2: If you don't have a SIEM, you can still meet this requirement. Export Windows Security Event Logs weekly using Event Viewer → Security → Save All Events As (or use PowerShell: Get-WinEvent -LogName Security -MaxEvents 1000 | Export-Csv -Path security-events.csv -NoTypeInformation). Have your IT lead review the export for Event IDs like 4625 (failed logon), 4720 (account created), and 4732 (user added to admin group). Document the review and any actions taken.
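The export-and-review step from Example 2 as one PowerShell script, added here as an example; it is not part of this control page or of any vendor's tooling. It assumes a 7-day window, a threshold of ten failed logons per account, and an evidence folder under the reviewer's profile, and it writes the dated checklist (reviewer, date, anomalies, actions) that the practitioner notes ask for.

```powershell
# Added example, not from the NIST control text or any vendor: one script for the weekly
# export-and-review in Example 2. Assumes a local account that can read the Security log.
$ReviewDays       = 7     # review window matching the weekly schedule (assumed)
$FailedLogonLimit = 10    # flag accounts with more 4625 events than this (assumed threshold)
$Reviewer         = $env:USERNAME
$OutDir           = Join-Path $env:USERPROFILE 'LogReview'   # assumed evidence folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# One query for just the three Event IDs inside the review window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4720, 4732
    StartTime = (Get-Date).AddDays(-$ReviewDays)
} -ErrorAction SilentlyContinue
# Read a named EventData field from the event XML instead of relying on property positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = @(foreach ($e in $events) {
    switch ($e.Id) {
        4625 { $what = 'Failed logon';         $who = Get-EventField $e 'TargetUserName'; $detail = 'from '  + (Get-EventField $e 'IpAddress') }
        4720 { $what = 'Account created';      $who = Get-EventField $e 'TargetUserName'; $detail = 'by '    + (Get-EventField $e 'SubjectUserName') }
        4732 { $what = 'Added to local group'; $who = Get-EventField $e 'MemberName';     $detail = 'group ' + (Get-EventField $e 'TargetUserName') }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Event = $what; Account = $who; Detail = $detail }
})
# Evidence for the assessor: the raw export plus a dated checklist the reviewer completes.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$rows | Export-Csv -Path (Join-Path $OutDir "security-events-$stamp.csv") -NoTypeInformation

# Anomalies the note calls out: repeated failures per account, and every account creation or group change.
$anomalies = @(
    $rows | Where-Object { $_.EventId -eq 4625 } | Group-Object Account |
        Where-Object { $_.Count -gt $FailedLogonLimit } |
        ForEach-Object { "$($_.Count) failed logons for '$($_.Name)'" }
    $rows | Where-Object { $_.EventId -in 4720, 4732 } |
        ForEach-Object { "$($_.Event): $($_.Account) $($_.Detail) at $($_.Time)" }
)

$checklist = @(
    "Log review checklist   Reviewer: $Reviewer   Date: $stamp   Window: last $ReviewDays days"
    "Events examined: $($rows.Count) (IDs 4625/4720/4732)   Anomalies found: $($anomalies.Count)"
    foreach ($a in $anomalies) { " - $a" }
    "Actions taken: ______________________"
)
$checklist | Set-Content -Path (Join-Path $OutDir "review-$stamp.txt")
$checklist
```

Run it from an elevated PowerShell session on the host being reviewed; the CSV and the review text file in the evidence folder are what you keep for the assessor, with the reviewer filling in the actions-taken line.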