NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.7 — Time Stamps
Use internal system clocks to generate time stamps for audit records. Record time stamps for audit records that meet {{ insert: param, A.03.03.07.ODP.01 }} and that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- internal system clocks are used to generate time stamps for audit records.
- time stamps are recorded for audit records that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp.
- time stamps are recorded for audit records that meet {{ insert: param, A.03.03.07.ODP.01 }}.
Practitioner Notes
If the clocks on your systems aren't synced, your logs will have inconsistent timestamps and you won't be able to piece together what happened in what order during an investigation. Every system needs to agree on the time.
Example 1: Configure your domain controller as the authoritative time source by running w32tm /config /manualpeerlist:"time.nist.gov" /syncfromflags:manual /reliable:yes /update on your PDC Emulator. All domain-joined machines will automatically sync from the DC. Verify sync status with w32tm /query /status.
Example 2: For non-domain devices (Linux servers, network appliances, firewalls), configure NTP to point to your internal domain controller or directly to a trusted external source like time.nist.gov. On a Linux system, edit /etc/chrony/chrony.conf and set server time.nist.gov iburst. On your Palo Alto firewall, go to Device → Setup → Services → NTP and enter your NTP server address. Verify all devices are within 1 second of each other.