NIST 800-53 REV 5 • ACCESS CONTROL
AC-2(4) — Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
Practitioner Notes
Every time an account is created, modified, disabled, or removed, the system should automatically log that action. You need a paper trail that shows who did what to which account, and when.
Example 1: Enable Active Directory audit logging via GPO at Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. Turn on Audit User Account Management for Success and Failure. Forward these events (4720, 4722, 4725, 4726) to your SIEM.
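To confirm that the Example 1 setting actually applies and is producing the paper trail the control asks for, the following PowerShell is an added example (not part of the NIST text or any vendor documentation); it assumes it is run in an elevated session on a domain controller whose Security log holds the account-management events.

```powershell
# Added example: verify the "User Account Management" audit subcategory from Example 1
# is effective and pull the account-lifecycle events it produces (who / what / which account / when).
# Assumption: run elevated on a domain controller; events older than the log's retention are gone.

# 1. Confirm the subcategory audits Success and Failure (auditpol /r emits CSV).
$policy = auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting'
# If "Inclusion Setting" reads "No Auditing", the GPO has not applied to this host.

# 2. Collect the four event IDs named in Example 1 from the last 24 hours.
$ids = 4720, 4722, 4725, 4726   # created, enabled, disabled, deleted
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into a one-line audit record.
$actionNames = @{ 4720 = 'Created'; 4722 = 'Enabled'; 4725 = 'Disabled'; 4726 = 'Deleted' }
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Action = $actionNames[[int]$_.Id]
        Actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"   # who did it
        Target = "$($data.TargetDomainName)\$($data.TargetUserName)"     # which account
        Host   = $_.MachineName                                           # where it was logged
    }
} | Sort-Object Time | Format-Table -AutoSize
```

An empty table after a known account change means either the policy is not applied or the events are not reaching this log, which is exactly the gap the SIEM forwarding in Example 1 is meant to surface.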
Example 2: In M365, go to Microsoft Purview Compliance Portal → Audit and verify that Unified Audit Logging is turned on. Search for UserAccountCreated, UserAccountDeleted, and UserAccountUpdated events. Set up an alert policy to notify your security team whenever a new admin account is created.