Audit log management is the whole lifecycle of your security records — deciding what to capture, keeping the detail useful, protecting the records from tampering, retaining them for a period you define, reviewing them on a named schedule, and acting on what you find. Turning logging on is one step out of six, and it's the only one most small shops complete. The Audit & Accountability (AU) family grades the rest. The good news: none of the missing steps require a bigger budget. They require a decision, a name, and a calendar.
If you want to find the soft spot in a small contractor's CMMC posture, ask one question: who read the logs last week? The logs exist. They almost always exist. Windows is writing them, the firewall is writing them, Microsoft 365 is writing them. What doesn't exist is anyone who has ever opened them, a rule for how long they stick around, or anything stopping an intruder from deleting the record of their own visit.
That gap is the entire subject of this article. It's also one of the quietest ways a self-assessment goes from "we're in good shape" to a finding — because "we have logging" feels like a finished control right up until someone asks you to prove it operates. Below is the AU family in plain language, the three places it usually breaks, and how to close each one without buying anything you don't already own.
These get used interchangeably and they are not the same thing. Logging is a machine writing down events. It happens by default on nearly everything you own, and it required no decision from you. Audit log management is the set of deliberate choices wrapped around those records: which events matter, how long they live, who can touch them, who reads them, and what happens next.
The distinction matters because the controls are written against the second thing. An assessor isn't impressed that your server produces logs — servers do that on their own. What's being graded is whether a human made decisions about those logs and whether the decisions are real. That's why this control family frustrates people: the technical part is free and already done, and the part that's actually scored is organizational.
Strip out the reference-document language and the requirements land on six plain jobs. You need all six. Doing the first one very well does not compensate for skipping the sixth.
Look at the tags on the right. The first two jobs happen whether you participate or not — your systems do them by default. The bottom four require somebody to make a call, and they're where nearly every finding in this family comes from. If you only have an afternoon, spend it on jobs four through six.
There's no official checklist to copy, and that's on purpose — you define your event set based on your environment and then defend the choice. That freedom trips people up, so here's a baseline that holds up for a typical small contractor.
Write your list into the audit policy. The list isn't the deliverable — the fact that a person chose it, for stated reasons, is the deliverable. An assessor reading a defined event set sees a program. An assessor reading vendor defaults sees an accident that happens to be running.
The requirement is that you keep records long enough to support an after-the-fact investigation, and that you define the period yourself. People stall here waiting to be told a number. Nobody's going to tell you one.
A standard that works for most small shops: 90 days immediately searchable, plus a year in cheaper cold storage. The reasoning is practical — most incidents get discovered weeks or months after the initial compromise, so a 30-day window means the interesting part is already gone by the time you know to look. A year of cold storage costs very little and covers the realistic detection lag. Ninety days hot keeps the investigation fast without enterprise pricing.
Here's the principle in one line: a log that lives only on the machine that made it is not evidence. If an attacker owns that box, they own its history — they can edit the record, wipe it, or simply switch logging off and carry on. Everything you thought you had is now a story told by the suspect.
Getting logs off the originating system onto a separate collector fixes most of this at a stroke. Now covering tracks requires compromising two systems instead of one, and the second one exists for no purpose except holding records. That's not a product recommendation — a forwarded syslog to a hardened box counts. The architecture is what matters, not the brand.
Beyond that, restrict access to audit records and audit tooling to the few people who genuinely need it, and separate the duty where you can, so that the person whose activity is being recorded isn't the same person who can quietly delete the recording.
This is the job that fails, so it deserves its own treatment. The requirement is that records get reviewed and that findings get acted on. The cadence is yours to set.
What matters is not frequency. It's that the cadence is named, assigned, realistic, and evidenced. A weekly review that genuinely happens fifty-two times a year and leaves a trail is a strong control. A daily review you wrote into policy and performed twice is a finding and a credibility problem, because now the assessor knows your documentation describes an aspiration rather than an operation.
| What you say | How it grades | Why |
|---|---|---|
| "We retain logs for a year." | Not enough | Retention is one job of six. Says nothing about review, protection, or response. |
| "Our SIEM monitors everything." | Not enough | A tool is not a control. Who reads the alerts, on what schedule, and what happened last time one fired? |
| "The owner reviews alerts every Monday and records it." | Gradeable | Named person, defined cadence, leaves evidence. This is what the control is asking for. |
| "Logs forward to a collector the admin account can't delete from." | Gradeable | Concrete protection measure, honest about the small-shop constraint, verifiable. |
Read the difference between rows two and three. Same company, same tool, same logs. The only change is that a human being's name got attached to a repeating calendar entry. That's frequently the entire distance between a gap and a met control — and it costs nothing.
Doing the review by hand across a dozen sources is where a small team realistically breaks down, and that's the honest case for tooling. If you're at the point where the cadence keeps slipping because the work is too manual, the fix is a collector that correlates and alerts rather than more discipline. We covered which platform fits a small shop, and why enterprise SIEMs bury two-person teams, in Best SIEM & Logging for CMMC.
Assessors grade whether a control operates. Operating leaves a paper trail, and the trail is the deliverable. Here's what to have ready.
Want to see where the AU family sits against the other 109 controls before you touch anything? The free SPRS score estimator gives you a baseline in a couple of minutes. If logging is the family you're weakest in, you're in good company — and it's one of the cheaper ones to fix, because the fix is mostly decisions.
Every gap above closes with a document: an audit & accountability policy defining your event set and retention, a System Security Plan describing what you log and who reviews it, and the review artifacts an assessor grades. The CMMC Level 2 DIY Compliance Kit ships all 20 required policies, a full SSP, an SPRS scorer, and the evidence checklist — editable, built for a small shop doing this itself.
It's the whole lifecycle of your security records, not just switching logging on: deciding which events you capture, making sure each record holds enough detail, keeping system clocks in agreement, protecting logs from tampering, retaining them for a period you define and defend, reviewing them on a schedule, and acting when a review turns something up. The Audit & Accountability family asks for all of it. Most small shops do the first step and none of the rest, which is why it's such a common gap.
There's no government list to copy — you define the event set for your environment and justify it. A defensible baseline for a small contractor captures logons and logoffs including failures, privileged account use, account creation and permission changes, access to systems holding CUI, security configuration changes, and audit logging being started, stopped, or cleared. That last one matters more than people expect, because disabling logging is exactly what an intruder does first. Put your list in the audit policy so the assessor sees a decision, not an accident.
Long enough to support an after-the-fact investigation — and you set the number in policy. A common small-shop standard is 90 days immediately searchable plus a year in cheaper cold storage, which covers the realistic lag between compromise and discovery without enterprise pricing. The figure is your call. What gets graded is that you defined a period, had a reason, and actually keep logs that long. A policy claiming a year against a tool overwriting at 30 days is worse than none — you've documented your own gap.
Get the logs off the machine that generates them and limit who can touch them. Records living only on the workstation that produced them can be edited or wiped by anyone who compromises that box. Forwarding to a separate collector means an intruder has to compromise two systems to cover their tracks. Then restrict access to audit records and tooling to those who genuinely need it, and separate the duty where you can. In a two-person shop perfect separation may be impossible — document the compensating measure honestly rather than claiming a separation you don't have.
The requirement is that review happens and findings get acted on — the cadence is yours to set and defend. What matters far more than frequency is that it's named, assigned to a specific person, realistic, and evidenced. A weekly review that genuinely happens every week and leaves a record beats a daily review you wrote down and never performed. An assessor will ask who reviews, how often, and what happened last time something turned up. Nobody, never, and nothing means the control isn't met — no matter how many logs you're storing.
Assessors grade whether the control operates, and operating leaves a trail. Expect to show the written audit policy defining your event set and retention, proof logging is enabled on the systems in scope, log samples demonstrating the required detail, a record of reviews performed with dates and reviewer names, and documentation of what you did when something surfaced. Collect it as you go — evidence reconstructed the week before an assessment tends to look exactly like what it is.