AU - Audit & Accountability Domain Notes
CMMC Domain: AU (Audit & Accountability)
NIST 800-171 Family: 3.3.x
General Notes
SIEM is Central
- SIEM (Security Information and Event Management) is the primary mechanism for satisfying most AU controls
- Outsourced SIEM with a Shared Responsibility Matrix works - document what logs go where
- Key: SIEM vendor must produce a Shared Responsibility Matrix clearly defining who's responsible for what
SIEM Options Mentioned by Community
- Microsoft Sentinel - used by Kieri client (GCC High environment)
- NeQter SIEM - community thread, experience sought (2026-01-21)
- Outsourced/MSSP SIEM - at least one large org used this (1,000 employee org)
- Source: https://old.reddit.com/r/CMMC/comments/1ova7nt/ (2026-01-29)
Log Coverage
- Must cover all in-scope assets
- Linux hosts require separate logging configuration
- Test equipment in manufacturing/engineering scope needs to be covered (or scoped out)
- Multiple SIEM sources needed: endpoints, network gear, cloud platforms
DoD ODP for AU Controls (Rev 3 Reference)
- NIST SP 800-171 Rev. 3 Audit & Accountability - DoD ODP (Org-Defined Parameters)
- Active thread: https://old.reddit.com/r/CMMC/comments/1qegxhh/ (2026-01-16)
- Rev 3 ODPs give org more flexibility to define parameters - leverage this
AU.3.3.6 - On-Demand Audit Reports (2026-03-11 Update)
Source: https://old.reddit.com/r/CMMC/comments/1rpexgm/
Assessor ruling: "Manual CLI commands is not a systemic 'capability.' On-demand implies a ready-to-use reporting function within the system architecture, not manual forensic reconstruction."
- Implication: Ad-hoc CLI syslog queries (grep, awk, etc.) are NOT sufficient for AU.3.3.6
- Must have a real SIEM dashboard or reporting UI that produces reports on-demand without CLI intervention
- Takeaway: if you're using a SIEM, ensure it has a reporting/dashboard feature you can demo to assessors, not just a queryable backend
Related Posts
- NIST SP 800-171 Rev. 3 Audit & Accountability - DoD ODP - 2026-01-16
- Does anybody have experience with NeQter SIEM? - 2026-01-21
- SIEM provider offshore? - 2026-03-03
- Continuous Monitoring MSP status - 2026-03-06