Control 3.3.8
Protect Audit Information
Official Requirement
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
What This Means in Plain English
Audit logs must be protected so that attackers or malicious insiders cannot tamper with or delete them to cover their tracks. Logs should be stored securely with restricted access and integrity protections.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Arctic Wolf SIEM storing logs in a dedicated, access-restricted environment with tamper detection
- Write-once log storage preventing modification or deletion of archived audit records
- Separate administrative accounts for SIEM management distinct from general IT admin accounts
- FortiGate forwarding logs to an off-device collector immediately upon generation
- Backup of audit logs to Veeam-protected storage with integrity verification
Assessment Guidance
Assessors will verify that audit logs are stored with restricted access, test that non-authorized users cannot modify or delete logs, check that logs are forwarded to a protected central repository, and confirm backup and integrity protection of audit data.
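One way to make the integrity protection described above testable, as an added example that is not Petronella's or any named vendor's code: each record carries an HMAC over the previous record's tag, so an edit, a deleted record, or a truncated tail is detected on verification. The function names, key, and log lines are constructed for illustration, and the example assumes the key and the chain head are held on the off-device collector rather than on the system that generates the logs.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # anchor value chained into the first record
# Constructed sample data: the key and log lines are illustrative only.
KEY = b"demo-key-held-by-the-log-collector"
SAMPLE = [
    "2024-01-01T00:00:01Z login user=alice result=success",
    "2024-01-01T00:00:09Z login user=root result=failure",
    "2024-01-01T00:00:15Z policy-change user=bob object=fw-rule-12",
    "2024-01-01T00:00:30Z logout user=alice",
]

def _tag(key, prev, seq, message):
    # Bind each record to its position and to everything before it.
    body = prev + seq.to_bytes(8, "big") + message.encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest()

def seal(key, messages):
    """Return (records, head); head = (count, last_tag), stored off-system."""
    records, prev = [], GENESIS
    for seq, message in enumerate(messages):
        prev = _tag(key, prev, seq, message)
        records.append((seq, message, prev))
    return records, (len(records), prev)

def verify(key, records, head):
    """Return None if the log is intact, else a description of the first fault."""
    prev = GENESIS
    for pos, (seq, message, tag) in enumerate(records):
        if seq != pos:
            return f"record {pos}: sequence gap (found seq {seq})"
        if not hmac.compare_digest(_tag(key, prev, seq, message), tag):
            return f"record {pos}: tag mismatch"
        prev = tag
    count, last_tag = head
    if len(records) != count or not hmac.compare_digest(prev, last_tag):
        return f"head mismatch: expected {count} records, found {len(records)}"
    return None

def demo():
    records, head = seal(KEY, SAMPLE)
    edited = list(records)
    edited[1] = (1, SAMPLE[1].replace("failure", "success"), records[1][2])
    return {
        "intact": verify(KEY, records, head),
        "edited": verify(KEY, edited, head),
        "deleted": verify(KEY, records[:1] + records[2:], head),
        "truncated": verify(KEY, records[:-1], head),
    }
```

The chain only detects tampering; restricted access, write-once storage, and off-system forwarding are still what prevent it.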
Common Implementation Gaps
- Audit logs stored locally on systems where admins can modify them
- No write-once or immutable log storage
- Same admin accounts used for both system administration and log management
- No backup of audit logs
- Logs not forwarded off the originating system
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AU-9 |
| HIPAA | 164.312(b) - Audit Controls |
| PCI DSS | Req 10.5 - Secure audit trails so they cannot be altered |