
Audit & Accountability (AU): The Black Box Recorder for Your Business

A Midnight Mystery That Cost $50,000

It’s midnight on a Friday. The production floor is quiet, machines humming steadily as they finish a batch of critical aerospace parts. Then, without warning, the system controlling your CNC machines crashes. Everything stops. The order halts mid-process, raw material is ruined, and a shipment deadline that took weeks to prepare is suddenly in jeopardy.

On Monday morning, your IT staff digs into the system. Buried in the logs, they find something unsettling: an “administrator” account logged in at the exact moment the crash occurred. But here’s the kicker: no one admits to being online. The account wasn’t tied to a specific employee, and the logs don’t show where the login came from.

Now you’re left with a $50,000 loss, a furious customer, and more questions than answers:

  • Was it a hacker testing the waters?
  • A careless mistake by someone with too much access?
  • Or maybe a disgruntled insider flexing their power?

Without reliable audit trails, you can’t prove what happened or prevent it from happening again. The story ends not with a clear resolution, but with finger-pointing, uncertainty, and expensive downtime.

That’s why Audit & Accountability (AU) in CMMC 2.0 matters. It’s your business’s “black box recorder” – capturing the truth about who did what, when, and how. Because when things go wrong (and they will), guessing is not a strategy.


What Meeting the Objectives Might Look Like

When an auditor reviews your business for Audit & Accountability (AU) at CMMC Level 2, they’re not expecting Hollywood-style cyber defenses. They’re looking for evidence that you can track what’s happening in your systems and hold people accountable. In practice, that usually looks like:

  • Recording key events: Logins, logouts, file access, admin changes, and system alerts are being captured automatically.

  • Knowing who did what: Each employee has their own account and password – no more “shop floor” shared logins.

  • Keeping logs safe: Audit records are stored in a way that prevents tampering or deletion.

  • Actually checking them: Someone in your business (or your IT partner) reviews logs regularly, not just when something breaks.

  • Holding onto them: Logs are retained long enough (at least 90 days) to investigate incidents if they pop up later.

That’s it. No magic. No government-grade technology. Just basic visibility and accountability – the digital version of a time clock and security camera system for your IT environment.


The Costliest Breach Is the One You Can’t Explain

Here’s the truth: Audit & Accountability isn’t about making your IT team’s life harder; it’s about protecting the business you’ve worked so hard to build.

  • Protect your contracts. A failed audit or a security incident without evidence can mean losing DoD contracts outright. The cost of poor logging is not a fine; it’s lost revenue.

  • Reduce downtime and financial loss. If something goes wrong, logs act like your incident response playbook. The faster you can find the cause, the faster you’re back online and the less you lose in wasted time, material, or productivity.

  • Strengthen your reputation. Customers and partners want to know they can trust you. Being able to show, with confidence, “here’s what happened, here’s how we fixed it” builds credibility and keeps you in the supply chain.

  • Build resilience, not just compliance. Audit trails catch problems early: a suspicious login, a file accessed at 2 a.m., or maybe an admin change that no one approved. Small anomalies like these, spotted in time, prevent major breaches later.

At the end of the day, logs are about trust – trust in your systems, trust with your partners, and trust that when things go wrong, you’ll have the evidence to put things right.


Where Most Companies Slip Up

Here’s the good news: you are not the first company to struggle with Audit & Accountability. In fact, most small businesses in the defense space hit the same roadblocks:

  • “Set it and forget it” logging. Systems create logs by default, but no one checks them until after something breaks. By then, it’s too late.

  • Shared accounts. “Shop floor” or “Admin” logins make life easier in the moment, but they erase accountability when something goes wrong.

  • Short log retention. Many systems overwrite logs after just a few days. When an incident comes to light weeks later, the trail is already gone.

  • Assuming the MSP has it covered. Outsourced IT often handles the basics, but unless it’s spelled out in your contract, they may not be actively monitoring or retaining logs for compliance.

  • Overcomplicated tools. Some companies buy expensive logging software, then never fully implement it. Complexity kills adoption.

The result? A false sense of security. Leaders think logs exist, but in practice, they’re useless when the business needs them most.


How to Start Strong (and Grow Stronger)

The best way to tackle Audit & Accountability is to start small, prove it works, and then level up. Here’s what that looks like in practice:

A Starting Point

If you’re just getting started, aim for:

  • Turn on basic logging in Microsoft 365, Windows servers, and your firewall. Most systems already have these features; you just need to enable them.

  • Stop using shared accounts. Every user gets their own login, with multi-factor authentication. No exceptions.

  • Save logs in one place. Even a basic file share or cloud storage location works, as long as logs are protected from tampering.

  • Review logs weekly. Assign someone (internal IT or your MSP) to spot-check for anything unusual.

  • Keep them at least 90 days. That’s the typical threshold auditors expect.
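The three storage-related items above (one place for logs, protection from tampering, a 90-day floor) can be made concrete with a small tamper-evident log store. The following is an added example written for this article, not code from the original post or from any product named here: every record carries the SHA-256 of the record before it, so an edited or deleted line breaks the chain at a known index, and pruning re-anchors the chain so that records inside the retention window still verify. The class name, field names and the sample events are constructed for illustration.

```python
"""Added example: append-only, hash-chained audit store with a retention check.
All names (AuditStore, the event fields, the sample users) are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90      # the "at least 90 days" floor discussed in the article
GENESIS = "0" * 64       # hash value the very first record chains to


def _digest(prev_hash, event):
    """Hash of the previous record's hash plus a canonical JSON form of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditStore:
    """Append-only store in which each record points at its predecessor's hash.

    Editing, reordering or deleting any stored record changes the hash the next
    record expects, so verify() reports the index of the first broken link.
    (In memory here; a deployment would persist this to write-once storage.)
    """

    def __init__(self):
        self.anchor = GENESIS   # hash the first retained record must chain to
        self.records = []       # list of {"event": ..., "prev": ..., "hash": ...}

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else self.anchor
        h = _digest(prev, event)
        self.records.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, bad_index)."""
        prev = self.anchor
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
                return False, i
            prev = rec["hash"]
        return True, None

    def days_covered(self, now):
        """Number of days of history the store currently holds."""
        if not self.records:
            return 0
        oldest = datetime.fromisoformat(self.records[0]["event"]["ts"])
        return (now - oldest).days

    def prune(self, now, days=RETENTION_DAYS):
        """Drop records older than the retention window and re-anchor the chain
        so the remaining records still verify. Returns the number dropped."""
        cutoff = now - timedelta(days=days)
        kept = [r for r in self.records
                if datetime.fromisoformat(r["event"]["ts"]) >= cutoff]
        dropped = len(self.records) - len(kept)
        if dropped:
            # The first kept record already points at the last dropped one's hash.
            self.anchor = kept[0]["prev"] if kept else self.records[-1]["hash"]
        self.records = kept
        return dropped


def retention_ok(store, now, days=RETENTION_DAYS):
    """True when the store still holds at least `days` of continuous history."""
    return store.days_covered(now) >= days


def demo():
    """Walk through append, prune, verify and a simulated after-the-fact edit."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    store = AuditStore()
    # Constructed sample events, oldest first.
    for days_ago, user, action in [(120, "administrator", "login"),
                                   (90, "mlee", "file_read"),
                                   (45, "jsmith", "login"),
                                   (1, "jsmith", "logout")]:
        ts = (now - timedelta(days=days_ago)).isoformat()
        store.append({"ts": ts, "user": user, "action": action})
    intact_before, _ = store.verify()
    days_before = store.days_covered(now)
    dropped = store.prune(now)                 # only the 120-day-old record goes
    intact_after, _ = store.verify()
    ok = retention_ok(store, now)
    # Simulate someone rewriting the oldest surviving record to hide activity.
    store.records[0]["event"]["user"] = "svc_backup"
    tampered_ok, bad_index = store.verify()
    return {"intact_before": intact_before, "days_before": days_before,
            "dropped": dropped, "intact_after_prune": intact_after,
            "days_after": store.days_covered(now), "retention_ok": ok,
            "tamper_detected": not tampered_ok, "tamper_index": bad_index}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hash chain is not secrecy but evidence: a reviewer can show an auditor that nothing between the anchor and the newest record was altered, and if something was, exactly where. Pairing this with storage the log-producing systems cannot write to directly (a separate share, cloud bucket, or SIEM) is what turns "logs exist" into "logs can be trusted."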

At this level, you can show an auditor that you’re logging, retaining, and reviewing activity.

The NEX Level (Maturity That Builds Resilience)

Once the basics are in place, take it further to actually protect your business:

  • Use a SIEM or MDR service. Tools like Blumira, Wazuh or Splunk automatically correlate logs, alert you to threats, and simplify reporting.

  • Automate log review. Instead of someone sifting through data manually, get alerts for suspicious logins, after-hours access, or failed admin attempts.

  • Tie logs to business risk. Review trends quarterly with leadership and turn raw data into decisions (e.g., “we need stricter vendor access controls”).

  • Harden accountability. Require unique credentials for vendors, contractors, and even automated processes.

  • Extend retention. Keeping logs for 6–12 months provides a stronger trail for long-running investigations and builds confidence with primes.

At this level, your logs don’t just satisfy compliance; they become a competitive advantage, proving you’re a reliable, resilient partner in the defense supply chain.
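To show what “automate log review” means in practice, here is an added example written for this article (not code from the original post, nor from Blumira, Wazuh or Splunk): three review rules run over a handful of constructed log lines modelled on the midnight scenario from the opening. The key=value line format, host names, addresses and account names are all constructed; the business-hours window, failure threshold and the list of generic accounts are assumptions you would tune to your environment.

```python
"""Added example: simple automated log review with three rules.
Log format, hosts, users and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (key=value style, not any vendor's real format).
SAMPLE_LOG = """\
2025-02-14T08:02:11+00:00 host=cnc-ctrl01 user=jsmith src=10.0.5.21 event=logon result=success
2025-02-14T17:45:03+00:00 host=cnc-ctrl01 user=jsmith src=10.0.5.21 event=logoff result=success
2025-02-14T23:55:40+00:00 host=cnc-ctrl01 user=administrator src=203.0.113.9 event=logon result=failure
2025-02-14T23:56:02+00:00 host=cnc-ctrl01 user=administrator src=203.0.113.9 event=logon result=failure
2025-02-14T23:56:31+00:00 host=cnc-ctrl01 user=administrator src=203.0.113.9 event=logon result=failure
2025-02-14T23:58:12+00:00 host=cnc-ctrl01 user=administrator src=203.0.113.9 event=logon result=success
2025-02-14T23:59:01+00:00 host=cnc-ctrl01 user=administrator src=203.0.113.9 event=service_stop result=success
2025-02-15T07:10:44+00:00 host=fileserv user=mlee src=10.0.5.40 event=file_read result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
BUSINESS_HOURS = (6, 19)                 # assumed 06:00-19:00; anything else is after-hours
PRIVILEGED = {"administrator", "admin", "root"}
GENERIC_ACCOUNTS = {"administrator", "admin", "shopfloor"}   # not tied to one person
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def review(lines):
    """Apply the three rules to a batch of lines and return a list of alerts."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed logons
    seen_generic = set()           # generic accounts already reported in this batch
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        is_logon = rec["event"] == "logon"
        succeeded = rec["result"] == "success"

        # Rule 1: successful logon outside business hours.
        if is_logon and succeeded and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append({"rule": "after_hours_logon", "user": user, "ts": ts, "line": line})

        # Rule 2: burst of failed logons against a privileged account from one source.
        if is_logon and not succeeded and user in PRIVILEGED:
            key = (user, rec["src"])
            failures[key] = [t for t in failures[key] if ts - t <= FAILURE_WINDOW] + [ts]
            if len(failures[key]) == FAILURE_THRESHOLD:
                alerts.append({"rule": "failed_admin_burst", "user": user, "ts": ts, "line": line})

        # Rule 3: any successful activity under a shared or generic account,
        # reported once per account per batch (the "who was it?" gap from the story).
        if succeeded and user in GENERIC_ACCOUNTS and user not in seen_generic:
            seen_generic.add(user)
            alerts.append({"rule": "shared_account_activity", "user": user, "ts": ts, "line": line})
    return alerts


def summarize(alerts):
    """Count alerts per rule, which is what a weekly review summary would show."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts'].isoformat()} {a['rule']:<24} {a['user']}")
    print(summarize(found))
```

Run against the sample, every alert points at the same “administrator” session: a failed-logon burst, an after-hours success, and activity under an account no named person owns. That is the difference between Monday-morning guesswork and a trail you can act on, and it is exactly the kind of correlation a SIEM or MDR service automates at scale.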


The Scorekeeper Lesson

Think back to playing sports as a kid. Whether it was basketball, baseball, or soccer, there was always someone keeping score.

What if there hadn’t been?

No scoreboard. No ref recording fouls. No book showing who scored, who assisted, who got benched.

At first, it might feel like freedom: Just play. But quickly, chaos sets in:

  • Players argue over the score.

  • Coaches can’t prove who made mistakes or improvements.

  • Fans lose confidence, because nobody knows who’s winning.

That’s what running a business without audit trails looks like.

Audit & Accountability is your scorekeeper. It tracks who did what, when, and how. It prevents disputes, resolves arguments, and creates trust in the system. Just like a scoreboard, it’s not the game itself, but without it, the game falls apart.

And here’s the kicker: keeping score doesn’t just help in the moment; it builds performance over time. Players study the stats, coaches see trends, and teams get better. In the same way, logs don’t just prove compliance to an auditor; they give your business the insights to improve security, operations, and resilience.

Takeaway: A scoreboard doesn’t win the game, but it makes winning possible. Audit & Accountability doesn’t stop attacks, but it gives you the proof, clarity, and trust to come out ahead.


Helpful Resources

Cybersecurity can feel overwhelming, especially when CMMC points you to dense NIST documents full of technical jargon. The good news? You don’t have to figure it all out on your own. There are practical, credible resources designed to help small and mid-sized businesses translate requirements into action.

Think of this as your launchpad: a curated mix of frameworks, free tools, and expert guides you can lean on to make Audit & Accountability achievable. Whether you’re just turning on basic logging or ready to take your program to the NEX Level, these resources give you the clarity and momentum to move forward with confidence. Here’s where to start:

Framework & Standards

  • DoD CMMC Resources – Official documentation from the DoD covering CMMC Model v2.0.
  • NIST SP 800-171 Rev. 2 – Full text from NIST, the source standard that CMMC maps to.
  • NIST SP 800-92 — Guide to Computer Security Log Management – Practical guidance for collecting, analyzing, and protecting audit logs.

Free Resources

  • CISA Logging Made Easy – A free resource that walks businesses through setting up basic, effective logging with step-by-step instructions.
  • OCSF (Open Cybersecurity Schema Framework) – An open standard for normalizing security log data so it’s easier to analyze and share.
  • Elastic (ELK Stack) – A free, open-source platform for collecting, storing, and searching logs at scale.
  • Wazuh – A free and open-source SIEM that combines log management, intrusion detection, and compliance reporting.

Paid Resources

  • Splunk – A leading SIEM platform for centralizing and analyzing security logs, with both on-prem and cloud options.
  • Blumira – An SMB-friendly SIEM and MDR solution designed for quick deployment and simplified compliance.
  • LogRhythm – An enterprise-grade SIEM with strong compliance features and log correlation capabilities.

CyberNEX Resources

  • CMMC Decoded: Audit & Accountability Reference Sheet – A concise one-page guide for defense contractors that outlines the AU control family, explains why it matters, highlights examples of evidence auditors might expect, provides quick-win actions to get started, and includes links to available resources.
  • CyberNEX Blog Archive – Explore all 14 CMMC control families with in-depth explainers, practical recommendations, and actionable insights tailored to defense contractors.

Take the NEXt Step

Don’t wait until the logs are gone to prove what happened.

Missing or incomplete audit trails don’t just put compliance at risk; they threaten your contracts, cash flow, and reputation in the defense supply chain. With the right logging and accountability practices in place, you gain clarity, control, and the confidence to answer tough questions when it matters most.

👉 Get clarity on your compliance gaps and a clear plan forward. Book a Discovery Session with our experts today.



FAQs

1. What happens if I don’t have audit logs during a CMMC assessment?
At Level 2, CMMC auditors will expect to see evidence that your systems create, protect, and review logs. If you can’t produce logs, you can’t prove accountability, and that usually means a failed assessment objective. In practice, this can delay certification or even cost you DoD contracts.

2. How long do I need to keep audit logs for CMMC Level 2?
Most auditors look for at least 90 days of readily available logs, with a total retention policy of 6–12 months considered best practice. The key is being able to show a consistent record that covers the time period when issues might surface, not just a few days’ worth of data.

3. Do I need a SIEM tool to pass CMMC 2.0?
Not necessarily. At Level 2, you can meet requirements with basic system logs (Windows, Microsoft 365, firewall, etc.) as long as they’re retained and reviewed. A SIEM or MDR service isn’t required, but it makes compliance easier and helps you catch problems faster, turning a checkbox into real protection.

4. Who should be responsible for reviewing logs in a small business?
CMMC doesn’t dictate a specific role, but it does expect accountability. That means assigning a named person (e.g., your IT manager, MSP partner, or security lead) to review logs on a regular schedule. What matters is not who does it, but that someone is clearly responsible and it’s documented.

5. What kinds of events should my business be logging?
At minimum, you should capture logins, logouts, failed login attempts, file access, administrative changes, and system alerts. These are the “breadcrumbs” that let you trace activity back to specific users and actions. More advanced logging (like network traffic or endpoint monitoring) can take you to the NEX Level, but the basics often cover compliance.
