AU.L2-3.3.7

AU.L2-3.3.7: Authoritative Time Source

Synchronize all system clocks to a reliable, authoritative time source so audit logs are trustworthy and events can be correlated accurately.

Timestamps in audit logs are evidence. If your firewall logs an event at 2:15 PM and your endpoint logs malware execution at 2:14 PM, those are clearly related. If the firewall clock is 15 minutes fast and the endpoint is correct, you misread the sequence. Time synchronization is boring but critical. Without it, your entire audit timeline becomes suspect.

AU.L2-3.3.7 requires you to designate an authoritative time source and configure all systems to keep their clocks synchronized to it. This is typically an NTP (Network Time Protocol) server. Your choice of time source matters less than consistency and verification that synchronization is actually happening. This is the foundation for AU.L2-3.3.5 (correlation). Misaligned timestamps make correlation impossible.

Family: Audit and Accountability
Practice: AU.L2-3.3.7
Difficulty: Easy
Key evidence: NTP server documentation, system time sync configuration, synchronization status logs

What the assessor is actually evaluating

The assessor is checking three things. First: “Do you have a defined authoritative time source?” You should name it. “We use [server name/IP address]” or “We use the U.S. National Institute of Standards and Technology time server at time.nist.gov.” Either is fine as long as it’s documented.

Second: “Are your systems configured to synchronize to that source?” They’ll ask for your time synchronization configuration. This might be a GPO for Windows endpoints, NTP configuration on servers, or a network-wide NTP deployment. Document it.

Third: “How do you verify it’s working?” This is where many organizations fail. They configure time sync once and never check it again. The assessor wants evidence that you monitor or verify synchronization on an ongoing basis. This might be a quarterly check, a monitoring alert if time drift exceeds a threshold, or a log review that confirms recent synchronization.

What a realistic SSP definition looks like

Example SSP Language: AU.L2-3.3.7
"Our organization maintains time synchronization across all systems that generate audit logs. The authoritative time source is [identify the source: internal NTP server, external NTP pool, NIST server, etc.]. All systems are configured to synchronize their system clocks to this source.

Configuration and synchronization:

  • Windows domain-joined endpoints and servers synchronize via Active Directory domain controller, which synchronizes to the authoritative NTP source [specify details]
  • Network devices (firewalls, switches, routers) are configured to synchronize to [NTP server IP/hostname]
  • Non-domain systems and cloud-based services are configured to use [NTP server/pool]

Time synchronization status is verified [quarterly/semi-annually] by checking system time settings on a sampling of endpoints and confirming that time drift does not exceed [X minutes]. [Specify responsible party] maintains a log of these verification activities. If a system’s time drift exceeds the acceptable threshold, it is immediately resynchronized and investigated for causes.

Audit logs include timestamps with sufficient resolution [specify: to the second, to the minute] to allow accurate event correlation and investigation. All systems use the same time format [specify: UTC with timezone offset, local time with timezone indicator, etc.] for consistency across logs."

The specifics matter: the source is named, configuration method is documented, verification process is defined.

How to present your evidence

Evidence checklist
  • Authoritative time source documentation (NTP server address/details)
  • System configuration showing time sync (GPO, NTP configs, cloud settings)
  • Verification records from current assessment period
  • NTP status reports showing recent synchronization

Prepare three straightforward elements:

  1. Time source documentation. Identify your authoritative time source. Document it. If it’s internal, provide details on the server, its configuration, and how it maintains accuracy. If it’s external (public NTP pool, NIST server), document the address and your rationale for choosing it.

  2. System configuration showing time sync. This varies by environment but should include documentation like:

    • Active Directory Group Policy Object settings for Windows domain sync
    • NTP configuration files for servers (/etc/ntp.conf on Linux, for example)
    • Network device configurations (firewall, switch settings)
    • Cloud service time zone and NTP settings if applicable

    Screenshots of time settings from a few representative systems work.

  3. Verification records. Show that you’ve checked time synchronization. This might be a log of quarterly checks, NTP status commands run on key systems showing recent synchronization, or a monitoring report showing time drift metrics over time. Include at least one verification from the current assessment period.
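
One way to turn NTP status output into a verification record, as an added example that is not part of the original guide: it reads `ntpq -pn` output collected from each host, confirms the selected peer is the documented source, and checks the offset against a drift limit. The addresses, host names, threshold and date are constructed placeholders; substitute the values from your SSP.

```python
from typing import NamedTuple, Optional

# Assumptions for this example: placeholder addresses and an example limit.
APPROVED_SOURCES = {"192.0.2.10"}   # the source(s) named in your SSP
MAX_DRIFT_MS = 1000.0               # acceptable drift, from your SSP

class Check(NamedTuple):
    host: str
    peer: Optional[str]
    offset_ms: Optional[float]
    passed: bool
    reason: str

def check_host(host, ntpq_output, approved=APPROVED_SOURCES, limit_ms=MAX_DRIFT_MS):
    """Evaluate one host's `ntpq -pn` output."""
    for line in ntpq_output.splitlines():
        fields = line[1:].split()
        # '*' in column one marks the peer ntpd is currently synchronized to.
        if not line.startswith("*") or len(fields) < 10:
            continue
        peer, offset_ms = fields[0], float(fields[8])   # offset column is in ms
        if peer not in approved:
            return Check(host, peer, offset_ms, False, "synced to undocumented source")
        if abs(offset_ms) > limit_ms:
            return Check(host, peer, offset_ms, False, "drift exceeds limit")
        return Check(host, peer, offset_ms, True, "ok")
    return Check(host, None, None, False, "no selected peer (not synchronized)")

def verification_log(samples, checked_at):
    """One record line per host, suitable for a dated verification log."""
    return [f"{checked_at} {c.host} peer={c.peer} offset_ms={c.offset_ms} "
            f"{'PASS' if c.passed else 'FAIL'} {c.reason}"
            for c in (check_host(h, out) for h, out in samples.items())]

# Constructed sample output, not captured from real systems.
HEADER = ("     remote           refid      st t when poll reach   delay   offset  jitter\n"
          "==============================================================================\n")
SAMPLES = {
    "srv-app01": HEADER + "*192.0.2.10      .GPS.            1 u   33   64  377    0.412   -0.287   0.105\n",
    "srv-db01":  HEADER + "*192.0.2.10      .GPS.            1 u   40   64  377    0.398 1520.331   4.870\n",
    "srv-web01": HEADER + "*198.51.100.7    203.0.113.1      2 u   12   64  377   21.530    3.204   0.920\n",
    "srv-old01": HEADER + " 192.0.2.10      .INIT.          16 u    - 1024    0    0.000    0.000   0.000\n",
}

if __name__ == "__main__":
    for record in verification_log(SAMPLES, "2025-01-15T14:00:00+00:00"):
        print(record)
```

Only the first host passes; the other three fail for different reasons (drift over the limit, an undocumented source, no selected peer), which are the cases a one-time configuration check would miss.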

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What's your authoritative time source?"
Name it immediately. "We use an internal NTP server at [IP]" or "We use the NIST NTP server at time.nist.gov." Then explain briefly how you chose it and why it's reliable.
Q: "How do your systems synchronize to that source? Walk me through a specific example."
Pick a system type you have (Windows domain endpoint, Linux server, firewall, etc.). Explain how it's configured. "Windows endpoints are domain-joined and synchronize via the domain controller, which synchronizes to our NTP server." Or "Our servers have ntpd running, pointing to [server]."
Q: "How do you know synchronization is working? Show me recent evidence."
Pull up your most recent verification. Run an NTP status command on a server showing recent synchronization. Or pull your quarterly verification log. "Here's our last check from [date], confirming time drift was within acceptable limits on a sample of systems."

Common failures

No defined authoritative source: You configure systems to sync but don't identify what they're syncing to. Or different systems sync to different sources, creating inconsistency. Define one authoritative source and synchronize everything to it.
Time sync configured but never verified: You set up NTP configuration months ago and never checked if it's working. Systems could have drifted significantly. Verify at least quarterly that synchronization is active and drift is acceptable.
Clear time format and resolution across logs: All audit logs use the same time format (UTC with timezone offset is preferred for clarity). Timestamp resolution is fine enough for correlation (to the second, not to the minute). This prevents ambiguity when you're trying to sequence events across systems.
Monitoring for time drift: You have an alert that fires if a system's time drifts too far from the authoritative source. When the alert fires, you investigate and resynchronize. This is proactive and prevents the problem from becoming apparent only during incident investigation.

If you use an MSSP

Your MSSP should synchronize their own systems and monitoring infrastructure to a reliable time source. If they’re collecting logs from your systems, they need to preserve your timestamps (not overwrite them) so that correlation between your logs and their analysis is accurate. Ask your MSSP how they handle timestamp preservation and time synchronization in their infrastructure.

Your MSSP’s responsibility is to maintain accurate time in their systems and preserve the timestamps from your logs. You remain responsible for ensuring your own systems are synchronized to your authoritative time source. Both must be in sync for correlation and investigation to work properly. A good MSSP documents their time source and can demonstrate that timestamps are preserved during log ingestion.

Verify MSSP time synchronization approach

Request confirmation that your MSSP has defined an authoritative time source and configured their infrastructure to use it. Ask specifically how they handle timestamps when ingesting logs from your systems. They should preserve original timestamps and only add their own metadata timestamps. In the assessment room, you can reference your MSSP's time synchronization if they're collecting logs on your behalf.
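
A sketch of timestamp-preserving ingestion, added here as an example and not taken from the guide or from any MSSP's tooling: each record keeps the source's original timestamp untouched, gains a UTC-normalized event time for correlation, and gets the collector's receive time as separate metadata. The field names, the `ingest` and `timeline` helpers, and the events are constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

def ingest(source, raw_ts, message, received_at, naive_offset_hours=None):
    """Build a record that keeps the original timestamp and adds UTC metadata."""
    ts = datetime.fromisoformat(raw_ts)
    if ts.tzinfo is None:
        # A timestamp with no offset is ambiguous; require a documented
        # offset for that source instead of guessing.
        if naive_offset_hours is None:
            raise ValueError(f"{source}: timestamp {raw_ts!r} has no UTC offset")
        ts = ts.replace(tzinfo=timezone(timedelta(hours=naive_offset_hours)))
    return {
        "source": source,
        "original_timestamp": raw_ts,                   # preserved exactly as sent
        "event_time_utc": ts.astimezone(timezone.utc),  # used for correlation
        "ingested_at_utc": received_at,                 # collector metadata only
        "message": message,
    }

def timeline(records):
    """Order by when events happened, not by when the collector saw them."""
    return sorted(records, key=lambda r: r["event_time_utc"])

# Constructed events; all reached the collector at the same time, out of order.
RECEIVED = datetime(2025, 3, 4, 19, 20, 0, tzinfo=timezone.utc)
EVENTS = [
    ingest("firewall", "2025-03-04T14:15:02-05:00", "outbound connection blocked", RECEIVED),
    ingest("switch", "2025-03-04 14:14:55", "port up", RECEIVED, naive_offset_hours=-5),
    ingest("endpoint", "2025-03-04T19:14:40+00:00", "malware execution", RECEIVED),
]

if __name__ == "__main__":
    for r in timeline(EVENTS):
        print(r["event_time_utc"].isoformat(), r["source"], r["message"],
              "(original:", r["original_timestamp"] + ")")
```

Sorting on the normalized event time places the endpoint event first even though the firewall record was ingested first and carries a different offset.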


Disclaimer: This guide is educational and not official CMMC documentation. Always refer to NIST SP 800-171 and the official CMMC Assessment Guide for authoritative requirements. Individual assessment results depend on implementation details specific to your organization.