AU.L2-3.3.7: Authoritative Time Source

Synchronize all system clocks to a reliable, authoritative time source so audit logs are trustworthy and events can be correlated accurately.

Timestamps in audit logs are evidence. If your firewall logs an event at 2:15 PM and your endpoint logs malware execution at 2:14 PM, those are clearly related. If the firewall clock is 15 minutes fast and the endpoint is correct, you misread the sequence. Time synchronization is boring but critical. Without it, your entire audit timeline becomes suspect.

AU.L2-3.3.7 requires you to designate an authoritative time source and configure all systems to keep their clocks synchronized to it. This is typically an NTP (Network Time Protocol) server. Your choice of time source matters less than consistency and verification that synchronization is actually happening. This is the foundation for AU.L2-3.3.5 (correlation). Misaligned timestamps make correlation impossible.

Family: Audit and Accountability
Practice: AU.L2-3.3.7
Difficulty: Easy
Key evidence: NTP server documentation, system time sync configuration, synchronization status logs

What the assessor is actually evaluating

The assessor is checking three things. First: “Do you have a defined authoritative time source?” You should name it. “We use [server name/IP address]” or “We use the U.S. National Institute of Standards and Technology time server at time.nist.gov.” Either is fine as long as it’s documented.

Second: “Are your systems configured to synchronize to that source?” They’ll ask for your time synchronization configuration. This might be a GPO for Windows endpoints, NTP configuration on servers, or a network-wide NTP deployment. Document it.

Third: “How do you verify it’s working?” This is where many organizations fail. They configure time sync once and never check it again. The assessor wants evidence that you monitor or verify synchronization on an ongoing basis. This might be a quarterly check, a monitoring alert if time drift exceeds a threshold, or a log review that confirms recent synchronization.

What a realistic SSP definition looks like

Example SSP Language: AU.L2-3.3.7
"Our organization maintains time synchronization across all systems that generate audit logs. The authoritative time source is [identify the source: internal NTP server, external NTP pool, NIST server, etc.]. All systems are configured to synchronize their system clocks to this source.

Configuration and synchronization:

  • Windows domain-joined endpoints and servers synchronize via Active Directory domain controller, which synchronizes to the authoritative NTP source [specify details]
  • Network devices (firewalls, switches, routers) are configured to synchronize to [NTP server IP/hostname]
  • Non-domain systems and cloud-based services are configured to use [NTP server/pool]

Time synchronization status is verified [quarterly/semi-annually] by checking system time settings on a sampling of endpoints and confirming that time drift does not exceed [X minutes]. [Specify responsible party] maintains a log of these verification activities. If a system’s time drift exceeds the acceptable threshold, it is immediately resynchronized and investigated for causes.

Audit logs include timestamps with sufficient resolution [specify: to the second, to the minute] to allow accurate event correlation and investigation. All systems use the same time format [specify: UTC with timezone offset, local time with timezone indicator, etc.] for consistency across logs."

The specifics matter: the source is named, configuration method is documented, verification process is defined.

How to present your evidence

Evidence checklist
  • Authoritative time source documentation (NTP server address/details)
  • System configuration showing time sync (GPO, NTP configs, cloud settings)
  • Verification records from current assessment period
  • NTP status reports showing recent synchronization

Prepare three straightforward elements:

  1. Time source documentation. Identify your authoritative time source. Document it. If it’s internal, provide details on the server, its configuration, and how it maintains accuracy. If it’s external (public NTP pool, NIST server), document the address and your rationale for choosing it.

  2. System configuration showing time sync. This varies by environment but should include documentation like:

    • Active Directory Group Policy Object settings for Windows domain sync
    • NTP configuration files for servers (/etc/ntp.conf on Linux, for example)
    • Network device configurations (firewall, switch settings)
    • Cloud service time zone and NTP settings if applicable

    Screenshots of time settings from a few representative systems work.
  3. Verification records. Show that you’ve checked time synchronization. This might be a log of quarterly checks, NTP status commands run on key systems showing recent synchronization, or a monitoring report showing time drift metrics over time. Include at least one verification from the current assessment period.
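One way to produce the verification records described in item 3, as an added example that is not part of the original guide: a Python check that reads `ntpq -pn` output collected from sampled Linux hosts and records whether each host is synced to the designated source within the drift threshold. The source address, thresholds, hostnames, check date and captured output are all constructed assumptions; substitute the values from your own SSP.

```python
AUTHORITATIVE = "10.0.0.5"   # assumption: your documented NTP source
MAX_OFFSET_MS = 2000.0       # assumption: drift threshold from your SSP (2 s)
MIN_REPLIES = 4              # assumption: at least 4 of the last 8 polls answered

HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
# Constructed `ntpq -pn` captures from hypothetical hosts (not real output).
SAMPLES = {
    "web01": HEADER + "*10.0.0.5        198.51.100.10    2 u   33   64  377    0.412    0.853   0.120\n",
    "db01":  HEADER + "*192.0.2.44      .GPS.            1 u   12   64  377    8.100    1.204   0.310\n",
    "fw01":  HEADER + "*10.0.0.5        198.51.100.10    2 u   41   64  377    0.530 2315.402   4.870\n",
    "app02": HEADER + " 10.0.0.5        .INIT.          16 u    -   64    0    0.000    0.000   0.000\n",
}

def check_host(output):
    """Classify one host's `ntpq -pn` output as (status, detail)."""
    for line in output.splitlines():
        if not line.startswith("*"):   # '*' tags the peer the clock is synced to
            continue
        fields = line[1:].split()
        if len(fields) != 10:
            return ("FAIL", "unparseable peer line")
        remote, reach, offset_ms = fields[0], int(fields[6], 8), float(fields[8])
        replies = bin(reach).count("1")   # reach is an octal 8-poll shift register
        if remote != AUTHORITATIVE:
            return ("FAIL", f"synced to {remote}, not {AUTHORITATIVE}")
        if replies < MIN_REPLIES:
            return ("FAIL", f"only {replies}/8 recent polls answered")
        if abs(offset_ms) > MAX_OFFSET_MS:   # ntpq reports offset in milliseconds
            return ("FAIL", f"offset {offset_ms:+.3f} ms exceeds {MAX_OFFSET_MS:.0f} ms")
        return ("PASS", f"offset {offset_ms:+.3f} ms, {replies}/8 polls answered")
    return ("FAIL", "no selected peer; clock is not synchronized")

def verification_log(samples, checked_on):
    """One record per host, suitable for appending to a verification log."""
    results = ((host, check_host(out)) for host, out in sorted(samples.items()))
    return [f"{checked_on} {host} {status}: {detail}"
            for host, (status, detail) in results]

if __name__ == "__main__":
    # The date is a constructed sample value; use the actual check date.
    print("\n".join(verification_log(SAMPLES, "2025-01-15")))
```

The three failure cases map to the findings an assessor looks for: a host synced to a source other than the designated one, a host whose drift exceeds the threshold, and a host that is configured but not actually synchronized.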

Common failures

What gets flagged

No defined authoritative source. You configure systems to sync but don't identify what they're syncing to. Or different systems sync to different sources, creating inconsistency. Define one authoritative source and synchronize everything to it.

Time sync configured but never verified. You set up NTP configuration months ago and never checked if it's working. Systems could have drifted significantly. Verify at least quarterly that synchronization is active and drift is acceptable.

What makes assessors move on satisfied

Clear time format and resolution across logs. All audit logs use the same time format (UTC with timezone offset is preferred for clarity). Timestamp resolution is fine enough for correlation (to the second, not to the minute).

Monitoring for time drift. You have an alert that fires if a system's time drifts too far from the authoritative source. When the alert fires, you investigate and resynchronize.

If you use an MSSP

Your MSSP should synchronize their own systems and monitoring infrastructure to a reliable time source. If they’re collecting logs from your systems, they need to preserve your timestamps (not overwrite them) so that correlation between your logs and their analysis is accurate. Ask your MSSP how they handle timestamp preservation and time synchronization in their infrastructure.

Your MSSP’s responsibility is to maintain accurate time in their systems and preserve the timestamps from your logs. You remain responsible for ensuring your own systems are synchronized to your authoritative time source. Both must be in sync for correlation and investigation to work properly. A good MSSP documents their time source and can demonstrate that timestamps are preserved during log ingestion.

Verify MSSP time synchronization approach

Request confirmation that your MSSP has defined an authoritative time source and configured their infrastructure to use it. Ask specifically how they handle timestamps when ingesting logs from your systems. They should preserve original timestamps and only add their own metadata timestamps. In the assessment room, you can reference your MSSP's time synchronization if they're collecting logs on your behalf.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Assessor: "What's your authoritative time source?"
"We use the NIST NTP server at time.nist.gov as our authoritative source. Our domain controller syncs directly to it, and everything else syncs through the domain controller. We chose NIST because it's a government-maintained, highly reliable time source."
Assessor: "How do your systems synchronize to that source? Walk me through a specific example."
"[Pull up the GPO settings.] Our Windows endpoints are domain-joined and synchronize via Active Directory, which chains up to the domain controller. The domain controller syncs to NIST. For our firewalls and network devices, we configure NTP directly to point at the domain controller. Here's the NTP configuration on our primary firewall."
Assessor: "How do you know synchronization is working? Show me recent evidence."
"We verify quarterly. [Pull up the verification log.] Here's our last check from two months ago. We sampled 15 systems across endpoints, servers, and network devices, and confirmed time drift was under two seconds on all of them. If drift exceeds our threshold, we resync immediately and investigate the cause."

Disclaimer: This guide is educational and not official CMMC documentation. Always refer to NIST SP 800-171 and the official CMMC Assessment Guide for authoritative requirements. Individual assessment results depend on implementation details specific to your organization.
