What does AU.L2-3.3.8 require for CMMC Level 2?

You must prevent unauthorized access, modification, and deletion of audit logs. Only authorized personnel should be able to read them, and only audit systems should be able to write to them.

What evidence do I need for AU.L2-3.3.8?

Evidence includes access control lists or permissions documentation showing who can read and modify logs, configuration protecting log integrity, and controls preventing deletion. Log retention settings and encryption status also support this practice.

What's the most common failure for AU.L2-3.3.8?

Audit logs are stored on a shared file server with permissive access. Too many people can delete or modify them. Or SIEM administrator credentials are stored insecurely. Or logs lack tamper-evident properties (file integrity monitoring).

AU.L2-3.3.8

AU.L2-3.3.8: Audit Protection

Protect audit logs from unauthorized access, modification, and deletion to preserve their integrity as evidence.

Updated March 30, 2026

Audit logs are evidence. If an attacker can delete or modify them, the logs lose their value. If a disgruntled employee can clear their own activity, accountability disappears. AU.L2-3.3.8 requires you to protect logs as the security assets they are.

Protection has multiple dimensions. First, access control. Only authorized security and audit personnel should be able to read logs. System administrators who can see logs should not be able to modify them. Second, tamper evidence. You should know if someone has tried to modify or delete logs. Third, retention. Logs are protected for their entire retention period. This complements AU.L2-3.3.1 (log collection). If you collect logs but don’t protect them, they’re worthless as evidence.

Family Audit and Accountability

Practice AU.L2-3.3.8

Difficulty Medium

Key evidence Access control lists, log storage security, integrity monitoring, retention configuration

What the assessor is actually evaluating

The assessor will test your log protection in three ways. First: “Who can read these logs?” They want a specific answer. “The security team” is vague. “The SIEM administrator and the security manager, with IT director approval required to grant others access” is what they want to hear.

Second: “Who can modify or delete logs?” The answer should be “No one. The SIEM system writes them, and only the SIEM has write access. Everyone else has read-only access, and audit logs specifically cannot be deleted, only archived by the SIEM after retention expires.” If a system administrator or auditor can modify or delete logs, this practice fails.

Third: “How do you know if someone has tried to modify logs?” They want evidence of tamper detection. This might be file integrity monitoring on log files, hashing of log entries, immutable log storage, or monitoring of access control changes on the log store. The specific mechanism matters less than the existence of detection.

What a realistic SSP definition looks like

Example SSP Language: AU.L2-3.3.8

"Our organization protects audit logs from unauthorized access, modification, and deletion. Audit logs are stored in [centralized storage location: SIEM platform, log aggregation server, cloud service, etc.].

Access controls:

Read access is granted only to [specify roles: security team members, audit staff, IT director] on a need-to-know basis
Write access is restricted to the automated logging systems and SIEM platform only
Delete access is completely restricted; logs are retained for [X months] and archived or deleted only through automated processes
All access to logs is logged and monitored as part of our regular audit review

Integrity protection:

Log files are protected with file integrity monitoring to detect unauthorized modifications
Logs are stored in [read-only storage / immutable storage] after a brief buffer period to prevent modification
Log entries are [cryptographically hashed / digitally signed] to detect tampering
[If applicable: Logs are replicated to a second, physically separate location to ensure availability and detect deletion attempts]

Encryption:

Logs in transit to the SIEM are encrypted using [protocol: TLS 1.2 or higher]
Logs at rest are encrypted using [algorithm: AES-256]

Retention and disposal:

Logs are retained for a minimum of [X months]
After retention expires, logs are [securely deleted / archived to long-term storage] using [deletion method]
Deletion is logged and audited"

Specificity matters. Named people, clear restrictions, and concrete protection mechanisms all demonstrate that you’ve thought this through.

How to present your evidence

Evidence checklist

Access control lists showing who can read and modify logs
File integrity monitoring configuration or immutable storage settings
Access logs showing who accessed logs and when
Encryption configuration for logs in transit and at rest

Gather four categories of evidence:

Access control documentation. A document or screenshot showing who has access to logs. This might be a SIEM user roles list, file permissions on a log directory, or a security control procedures document. Show that read access is limited and write/delete access is restricted.
Configuration protecting log integrity. If you use file integrity monitoring, provide the configuration showing which log files are protected and the monitoring rules. If you use immutable storage, document the storage configuration and retention settings. If you use log signing or hashing, show the mechanism.
Access logs or audit trails. Evidence that access to logs is itself logged. Pull a sample of who accessed logs and when over the past month. This demonstrates that you monitor access and can detect unauthorized attempts.
Encryption configuration. Document how logs are protected in transit and at rest. TLS 1.2+ for transmission and AES-256 for storage are standard. Provide configuration screenshots.

Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "Who can access these audit logs? Can they modify them?"

Name the specific roles with read access. Explain that write access is restricted to the SIEM only. "Only the security team and auditors have read access. No one except the SIEM system has write access. Logs are read-only after the initial collection period."

Q: "Can you delete logs? How would I know if someone tried?"

Explain your deletion prevention. "Logs are immutable after 24 hours. We monitor for any changes to access controls on the log store. File integrity monitoring alerts if any log file is modified. If someone tried to delete logs, we'd see that change in our integrity monitoring immediately." Pull up your integrity monitoring alerts as proof that the system is running.

Q: "Show me who accessed logs in the past month and what they did."

Pull your access log. Show that access attempts are recorded. Most accesses should be read-only queries from your security team. If you see unexpected access or modification attempts, explain the investigation.

Common failures

Logs stored on permissive file share: Audit logs are on a shared network drive with open read/write permissions. System administrators, help desk staff, or others can access and potentially delete them. Move logs to a dedicated, access-controlled storage location. SIEM platforms are designed specifically for this problem.

No monitoring of log access or modification: You protect logs with access controls but don't monitor whether those controls are working. No alerts if someone deletes logs. No audit trail of who accessed them. Implement access logging on the log store and monitor it.

Immutable or write-once storage: Logs can't be modified or deleted after collection. This is the strongest protection. SIEM platforms typically offer this. Once logs land in the SIEM, they stay there unchanged until retention expires and are removed by the system itself.

File integrity monitoring on logs: You have FIM running on log files or the log storage directory. The FIM generates alerts if any file is modified. This acts as tamper detection and provides forensic evidence of tampering attempts.

If you use an MSSP

Your MSSP should protect your logs with at least as much rigor as you would internally. They own the technical implementation of access controls, encryption, and integrity monitoring on your logs. Your role is to verify that their approach meets your requirements and to document the controls they’ve put in place on your behalf.

Your MSSP’s SIEM should implement access controls limiting who can see your logs. You should have a distinct user account to access your data, separate from their other customers’ data. Encryption in transit (TLS) and at rest (AES-256 or equivalent) should be standard. They should use immutable or read-only storage for logs to prevent modification. Access to logs should be logged and monitored.

Request documentation of MSSP log protection controls

Request documentation of your MSSP's access controls, log storage architecture, encryption approach, and confirmation that your logs are isolated from other customers. Ask about their integrity monitoring and how they detect unauthorized access or modification. In the assessment room, ask them to walk through their multi-layered protection approach. A good MSSP can explain their controls in detail and provide evidence they're working.

Disclaimer: This guide is educational and not official CMMC documentation. Always refer to NIST SP 800-171 and the official CMMC Assessment Guide for authoritative requirements. Individual assessment results depend on implementation details specific to your organization.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← AU.L2-3.3.9: Audit Management All Practices AU.L2-3.3.7: Authoritative Time Source →