Mastering CMMC Control AU.L2-3.3.1: Essential SIEM Solutions for Compliance
Discover how to create and retain system audit logs with a SIEM solution to ensure compliance with CMMC Control AU.L2-3.3.1. Transform into a compliance hero!
CMMC 2.0 Control AU.L2-3.3.1- Essential Audit Logs Monitoring and Reporting System Activity
Added on 09/30/2024

Speaker 1: Hey, everybody. It's Mike Frieder here with On-Call Compliance Solutions, and I'm back with another compliance tip of the week. This week, we're talking about CMMC Control AU.L2-3.3.1. Hello, Mr. Arigato. I am Mr. Roboto. Actually, I'm like too young for the 80s, man. Well, I grew up, you know, I was born in the 80s, so I'm not too young for the 80s. I like the 80s. Anyway, beside the point. Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. So, hey, if you're a defense contractor who's feeling overwhelmed, tired, and alone, trying to understand all of this CMMC, DFARS, and NIST SP-800-171 compliance stuff on top of an already colossal workload, well, I've got great news for you. You found your home here at On-Call Compliance Solutions, where we can help you transform into your company's on-call compliance hero. Let's jump into it. So, in CMMC Control AU.L1-3.3.1, create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Oh, boy, here we go. We're back with one of the most misunderstood controls and concepts in CMMC, and I'm going to make it all clear with one easy phrase. Are you ready? You need a SIEM solution. That's it. That's what you need to know on this one. And if you have no idea what it is, you should just hang up your YouTube phone and pick up the other phone with your left hand, and you should call us. Look, you need a SIEM solution, all right? Even if you have no idea what that is, you should just... Well, you need one, all right? So, again, either way, it's going to cost you way less time and money to put one of these in place. Well, it's the only thing you really can do to be compliant, so just call us and we'll help. 
But, of course, we're not going to totally leave you hanging there with my unbelievably awesome unscripted script here. That's not how we roll it on call. I will give you a little help because giving people help is what we do, and we love doing it, and we love doing it for free. We love doing it even more when you pay. And, you know, it's real talk. It pays the bills because I don't get paid to do these awesome YouTube videos, which is why the quality is so incredibly amazing. You should see how much revenue we drive off YouTube videos. Exactly. All right, I will at least tell you that a SIEM or a security information event management solution is something that ingests the log files from the computers and other devices like firewalls and turns it into useful security alerts and relevant information so that your network is always being properly watched over and you're always getting timely enough alerts that you can actually use to take action with. All right? So I always ask people, I say, hey, how is your network monitored? And when they don't really have an answer, I know they don't really have a SIEM solution, and I typically know, yuck, it's a bad situation. Anyway, let's check out what the assessors are looking for and how to make them happy. Assessment point number one, determine if audit logs needed, i.e. event types to be logged, to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. So are the logs that will enable information to flow your way, is it specified? The answer is going to be yes, right? We're going to pull system logs and firewall logs and manage switch logs and I don't know, whatever else is relevant to your environment. Maybe it's Azure government, you know, logs. And we're going to feed it all into our SIEM system, right? 
So the SIEM system kind of does that, but first we determine that we've installed SIEM log senders or agents or whatever it may be for your solution onto those devices. We have to define those devices. All right, point number two, determine if the content of audit records needed to support monitoring, analysis, investigation, reporting of unlawful or unauthorized system activity is defined. So are we defining what the content of those audit records is? Again, your SIEM system kind of does this for you because it's just puking out all of the logs or you're defining what the logs are that are being sent to that system. So either way, you can have it defined. Your SIEM system is what ingests it. Next, we have to determine if audit records are created, okay? Do we create audit records when the information is ingested into the SIEM system? Okay, this is built into the SIEM system, but nonetheless, I have run into clients, especially big ones, who have like cobbled together their own SIEM system out of, you know, a great example is like Elastic, right? So Elastic is a solution out there where you can really customize what goes in there. So we want to make sure that, again, there's an audit record being created as part of the process. Next point is determine if audit records once created contain the defined content, okay? So do the audit records actually contain the content defined as, well, what you're trying to audit? So again, we say, hey, look, we can look at our SIEM system. It's all kind of there. You know, it's unknown right now how deeply the assessors will really want to dive into the nitty-gritty here. Like, do they want a written policy where you've written out every kind of audit record type that you're going, like, that's extreme. I think if you've got a SIEM system, this whole control really is pretty easy to answer. Final, excuse me, final two points, right? Determine if retention requirements for audit records are defined. 
Most SIEM systems are going to have at least 30 days worth of records. We tell our clients, look, I think you should have at least 90 days to 93 days. Why? Because again, in DFAR 7012, the DoD has 90 days to request you pull records back so they can do a forensic investigation. That's the actual rationale there, if you will. And then the final assessment point is determine if audit records are retained as defined. So again, is there a retention policy? And then go actually sort of verify that they are in fact being retained in accordance with the policy, the policy is active, linked, et cetera. So this is probably gonna be a demonstration. You're likely going to have an assessor ask to see your SIEM system or at least the audit record example, you know, that could just be a simple over-the-shoulder surf, or again, some kind of demonstration that's actually working. So yeah, that's, you know, no problem at all, right? Only seven assessment points, any of which can fail you. I hope you get it right. Just kidding. The good news is we can help you get it right. And that's what this video is all about, helping you guys. So look, at OnCall, we work with defense contractors just like you who have had this DFARS, NIST, ITAR, and CMMC compliance stuff dropped in their laps like a seagull on a sunny day. And we teach you how to level up and be a proper OnCall compliance hero for your company, eliminating gaps, gray areas, and getting this solved all while showing you how to leverage compliance as your secret weapon to land more defense work with higher profit margins. That's what becoming an OnCall compliance hero can do for you. If you're looking for more help getting compliant, our compliance experts are always on call for you. Visit cmmccompliancesecrets.com or check out the bio below for links to get help right now. If you love the content we're putting out here for you, help us out with a big thumbs up on that like button or even better. Here it comes. Here it comes. 
Get your finger ready. Here it is. Ah, smash that subscribe button, baby, to get the latest compliance content as soon as our compliance heroes roll it out. Until the next compliance tip, my friends, stay safe and secure out there. Hit us in the comments below to let us know what you'd like to know more about when it comes to information security and compliance, and I'll see you on the next one.
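One way to turn the six assessment objectives walked through above into a repeatable self-check against what a SIEM actually holds, as an added example that is not part of the video or On-Call's own material. The event types, required fields and records are constructed samples, and the 90-day figure follows the retention guidance given above.

```python
from datetime import datetime, timedelta

# Constructed sample: event types the organisation has declared it logs
# (objective [a]) and the fields each record type must carry (objective [b]).
DEFINED_EVENTS = {
    "logon": {"user", "host", "outcome"},
    "privilege_use": {"user", "host", "action"},
    "firewall_deny": {"src_ip", "dst_ip", "dst_port"},
}
RETENTION_DAYS = 90  # retention requirement as written in policy (objective [e])

# Constructed sample of records as a SIEM might export them (not real data).
SAMPLE_RECORDS = [
    {"ts": "2024-06-01T08:00:00", "event": "logon", "user": "jdoe", "host": "ws01", "outcome": "success"},
    {"ts": "2024-07-15T12:30:00", "event": "firewall_deny", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"ts": "2024-09-20T09:15:00", "event": "privilege_use", "user": "admin", "host": "srv02"},  # no 'action'
]


def assess_audit_logging(records, defined=DEFINED_EVENTS, retention_days=RETENTION_DAYS, now=None):
    """Return one pass/fail flag per AU.L2-3.3.1 assessment objective, plus the offending records."""
    now = now or datetime.now()
    results = {}
    # [a] event types to be logged are specified; [b] their content is defined
    results["a_event_types_specified"] = bool(defined)
    results["b_content_defined"] = all(defined.values())
    # [c] records are actually being created for every defined event type
    seen = {r["event"] for r in records}
    results["c_records_created"] = set(defined) <= seen
    # [d] each created record carries the content defined for its type
    incomplete = [r for r in records if not defined.get(r["event"], set()).issubset(r)]
    results["d_records_contain_defined_content"] = not incomplete
    # [e] a retention requirement exists
    results["e_retention_defined"] = retention_days > 0
    # [f] records are retained as defined: the oldest record on hand must reach back
    #     at least retention_days (this shows span, not that every day in between is present)
    oldest = min(datetime.fromisoformat(r["ts"]) for r in records)
    results["f_retained_as_defined"] = (now - oldest) >= timedelta(days=retention_days)
    results["incomplete_records"] = incomplete
    return results


if __name__ == "__main__":
    for objective, outcome in assess_audit_logging(SAMPLE_RECORDS, now=datetime(2024, 10, 1)).items():
        print(f"{objective}: {outcome}")
```

With the constructed sample the check flags the privilege_use record that lacks its defined "action" field, which is exactly the gap an assessor probing objective [d] would ask about.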
