NIST 800-171 R-3.3.1
Create and Retain Audit Logs
Official citation: 3.3.1
Class: core · Severity: high
Statement of the obligation — verify against source
3.3.1
What it means
Create and keep system audit logs in enough detail to monitor, analyze, investigate, and report unlawful or unauthorized activity. Decide which event types matter to security — such as password changes, failed logons, administrative-privilege use, or third-party credential use — and record useful details like timestamps, source and destination addresses, user or process IDs, event descriptions, and success/failure. Balance logging against system performance, and review the logs as often as needed to support risk-based decisions.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.