
3.3.7 Audit and Accountability - Derived

Derived Requirement

Control Description

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

Discussion

Internal system clocks are used to generate time stamps, which include date and time. Time is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds.

Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. This requirement provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

See [IETF 5905].
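
A worked check for the comparison described above, as an added example that is not part of the original page: it parses an NTP server reply using the [IETF 5905] header layout, computes the clock offset and round-trip delay, and tests the offset against a per-component tolerance. The tolerance values, component names, function names and the sample exchange are constructed assumptions.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER = "!BBbbII4sQQQQ"         # 48-byte NTP packet header layout from RFC 5905
# Assumed tolerances in seconds; each organization defines its own per component.
TOLERANCE = {"domain-controller": 0.010, "workstation": 0.500}

def to_ntp(unix_s):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return round((unix_s + NTP_UNIX_DELTA) * 2**32)

def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds."""
    return ts / 2**32 - NTP_UNIX_DELTA

def clock_offset(reply, t4):
    """Return (offset, delay) in seconds for a server reply that arrived at local time t4."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    # Fields: flags, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference ts, origin ts (T1), receive ts (T2), transmit ts (T3).
    flags, stratum, *_, t1, t2, t3 = struct.unpack(HEADER, reply[:48])
    leap, mode = flags >> 6, flags & 0x7
    # Refuse replies that cannot serve as an authoritative reference:
    # not a server reply, alarm condition (LI=3), or stratum 0 / above 15.
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("reply is not from a synchronized server")
    t1, t2, t3 = from_ntp(t1), from_ntp(t2), from_ntp(t3)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # server clock minus local clock
    delay = (t4 - t1) - (t3 - t2)          # round-trip network delay
    return offset, delay

def within_tolerance(component, offset):
    return abs(offset) <= TOLERANCE[component]

def make_reply(t1, t2, t3, leap=0, stratum=2):
    """Build a constructed server reply (version 4, mode 4) for the demo."""
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0, b"\0" * 4,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))

# Constructed exchange: the local clock runs 120 ms behind the server.
T1, T2, T3, T4 = 1_700_000_000.000, 1_700_000_000.135, 1_700_000_000.136, 1_700_000_000.031

if __name__ == "__main__":
    offset, delay = clock_offset(make_reply(T1, T2, T3), T4)
    for component in TOLERANCE:
        status = "OK" if within_tolerance(component, offset) else "DRIFT"
        print(f"{component}: offset={offset:+.3f}s delay={delay:.3f}s {status}")
```

The same 120 ms offset passes the workstation tolerance and fails the tighter one, which is the practical effect of defining different granularities for different components.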

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address the Audit and Accountability (derived) requirement for CUI systems?
  • Who is accountable for implementing and maintaining the Audit and Accountability (derived) controls?
  • How frequently are the Audit and Accountability (derived) requirements reviewed, and what triggers updates?
  • What process ensures that changes to systems maintain compliance with the Audit and Accountability (derived) requirements?
  • How are exceptions to the Audit and Accountability (derived) requirements documented and approved?

Technical Implementation:

  • What technical controls enforce the Audit and Accountability (derived) requirement in your CUI environment?
  • How are the Audit and Accountability (derived) controls configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with the Audit and Accountability (derived) requirement?
  • How do you validate that the Audit and Accountability (derived) implementations achieve their intended security outcome?
  • What compensating controls exist if the primary Audit and Accountability (derived) controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that the Audit and Accountability (derived) requirement is implemented and operating effectively?
  • Can you provide configuration evidence showing how the Audit and Accountability (derived) requirement is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with the Audit and Accountability (derived) requirement?
  • Can you show evidence of a recent review or assessment of the Audit and Accountability (derived) controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with the Audit and Accountability (derived) requirement?
