Compliance Guide — NIST SP 800-171 Rev 2
NIST 800-171 Employee Monitoring Requirements: AU and AC Control Family Compliance Guide
NIST SP 800-171 employee monitoring requirements are the set of technical controls that DoD contractors must implement to protect Controlled Unclassified Information (CUI) under DFARS 252.204-7012. The Audit and Accountability (AU) control family — nine controls in total — directly mandates user activity logging, individual user traceability, log review procedures, and audit record protection. This guide maps each AU and relevant AC control to specific implementation steps, documents the SPRS scoring implications of each control, and explains the flow-down obligation to subcontractors. It also covers the relationship between NIST 800-171 compliance and CMMC 2.0 Level 2 certification.
What Is NIST SP 800-171 and Why Does It Require Employee Monitoring?
NIST SP 800-171 is a cybersecurity publication from the National Institute of Standards and Technology that defines 110 security controls protecting Controlled Unclassified Information (CUI) in non-federal information systems. The publication, formally titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," applies to every organization that handles CUI under contracts with the federal government, but its impact is felt most acutely in the DoD industrial base.
The requirement to comply with NIST SP 800-171 flows directly from DFARS 252.204-7012, a contract clause that the Department of Defense began including in all covered acquisitions after December 31, 2017. When a defense contractor agrees to DFARS 252.204-7012, that organization commits to implementing all 110 controls defined in NIST SP 800-171 Rev 2. Non-compliance carries serious consequences: contract termination, debarment from future awards, and civil liability under the False Claims Act when contractors misrepresent their compliance posture.
So why does NIST SP 800-171 require employee monitoring? The answer lies in CUI itself. Controlled Unclassified Information includes technical drawings, export-controlled research, procurement data, defense manufacturing specifications, and hundreds of other categories that adversaries actively target. The 2020 SolarWinds breach, the 2021 Hafnium Exchange exploits, and multiple ransomware incidents against defense suppliers demonstrated that insider threat and external actors using stolen credentials represent the primary CUI exposure vectors. The NIST 800-171 Audit and Accountability (AU) controls exist specifically to ensure that if a CUI breach occurs, the organization can reconstruct exactly what happened, who did it, and when.
NIST SP 800-171 Rev 2 organizes its 110 controls into 14 families. Two families are most directly relevant to employee monitoring: Audit and Accountability (AU), which contains nine controls, and Access Control (AC), which contains 22 controls. The AU family is the core requirement for user activity monitoring. The AC family adds requirements for managing privileged and non-privileged accounts in ways that monitoring systems support.
The Audit and Accountability (AU) Control Family: All Nine Controls Explained
The Audit and Accountability family in NIST SP 800-171 Rev 2 contains nine controls organized into two practice levels. Basic controls (numbered AU.2.xxx) establish foundational logging requirements. Derived controls (numbered AU.3.xxx) add sophistication, including log analysis, log protection, and clock synchronization. Every DoD contractor subject to DFARS 252.204-7012 must implement all nine.
AU.2.041: Create and Retain Audit Logs
AU.2.041 requires organizations to create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. This is the foundational audit control. Without a functioning audit log system, none of the other AU controls are achievable. In practice, AU.2.041 means deploying logging on every endpoint, server, and network device that processes CUI. The logs must cover not just system events but user activity, meaning application launches, file access, authentication events, and network connections.
Retention is equally important. NIST SP 800-171A, the assessment guide, specifies that organizations should examine audit records and interview personnel responsible for audit management. NIST does not mandate a specific retention period, but the CMMC Assessment Guide for Level 2 recommends a minimum of 90 days online retention with one year archived. For classified programs, program-specific guidance often requires three years or more.
AU.2.042: Trace User Actions to Individual Users
AU.2.042 is the control that most directly mandates employee user activity monitoring. It requires that the actions of individual users can be uniquely traced to those users so they can be held accountable for their actions. Generic system logs that record events under a shared service account or a workstation hostname do not satisfy this control. The accountability chain must run from the specific action all the way back to the specific authenticated user who performed it.
This control explains why shared accounts are prohibited in CUI environments. If three employees share a single login, no one can be held accountable for a CUI exfiltration event because the audit trail cannot distinguish which person was at the keyboard. Organizations satisfying AU.2.042 must ensure every CUI system user has a unique identifier, and every monitored action links to that identifier.
AU.2.043: Review and Update Logged Events
AU.2.043 requires organizations to review and update logged events. This is a governance control as much as a technical one. Organizations must periodically examine which events their logging systems capture and confirm that the current log scope still matches the threat landscape and CUI processing environment. When new CUI systems come online, when user roles change, or when new threat vectors emerge, the logged event list must be reviewed and updated accordingly. CMMC assessors look for documented evidence of this review, typically in the form of a System Security Plan (SSP) update log or a scheduled review record.
AU.3.045: Review Logs for Unauthorized Access Attempts
AU.3.045 requires organizations to review audit logs for inappropriate or unusual activity. In the context of CUI protection, this specifically means analyzing logs for unauthorized access attempts, including failed login events, privilege escalation attempts, access to CUI outside normal working hours, and bulk file access that suggests exfiltration behavior. This control moves beyond log creation into active monitoring. Simply storing logs does not satisfy AU.3.045. The organization must demonstrate a functioning review process.
The NIST SP 800-171A assessment guide specifies examining the organizational process for reviewing audit logs and interviewing personnel responsible for that review. In a CMMC Level 2 assessment, assessors may request evidence of log review from the past 90 days to verify continuous execution. Organizations relying solely on manual review frequently fail this control because the log volume from a CUI environment makes manual review impractical. Automated alerting through a Security Information and Event Management (SIEM) system is the standard implementation approach.
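As an added illustration of the review process AU.3.045 calls for (this is example code written for this guide, not eMonitor code and not text from NIST SP 800-171), the script below runs three of the checks named above over constructed audit records: repeated logon failures, bulk file reads, and CUI access outside working hours. The record layout, the thresholds and the 08:00-18:00 work window are assumptions chosen for the demonstration.

```python
"""Added example for the AU.3.045 review pass described above; it is not
eMonitor code or text from NIST SP 800-171.  Record layout, thresholds and
the 08:00-18:00 work window are assumptions chosen for the demonstration."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# One record per line: <ISO timestamp> <user> <event> <outcome> <source>
# (the what / when / who / outcome / origin fields the AU.3.050 section lists).
FIELDS = ("timestamp", "user", "event", "outcome", "source")


def parse_line(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed audit record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
    return rec


def parse_log(text):
    """Parse and time-order records so the window logic below can stream them."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(recs, key=lambda r: r["timestamp"])


def bursts_by_user(records, predicate, threshold, window):
    """Sliding-window count per user.  Returns {user: start of the first
    window in which at least `threshold` matching events occurred}."""
    recent = defaultdict(deque)
    hits = {}
    for rec in records:
        if not predicate(rec):
            continue
        q = recent[rec["user"]]
        q.append(rec["timestamp"])
        while rec["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["user"] not in hits:
            hits[rec["user"]] = q[0]
    return hits


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Repeated authentication failures: the 'unauthorized access attempt' case."""
    return bursts_by_user(records,
                          lambda r: r["event"] == "LOGON" and r["outcome"] == "FAILURE",
                          threshold, window)


def bulk_file_reads(records, threshold=20, window=timedelta(minutes=5)):
    """Many successful reads in a short window: the bulk-access case."""
    return bursts_by_user(records,
                          lambda r: r["event"] == "FILE_READ" and r["outcome"] == "SUCCESS",
                          threshold, window)


def off_hours_cui_access(records, cui_sources=frozenset({"cui-share"}),
                         start=time(8), end=time(18)):
    """Any touch of a CUI system outside the assumed working window."""
    return [r for r in records
            if r["source"] in cui_sources and not (start <= r["timestamp"].time() < end)]


def review(records):
    """The findings a reviewer would record as AU.3.045 evidence."""
    return {
        "failed_logon_bursts": failed_logon_bursts(records),
        "bulk_file_reads": bulk_file_reads(records),
        "off_hours_cui_access": off_hours_cui_access(records),
    }


def build_sample_log():
    """Constructed sample data (not a real capture): one normal user, one
    night-time CUI access, one logon-failure burst, one bulk read."""
    lines = [
        "2024-03-04T09:02:11 alice LOGON SUCCESS ws-101",
        "2024-03-04T09:05:40 alice FILE_READ SUCCESS cui-share",
        "2024-03-04T22:41:03 bob FILE_READ SUCCESS cui-share",
        "2024-03-04T22:41:09 bob FILE_READ SUCCESS cui-share",
    ]
    t0 = datetime(2024, 3, 4, 10, 0, 0)
    lines += [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} carol LOGON FAILURE ws-117"
              for i in range(6)]
    lines.append(f"{(t0 + timedelta(minutes=4)).isoformat()} carol LOGON SUCCESS ws-117")
    t1 = datetime(2024, 3, 4, 14, 0, 0)
    lines += [f"{(t1 + timedelta(seconds=5 * i)).isoformat()} dave FILE_READ SUCCESS cui-share"
              for i in range(25)]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, finding in review(parse_log(build_sample_log())).items():
        print(name, finding)
```

In a real deployment the same rules would run as scheduled SIEM searches or alerts; the point here is that the review output, not the raw log, is what an assessor asks to see.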
AU.3.046: Audit Record Reduction and Report Generation
AU.3.046 requires organizations to provide audit record reduction and report generation to support on-demand analysis and reporting. Raw log data from even a modest organization can run to millions of events per day. This control requires the ability to filter, aggregate, and present audit data in a format that supports investigation and compliance reporting. In practice, this means implementing log management tooling that allows security personnel to isolate events by user, time window, event type, or CUI system without requiring manual parsing of raw log files.
AU.3.047: Synchronize System Clocks
AU.3.047 requires a system capability that compares and synchronizes internal system clocks with an authoritative time source. This control addresses a critical forensic problem: when endpoints in a CUI environment have unsynchronized clocks, reconstructing the sequence of events during an incident becomes unreliable or impossible. If Workstation A shows an event at 14:32 and Server B shows a related event at 14:28, investigators cannot determine which occurred first without knowing the clock offset. Network Time Protocol (NTP) synchronized to a NIST time server (time.nist.gov) or another authoritative source satisfies this control.
AU.3.048: Protect Audit Information and Tools
AU.3.048 requires organizations to protect audit information and audit tools from unauthorized access, modification, and deletion. Audit logs are only useful as evidence if adversaries cannot alter or erase them. This control requires access controls on log storage, integrity protections (such as cryptographic hashing), separation of duties between those who are monitored and those who manage log infrastructure, and protection against insider threat attacks that target logging systems specifically to cover tracks before or during a CUI breach.
AU.3.049: Limit Audit Log Management to Privileged Users
AU.3.049 requires limiting management of audit logging to a subset of privileged users. Not every administrator should have the ability to modify, pause, or delete audit configurations. AU.3.049 establishes the principle that audit log management is a specific privileged function, separate from general system administration. Organizations must document which roles have audit management authority, enforce that separation technically through role-based access controls, and ensure that standard system administrators cannot disable logging even if their accounts are compromised.
AU.3.050: Audit Logs Contain Sufficient Event Information
AU.3.050 requires that audit logs contain sufficient information to establish what events occurred, the sources of those events, and the outcomes of those events. This control specifies the data fields that each log entry must capture. At minimum, NIST SP 800-171A identifies these required fields: event type, event date and time, user identity, success or failure indication, and the origin of the event (system component, user, or external source). This control works in conjunction with AU.2.041 (log creation) and AU.2.042 (user traceability) to ensure that the logs created are actually useful for forensic investigation.
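The following added example (written for this guide; not eMonitor code and not part of NIST SP 800-171) ties together AU.3.050, AU.2.042 and AU.3.048: each record is checked for the five required fields and for attribution to an individual rather than a shared login, then appended to a SHA-256 hash chain so that any later edit or deletion of an entry is detectable. The field names, the shared-account list and the chaining scheme are assumptions for the demonstration.

```python
"""Added example for AU.3.050 (sufficient fields), AU.2.042 (individual
attribution) and AU.3.048 (protecting audit records); not eMonitor code.
The field names, the shared-account list and SHA-256 chaining are assumptions."""
import hashlib
import json

# The five fields the AU.3.050 section says every entry must carry.
REQUIRED_FIELDS = ("event_type", "timestamp", "user", "outcome", "origin")
GENESIS = "0" * 64  # previous-hash value for the first chained entry


def validate_record(rec, shared_accounts=frozenset({"svc_shopfloor", "cadstation"})):
    """Return a list of defects; an empty list means the record is acceptable.
    `shared_accounts` is a constructed example list of logins that cannot be
    tied to one person and therefore fail AU.2.042."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("outcome") not in ("SUCCESS", "FAILURE"):
        problems.append("outcome must be SUCCESS or FAILURE")
    if rec.get("user") in shared_accounts:
        problems.append(f"shared account {rec['user']!r} cannot satisfy AU.2.042")
    return problems


def canonical(rec):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, rec):
    return hashlib.sha256(prev_hash.encode() + canonical(rec)).hexdigest()


def append_record(chain, rec):
    """Validate, then link the record to the previous entry's hash.  Rejecting
    bad records here is what keeps the store useful as evidence later."""
    problems = validate_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": dict(rec), "prev": prev, "hash": entry_hash(prev, rec)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Return -1 if every link checks out, else the index of the first entry
    whose content or linkage no longer matches (edit, deletion or reordering)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def build_sample_chain():
    """Constructed sample records, not a real capture."""
    chain = []
    for rec in (
        {"event_type": "LOGON", "timestamp": "2024-03-04T09:02:11", "user": "alice",
         "outcome": "SUCCESS", "origin": "ws-101"},
        {"event_type": "FILE_READ", "timestamp": "2024-03-04T09:05:40", "user": "alice",
         "outcome": "SUCCESS", "origin": "cui-share"},
        {"event_type": "AUDIT_CONFIG_CHANGE", "timestamp": "2024-03-04T09:07:02",
         "user": "erin", "outcome": "FAILURE", "origin": "ws-117"},
    ):
        append_record(chain, rec)
    return chain


def tampered_copy(chain):
    """Simulate an after-the-fact edit of who performed entry 1."""
    copy = [dict(e, record=dict(e["record"])) for e in chain]
    copy[1]["record"]["user"] = "svc_shopfloor"
    return copy


def deleted_copy(chain):
    """Simulate removal of entry 1 to hide an event."""
    return chain[:1] + chain[2:]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))            # -1
    print("edited:", verify_chain(tampered_copy(chain)))
    print("deleted:", verify_chain(deleted_copy(chain)))
```

A periodic export of the latest chain hash to a store the monitored administrators cannot write to is what turns this into usable AU.3.048 evidence; the chain alone only tells you that something changed, not who changed it.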
Access Control (AC) Controls That Require User Activity Monitoring
The Access Control family in NIST SP 800-171 Rev 2 contains 22 controls. Two controls within this family directly require monitoring of user account behavior in CUI environments.
AC.2.006: Use Non-Privileged Accounts for Non-Security Functions
AC.2.006 requires that users employ non-privileged accounts when accessing non-security functions. In a CUI environment, this means employees performing standard work tasks, such as opening documents, using email, or accessing databases, must do so through accounts without elevated privileges. Privileged accounts (domain administrators, system administrators, security tool operators) must be reserved for the specific administrative tasks that require elevated access.
The monitoring implication is clear: organizations must be able to detect when privileged accounts perform non-privileged activities. A domain administrator account being used to browse the web or open work documents in a CUI environment is an anomaly that AU controls must flag. User activity monitoring that links each action to the account type provides the data needed to detect and report AC.2.006 violations.
AC.2.007: Prevent Non-Privileged Users from Executing Privileged Functions
AC.2.007 requires organizations to prevent non-privileged users from executing privileged functions and to audit the execution of privileged functions. The audit requirement within AC.2.007 overlaps directly with the AU family. Every execution of a privileged function, including changing system configurations, accessing audit logs themselves, modifying user accounts, and installing software, must be captured in the audit trail and attributed to a specific authorized user. Employee monitoring combined with technical access controls satisfies this requirement by detecting and logging any attempt to execute privileged functions from standard user accounts.
NIST 800-171 Control-to-Feature Mapping: eMonitor Implementation Evidence
The table below maps each relevant NIST SP 800-171 Rev 2 control to the specific eMonitor feature that addresses it, and identifies the evidence type that CMMC assessors and SPRS documentation require. This mapping supports both System Security Plan (SSP) development and the evidence collection process for CMMC Level 2 assessments.
| Control ID | Requirement Summary | eMonitor Feature | Evidence for SPRS / CMMC Assessment |
|---|---|---|---|
| AU.2.041 | Create and retain audit logs for monitoring, analysis, and reporting of unlawful activity | Activity Monitoring: app and website usage logs with timestamps; DLP file access and violation logs | Log export showing continuous activity capture; retention configuration screenshots; System Security Plan entry referencing log retention policy |
| AU.2.042 | Trace all user actions to individual authenticated users | User identity attribution on all activity records; unique per-user dashboards; no shared account support in monitoring data | Sample activity report showing User ID linkage to every recorded event; screenshot of user-specific activity timeline |
| AU.2.043 | Review and update which events are logged | Configurable activity classification engine; administrator controls for adjusting monitored event types | SSP documentation of scheduled log scope review; change log showing updates to monitored event categories; dated review records |
| AU.3.045 | Review audit logs for unauthorized or unusual access activity | Real-time alerts for anomalous activity; productivity drop alerts; unauthorized app usage notifications; DLP violation alerts | Alert configuration screenshots; sample alert history report; documented review procedure with responsible personnel identified |
| AU.3.046 | Provide audit record reduction and report generation for analysis | Customizable activity reports; filter by user, date range, app category, and event type; CSV and PDF export | Sample filtered reports demonstrating on-demand analysis capability; report generation procedure in SSP |
| AU.3.048 | Protect audit information and tools from unauthorized access, modification, and deletion | Role-based access controls restricting monitoring data access; encrypted data storage; access limited to designated compliance personnel | Role configuration screenshots showing access separation; encryption specification from vendor documentation; access control policy document |
| AU.3.049 | Limit audit log management to privileged subset of users | Admin role configuration controls; separation between monitored user role and monitoring administrator role | Role assignment screenshots; list of personnel with audit management access; access justification documentation |
| AU.3.050 | Audit logs contain sufficient information: event type, date/time, user, source, outcome | Activity logs capture user ID, timestamp, application name, URL, action type, duration, and active/idle status | Sample log entry showing all required fields; data dictionary describing each log field; NIST 800-171A field mapping document |
| AC.2.006 | Use non-privileged accounts for non-security functions | Account type visibility in activity logs; privileged function execution alerts; activity classification by account privilege level | Account privilege policy documentation; alert history for privileged account anomalies; access control configuration records |
| AC.2.007 | Prevent non-privileged users from executing privileged functions; audit privileged function execution | DLP monitoring for unauthorized system access attempts; activity alerts for non-privileged accounts attempting administrative actions | DLP violation log showing blocked privileged function attempts; alert configuration for privileged function execution; audit trail samples |
Note: eMonitor provides user activity monitoring data that satisfies many AU and AC control requirements at the endpoint level. A complete NIST SP 800-171 AU implementation for larger contractor environments typically combines endpoint monitoring with a centralized SIEM system for log aggregation, retention, and automated analysis.
How NIST 800-171 AU Controls Affect Your SPRS Score
SPRS (Supplier Performance Risk System) is the DoD's contractor risk management database where organizations submit their self-assessed NIST SP 800-171 compliance scores. The scoring methodology assigns a maximum score of 110 points, with deductions for each unimplemented or partially implemented control. Every DoD contractor must submit their SPRS score before being awarded contracts subject to DFARS 252.204-7012.
The scoring model uses a weighted deduction system published by the DoD in its NIST SP 800-171 Assessment Methodology (Version 1.2.1, November 2020). Controls are weighted based on the risk they address. Not all 110 controls carry equal weight. The DoD assigns each control a value of 1, 3, or 5 points, with higher-risk controls receiving higher deductions. For the AU family, the practical implication is that an organization that has not implemented user activity logging and log review faces a meaningful downward score impact.
A score at or near negative 203 (the maximum deduction if all 110 controls are unimplemented) effectively signals to contracting officers that the organization should not be handling CUI. The practical threshold varies by program, but many DoD program offices are requiring minimum SPRS scores as a pre-award condition. Organizations with scores below zero face increased scrutiny and may be required to submit a Plan of Action and Milestones (POA&M) documenting their path to full compliance.
For AU family controls specifically, the implementation evidence required for SPRS scoring consists of documented System Security Plan entries, configuration screenshots showing active monitoring, sample log data demonstrating the required fields, and records of periodic log review. These are exactly the evidence artifacts that a properly configured employee monitoring platform generates as part of its standard operation.
DFARS 252.204-7012 Flow-Down: What Subcontractors Must Do
DFARS 252.204-7012 paragraph (m) is the flow-down provision. It states that the prime contractor must include the substance of the clause in all subcontracts or task orders for operationally critical support, or for which subcontractor performance will involve covered defense information. In plain terms: if your subcontractor's systems will touch CUI, they must implement all 110 NIST SP 800-171 controls, including the full AU control family.
This flow-down obligation creates a supply chain compliance problem that many prime contractors underestimate. A defense manufacturer might have its own CUI systems well-secured and SPRS-documented, then transmit technical drawings to a smaller machining subcontractor that operates a basic Windows environment with no user activity logging. That subcontractor's non-compliance exposes the prime contractor to contract risk because the prime is responsible for ensuring the flow-down clause is in the subcontract and that the subcontractor complies.
The practical steps for managing DFARS flow-down compliance include three actions. First, identify all subcontractors and suppliers whose systems will receive or process CUI. Second, include the DFARS 252.204-7012 clause or its substance in every subcontract with those organizations. Third, obtain from each subcontractor a copy of their SPRS score submission confirmation and their SSP, or at minimum a certification that they have completed a self-assessment against NIST SP 800-171. Prime contractors conducting regular supplier reviews increasingly request evidence of AU control implementation, specifically evidence that subcontractors have functioning user activity monitoring and audit log review processes.
Small subcontractors that lack dedicated security staff find the AU control family particularly challenging to implement without specialized tooling. A monitoring platform that automatically generates user-attributed activity logs, configures role-based access to those logs, and provides exportable compliance reports significantly reduces the implementation burden for smaller suppliers who need to demonstrate NIST 800-171 compliance to their prime contractors.
NIST 800-171 and CMMC 2.0: Why Compliance Is Not Two Separate Efforts
CMMC 2.0 certification requirements and NIST SP 800-171 Rev 2 compliance address the same set of controls. The Cybersecurity Maturity Model Certification framework was designed to verify that contractors have actually implemented the NIST SP 800-171 controls they self-report in their SPRS submissions, rather than accepting self-attestation alone. CMMC 2.0 Level 2 maps every one of its 110 practices directly to a NIST SP 800-171 Rev 2 control, with no additions or modifications.
The key difference is verification. NIST SP 800-171 compliance under DFARS 252.204-7012 is currently self-attested through SPRS scores. CMMC Level 2 compliance for contracts involving critical defense programs requires a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). During a C3PAO assessment, assessors examine evidence for all 110 practices, including the AU family. Organizations that have maintained continuous, documented user activity monitoring are significantly better positioned for a CMMC Level 2 assessment than those that implement logging shortly before the assessment.
For organizations planning ahead, the important implication is this: every month of properly configured and documented employee monitoring generates assessment-ready evidence. AU.2.042 (user traceability), AU.3.045 (log review), and AU.3.048 (log protection) are all controls where assessors ask to see historical evidence of consistent implementation. An organization that can show 12 months of clean, identity-attributed activity logs and documented weekly log reviews demonstrates operational maturity that a newly configured system cannot replicate retroactively.
For a detailed control-by-control comparison of how NIST 800-171 controls map to CMMC Level 2 practices with implementation evidence requirements, see the CMMC control mapping guide.
How to Configure eMonitor for NIST 800-171 AU Family Compliance
Configuring eMonitor to satisfy the NIST SP 800-171 Audit and Accountability control family requires six implementation steps. Each step maps to specific AU controls and produces evidence artifacts suitable for SSP documentation and CMMC assessment preparation.
Step 1: Deploy the Monitoring Agent on All CUI-Processing Endpoints
AU.2.041 requires audit logs for every system that processes CUI. Deploy the eMonitor desktop agent on all Windows and macOS endpoints whose users access CUI systems, including workstations connected to government networks, systems used to open or edit ITAR-controlled documents, and any endpoint that has access to CUI repositories. eMonitor's agent activates automatically when employees authenticate and captures activity from that point forward. Document the deployment scope in the System Security Plan under the AU family section, identifying the number of endpoints covered and the CUI systems they access.
Step 2: Configure User Identity Attribution
AU.2.042 requires that every logged action trace to a specific authenticated user. Verify that eMonitor is configured to associate activity data with individual user accounts rather than device names alone. In environments using Active Directory, ensure that the user identity captured in eMonitor logs matches the domain account identifier used in other audit systems. This consistency is essential for cross-referencing eMonitor user activity data with authentication logs, VPN logs, and file server audit trails during an investigation or assessment.
Step 3: Configure Monitored Event Scope and Review Schedule
AU.2.043 requires periodic review and update of logged events. Define the initial scope of monitoring: which application categories are monitored as productive versus non-productive, which website categories are flagged for review, which file operations generate DLP alerts, and which account types trigger privileged function alerts. Document this configuration in the SSP. Then establish a quarterly review process where a designated compliance officer reviews the monitored event scope and updates it based on changes to the CUI processing environment, new software deployments, or emerging threats.
Step 4: Configure Real-Time Alerts for Anomalous Activity
AU.3.045 requires active log review for unauthorized or unusual activity. Configure eMonitor's alert system to notify designated compliance personnel when specific events occur: access to CUI applications outside scheduled work hours, bulk file activity that could indicate exfiltration, access to restricted website categories from CUI-processing accounts, and USB device connections on monitored endpoints. Document the alert thresholds, the personnel responsible for reviewing alerts, and the expected response time. This documented procedure is what assessors examine when evaluating AU.3.045.
Step 5: Configure Role-Based Access and Log Protection
AU.3.048 and AU.3.049 require protecting audit data and restricting log management access. In eMonitor, configure the administrator role to limit monitoring data access to specifically designated compliance personnel. Standard managers may view their direct team's productivity summaries, but access to the full audit-grade activity logs must be restricted to the individuals named in the SSP as responsible for CUI system monitoring. Export the access control configuration as a screenshot and retain it as SSP evidence. When personnel change, update this configuration within the timeframe specified in your change management policy.
Step 6: Establish the Log Export and Retention Procedure
AU.2.041 requires retaining audit logs sufficient for investigation and reporting. Configure a regular export of eMonitor activity logs to a secure, access-controlled archive. For CMMC Level 2 preparation, a 90-day online retention with 12-month archived retention is the practical benchmark. Establish who is responsible for executing the exports, where archived logs are stored, how they are protected (encryption at rest, integrity hashing), and how they are retrieved for investigation. This procedure, documented in the SSP and demonstrated during an assessment, satisfies AU.2.041 retention requirements and contributes to AU.3.048 (log protection).
Common NIST 800-171 AU Control Implementation Gaps Found During CMMC Assessments
CMMC Third-Party Assessment Organizations (C3PAOs) and the Defense Contract Audit Agency (DCAA) have identified consistent patterns in how contractors fail AU family controls. These gaps are worth understanding before a formal assessment, because remediation is far less disruptive when addressed proactively than when discovered during an active assessment.
Gap 1: Logging exists but lacks user identity attribution. Many contractors have system event logs that capture events without tying them to specific authenticated users. Windows Event Log captures logon events, but application-level activity (which documents were opened, which CUI systems were accessed) often lacks user identity unless a dedicated monitoring agent is in place. This fails AU.2.042 because the action cannot be traced to an individual. Assessors will request samples of activity logs and verify that user identity is present in each entry.
Gap 2: Logs are created but never reviewed. AU.3.045 requires active review, not passive collection. The most common finding in CMMC Level 2 readiness assessments is the existence of audit logs that no one reviews. There is no alert configuration, no review procedure, and no documented evidence that anyone has examined the logs for anomalies. Creating logs satisfies AU.2.041; reviewing them satisfies AU.3.045. Both must be present.
Gap 3: Log management is accessible to all administrators. AU.3.049 requires limiting audit log management to a specific subset of privileged users. When the same administrator account that manages workstations also has full access to audit log configurations, including the ability to pause or delete logging, the control is not satisfied. Assessors verify this through access control reviews and by examining whether the roles that manage logging are documented and restricted.
Gap 4: No documented retention policy. Retaining logs "as long as the system keeps them" does not satisfy AU.2.041. Assessors look for a documented retention policy with specific timeframes, evidence that the policy is enforced (such as automatic archiving or deletion), and records showing that archived logs are accessible for investigation. Organizations relying on default system log settings that overwrite after 30 days frequently fail this requirement.
Gap 5: SSP does not describe the monitoring implementation. The System Security Plan is the primary documentation artifact for NIST SP 800-171. Each AU control must have an entry in the SSP describing how the organization implements it, including which tools are used, which personnel are responsible, and what procedures govern the control's operation. An organization that has functioning monitoring but no SSP entries for the AU family cannot demonstrate compliance, because CMMC assessors use the SSP as their primary reference for evidence examination.
Which CUI Categories Trigger NIST 800-171 Monitoring Requirements?
The NIST SP 800-171 monitoring requirements apply whenever an organization's systems process, store, or transmit any category of Controlled Unclassified Information. The National Archives and Records Administration (NARA) maintains the official CUI Registry, which defines over 100 specific CUI categories. Understanding which CUI categories are most common in defense contracting helps organizations scope their monitoring programs correctly.
Defense contracting most commonly involves these CUI categories: Controlled Technical Information (CTI), which includes military specifications, technical drawings, and engineering data; Export Controlled Research under ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations); Procurement and Acquisition information including source selection data and contractor bid information; and DoD Critical Infrastructure Security data. If any of these categories appear on your contracts, the NIST SP 800-171 AU controls apply to every system that handles them.
A common misunderstanding among smaller defense subcontractors is that NIST 800-171 monitoring requirements apply only to dedicated CUI servers. This is incorrect. The requirements apply to any system where CUI is processed, including the workstation of a single engineer who opens a controlled technical drawing attached to an email. That workstation must have audit logging that satisfies all nine AU controls, including user identity attribution, event scope documentation, anomaly review, and log protection. The scope of the monitoring program must follow the CUI, not just the server infrastructure.
Frequently Asked Questions: NIST 800-171 Employee Monitoring
What is NIST SP 800-171 and who must comply?
NIST SP 800-171 is a National Institute of Standards and Technology publication defining 110 security controls for protecting Controlled Unclassified Information (CUI) in non-federal systems. All DoD contractors and subcontractors that process, store, or transmit CUI must comply under DFARS 252.204-7012. Compliance became mandatory for all covered DoD contracts after December 31, 2017, and non-compliance exposes contractors to contract termination and False Claims Act liability.
Which NIST 800-171 controls directly require employee monitoring?
The Audit and Accountability (AU) control family contains nine controls that directly require user activity monitoring. AU.2.041 mandates audit log creation and retention. AU.2.042 requires individual user traceability for every logged action. AU.3.045 requires active review for unauthorized activity. Access Control controls AC.2.006 and AC.2.007 also require monitoring of privileged and non-privileged account activity to detect policy violations in CUI environments.
Does NIST 800-171 compliance equal CMMC Level 2?
Yes. CMMC 2.0 Level 2 maps directly to all 110 NIST SP 800-171 Rev 2 controls, practice for practice. An organization that fully implements NIST SP 800-171 satisfies the technical requirements for CMMC Level 2. The key distinction is that CMMC Level 2 for critical programs requires third-party verification by a C3PAO assessor, whereas NIST 800-171 compliance under DFARS currently allows self-attestation through SPRS score submission.
What is the SPRS score and how do AU controls affect it?
The SPRS score is a contractor's self-assessed NIST SP 800-171 compliance rating, ranging from negative 203 (all controls unimplemented) to positive 110 (all controls fully implemented). The DoD scoring methodology assigns a weighted deduction value to each unimplemented control. The nine AU family controls carry point deductions that collectively represent a significant portion of the achievable score. Implementing user activity monitoring and log review directly improves a contractor's SPRS score and reduces contracting risk.
Do DFARS 252.204-7012 requirements flow down to subcontractors?
Yes. DFARS 252.204-7012 clause (m) requires prime contractors to flow down the full NIST SP 800-171 compliance obligation to any subcontractor whose systems will process, store, or transmit CUI. Subcontractors must implement all 110 controls, submit their own SPRS score, and provide compliance evidence upon request. Prime contractors that fail to enforce this flow-down expose themselves to DFARS violation risk if a subcontractor's non-compliance contributes to a CUI breach.
What log fields does NIST 800-171 AU.3.050 require?
AU.3.050 requires audit logs to contain sufficient information to establish what events occurred, their sources, and their outcomes. NIST SP 800-171A identifies the minimum required fields as: event type, event date and time, user identity, success or failure of the event, and origin of the event. A compliant log entry therefore captures the user's identity, the specific action performed, when it occurred, on which system, and whether the action succeeded or failed.
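As an added example (not from this guide or any vendor product), a small Python checker that tests each record of a JSON-lines audit log against the five AU.3.050 fields listed above and also flags generic accounts that defeat the individual traceability AU.2.042 calls for; the field names, the sample records and the shared-account list are constructed assumptions, not values the standard prescribes.

```python
import json
from datetime import datetime

# The five minimum fields named in NIST SP 800-171A for AU.3.050.
# The JSON key names are an assumption for this example, not mandated.
REQUIRED_FIELDS = ("event_type", "timestamp", "user", "outcome", "source")
# Constructed list of account names that cannot be tied to one person (AU.2.042).
SHARED_ACCOUNTS = {"admin", "shared", "service", "root", ""}
VALID_OUTCOMES = {"success", "failure"}

# Constructed sample log: record 1 is complete, 2 uses a shared account,
# 3 lacks an outcome and uses a non-ISO timestamp, 4 is not JSON at all.
SAMPLE_LOG = """\
{"event_type": "file_open", "timestamp": "2024-03-04T14:02:11Z", "user": "jdoe", "outcome": "success", "source": "eng-ws-07", "object": "drawing-1234.dwg"}
{"event_type": "logon", "timestamp": "2024-03-04T14:05:40Z", "user": "admin", "outcome": "success", "source": "cui-fs-01"}
{"event_type": "file_copy", "timestamp": "03/04/2024 14:06", "user": "asmith", "source": "eng-ws-09"}
not json at all
"""

def check_record(record):
    """Return a list of findings for one audit record; an empty list means compliant."""
    findings = []
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            findings.append(f"missing {field}")
    ts = record.get("timestamp")
    if ts:
        try:  # require a parseable ISO 8601 timestamp so events can be ordered
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            findings.append("timestamp not ISO 8601")
    outcome = str(record.get("outcome") or "").lower()
    if outcome and outcome not in VALID_OUTCOMES:
        findings.append("outcome not success/failure")
    if str(record.get("user", "")).lower() in SHARED_ACCOUNTS:
        findings.append("non-attributable account")
    return findings

def check_log(text):
    """Check JSON-lines audit text; return {line_no: findings} for deficient records only."""
    results = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            results[n] = ["unparseable record"]
            continue
        findings = check_record(record)
        if findings:
            results[n] = findings
    return results

if __name__ == "__main__":
    for line_no, findings in check_log(SAMPLE_LOG).items():
        print(f"record {line_no}: {', '.join(findings)}")
```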
How does NIST 800-171 differ from NIST 800-53?
NIST SP 800-171 is a subset of NIST SP 800-53 tailored for protecting CUI in non-federal contractor environments. NIST 800-53 contains over 1,000 controls across 20 families and governs federal agency security authorizations under FISMA and FedRAMP. NIST 800-171 contains 110 controls across 14 families and is the contractual requirement for DoD suppliers via DFARS. They share a common control language but serve different audiences and enforcement mechanisms.
How often must NIST 800-171 audit logs be reviewed?
NIST SP 800-171 requires log review under AU.3.045 but does not mandate a specific frequency. NIST SP 800-171A recommends daily automated review using SIEM alerting supplemented by weekly manual review for high-risk CUI environments. The review frequency must be documented in the System Security Plan. CMMC assessors request evidence of log reviews from the preceding 90 days, making consistent documented review critical for assessment readiness.
What are the consequences of non-compliance with NIST 800-171 under DFARS?
Non-compliance with NIST SP 800-171 under DFARS can result in contract termination for default, suspension or debarment from federal contracting, and False Claims Act civil liability for contractors that certify compliance without implementing the required controls. The DOJ Civil Cyber-Fraud Initiative, launched in 2021, has pursued multiple False Claims Act cases against defense contractors for NIST 800-171 misrepresentation, with settlements ranging from $930,000 to $9 million.
Can employee monitoring software alone satisfy all NIST 800-171 AU controls?
Employee monitoring software addresses the user activity attribution requirements of AU.2.041 and AU.2.042 and the anomaly alerting aspects of AU.3.045. A complete AU family implementation for a CUI environment also requires a SIEM system for log aggregation and long-term retention, network logging for non-endpoint events, and documented review procedures. Employee monitoring is a necessary component of the AU control stack, but not sufficient on its own for organizations with more than a handful of CUI-handling users.
What is the System Security Plan (SSP) and how does employee monitoring evidence support it?
The System Security Plan is the primary documentation artifact for NIST SP 800-171 compliance. Each of the 110 controls must have an SSP entry describing the implementation approach, responsible personnel, and evidence location. For AU controls, employee monitoring evidence supports the SSP by providing: deployment scope documentation, user identity attribution configuration screenshots, alert configuration records, access control screenshots for log management, and periodic log review records. These artifacts form the evidence package that CMMC assessors examine when evaluating AU family implementation.
How do NIST 800-171 user monitoring requirements apply to remote workers handling CUI?
NIST SP 800-171 applies equally to remote and on-site workers processing CUI. Remote employees accessing CUI through VPN or government-furnished equipment must have the same AU controls in place as on-site personnel, including user activity logging, identity attribution, and anomaly review. Remote environments add monitoring complexity because the endpoint is outside the organizational network perimeter, making a locally installed monitoring agent the most reliable way to maintain AU control coverage regardless of network location.