
3.3.9 — Limit Who Manages Logs

Limit management of audit logging functionality to a subset of privileged users.

Not every privileged user should be able to change what gets logged or manage the logging tools. Only a small, documented subset of privileged users — typically senior security personnel — should have the ability to:

  • Configure which events are logged
  • Change where logs are sent
  • Modify retention settings
  • Administer the SIEM or log collector
  • Install, update, or remove logging agents

Two things the assessor checks:

  1. The subset is defined. You have a documented list of who is authorized to manage audit logging. Not all of IT — a specific, small group. Names or roles, reviewed periodically.

  2. Access is technically enforced. It’s not just a policy that says “only these people should manage logging.” RBAC in your SIEM restricts the admin role to the defined subset. Logging agent deployment is controlled through a management platform that general admins can’t override. A general sysadmin who tries to change SIEM settings is blocked, not just told not to.

This is separation of duties applied to the audit system itself. The people managing everyday IT operations — creating accounts, patching servers, configuring firewalls — should not be the same people who control what gets logged about those operations. If the sysadmin can quietly disable logging on a server they manage, the audit trail is compromised.
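The enforcement the assessor wants to see, as an added example that is not code from the original page: a deny-by-default gate in front of the five management actions listed above. An account passes only if it holds the dedicated log-admin role and also appears on the documented authorized list, so a general sysadmin or domain admin is blocked rather than merely told not to, and every attempt (allowed or denied) is recorded so management actions stay traceable to a person. All account names, role names and the list contents are constructed sample data.

```python
"""Authorization gate for the five audit-logging management actions.

Added example (not code from the original page). Only an account that holds
the dedicated log_admin role AND appears on the documented authorized list
may perform a management action; broad privilege alone is denied. Every
decision is recorded so management actions remain traceable to a person.
Account names, roles and the authorized list are constructed.
"""
from dataclasses import dataclass

# The management actions this requirement restricts (the page's bullet list).
LOG_MANAGEMENT_ACTIONS = frozenset({
    "configure_logged_events",
    "change_log_destination",
    "modify_retention",
    "administer_siem",
    "manage_logging_agent",
})

# Constructed stand-in for the documented, reviewed subset. In practice this
# is loaded from the authorized log administrator list, not hard-coded.
AUTHORIZED_LOG_ADMINS = frozenset({"alice.logadmin", "bob.logadmin"})

# Decision trail: who attempted which management action, and the outcome.
DECISION_LOG: list[dict] = []


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset  # e.g. frozenset({"sysadmin", "domain_admin"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(account: Account, action: str) -> Decision:
    """Allow or deny a log-management action, deny by default.

    Rules, in order:
    1. Unknown actions are rejected outright so a typo cannot bypass the gate.
    2. The account must hold log_admin. Broad privilege (sysadmin,
       domain_admin) on its own is not enough.
    3. The account must also be on the documented list, so a role granted
       outside the documented process is still denied.
    """
    if action not in LOG_MANAGEMENT_ACTIONS:
        raise ValueError(f"not a recognised log-management action: {action!r}")
    if "log_admin" not in account.roles:
        decision = Decision(False, f"{account.name} does not hold log_admin")
    elif account.name not in AUTHORIZED_LOG_ADMINS:
        decision = Decision(
            False, f"{account.name} holds log_admin but is not on the authorized list")
    else:
        decision = Decision(True, f"{account.name} is an authorized log administrator")
    # Record the attempt either way; denied attempts are the interesting ones.
    DECISION_LOG.append({"account": account.name, "action": action,
                         "allowed": decision.allowed, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    sysadmin = Account("carol.sysadmin", frozenset({"sysadmin", "domain_admin"}))
    logadmin = Account("alice.logadmin", frozenset({"log_admin"}))
    for who in (sysadmin, logadmin):
        d = authorize(who, "administer_siem")
        print(f"{who.name:16} administer_siem -> "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The third rule is the one that catches drift: a log_admin role handed out through a ticket nobody reconciled against the documented list still fails the gate, which is exactly the mismatch an assessor finds when the RBAC export and the authorized list disagree.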


Your assessor needs a “yes” to every row:

# | Question | What “yes” looks like
1 | Is the subset of privileged users authorized to manage audit logging defined? | Documented list of named individuals or specific roles — reviewed and current
2 | Is management of audit logging functionality limited to that subset? | RBAC enforced — general sysadmins cannot modify logging config, SIEM settings, or agent deployment

Documents they’ll review: Audit and accountability policy; access control policy for audit systems; procedures addressing audit log management; system security plan; system configuration showing RBAC for SIEM and logging tools; list of authorized audit logging administrators; access control lists for logging infrastructure

People they’ll talk to: Personnel with audit and accountability responsibilities; information security personnel; system or network administrators; anyone on the authorized log admin list

Live demos they’ll ask for: “Show me who can modify your SIEM configuration.” “Log in as a general sysadmin and try to change a logging setting — show me it’s blocked.” “Show me the documented list of authorized log administrators.”


These are the actual questions. Have answers ready.

  • “Who is authorized to manage audit logging? Show me the list.”
  • “Can a general system administrator modify logging configurations? Prove it.”
  • “How is this restriction technically enforced — policy only, or RBAC?”
  • “Is the authorized list reviewed? When was the last review?”
  • “Are audit management responsibilities separated from general system administration?”
  • “Can a standard IT admin uninstall a logging agent from a server they manage?”

Every admin has full SIEM access. All domain admins or IT team members can modify SIEM configurations. The assessor asks “who can change your logging settings?” and the answer is “all ten of our IT staff.” Restrict SIEM admin to two or three designated people.

Policy but no enforcement. The policy says only designated personnel manage logging, but technically any admin can modify SIEM settings or uninstall logging agents. Policy without technical enforcement fails the requirement.

No documented list. Access is restricted but nobody documented who the authorized log administrators are. Maintain a named list, reviewed at least annually.

Shared SIEM admin credentials. Two people share the same SIEM admin account. This undermines both this requirement and 3.3.2 (traceability). Each authorized log administrator needs their own credentials.

Log admins also general admins with no separation. The same two people who manage logging also perform everyday sysadmin work. While small organizations may need some overlap, there should be separate credentials — use your general admin account for daily work and elevate to the log admin role only when managing audit configuration.
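A way to catch these failure modes before the assessor does, as an added example that is not code from the original page: a small audit that compares a SIEM role export against the documented authorized list and the set of everyday admin accounts. It flags a SIEM admin group larger than the two or three people recommended above, accounts holding the admin role that are not on the list, a list not reviewed within a year, credentials shared by more than one person, and accounts used for both daily sysadmin work and log management. The export layout, account names and dates are all constructed.

```python
"""Audit a SIEM role export and the documented log-admin list for the
failure modes described in this section. Added example (not code from the
original page); the export layout, account names and dates are constructed.
"""
from datetime import date

# Constructed: rows as they might look after parsing a SIEM role export.
# 'persons' lists the humans who know the credential.
SIEM_ROLE_EXPORT = [
    {"account": "alice.logadmin", "role": "siem_admin",   "persons": ["Alice"]},
    {"account": "bob.logadmin",   "role": "siem_admin",   "persons": ["Bob"]},
    {"account": "siem-shared",    "role": "siem_admin",   "persons": ["Alice", "Bob"]},
    {"account": "carol",          "role": "siem_admin",   "persons": ["Carol"]},
    {"account": "dave",           "role": "siem_analyst", "persons": ["Dave"]},
]

# Constructed: the documented authorized list and its last review date.
DOCUMENTED_LIST = {
    "reviewed_on": date(2025, 1, 15),
    "accounts": {"alice.logadmin", "bob.logadmin"},
}

# Constructed: accounts used for everyday sysadmin work.
GENERAL_ADMIN_ACCOUNTS = {"alice", "carol", "dave"}

MAX_LOG_ADMINS = 3          # the page's guidance: two or three designated people
REVIEW_INTERVAL_DAYS = 365  # the page's guidance: reviewed at least annually


def audit_log_admins(export, documented, general_admins, today,
                     max_admins=MAX_LOG_ADMINS):
    """Return a set of (finding, subject) pairs; an empty set means clean."""
    findings = set()
    admin_rows = [r for r in export if r["role"] == "siem_admin"]

    # Failure: every admin has full SIEM access (the subset is not small).
    if len(admin_rows) > max_admins:
        findings.add(("siem_admin_too_broad", f"{len(admin_rows)} accounts"))

    # Failure: no documented list, or a list that has not been reviewed.
    listed = documented.get("accounts") or set()
    if not listed:
        findings.add(("no_documented_list", "-"))
    elif (today - documented["reviewed_on"]).days > REVIEW_INTERVAL_DAYS:
        findings.add(("stale_review", documented["reviewed_on"].isoformat()))

    for row in admin_rows:
        acct = row["account"]
        # Failure: enforcement does not match the documented list.
        if acct not in listed:
            findings.add(("undocumented_log_admin", acct))
        # Failure: shared SIEM admin credentials (also breaks 3.3.2 traceability).
        if len(row["persons"]) != 1:
            findings.add(("shared_credential", acct))
        # Failure: same account used for daily admin work and log management.
        if acct in general_admins:
            findings.add(("no_separation", acct))
    return findings


def audit_as_of(iso_day, export=SIEM_ROLE_EXPORT):
    """Run the audit against the constructed data as of the given date."""
    return audit_log_admins(export, DOCUMENTED_LIST, GENERAL_ADMIN_ACCOUNTS,
                            date.fromisoformat(iso_day))


if __name__ == "__main__":
    for finding, subject in sorted(audit_as_of("2026-03-01")):
        print(f"{finding:24} {subject}")
```

Run against a real export, the interesting output is usually the `undocumented_log_admin` rows: they are the gap between what the policy says and what the RBAC configuration actually enforces, which is the difference between the first and second assessor check above.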



Requirement | Why it matters here
3.3.8 — Tamper-Proof Logs | Limiting who manages logging is a key control for protecting log integrity
3.1.5 — Separate Duties | Separation of duties principle applied specifically to audit management
3.1.7 — No Shared Accounts for Admin | Log admin accounts must be unique per person — no shared SIEM credentials
3.3.2 — Trace Every Action | Log management actions must be traceable to the individual who performed them


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: AU.L2-3.3.9 | SPRS Weight: 1 point | POA&M Eligible: Yes