Imagine thinking you’re compliant, only to discover during your assessment that one pesky misconfiguration is holding you back. Here’s how ASCERA allowed one organization to avoid exactly that.
Setting the Scene
A leading aerospace company implemented ASCERA to automate evidence collection and status reporting for CMMC. Shortly after setup, however, something critical was uncovered: the organization was unknowingly in violation of control AU.L2-3.3.1, System Auditing.
ASCERA in Action
Control AU.L2-3.3.1 calls for organizations to both define how long audit records are kept (Objective “e”) and ensure those records are actually retained for that time period (Objective “f”). Missing either of these can put an entire compliance program at risk.
ASCERA allowed the customer to formally define their retention policy and mapped that requirement directly to log data, including to certain firewall logs.
What it found: the index for these firewall logs wasn’t meeting the retention threshold. This single misconfiguration meant the customer was failing Assessment Objective “f” — and by extension, the entire 3.3.1 control.
What Would’ve Happened Without ASCERA?
Without visibility into this gap, the organization would’ve assumed compliance only to be blindsided during an assessment. This one unnoticed failure could have triggered findings, POA&Ms, and a delayed compliance timeline.
Moving Forward with ASCERA’s Continuous Controls Monitoring
Now, ASCERA continuously tracks the audit record retention settings across all log sources and alerts the customer the moment a control drifts out of alignment. With automation on their side, the organization can continuously be confident in its compliance status.