a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that:(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; andc. Review and update the current audit and accountability:1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; ande. Review and update the event types selected for logging [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into AU-12.]
[Withdrawn: Incorporated into AU-12.]
[Withdrawn: Incorporated into AU-2.]
[Withdrawn: Incorporated into AC-6(9).]
Ensure that audit records contain information that establishes the following:a. What type of event occurred;b. When the event occurred;c. Where the event occurred;d. Source of the event;e. Outcome of the event; andf. Identity of any individuals, subjects, or objects/entities associated with the event.
Generate audit records containing the following additional information: [Assignment: organization-defined additional information].
[Withdrawn: Incorporated into PL-9.]
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; andb. Take the following additional actions: [Assignment: organization-defined additional actions].
Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds.
Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].
a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;b. Report findings to [Assignment: organization-defined personnel or roles]; andc. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
[Withdrawn: Incorporated into SI-4.]
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
[Withdrawn: Incorporated into AU-6.]
Provide and implement an audit record reduction and report generation capability that:a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; andb. Does not alter the original content or time ordering of audit records.
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
[Withdrawn: Incorporated into AU-7(1).]
a. Use internal system clocks to generate time stamps for audit records; andb. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
[Withdrawn: Incorporated into SC-45(1).]
[Withdrawn: Incorporated into SC-45(2).]
a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; andb. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
Write audit trails to hardware-enforced, write-once media.
Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].
Store audit information on a component running a different operating system than the system or component being audited.
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].
(a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and(b) Provide the means for authorized individuals to determine the identity of the producer of the information.
(a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and(b) Perform [Assignment: organization-defined actions] in the event of a validation error.
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and(b) Perform [Assignment: organization-defined actions] in the event of a validation error.
[Withdrawn: Incorporated into SI-7.]
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; andc. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
a. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; andb. If an information disclosure is discovered:1. Notify [Assignment: organization-defined personnel or roles]; and2. Take the following additional actions: [Assignment: organization-defined additional actions].
Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms].
Review the list of open-source information sites being monitored [Assignment: organization-defined frequency].
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; andb. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Initiate session audits automatically at system start-up.
[Withdrawn: Incorporated into AU-14.]
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
[Withdrawn: Incorporated into None.]
Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Preserve the identity of individuals in cross-organizational audit trails.
Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.