Control ID Title / Statement Priority Baseline Impact
AU-1
Audit and Accountability Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, ma...
Param ID Label Constraint / Choices
au-1_prm_1 organization-defined personnel or roles Organization-defined
au-1_prm_2 organization-defined frequency Organization-defined
au-1_prm_3 organization-defined frequency Organization-defined
AU-2
Audit Events 2 params
Param ID Label Constraint / Choices
au-2_prm_1 organization-defined auditable events Organization-defined
au-2_prm_2 organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event Organization-defined
AU-2(1)
Compilation of Audit Records from Multiple Sources
AU-2(2)
Selection of Audit Events by Component
AU-2(3)
Reviews and Updates 1 param
The organization reviews and updates the audited events {{ insert: param, au-2.3_prm_1 }}.
Param ID Label Constraint / Choices
au-2.3_prm_1 organization-defined frequency Organization-defined
AU-2(4)
Privileged Functions
AU-3
Content of Audit Records
AU-3(1)
Additional Audit Information 1 param
The information system generates audit records containing the following additional information: {{ insert: param, au-3.1_prm_1 }}.
Param ID Label Constraint / Choices
au-3.1_prm_1 organization-defined additional, more detailed information Organization-defined
AU-3(2)
Centralized Management of Planned Audit Record Content 1 param
The information system provides centralized management and configuration of the content to be captured in audit records generated by {{ insert: param, au-3.2_prm_1 }}.
Param ID Label Constraint / Choices
au-3.2_prm_1 organization-defined information system components Organization-defined
AU-4
Audit Storage Capacity 1 param
The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}.
Param ID Label Constraint / Choices
au-4_prm_1 organization-defined audit record storage requirements Organization-defined
AU-4(1)
Transfer to Alternate Storage 1 param
The information system off-loads audit records {{ insert: param, au-4.1_prm_1 }} onto a different system or media than the system being audited.
Param ID Label Constraint / Choices
au-4.1_prm_1 organization-defined frequency Organization-defined
AU-5
Response to Audit Processing Failures 2 params
The information system: a. Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and b. Takes the following additional actions: {{ insert: param, au-5_prm_2 }}.
Param ID Label Constraint / Choices
au-5_prm_1 organization-defined personnel or roles Organization-defined
au-5_prm_2 organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records) Organization-defined
AU-5(1)
Audit Storage Capacity 3 params
The information system provides a warning to {{ insert: param, au-5.1_prm_1 }} within {{ insert: param, au-5.1_prm_2 }} when allocated audit record storage volume reaches {{ insert: param, au-5.1_p...
Param ID Label Constraint / Choices
au-5.1_prm_1 organization-defined personnel, roles, and/or locations Organization-defined
au-5.1_prm_2 organization-defined time period Organization-defined
au-5.1_prm_3 organization-defined percentage Organization-defined
AU-5(2)
Real-time Alerts 3 params
The information system provides an alert in {{ insert: param, au-5.2_prm_1 }} to {{ insert: param, au-5.2_prm_2 }} when the following audit failure events occur: {{ insert: param, au-5.2_prm_3 }}.
Param ID Label Constraint / Choices
au-5.2_prm_1 organization-defined real-time period Organization-defined
au-5.2_prm_2 organization-defined personnel, roles, and/or locations Organization-defined
au-5.2_prm_3 organization-defined audit failure events requiring real-time alerts Organization-defined
AU-5(3)
Configurable Traffic Volume Thresholds 1 param
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and {{ insert: param, au-5.3_prm_1 }} network traffic above thos...
Param ID Label Constraint / Choices
au-5.3_prm_1 Select one: rejects; delays
AU-5(4)
Shutdown On Failure 2 params
The information system invokes a {{ insert: param, au-5.4_prm_1 }} in the event of {{ insert: param, au-5.4_prm_2 }}, unless an alternate audit capability exists.
Param ID Label Constraint / Choices
au-5.4_prm_1 Select one: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available
au-5.4_prm_2 organization-defined audit failures Organization-defined
AU-6
Audit Review, Analysis, and Reporting 3 params
The organization: a. Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and b. Reports findings to {{ inse...
Param ID Label Constraint / Choices
au-6_prm_1 organization-defined frequency Organization-defined
au-6_prm_2 organization-defined inappropriate or unusual activity Organization-defined
au-6_prm_3 organization-defined personnel or roles Organization-defined
AU-6(1)
Process Integration
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6(2)
Automated Security Alerts
AU-6(3)
Correlate Audit Repositories
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6(4)
Central Review and Analysis
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5)
Integration / Scanning and Monitoring Capabilities 2 params
The organization integrates analysis of audit records with analysis of {{ insert: param, au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity.
Param ID Label Constraint / Choices
au-6.5_prm_1 Select one-or-more: vulnerability scanning information; performance data; information system monitoring information; {{ insert: param, au-6.5_prm_2 }}
au-6.5_prm_2 organization-defined data/information collected from other sources Organization-defined
AU-6(6)
Correlation with Physical Monitoring
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, o...
AU-6(7)
Permitted Actions 1 param
The organization specifies the permitted actions for each {{ insert: param, au-6.7_prm_1 }} associated with the review, analysis, and reporting of audit information.
Param ID Label Constraint / Choices
au-6.7_prm_1 Select one-or-more: information system process; role; user
AU-6(8)
Full Text Analysis of Privileged Commands
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicate...
AU-6(9)
Correlation with Information from Nontechnical Sources
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-6(10)
Audit Level Adjustment
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence informati...
AU-7
Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigation...
AU-7(1)
Automatic Processing 1 param
The information system provides the capability to process audit records for events of interest based on {{ insert: param, au-7.1_prm_1 }}.
Param ID Label Constraint / Choices
au-7.1_prm_1 organization-defined audit fields within audit records Organization-defined
AU-7(2)
Automatic Sort and Search 1 param
The information system provides the capability to sort and search audit records for events of interest based on the content of {{ insert: param, au-7.2_prm_1 }}.
Param ID Label Constraint / Choices
au-7.2_prm_1 organization-defined audit fields within audit records Organization-defined
AU-8
Time Stamps 1 param
The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (...
Param ID Label Constraint / Choices
au-8_prm_1 organization-defined granularity of time measurement Organization-defined
AU-8(1)
Synchronization with Authoritative Time Source 3 params
The information system: (a) Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and (b) Synchronizes the internal system cl...
Param ID Label Constraint / Choices
au-8.1_prm_1 organization-defined frequency Organization-defined
au-8.1_prm_2 organization-defined authoritative time source Organization-defined
au-8.1_prm_3 organization-defined time period Organization-defined
AU-8(2)
Secondary Authoritative Time Source
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
AU-9
Protection of Audit Information 1 param
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Param ID Label Constraint / Choices
au-09_odp personnel or roles personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit informatio...
AU-9(1)
Hardware Write-once Media
The information system writes audit trails to hardware-enforced, write-once media.
AU-9(2)
Audit Backup On Separate Physical Systems / Components 1 param
The information system backs up audit records {{ insert: param, au-9.2_prm_1 }} onto a physically different system or system component than the system or component being audited.
Param ID Label Constraint / Choices
au-9.2_prm_1 organization-defined frequency Organization-defined
AU-9(3)
Cryptographic Protection
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4)
Access by Subset of Privileged Users 1 param
The organization authorizes access to management of audit functionality to only {{ insert: param, au-9.4_prm_1 }}.
Param ID Label Constraint / Choices
au-9.4_prm_1 organization-defined subset of privileged users Organization-defined
AU-9(5)
Dual Authorization 2 params
The organization enforces dual authorization for {{ insert: param, au-9.5_prm_1 }} of {{ insert: param, au-9.5_prm_2 }}.
Param ID Label Constraint / Choices
au-9.5_prm_1 Select one-or-more: movement; deletion
au-9.5_prm_2 organization-defined audit information Organization-defined
AU-9(6)
Read Only Access 1 param
The organization authorizes read-only access to audit information to {{ insert: param, au-9.6_prm_1 }}.
Param ID Label Constraint / Choices
au-9.6_prm_1 organization-defined subset of privileged users Organization-defined
AU-10
Non-repudiation 1 param
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed {{ insert: param, au-10_prm_1 }}.
Param ID Label Constraint / Choices
au-10_prm_1 organization-defined actions to be covered by non-repudiation Organization-defined
AU-10(1)
Association of Identities 1 param
The information system: (a) Binds the identity of the information producer with the information to {{ insert: param, au-10.1_prm_1 }}; and (b) Provides the means for authorized individuals to d...
Param ID Label Constraint / Choices
au-10.1_prm_1 organization-defined strength of binding Organization-defined
AU-10(2)
Validate Binding of Information Producer Identity 2 params
The information system: (a) Validates the binding of the information producer identity to the information at {{ insert: param, au-10.2_prm_1 }}; and (b) Performs {{ insert: param, au-10.2_prm_2...
Param ID Label Constraint / Choices
au-10.2_prm_1 organization-defined frequency Organization-defined
au-10.2_prm_2 organization-defined actions Organization-defined
AU-10(3)
Chain of Custody
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
AU-10(4)
Validate Binding of Information Reviewer Identity 2 params
The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between {{ insert: param, au-...
Param ID Label Constraint / Choices
au-10.4_prm_1 organization-defined security domains Organization-defined
au-10.4_prm_2 organization-defined actions Organization-defined
AU-10(5)
Digital Signatures
au-10.1.(a) Binds the identity of the information producer with the information to {{ insert: param, au-10.1_prm_1 }}; and
au-10.1.(b) Provides the means for authorized individuals to determine the identity of the producer of the information.
au-10.2.(a) Validates the binding of the information producer identity to the information at {{ insert: param, au-10.2_prm_1 }}; and
au-10.2.(b) Performs {{ insert: param, au-10.2_prm_2 }} in the event of a validation error.
au-10.4.(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between {...
au-10.4.(b) Performs {{ insert: param, au-10.4_prm_2 }} in the event of a validation error.
AU-11
Audit Record Retention 1 param
The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational info...
Param ID Label Constraint / Choices
au-11_prm_1 organization-defined time period consistent with records retention policy Organization-defined
AU-11(1)
Long-term Retrieval Capability 1 param
The organization employs {{ insert: param, au-11.1_prm_1 }} to ensure that long-term audit records generated by the information system can be retrieved.
Param ID Label Constraint / Choices
au-11.1_prm_1 organization-defined measures Organization-defined
AU-12
Audit Generation 2 params
The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }}; b. Allows {{ insert: param, au-12_prm_2 }...
Param ID Label Constraint / Choices
au-12_prm_1 organization-defined information system components Organization-defined
au-12_prm_2 organization-defined personnel or roles Organization-defined
AU-12(1)
System-wide / Time-correlated Audit Trail 2 params
The information system compiles audit records from {{ insert: param, au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12....
Param ID Label Constraint / Choices
au-12.1_prm_1 organization-defined information system components Organization-defined
au-12.1_prm_2 organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail Organization-defined
AU-12(2)
Standardized Formats
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12(3)
Changes by Authorized Individuals 4 params
The information system provides the capability for {{ insert: param, au-12.3_prm_1 }} to change the auditing to be performed on {{ insert: param, au-12.3_prm_2 }} based on {{ insert: param, au-12.3...
Param ID Label Constraint / Choices
au-12.3_prm_1 organization-defined individuals or roles Organization-defined
au-12.3_prm_2 organization-defined information system components Organization-defined
au-12.3_prm_3 organization-defined selectable event criteria Organization-defined
au-12.3_prm_4 organization-defined time thresholds Organization-defined
au-12a Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};
au-12b Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and
au-12c Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-13
Monitoring for Information Disclosure 2 params
The organization monitors {{ insert: param, au-13_prm_1 }} {{ insert: param, au-13_prm_2 }} for evidence of unauthorized disclosure of organizational information.
Param ID Label Constraint / Choices
au-13_prm_1 organization-defined open source information and/or information sites Organization-defined
au-13_prm_2 organization-defined frequency Organization-defined
AU-13(1)
Use of Automated Tools
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
AU-13(2)
Review of Monitored Sites 1 param
The organization reviews the open source information sites being monitored {{ insert: param, au-13.2_prm_1 }}.
Param ID Label Constraint / Choices
au-13.2_prm_1 organization-defined frequency Organization-defined
AU-14
Session Audit
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-14(1)
System Start-up
The information system initiates session audits at system start-up.
AU-14(2)
Capture/record and Log Content
The information system provides the capability for authorized users to capture/record and log content related to a user session.
AU-14(3)
Remote Viewing / Listening
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
AU-15
Alternate Audit Capability 1 param
The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides {{ insert: param, au-15_prm_1 }}.
Param ID Label Constraint / Choices
au-15_prm_1 organization-defined alternate audit functionality Organization-defined
AU-16
Cross-organizational Auditing 2 params
The organization employs {{ insert: param, au-16_prm_1 }} for coordinating {{ insert: param, au-16_prm_2 }} among external organizations when audit information is transmitted across organizational ...
Param ID Label Constraint / Choices
au-16_prm_1 organization-defined methods Organization-defined
au-16_prm_2 organization-defined audit information Organization-defined
AU-16(1)
Identity Preservation
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
AU-16(2)
Sharing of Audit Information 2 params
The organization provides cross-organizational audit information to {{ insert: param, au-16.2_prm_1 }} based on {{ insert: param, au-16.2_prm_2 }}.
Param ID Label Constraint / Choices
au-16.2_prm_1 organization-defined organizations Organization-defined
au-16.2_prm_2 organization-defined cross-organizational sharing agreements Organization-defined
au-1a Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:
au-1a.1 An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational...
au-1a.2 Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
au-1b Reviews and updates the current:
au-1b.1 Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and
au-1b.2 Audit and accountability procedures {{ insert: param, au-1_prm_3 }}.
au-2a Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};
au-2b Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to hel...
au-2c Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
au-2d Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}.
au-5a Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and
au-5b Takes the following additional actions: {{ insert: param, au-5_prm_2 }}.
au-6a Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and
au-6b Reports findings to {{ insert: param, au-6_prm_3 }}.
au-7a Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
au-7b Does not alter the original content or time ordering of audit records.
au-8.1.(a) Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and
au-8.1.(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, au-8.1_prm_3 }}.
au-8a Uses internal system clocks to generate time stamps for audit records; and
au-8b Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: para...