Control ID Title / Statement Priority Baseline Impact
AU-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}: 1. {{ insert: param, au-01_odp.03 }} audit and accountability policy that: (a) Addresses purpose, scope, roles,...
Param ID Label Constraint / Choices
au-1_prm_1 organization-defined personnel or roles Organization-defined
au-01_odp.01 personnel or roles personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;
au-01_odp.02 personnel or roles personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;
au-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
au-01_odp.04 official an official to manage the audit and accountability policy and procedures is defined;
au-01_odp.05 frequency the frequency at which the current audit and accountability policy is reviewed and updated is defined;
au-01_odp.06 events events that would require the current audit and accountability policy to be reviewed and updated are defined;
au-01_odp.07 frequency the frequency at which the current audit and accountability procedures are reviewed and updated is defined;
au-01_odp.08 events events that would require audit and accountability procedures to be reviewed and updated are defined;
AU-02
Event Logging 5 params
a. Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }}; b. Coordinate the event logging function with other or...
Param ID Label Constraint / Choices
au-2_prm_2 organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type Organization-defined
au-02_odp.01 event types the event types that the system is capable of logging in support of the audit function are defined;
au-02_odp.02 event types (subset of AU-02_ODP[01]) the event types (subset of AU-02_ODP[01]) for logging within the system are defined;
au-02_odp.03 frequency or situation the frequency or situation requiring logging for each specified event type is defined;
au-02_odp.04 frequency the frequency of event types selected for logging are reviewed and updated;
AU-02(01)
Compilation of Audit Records from Multiple Sources
AU-02(02)
Selection of Audit Events by Component
AU-02(03)
Reviews and Updates
AU-02(04)
Privileged Functions
AU-03
Content of Audit Records
Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event...
AU-03(01)
Additional Audit Information 1 param
Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.
Param ID Label Constraint / Choices
au-03.01_odp additional information additional information to be included in audit records is defined;
AU-03(02)
Centralized Management of Planned Audit Record Content
AU-03(03)
Limit Personally Identifiable Information Elements 1 param
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}.
Param ID Label Constraint / Choices
au-03.03_odp elements elements identified in the privacy risk assessment are defined;
AU-04
Audit Log Storage Capacity 1 param
Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}.
Param ID Label Constraint / Choices
au-04_odp audit log retention requirements audit log retention requirements are defined;
AU-04(01)
Transfer to Alternate Storage 1 param
Transfer audit logs {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.
Param ID Label Constraint / Choices
au-04.01_odp frequency the frequency of audit logs transferred to a different system, system component, or media other than the system or sy...
AU-05
Response to Audit Logging Process Failures 3 params
a. Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and b. Take the following additional actions: {{ insert: pa...
Param ID Label Constraint / Choices
au-05_odp.01 personnel or roles personnel or roles receiving audit logging process failure alerts are defined;
au-05_odp.02 time period time period for personnel or roles receiving audit logging process failure alerts is defined;
au-05_odp.03 additional actions additional actions to be taken in the event of an audit logging process failure are defined;
AU-05(01)
Storage Capacity Warning 3 params
Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of reposit...
Param ID Label Constraint / Choices
au-05.01_odp.01 personnel, roles, and/or locations personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repos...
au-05.01_odp.02 time period time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reach...
au-05.01_odp.03 percentage percentage of repository maximum audit log storage capacity is defined;
AU-05(02)
Real-time Alerts 3 params
Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}.
Param ID Label Constraint / Choices
au-05.02_odp.01 real-time period real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;
au-05.02_odp.02 personnel, roles, and/or locations personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]...
au-05.02_odp.03 audit logging failure events requiring real-time alerts audit logging failure events requiring real-time alerts are defined;
AU-05(03)
Configurable Traffic Volume Thresholds 1 param
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and {{ insert: param, au-05.03_odp }} network traffic above those thresholds.
Param ID Label Constraint / Choices
au-05.03_odp Select one-or-more: reject; delay
AU-05(04)
Shutdown on Failure 2 params
Invoke a {{ insert: param, au-05.04_odp.01 }} in the event of {{ insert: param, au-05.04_odp.02 }}, unless an alternate audit logging capability exists.
Param ID Label Constraint / Choices
au-05.04_odp.01 Select one-or-more: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available
au-05.04_odp.02 audit logging failures audit logging failures that trigger a change in operational mode are defined;
AU-05(05)
Alternate Audit Logging Capability 1 param
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}.
Param ID Label Constraint / Choices
au-05.05_odp alternate audit logging functionality an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;
AU-06
Audit Record Review, Analysis, and Reporting 3 params
a. Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity...
Param ID Label Constraint / Choices
au-06_odp.01 frequency frequency at which system audit records are reviewed and analyzed is defined;
au-06_odp.02 inappropriate or unusual activity inappropriate or unusual activity is defined;
au-06_odp.03 personnel or roles personnel or roles to receive findings from reviews and analyses of system records is/are defined;
AU-06(01)
Automated Process Integration 1 param
Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}.
Param ID Label Constraint / Choices
au-06.01_odp automated mechanisms automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;
AU-06(02)
Automated Security Alerts
AU-06(03)
Correlate Audit Record Repositories
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
AU-06(04)
Central Review and Analysis
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
AU-06(05)
Integrated Analysis of Audit Records 2 params
Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.
Param ID Label Constraint / Choices
au-06.05_odp.01 Select one-or-more: vulnerability scanning information; performance data; system monitoring information; {{ insert: param, au-06.05_odp.02 }}
au-06.05_odp.02 data/information collected from other sources data/information collected from other sources to be analyzed is defined (if selected);
AU-06(06)
Correlation with Physical Monitoring
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activ...
AU-06(07)
Permitted Actions 1 param
Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information.
Param ID Label Constraint / Choices
au-06.07_odp Select one-or-more: system process; role; user
AU-06(08)
Full Text Analysis of Privileged Commands
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
AU-06(09)
Correlation with Information from Nontechnical Sources
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
AU-06(10)
Audit Level Adjustment
AU-07
Audit Record Reduction and Report Generation
Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investiga...
AU-07(01)
Automatic Processing 1 param
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}.
Param ID Label Constraint / Choices
au-07.01_odp fields within audit records fields within audit records that can be processed, sorted, or searched are defined;
AU-07(02)
Automatic Sort and Search
AU-08
Time Stamps 1 param
a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal ...
Param ID Label Constraint / Choices
au-08_odp granularity of time measurement granularity of time measurement for audit record timestamps is defined;
AU-08(01)
Synchronization with Authoritative Time Source
AU-08(02)
Secondary Authoritative Time Source
AU-09
Protection of Audit Information 1 param
a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, mod...
Param ID Label Constraint / Choices
au-09_odp personnel or roles personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit informatio...
AU-09(01)
Hardware Write-once Media
Write audit trails to hardware-enforced, write-once media.
AU-09(02)
Store on Separate Physical Systems or Components 1 param
Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.
Param ID Label Constraint / Choices
au-09.02_odp frequency the frequency of storing audit records in a repository is defined;
AU-09(03)
Cryptographic Protection
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-09(04)
Access by Subset of Privileged Users 1 param
Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}.
Param ID Label Constraint / Choices
au-09.04_odp subset of privileged users or roles a subset of privileged users or roles authorized to access management of audit logging functionality is defined;
AU-09(05)
Dual Authorization 2 params
Enforce dual authorization for {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.
Param ID Label Constraint / Choices
au-09.05_odp.01 Select one-or-more: movement; deletion
au-09.05_odp.02 audit information audit information for which dual authorization is to be enforced is defined;
AU-09(06)
Read-only Access 1 param
Authorize read-only access to audit information to {{ insert: param, au-09.06_odp }}.
Param ID Label Constraint / Choices
au-09.06_odp subset of privileged users or roles a subset of privileged users or roles with authorized read-only access to audit information is defined;
AU-09(07)
Store on Component with Different Operating System
Store audit information on a component running a different operating system than the system or component being audited.
AU-10
Non-repudiation 1 param
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.
Param ID Label Constraint / Choices
au-10_odp actions actions to be covered by non-repudiation are defined;
AU-10(01)
Association of Identities 1 param
(a) Bind the identity of the information producer with the information to {{ insert: param, au-10.01_odp }}; and (b) Provide the means for authorized individuals to determine the identity of t...
Param ID Label Constraint / Choices
au-10.01_odp strength of binding the strength of binding between the identity of the information producer and the information is defined;
AU-10(02)
Validate Binding of Information Producer Identity 2 params
(a) Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }}; and (b) Perform {{ insert: param, au-10.02_odp.02 }} in the event of a...
Param ID Label Constraint / Choices
au-10.02_odp.01 frequency the frequency at which to validate the binding of the information producer identity to the information is defined;
au-10.02_odp.02 actions the actions to be performed in the event of a validation error are defined;
AU-10(03)
Chain of Custody
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
AU-10(04)
Validate Binding of Information Reviewer Identity 2 params
(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }}; and ...
Param ID Label Constraint / Choices
au-10.04_odp.01 security domains security domains for which the binding of the information reviewer identity to the information is to be validated at ...
au-10.04_odp.02 actions actions to be performed in the event of a validation error are defined;
AU-10(05)
Digital Signatures
au-10.1.(a) Bind the identity of the information producer with the information to {{ insert: param, au-10.01_odp }}; and
au-10.1.(b) Provide the means for authorized individuals to determine the identity of the producer of the information.
au-10.2.(a) Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }}; and
au-10.2.(b) Perform {{ insert: param, au-10.02_odp.02 }} in the event of a validation error.
au-10.4.(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between...
au-10.4.(b) Perform {{ insert: param, au-10.04_odp.02 }} in the event of a validation error.
AU-11
Audit Record Retention 1 param
Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Param ID Label Constraint / Choices
au-11_odp time period a time period to retain audit records that is consistent with the records retention policy is defined;
AU-11(01)
Long-term Retrieval Capability 1 param
Employ {{ insert: param, au-11.01_odp }} to ensure that long-term audit records generated by the system can be retrieved.
Param ID Label Constraint / Choices
au-11.01_odp measures measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;
AU-12
Audit Record Generation 2 params
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }}; b. Allow {{ insert: ...
Param ID Label Constraint / Choices
au-12_odp.01 system components system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) ...
au-12_odp.02 personnel or roles personnel or roles allowed to select the event types that are to be logged by specific components of the system is/ar...
AU-12(01)
System-wide and Time-correlated Audit Trail 2 params
Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.
Param ID Label Constraint / Choices
au-12.01_odp.01 system components system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail ar...
au-12.01_odp.02 level of tolerance level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;
AU-12(02)
Standardized Formats
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12(03)
Changes by Authorized Individuals 4 params
Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.0...
Param ID Label Constraint / Choices
au-12.03_odp.01 individuals or roles individuals or roles authorized to change the logging on system components are defined;
au-12.03_odp.02 system components system components on which logging is to be performed are defined;
au-12.03_odp.03 selectable event criteria selectable event criteria with which change logging is to be performed are defined;
au-12.03_odp.04 time thresholds time thresholds in which logging actions are to change is defined;
AU-12(04)
Query Parameter Audits of Personally Identifiable Information
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
au-12a Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: p...
au-12b Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and
au-12c Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
AU-13
Monitoring for Information Disclosure 4 params
a. Monitor {{ insert: param, au-13_odp.01 }} {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information; and b. If an information disclosure is disc...
Param ID Label Constraint / Choices
au-13_odp.01 open-source information and/or information sites open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizat...
au-13_odp.02 frequency the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized ...
au-13_odp.03 personnel or roles personnel or roles to be notified if an information disclosure is discovered is/are defined;
au-13_odp.04 additional actions additional actions to be taken if an information disclosure is discovered are defined;
AU-13(01)
Use of Automated Tools 1 param
Monitor open-source information and information sites using {{ insert: param, au-13.01_odp }}.
Param ID Label Constraint / Choices
au-13.01_odp automated mechanisms automated mechanisms for monitoring open-source information and information sites are defined;
AU-13(02)
Review of Monitored Sites 1 param
Review the list of open-source information sites being monitored {{ insert: param, au-13.02_odp }}.
Param ID Label Constraint / Choices
au-13.02_odp frequency the frequency at which to review the open-source information sites being monitored is defined;
AU-13(03)
Unauthorized Replication of Information
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
au-13a Monitor {{ insert: param, au-13_odp.01 }} {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information; and
au-13b If an information disclosure is discovered:
au-13b.1 Notify {{ insert: param, au-13_odp.03 }}; and
au-13b.2 Take the following additional actions: {{ insert: param, au-13_odp.04 }}.
AU-14
Session Audit 3 params
a. Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }}; and b....
Param ID Label Constraint / Choices
au-14_odp.01 users or roles users or roles who can audit the content of a user session are defined;
au-14_odp.02 Select one-or-more: record; view; hear; log
au-14_odp.03 circumstances circumstances under which the content of a user session can be audited are defined;
AU-14(01)
System Start-up
Initiate session audits automatically at system start-up.
AU-14(02)
Capture and Record Content
AU-14(03)
Remote Viewing and Listening
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
au-14a Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under...
au-14b Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders...
AU-15
Alternate Audit Logging Capability
AU-16
Cross-organizational Audit Logging 2 params
Employ {{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries.
Param ID Label Constraint / Choices
au-16_odp.01 methods methods for coordinating audit information among external organizations when audit information is transmitted across ...
au-16_odp.02 audit information audit information to be coordinated among external organizations when audit information is transmitted across organiz...
AU-16(01)
Identity Preservation
Preserve the identity of individuals in cross-organizational audit trails.
AU-16(02)
Sharing of Audit Information 2 params
Provide cross-organizational audit information to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}.
Param ID Label Constraint / Choices
au-16.02_odp.01 organizations organizations with which cross-organizational audit information is to be shared are defined;
au-16.02_odp.02 cross-organizational sharing agreements cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizat...
AU-16(03)
Disassociability 1 param
Implement {{ insert: param, au-16.03_odp }} to disassociate individuals from audit information transmitted across organizational boundaries.
Param ID Label Constraint / Choices
au-16.03_odp measures measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;
au-1a Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:
au-1a.1 {{ insert: param, au-01_odp.03 }} audit and accountability policy that:
au-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
au-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
au-1a.2 Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
au-1b Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy a...
au-1c Review and update the current audit and accountability:
au-1c.1 Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }}; and
au-1c.2 Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}.
au-2a Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};
au-2b Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection crit...
au-2c Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};
au-2d Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
au-2e Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}.
au-3a What type of event occurred;
au-3b When the event occurred;
au-3c Where the event occurred;
au-3d Source of the event;
au-3e Outcome of the event; and
au-3f Identity of any individuals, subjects, or objects/entities associated with the event.
au-5a Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and
au-5b Take the following additional actions: {{ insert: param, au-05_odp.03 }}.
au-6a Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential im...
au-6b Report findings to {{ insert: param, au-06_odp.03 }}; and
au-6c Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement informat...
au-7a Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
au-7b Does not alter the original content or time ordering of audit records.
au-8a Use internal system clocks to generate time stamps for audit records; and
au-8b Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offs...
au-9a Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
au-9b Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information.