AU.3.046

Control Acronym

AU

Family

Audit And Accountability

CMMC Level

3

800-171 Control #

3.3.4

CMMC Description

Alert in the event of an audit logging process failure.

CMMC Clarification

Audit logging keeps track of activities occurring on the network, servers, user workstations and other components of the overall system. These logs must always be available and functional. The organization’s designated security personnel (e.g., system administrator and security officer) need to be aware when the audit log process fails or becomes unavailable. Automated notifications need to be sent to the organization’s designated security personnel to immediately take appropriate action. If security personnel are unaware of the audit logging process failure, then they will be unaware of any suspicious activity occurring at that time.

Your response to an audit logging process failure should account for the extent of the failure (e.g., a single component’s audit logging versus failure of the centralized logging solution), the risks involved in this loss of audit logging, and other factors (e.g., possibility an adversary could have caused the audit logging process failure).

Example

You are in charge of IT operations for your organization. Your responsibilities include management of the audit logging process. One of the logging mechanisms failed, but you had configured the system to notify the designated security personnel that a problem with the auditing system occurred. After verifying the alert, you restart the logging mechanism and verify that it is now logging.

800-171 Description

Alert in the event of an audit logging process failure.

800-171 Discussion

Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 6.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-5

NIST 800-171 References

NIST SP 800-171 Rev 1 3.3.4

Sub-Criteria

Assessment Sub-Criteria 1

AU.3.046.[a] personnel or roles to be alerted in the event of an audit logging process failure are identified;

Assessment Sub-Criteria 2

AU.3.046.[b] types of audit logging process failures for which alert will be generated are defined; and

Assessment Sub-Criteria 3

AU.3.046.[c] identified personnel or roles are alerted in the event of an audit logging process failure.
