AU.5.055

Control Acronym

AU

Family

Audit And Accountability

CMMC Level

5

800-171 Control #

N/A

CMMC Description

Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.

CMMC Clarification

Robust audit logging is critical to defending against cyber attacks and to preventing future ones: logs are the usual starting point for incident response and a core element of post-attack forensics. An attacker may try to disrupt logging at the start of an intrusion, so the absence of audit logs from an asset is itself an early indicator of a potential attack. Even when a logging failure has a benign cause, logging must be restored to maintain a secure posture.

Comparing the set of assets that are actually reporting logs against the inventory of assets expected to report them yields the set of assets that need remediation. The logging requirements for each asset, which may include several distinct logs to be collected, must be documented and compared against the logs actually received; any discrepancy starts an investigation and remediation process.

Example

You are working your shift in the security operations center (SOC) when one of your hourly scanning scripts indicates that a data server is not providing logs to the central log collection server. The data server is on the list of assets for which a log is required. You send a notification to the server's administrator to investigate and turn logging on, and copy the company threat hunting team as well.

800-171 Discussion

N/A

Other Source Discussion

Practice AU.2.042 required the creation and retention of audit logs. Audit logs are essential to cybersecurity awareness and incident response. This practice requires organizations to proactively determine if any assets that should be creating audit logs are not generating the required logs.
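The check described in the CMMC Clarification and in the discussion above (compare the documented per-asset logging requirements against what the central collector has actually received, and flag anything that is absent or has gone quiet) can be scripted. The following is an added example, not text or code from CMMC or from the Control Explorer; the hostnames, log source names, collector records, silence threshold and the "now" timestamp are all constructed sample data. It goes slightly beyond the text in one respect: besides assets that are missing or stale, it also reports assets that send logs but are absent from the inventory, since that is the other kind of inventory discrepancy the comparison exposes.

```python
"""Added example: find assets that should be sending audit logs but are not.

Inventory, collector records, threshold and NOW below are constructed
sample data (hypothetical hostnames and source names).
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: asset -> the log sources the organization requires
# from it. A single asset may have to deliver several distinct logs.
EXPECTED_SOURCES = {
    "data-srv-01": {"auth", "syslog", "audit"},
    "web-01": {"auth", "nginx"},
    "dc-01": {"security", "system"},
}

# Constructed collector records: (asset, source, timestamp of last event, UTC).
RECEIVED = [
    ("data-srv-01", "syslog", "2024-05-01T11:55:00Z"),
    ("data-srv-01", "auth",   "2024-05-01T09:10:00Z"),
    ("web-01",      "auth",   "2024-05-01T11:58:00Z"),
    ("web-01",      "nginx",  "2024-05-01T11:59:00Z"),
    ("unknown-box", "syslog", "2024-05-01T11:50:00Z"),
]

# Constructed evaluation time and silence threshold (one hourly run).
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=1)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_by_source(received):
    """Collapse collector records to the most recent event per (asset, source)."""
    latest = {}
    for asset, source, ts in received:
        t = parse_ts(ts)
        key = (asset, source)
        if key not in latest or t > latest[key]:
            latest[key] = t
    return latest


def find_gaps(expected, received, now, max_silence):
    """Compare required log sources against received ones.

    Returns a dict with:
      missing    - (asset, source) pairs never seen by the collector
      stale      - (asset, source, silence) pairs quiet longer than max_silence
      unexpected - assets that send logs but are not in the inventory
    """
    latest = latest_by_source(received)
    missing, stale = [], []
    for asset, sources in expected.items():
        for source in sorted(sources):
            last = latest.get((asset, source))
            if last is None:
                missing.append((asset, source))
            elif now - last > max_silence:
                stale.append((asset, source, now - last))
    unexpected = sorted({a for (a, _) in latest} - set(expected))
    return {"missing": missing, "stale": stale, "unexpected": unexpected}


def run_check():
    """Run the comparison over the constructed sample data."""
    return find_gaps(EXPECTED_SOURCES, RECEIVED, NOW, MAX_SILENCE)


def format_report(gaps):
    """Render the findings as one line per discrepancy, for a ticket or alert."""
    lines = []
    for asset, source in gaps["missing"]:
        lines.append(f"MISSING  {asset}/{source}: no events ever received")
    for asset, source, silence in gaps["stale"]:
        mins = int(silence.total_seconds() // 60)
        lines.append(f"STALE    {asset}/{source}: last event {mins} min ago")
    for asset in gaps["unexpected"]:
        lines.append(f"UNLISTED {asset}: reporting logs but not in inventory")
    return lines


if __name__ == "__main__":
    for line in format_report(run_check()):
        print(line)
```

In a real deployment the inventory would come from the asset/CMDB system and the collector records from the SIEM's last-seen-per-source index; the threshold should be set per source, since a quiet audit log on a low-traffic host is normal while a silent authentication log on a domain controller is not. Both "missing" and "stale" findings should open the investigation the practice calls for, and an "unlisted" asset is a prompt to fix the inventory rather than to ignore the logs.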

CIS Control References

CIS Controls v7.1 6.2

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-12

CMMC Derived

CMMC
