This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [FedRAMP Assignment: (H) organization and/or service provider system owner].
NIST 800-53 (r4) Supplemental Guidance:
Related controls: AU-2, AU-12.
NIST 800-53 (r5) Discussion:
Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.
38North Guidance:
Meets Minimum Requirement:
Automatically audits account creation, modification, enabling, disabling, and removal actions.
Notifications are sent to organization-defined personnel, including the system owner for FedRAMP High.
Best Practice:
Define audit events to cover all account activity, especially account creation, modification, enabling, disabling, and removal.
All audit events should be sent to a SIEM and actively monitored by the SOC or designated personnel.
Alerts should be generated when account creation, modification, enabling, disabling, or removal occurs within the boundary. Notifications should be sent to organization-defined personnel for FedRAMP Moderate and the system owner for FedRAMP High.
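One way to implement the alerting described under Best Practice, as an added example that is not 38North or FedRAMP code. It assumes Windows Security log event IDs as the audit source; the recipient addresses, field names, and sample events are constructed for illustration.

```python
# Added example: assumes Windows Security event IDs as the account audit source.
ACTION_BY_EVENT_ID = {
    4720: "creation",      # a user account was created
    4738: "modification",  # a user account was changed
    4722: "enabling",      # a user account was enabled
    4725: "disabling",     # a user account was disabled
    4726: "removal",       # a user account was deleted
}

# Hypothetical recipients (assumptions, not from the guidance page).
ORG_DEFINED_PERSONNEL = ["soc@example.org"]
SYSTEM_OWNER = "system-owner@example.org"


def recipients_for(baseline):
    """Recipients per baseline: High adds the system owner to the defined personnel."""
    if baseline not in ("moderate", "high"):
        raise ValueError(f"unsupported baseline: {baseline}")
    recipients = list(ORG_DEFINED_PERSONNEL)
    if baseline == "high":
        recipients.append(SYSTEM_OWNER)
    return recipients


def build_alerts(events, baseline):
    """Turn account-lifecycle audit events into alert records; skip all other events."""
    notify = recipients_for(baseline)
    alerts = []
    for event in events:
        action = ACTION_BY_EVENT_ID.get(event.get("event_id"))
        if action is None:
            continue  # not one of the five audited account actions
        alerts.append({"action": action, "time": event.get("time"),
                       "actor": event.get("actor", "<unknown>"),
                       "account": event.get("account", "<unknown>"),
                       "notify": list(notify)})
    return alerts


def missing_actions(alerts):
    """Actions with no alert yet; useful when collecting evidence for all five."""
    return set(ACTION_BY_EVENT_ID.values()) - {a["action"] for a in alerts}


# Constructed sample events (4624 is an ordinary logon and must not alert).
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2024-01-10T09:00:00Z", "actor": "admin1", "account": "svc-backup"},
    {"event_id": 4624, "time": "2024-01-10T09:01:00Z", "actor": "jdoe", "account": "jdoe"},
    {"event_id": 4725, "time": "2024-01-10T09:05:00Z", "actor": "admin1", "account": "contractor7"},
    {"event_id": 4726, "time": "2024-01-10T09:06:00Z", "actor": "admin1", "account": "contractor7"},
]
```

Running `missing_actions` against alerts produced during an evidence-collection test shows which of the five actions still need a triggering event before screenshots are taken.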
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of audit log activity from the SIEM tool, along with the alert trigger configuration that alerts on account activity, specifically account creation, modification, enabling, disabling, and removal.
Screenshots of email alerts, SIEM tool alerts, or SIEM tool dashboards that alert on account creation, modification, enabling, disabling, and removal.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD