This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [FedRAMP Assignment: (H) minimum actions including the addition, modification, deletion, approval, sending, or receiving of data].
NIST 800-53 (r4) Supplemental Guidance:
Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23.
References: None.
NIST 800-53 (r5) Discussion:
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Offering (CSO) protects against an individual (or a process acting on behalf of an individual) falsely denying having performed the organization-defined actions covered by non-repudiation, either through a strong access control implementation or through the configuration of digital signatures and digital message receipts.
Minimum actions to be covered by non-repudiation are addition, modification, deletion, approval, sending, or receiving of data.
Best Practice:
Ensure that all audit logs identify the user or personnel involved in the event.
Ensure that log data cannot be changed or modified after it has been collected by the Security Information and Event Management (SIEM).
Ensure that administrator roles or privileges within the SIEM are limited so that only designated users can delete audit logs or manually move them to a different server or system.
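As an added illustration of the best practices above (every record names the actor, and records cannot be altered after collection) and of the digital-signature mechanism NIST cites, the following Go program is example code written for this page; it is not 38North guidance, a FedRAMP artifact, or code from any SIEM product. It keeps an append-only audit log in which each record carries the actor, action and object, links to the previous record by hash, and is signed with an Ed25519 key held by the log collector; Verify reports the first record whose content, chain link or signature no longer checks out. The type and function names (AuditEvent, AuditLog, Append, Verify), the JSON field layout and the sample events are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one audit record. Actor identifies the individual (or the
// process acting on their behalf) so that every record can be attributed.
// Field names are this example's own, not a SIEM schema.
type AuditEvent struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"`
	Actor     string `json:"actor"`
	Action    string `json:"action"` // add, modify, delete, approve, send, receive
	Object    string `json:"object"`
	PrevHash  string `json:"prev"` // hash of the preceding record ("genesis" for the first)
	Hash      string `json:"hash"` // SHA-256 over every field except Hash and Signature
	Signature string `json:"sig"`  // Ed25519 signature over Hash by the collector's key
}

// AuditLog is the collector's append-only store plus its signing key.
type AuditLog struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey // published so auditors can verify independently
	Events []AuditEvent
}

func NewAuditLog() (*AuditLog, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditLog{priv: priv, Pub: pub}, nil
}

// recordHash computes the content hash. The struct's fixed field order makes
// the JSON encoding canonical, so the same record always hashes the same way.
func recordHash(e AuditEvent) string {
	e.Hash, e.Signature = "", ""
	body, _ := json.Marshal(e) // cannot fail for plain string/int fields
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Append records an action. An empty actor is refused: a record that cannot be
// attributed to a user is useless for non-repudiation.
func (l *AuditLog) Append(actor, action, object string) (AuditEvent, error) {
	if actor == "" {
		return AuditEvent{}, fmt.Errorf("audit record must identify the actor")
	}
	prev := "genesis"
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := AuditEvent{
		Seq:       len(l.Events),
		Timestamp: time.Now().UTC().Format(time.RFC3339Nano),
		Actor:     actor,
		Action:    action,
		Object:    object,
		PrevHash:  prev,
	}
	e.Hash = recordHash(e)
	e.Signature = hex.EncodeToString(ed25519.Sign(l.priv, []byte(e.Hash)))
	l.Events = append(l.Events, e)
	return e, nil
}

// Verify re-checks every record against the collector's public key. It returns
// the index of the first record whose content, chain link or signature fails,
// or -1 when the whole log is intact. Editing, reordering or deleting a record
// after the fact breaks the chain from that point onward.
func Verify(pub ed25519.PublicKey, events []AuditEvent) int {
	prev := "genesis"
	for i, e := range events {
		if e.Seq != i || e.PrevHash != prev || e.Actor == "" || recordHash(e) != e.Hash {
			return i
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	alog, err := NewAuditLog()
	if err != nil {
		panic(err)
	}
	// Constructed sample events, not taken from any real system.
	alog.Append("alice@example.test", "approve", "procurement-request-17")
	alog.Append("svc-mailer", "send", "message-0042")
	alog.Append("bob@example.test", "delete", "report-q3")
	fmt.Println("intact log, first bad index:", Verify(alog.Pub, alog.Events)) // -1

	// An after-the-fact edit that rewrites who approved the request.
	tampered := append([]AuditEvent(nil), alog.Events...)
	tampered[0].Actor = "carol@example.test"
	fmt.Println("after editing record 0:", Verify(alog.Pub, tampered)) // 0

	// Removing a record in the middle breaks the chain at the next record.
	shortened := append(append([]AuditEvent(nil), alog.Events[:1]...), alog.Events[2:]...)
	fmt.Println("after deleting record 1:", Verify(alog.Pub, shortened)) // 1
}
```

The collector's signature attests that the SIEM accepted each record as written; whether the Actor field itself is trustworthy depends on the strength of the authentication that produced it, which is why this mechanism pairs with the strong access control named under Meets Minimum Requirement. The signing key should live only on the collector (ideally in an HSM or cloud KMS), and the public key plus a periodic copy of the latest chain hash should be handed to a separate party so that even a SIEM administrator cannot rewrite history unnoticed.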
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List or screen shot of users or roles that have administrator privileges within the SIEM tool.
Screen shot sample of logs from different system components demonstrating that each log entry can be attributed to the individual user who performed the action.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD