This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [FedRAMP Assignment: (L)(M)(H) all information system and network components where audit capability is deployed/available];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
NIST 800-53 (r4) Supplemental Guidance:
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
References: None.
NIST 800-53 (r5) Discussion:
Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.
38North Guidance:
Meets Minimum Requirement:
Part a.
The Cloud Security Offering (CSO) is required to provide audit record generation capability, for the auditable events defined in AU-2a, at org-defined information system components.
All CSO and network components where capability is deployed/available within the system boundary are able to generate audit logs based on the defined auditable events list.
Part b.
The organization allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system.
Part c.
The system generates CSO component audit records for the events defined in AU-2d with the content defined in AU-3.
Best Practice:
Implement a Security Information and Event Management (SIEM) tool to aggregate audit logs from all system components, so that you can track and verify that every system component is generating logs.
Designate specific personnel to select the events that will be included in the audit records for the various components within the boundary.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
SIEM tool listing of all system components collecting logs, compared against the list of audit events defined in AU-2d with the content defined in AU-3.
Screenshots of offenses or dashboard alerts within the SIEM tool demonstrating that audit logs are being generated for all components within the boundary.
Screenshots of audit alerts, such as successful and unsuccessful logins to system components and databases, that demonstrate a comprehensive overall view that audit logs are being generated for the environment.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD