AU-12 (1) Audit Generation | System-wide / Time-correlated Audit Trail (H)

This page is classified as INTERNAL.

NIST 800-53 (r4) Control:

The information system compiles audit records from [FedRAMP Assignment: (H) all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

NIST 800-53 (r4) Supplemental Guidance:

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.

NIST 800-53 (r5) Discussion:

38North Guidance:

Meets Minimum Requirement:

The Cloud Service Offering (CSO) is required to compile audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
All network, data storage, and computing devices are to be compiled into a system-wide (logical or physical) time-correlated audit trail.

Best Practice:

Ensure that all system components and databases audit logs include time stamps to aid in potential incident investigations etc.
Ensure all systems components are in synchronization with a CSO Network Time Protocol (NTP) server that is in synchronization with an authoritative time source (NIST) located here.

Unofficial FedRAMP Guidance: None

Assessment Evidence:

Screen shots of audit logs that have a granularity of seconds or milliseconds demonstrating potential incidents can be investigated to determine who, what, when, where, and how.

CSP Implementation Tips:

Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD

Page updated

Report abuse