This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system provides the capability for [FedRAMP Assignment: (H) service provider-defined individuals or roles with audit configuration responsibilities] to change the auditing to be performed on [FedRAMP Assignment: (H) all network, data storage, and computing devices] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7.
NIST 800-53 (r5) Discussion:
Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).
38North Guidance:
Meets Minimum Requirement:
Only authorized service provider-defined individuals or roles with Cloud Service Offering (CSO) audit configuration responsibilities are permitted to make changes to the audit capabilities of system components (all network, data storage, and computing devices).
The organization provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
Best Practice:
Only permit authorized personnel with specific roles and responsibilities to make changes to the audit capabilities of system components within the boundary.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Active Directory account listing of user roles with capabilities to make audit capability changes to information system components.
Screenshots of user roles and responsibilities within network components, demonstrating that users and roles with admin privileges are restricted so that only certain users can make changes to what is audited.
Security Information and Event Management (SIEM) tool user privileges demonstrating who has the ability to make changes to the audit tool.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD