This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
NIST 800-53 (r4) Supplemental Guidance:
Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.
References: None.
NIST 800-53 (r5) Discussion:
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Provider (CSP) is required to define the audit record storage requirements for the Cloud Service Offering (CSO). The CSP should consult the National Archives and Records Administration (NARA) https://www.archives.gov/records-mgmt/grs to ensure the CSO audit storage capacity meets the NARA disposition requirement for the data stored within the CSO.
The CSP implements the defined audit record storage requirement within the audit log system of record (e.g., Splunk, Graylog) for the CSO.
Best Practice:
Best practice is to keep 90 days of audit records online and one year offline. Although this is a best practice, it may not meet the NARA requirements for the CSO data types.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review the Audit and Accountability policy and procedures to determine the organization-defined audit record storage requirement.
Review AU-4 of the System Security Plan (SSP) to confirm that the audit record storage requirement from the Audit and Accountability policy and procedures is defined within the SSP.
Review the configuration settings of the CSO Security Information and Event Management (SIEM) tool to determine if the SIEM is configured with enough storage capacity to meet NARA audit record storage requirements for the CSO data.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD