This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [FedRAMP Assignment: (L)(M)(H) organization-defined actions to be taken (overwrite oldest record)].
NIST 800-53 (r4) Supplemental Guidance:
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
References: None.
NIST 800-53 (r5) Discussion:
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
38North Guidance:
Meets Minimum Requirement:
Part a. The Cloud Service Offering (CSO) alerts the [organization-defined group or role] when an audit processing failure occurs anywhere in the system. Audit processing failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity.
Part b. The Cloud Service Provider (CSP) configures the system to overwrite the oldest audit record in the event of an audit processing failure, which is the FedRAMP-assigned action for all three baselines (L, M, H).
Best Practice:
If the CSO uses an alerting mechanism such as PagerDuty, ensure that the message sent to CSO personnel does not include federal metadata. The alert needs only the failure type, the affected component and the time; it should never carry the contents of the audit records themselves.
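The following is an added illustration of Parts a and b and of the best practice above; it is not code from 38North, FedRAMP or any CSP. It models a bounded audit store that alerts a hypothetical on-call role (the `alert` callback stands in for a PagerDuty-style integration) on every processing failure, overwrites the oldest record when capacity is reached, and keeps audit record contents out of the alert payload. The component name, capacity and the constructed audit records are assumptions for the demo.

```python
import collections
import datetime
from typing import Callable, Deque, List, Optional


class AuditProcessingFailure(Exception):
    """Raised by a storage backend when an audit record cannot be persisted."""


class AuditLogStore:
    """Bounded audit store implementing the AU-5 response described above.

    Part a: every audit processing failure is passed to ``alert`` (stands in for
            the organization-defined role, e.g. a PagerDuty service; assumption).
    Part b: when capacity is exhausted the oldest record is overwritten instead
            of dropping the new record or halting the system.
    Best practice: the alert payload carries failure metadata only, never the
            fields of the audit records themselves.
    """

    def __init__(self, capacity: int, alert: Callable[[dict], None],
                 backend: Optional[Callable[[dict], None]] = None):
        if capacity < 1:
            raise ValueError("capacity must be >= 1")
        self.capacity = capacity
        self._records: Deque[dict] = collections.deque()
        self._alert = alert
        self._backend = backend          # e.g. a disk or SIEM writer; None = memory only
        self.overwritten = 0             # records lost to capacity (Part b action)
        self.failures: List[dict] = []   # local history of every alert raised

    def _raise_alert(self, failure_type: str, detail: str) -> dict:
        # Only failure type, component, time and counters; no record fields.
        alert = {
            "control": "AU-5",
            "component": "audit-log-store",   # hypothetical component name
            "failure_type": failure_type,
            "detail": detail,
            "stored": len(self._records),
            "capacity": self.capacity,
            "overwritten_total": self.overwritten,
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        }
        self.failures.append(alert)
        self._alert(alert)
        return alert

    def write(self, record: dict) -> bool:
        """Store one audit record; returns True once it is held in the store."""
        # Capacity reached: evict the oldest record and alert (storage failure).
        if len(self._records) >= self.capacity:
            self._records.popleft()
            self.overwritten += 1
            self._raise_alert("storage_capacity",
                              "capacity reached; oldest record overwritten")
        # A backend write error is a capture-mechanism failure: alert, but keep
        # the in-memory copy so the record is not lost silently.
        if self._backend is not None:
            try:
                self._backend(record)
            except AuditProcessingFailure as exc:
                self._raise_alert("capture_mechanism", f"backend write failed: {exc}")
        self._records.append(record)
        return True

    def records(self) -> List[dict]:
        return list(self._records)


def demo() -> dict:
    """Constructed scenario: capacity 3, one failing backend write, five records."""
    sent: List[dict] = []
    calls = {"n": 0}

    def flaky_backend(record: dict) -> None:
        calls["n"] += 1
        if calls["n"] == 2:
            raise AuditProcessingFailure("ENOSPC")   # simulated disk error

    store = AuditLogStore(capacity=3, alert=sent.append, backend=flaky_backend)
    for i in range(1, 6):
        # Constructed records; the "user" field must never appear in an alert.
        store.write({"id": i, "user": f"user{i}@agency.example", "action": "login"})
    return {"store": store, "alerts": sent}


if __name__ == "__main__":
    result = demo()
    print("retained ids:", [r["id"] for r in result["store"].records()])
    for a in result["alerts"]:
        print(a["failure_type"], "-", a["detail"])
```

Running the demo retains records 3, 4 and 5, reports two overwritten records, and raises three alerts (one capture-mechanism failure, two storage-capacity failures), none of which contains any audit record field.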
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Recent email notifications sent to the defined group or role when audit processing failures occurred for the CSO.
Configuration settings of the Security Information and Event Management (SIEM) or log aggregation tool showing that the audit log storage capacity meets the defined NARA retention requirements, together with the automated email notification settings showing that notifications are sent to the defined group or role when an audit processing failure occurs.
If no SIEM or log aggregation tool is in place, the CSO will need to show that the NARA audit log storage capacity requirements are met within each CSO component, and that each component notifies the defined group or role in the event of an audit processing failure.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD