This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system provides an alert in [FedRAMP Assignment: (H) real-time] to [FedRAMP Assignment: (H) service provider personnel with authority to address failed audit events] when the following audit failure events occur: [FedRAMP Assignment: (H) audit failure events requiring real-time alerts, as defined by organization audit policy].
NIST 800-53 (r4) Supplemental Guidance:
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
NIST 800-53 (r5) Discussion:
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
38North Guidance:
Meets Minimum Requirement:
This control ensures timely review and analysis of system audit records for indications of inappropriate or unusual activity, so that identified findings can be reported to a Cloud Service Provider (CSP)-defined group or role in a timely fashion.
What is "real-time"?
If we go purely by the FedRAMP High parameter (real-time) and the NIST 800-53 r5 discussion ("...seconds or less"), real-time appears to mean within seconds. However, assessors have accepted intervals such as 5 minutes because, for large environments, it is unrealistic to expect CSPs to alert within seconds; doing so would put additional load on the network that would likely cause performance issues.
The definition of real-time is flexible, and close to or near real-time is considered sufficient. Assessors will evaluate the CSP's ability to send out alerts and review audit logs promptly. They will also examine any compensating controls, and whether an alert is configured for the case where the audit tooling itself (such as a SIEM) fails to collect audit logs; that failure needs its own alert.
The people managing the SIEM should be able to validate that the alerts are set up and that the incident response (IR) process is in place and is triggered to investigate and troubleshoot any issues with audit tools. The final call depends on the CSP's ability to articulate their approach and demonstrate the effectiveness of their controls. As long as the CSP can provide a compelling narrative and show that their compensating controls, such as IR processes, are in place, a 5-minute delay in sending alerts will not be considered significant.
We recommend alerting within minutes; as long as the delay is not approaching an hour, it should be fine.
Best Practice:
The alerting from inappropriate or unusual activity is typically enabled within a Security Information and Event Management (SIEM) tool.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review the CSO audit policy and procedure to determine the audit failure events requiring real-time alerts and the group or role that receives the real-time alerts as defined by the CSP.
Review the configuration settings of the SIEM tool to validate the audit log aggregation tool is set up to provide real-time alerts to the CSP defined groups or roles based on the audit failure.
Review recent audit processing failure real-time alerts that were sent to CSP-defined groups or roles. Validate that the alerts were sent in real-time relative to the audit processing failure: compare the timestamp of the event with the timestamp of the alert. The alert should be as close to real-time as possible.
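The timestamp comparison described in the evidence step above, plus the "SIEM stopped collecting logs" check from the real-time discussion, as an added assessment helper (example code, not 38North's or any CSP's own tooling). The record format, the 5-minute latency threshold and the 15-minute ingestion-gap threshold are assumptions; the sample records are constructed.

```python
"""Assessment helper for AU-5(2): verify audit-failure alerts arrived in (near)
real-time and that a log source going silent is itself alerted on.
Added example, not 38North's own code; record format and thresholds are assumed."""
from datetime import datetime, timedelta

# Assumed thresholds: assessors have accepted ~5 min latency; an hour would not pass.
MAX_ALERT_LATENCY = timedelta(minutes=5)
MAX_INGEST_GAP = timedelta(minutes=15)  # assumed silence limit for a log source


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_alert_latency(events, alerts):
    """Pair each audit-failure event with its alert and compute the delay;
    missing or late alerts are returned as findings keyed by event id."""
    sent_by_event = {a["event_id"]: parse_ts(a["sent_at"]) for a in alerts}
    findings = {}
    for ev in events:
        sent = sent_by_event.get(ev["event_id"])
        if sent is None:
            findings[ev["event_id"]] = "no alert sent"
            continue
        latency = sent - parse_ts(ev["detected_at"])
        if latency > MAX_ALERT_LATENCY:
            findings[ev["event_id"]] = f"late alert ({int(latency.total_seconds())}s)"
    return findings


def silent_sources(last_seen, now):
    """Log sources whose newest ingested record is older than MAX_INGEST_GAP:
    a SIEM that has stopped receiving logs is itself an audit processing failure."""
    return sorted(src for src, ts in last_seen.items() if now - parse_ts(ts) > MAX_INGEST_GAP)


# Constructed sample records (not real alerts).
SAMPLE_EVENTS = [{"event_id": "E1", "detected_at": "2024-03-01T10:00:00Z"},   # audit volume full
                 {"event_id": "E2", "detected_at": "2024-03-01T10:10:00Z"},   # forwarder stopped
                 {"event_id": "E3", "detected_at": "2024-03-01T10:20:00Z"}]   # never alerted
SAMPLE_ALERTS = [{"event_id": "E1", "sent_at": "2024-03-01T10:02:30Z"},       # 150 s: acceptable
                 {"event_id": "E2", "sent_at": "2024-03-01T10:52:00Z"}]       # 42 min: finding
SAMPLE_LAST_SEEN = {"app-server": "2024-03-01T10:58:00Z", "db-audit": "2024-03-01T10:30:00Z"}

if __name__ == "__main__":
    print(check_alert_latency(SAMPLE_EVENTS, SAMPLE_ALERTS))
    print(silent_sources(SAMPLE_LAST_SEEN, parse_ts("2024-03-01T11:00:00Z")))
```

Run it against exported SIEM alert records and the per-source "last event received" view; each finding it prints is a gap to raise with the CSP before the assessor does.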
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD