CCI-001490

Defines the actions to be taken by the system upon audit failure, including shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

Implementation Guidance

The organization being inspected/assessed will define and document actions to be taken by the information system upon audit failure. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions. Unless availability is an overriding concern, the default action should be to shut down the information system. DoD has determined that the actions are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed has defined the actions to be taken by the information system upon audit failure. DoD has determined that the actions are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated audit and accountability policy 2.) Applicable STIG/SRG checks

The controls below (if any) were marked by NIST as being related to CCI-001490.