CCI-001877
CCI-001877 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed must employ information systems that provide an audit reduction capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1877.
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1877.
Compelling Evidence
1.) After-action reports that include audit logs