Navigate

AU-12

AU-12: Audit Record Generation

a: Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;];

b: Allow [personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;] to select the event types that are to be logged by specific components of the system; and

c: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

Supplemental

Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, Classified, DAF Baseline, Int-A, Int-B, Int-C, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
DE.CM-1, DE.CM-3, DE.CM-7, PR.PT-1

Related Controls

The controls below (if any) were marked by NIST as being related to AU-12.

Control	Description
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-17	a: Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b: Authorize each type of remote access to the system prior to allowing such connections.
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-3	Ensure that audit records contain information that establishes the following: a: What type of event occurred; b: When the event occurred; c: Where the event occurred; d: Source of the event; e: Outcome of the event; and f: Identity of any individuals, subjects, or objects/entities associated with the event.
AU-4	Allocate audit log storage capacity to accommodate [audit log retention requirements are defined;].
AU-5	a: Alert [personnel or roles receiving audit logging process failure alerts are defined;] within [time period for personnel or roles receiving audit logging process failure alerts is defined;] in the event of an audit logging process failure; and b: Take the following additional actions: [additional actions to be taken in the event of an audit logging process failure are defined;].
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7	Provide and implement an audit record reduction and report generation capability that: a: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b: Does not alter the original content or time ordering of audit records.
AU-14	a: Provide and implement the capability for [users or roles who can audit the content of a user session are defined;] to [one or more of "record"/"view"/"hear"/"log"] the content of a user session under [circumstances under which the content of a user session can be audited are defined;] ; and b: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
CM-5	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
MA-4	a: Approve and monitor nonlocal maintenance and diagnostic activities; b: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d: Maintain records for nonlocal maintenance and diagnostic activities; and e: Terminate session and network connections when nonlocal maintenance is completed.
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
SA-8	Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [one of ].
SC-18	a: Define acceptable and unacceptable mobile code and mobile code technologies; and b: Authorize, monitor, and control the use of mobile code within the system.
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].
SI-10	Check the validity of the following information inputs: [information inputs to the system requiring validity checks are defined;].

Enhancements

The controls below (if any) add on to the requirements of AU-12.

Control	Description
AU-12(1)	Compile audit records from [system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;] into a system-wide (logical or physical) audit trail that is time-correlated to within [level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;].
AU-12(2)	Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12(3)	Provide and implement the capability for [individuals or roles authorized to change the logging on system components are defined;] to change the logging to be performed on [system components on which logging is to be performed are defined;] based on [selectable event criteria with which change logging is to be performed are defined;] within [time thresholds in which logging actions are to change is defined;].
AU-12(4)	Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

Related CCIs

The CCIs below are tied to AU-12.

CCI	Definition
CCI-000169	Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.
CCI-000171	Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.
CCI-000172	Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-001459	Defines system components that provide audit record generation capability.
CCI-001910	Defines the personnel or roles allowed to select which event types are to be logged by specific components of the system.