Navigate

AU-12

AU-12: Audit Generation

The information system:

AU-12a.: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];

AU-12b.: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and

AU-12c.: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Supplemental

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Classified, Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-A, Int-B, Int-C, Privacy (High), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to AU-12.

Control	Description
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AU-2	The organization: AU-2a.: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; AU-2b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2d.: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-3	The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-6	The organization: AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
AU-7	The information system provides an audit reduction and report generation capability that: AU-7a.: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7b.: Does not alter the original content or time ordering of audit records.

Enhancements

The controls below (if any) add on to the requirements of AU-12.

Control	Description
AU-12 (1)	The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
AU-12 (2)	The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12 (3)	The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].

Related CCIs

The CCIs below are tied to AU-12.

CCI	Definition
CCI-000169	The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
CCI-000171	The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
CCI-000172	The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CCI-001459	The organization defines information system components that provide audit record generation capability.
CCI-001910	The organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system.