Navigate

AU-5

AU-5: Response to Audit Processing Failures

The information system:

a: Alerts [one of ] in the event of an audit processing failure; and

b: Takes the following additional actions: [one of ].

Supplemental

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	low

Overlays
None

CSF Categories
PR.PT-1

Related Controls

The controls below (if any) were marked by NIST as being related to AU-5.

Control	Description
AU-4	The organization allocates audit record storage capacity in accordance with [one of ].
SI-12	The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Enhancements

The controls below (if any) add on to the requirements of AU-5.

Control	Description
AU-5(1)	The information system provides a warning to [one of ] within [one of ] when allocated audit record storage volume reaches [one of ] of repository maximum audit record storage capacity.
AU-5(2)	The information system provides an alert in [one of ] to [one of ] when the following audit failure events occur: [one of ].
AU-5(3)	The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [one of "rejects"/"delays"] network traffic above those thresholds.
AU-5(4)	The information system invokes a [one of "full system shutdown"/"partial system shutdown"/"degraded operational mode with limited mission/business functionality available"] in the event of [one of ], unless an alternate audit capability exists.

Related CCIs

The CCIs below are tied to AU-5.

CCI	Definition
CCI-000139	Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.
CCI-000140	Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
CCI-001490	Defines the actions to be taken by the system upon audit failure, including shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
CCI-001572	Defines the personnel or roles to be alerted in the event of an audit logging process failure.