Navigate

AU-9

AU-9: Protection of Audit Information

a: Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and

b: Alert [personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;] upon detection of unauthorized access, modification, or deletion of audit information.

Supplemental

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AU-9.

Control	Description
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-11	Retain audit records for [a time period to retain audit records that is consistent with the records retention policy is defined;] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
AU-14	a: Provide and implement the capability for [users or roles who can audit the content of a user session are defined;] to [one or more of "record"/"view"/"hear"/"log"] the content of a user session under [circumstances under which the content of a user session can be audited are defined;] ; and b: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AU-15
MP-2	Restrict access to [one of ] to [one of ].
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
PE-2	a: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b: Issue authorization credentials for facility access; c: Review the access list detailing authorized facility access by individuals [frequency at which to review the access list detailing authorized facility access by individuals is defined;] ; and d: Remove individuals from the facility access list when access is no longer required.
PE-3	a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by: 1: Verifying individual access authorizations before granting access to the facility; and 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"]; b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;]; c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;]; d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;]; e: Secure keys, combinations, and other physical access devices; f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
PE-6	a: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b: Review physical access logs [the frequency at which to review physical access logs is defined;] and upon occurrence of [events or potential indication of events requiring physical access logs to be reviewed are defined;] ; and c: Coordinate results of reviews and investigations with the organizational incident response capability.
SA-8	Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [one of ].
SC-8	Protect the [one or more of "confidentiality"/"integrity"] of transmitted information.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Enhancements

The controls below (if any) add on to the requirements of AU-9.

Control	Description
AU-9(1)	Write audit trails to hardware-enforced, write-once media.
AU-9(2)	Store audit records [the frequency of storing audit records in a repository is defined;] in a repository that is part of a physically different system or system component than the system or component being audited.
AU-9(3)	Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4)	Authorize access to management of audit logging functionality to only [a subset of privileged users or roles authorized to access management of audit logging functionality is defined;].
AU-9(5)	Enforce dual authorization for [one or more of "movement"/"deletion"] of [audit information for which dual authorization is to be enforced is defined;].
AU-9(6)	Authorize read-only access to audit information to [a subset of privileged users or roles with authorized read-only access to audit information is defined;].
AU-9(7)	Store audit information on a component running a different operating system than the system or component being audited.

Related CCIs

The CCIs below are tied to AU-9.

CCI	Definition
CCI-000162	Protect audit information from unauthorized access.
CCI-000163	Protect audit information from unauthorized modification.
CCI-000164	Protect audit information from unauthorized deletion.
CCI-001493	Protect audit tools from unauthorized access.
CCI-001494	Protect audit tools from unauthorized modification.
CCI-001495	Protect audit tools from unauthorized deletion.
CCI-003831	Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
CCI-003832	Defines the personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information.