Navigate

AU-9 (5)

AU-9 (5): Dual Authorization

The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].

Supplemental

Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3

Related Controls

The controls below (if any) were marked by NIST as being related to AU-9 (5).

Control	Description
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
MP-2	The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

Enhancements

The controls below (if any) add on to the requirements of AU-9 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AU-9 (5).

CCI	Definition
CCI-001895	The organization defines the audit information requiring dual authorization for movement or deletion actions.
CCI-001896	The organization enforces dual authorization for movement and/or deletion of organization-defined audit information.