Reference: CMMC 2.0
Family: AU
Level Introduced: 2
Title: Audit Protection
Practice:
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
CMMC Clarification:
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. This protection starts with ensuring proper configuration of logging to ensure proper space for the needed log retention. The logs must also be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being
accessed directly from logs or from audit tools.
Example
You are in charge of IT operations in your organization. Your responsibilities include protecting audit information and audit logging tools. You protect the audit information by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators. Centralized audit information is protected from deletion or alteration and only approved individuals can view the information in the audit tool. The central audit information server is backed up daily with those backups being encrypted and sent offsite where they are physically secured by a third-party.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (2)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.