Level 5 CMMC - CMMC Practices

AU.3.049  

Reference: CMMC 1.02

Family: AU

Level Introduced: 3

Practice:
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

CMMC Clarification:
Audit information is a critical record of what events occurred, the source of the events, and the outcomes of the events; this information needs to be protected. This protection starts with ensuring proper configuration of logging to ensure proper space for the needed log retention. The logs must also be properly secured so that the information may not be modified or deleted, either intentionally or unintentionally. Only those with a legitimate need-to-know should have access to audit information, whether that information is being
accessed directly from logs or from audit tools.

Example
You are in charge of IT operations in your organization. Your responsibilities include protecting audit information and audit logging tools. You protect the audit information by having audit log events forwarded to a central server and by restricting the local audit logs to only be viewable by the system administrators. Centralized audit information is protected from deletion or alteration and only approved individuals can view the information in the audit tool. The central audit information server is backed up daily with those backups being encrypted and sent offsite where they are physically secured by a third-party.

3.3.8

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Discussion:
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.

Source: NIST Special Publication 800-171 Rev. 2

AU-6 (7)

AUDIT REVIEW, ANALYSIS, AND REPORTING | PERMITTED ACTIONS

Description:
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.

Supplemental Guidance:
Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete.

AU-9

PROTECTION OF AUDIT INFORMATION

Description:
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance:
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02