BRACKETOLOGY | FEDRAMP
AU-2: AUDIT EVENTS
FedRAMP Baseline Membership AU-2:
- LOW
- MODERATE
- HIGH
The organization:
- a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
- b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
- c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
- d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
FedRAMP control configuration (the LOW, MODERATE, and HIGH baselines share the same parameters for this control):
AU-2 a.: Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes;
AU-2 b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
AU-2 c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
AU-2 d.: Determines that the following events are to be audited within the information system: organization-defined subset of the auditable events defined in AU-2 a. to be audited continually for each identified event.
REQUIREMENT
Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
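The AU-2 a. event list above read as a configuration check, as an added example that is not part of the page or of FedRAMP: a Python script that parses a Windows `auditpol /get /category:* /r` CSV export and reports every AU-2 a. category whose subcategories are not set to audit both success and failure (AU-2 a. asks for successful and unsuccessful events). The mapping from AU-2 a. wording to Windows audit subcategories and the sample export are this example's own assumptions.

```python
import csv
import io

# FedRAMP AU-2 a. event categories mapped to Windows advanced audit policy
# subcategories. The mapping is this example's assumption, not FedRAMP text;
# each subcategory must read "Success and Failure" to satisfy AU-2 a.
AU2_REQUIRED = {
    "account logon events": ["Logon", "Logoff", "Account Lockout"],
    "account management events": ["User Account Management", "Security Group Management"],
    "object access": ["File System"],
    "policy change": ["Audit Policy Change"],
    "privilege functions": ["Sensitive Privilege Use"],
    "process tracking": ["Process Creation", "Process Termination"],
    "system events": ["Security State Change", "System Integrity"],
}

def parse_auditpol_csv(text):
    """Parse `auditpol /get /category:* /r` CSV into {subcategory: inclusion setting}."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {r["Subcategory"].strip(): r["Inclusion Setting"].strip() for r in rows}

def au2_gaps(settings):
    """Return {AU-2 a. category: [(subcategory, current setting)]} for every
    subcategory not auditing both success and failure; absent ones read MISSING."""
    gaps = {}
    for category, subcats in AU2_REQUIRED.items():
        bad = [(s, settings.get(s, "MISSING")) for s in subcats
               if settings.get(s) != "Success and Failure"]
        if bad:
            gaps[category] = bad
    return gaps

# Constructed sample in the auditpol /r layout; GUIDs are placeholders, not real.
SAMPLE_EXPORT = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST1,System,Logon,{GUID},Success and Failure,
HOST1,System,Logoff,{GUID},Success,
HOST1,System,Account Lockout,{GUID},Success and Failure,
HOST1,System,User Account Management,{GUID},Success and Failure,
HOST1,System,Security Group Management,{GUID},Success and Failure,
HOST1,System,File System,{GUID},No Auditing,
HOST1,System,Audit Policy Change,{GUID},Success and Failure,
HOST1,System,Sensitive Privilege Use,{GUID},Failure,
HOST1,System,Process Creation,{GUID},Success and Failure,
HOST1,System,Process Termination,{GUID},Success and Failure,
"""

def check_sample():
    """Run the AU-2 a. check over the constructed export and return its gaps."""
    return au2_gaps(parse_auditpol_csv(SAMPLE_EXPORT))
```

On a real host, feed the output of `auditpol /get /category:* /r` to `parse_auditpol_csv` instead of the constructed export; the two missing system-event subcategories in the sample show how absent rows are reported.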
SUPPLEMENTAL GUIDANCE
An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.
RELATED CONTROLS: AU-2
CONTROL ENHANCEMENTS
AU-2 (1) AUDIT EVENTS | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
[Withdrawn: Incorporated into AU-12].
AU-2 (2) AUDIT EVENTS | SELECTION OF AUDIT EVENTS BY COMPONENT
[Withdrawn: Incorporated into AU-12].
AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES
FedRAMP Baseline Membership AU-2 (3):
- LOW
- MODERATE
- HIGH
The organization reviews and updates the audited events [Assignment: organization-defined frequency].
FedRAMP control configuration by baseline:
LOW: There are no FedRAMP-specific requirements if this control is used for a Low Impact system.
MODERATE and HIGH: Review and update the audited events annually or whenever there is a change in the threat environment.
FedRAMP GUIDANCE: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
SUPPLEMENTAL GUIDANCE
Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
AU-2 (4) AUDIT EVENTS | PRIVILEGED FUNCTIONS
[Withdrawn: Incorporated into AC-6 (9)].
REFERENCES:
- NIST Special Publication 800-92
- http://idmanagement.gov