BRACKETOLOGY | FEDRAMP

AU-5: RESPONSE TO AUDIT PROCESSING FAILURES

  • FedRAMP Baseline Membership AU-5: LOW, MODERATE, HIGH

The information system:

    • a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
    • b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
FedRAMP control configuration (identical for the LOW, MODERATE, and HIGH baselines):

AU-5a.: Alert organization-defined personnel or roles in the event of an audit processing failure; and

AU-5b.: Takes the following additional actions: organization-defined actions to be taken; (overwrite oldest record).

SUPPLEMENTAL GUIDANCE

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

CONTROL ENHANCEMENTS

AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY
  • FedRAMP Baseline Membership AU-5 (1): HIGH

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.

There are no FedRAMP-specific requirements if this control is used for a High Impact system.


Supplemental Guidance:

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS
  • FedRAMP Baseline Membership AU-5 (2): HIGH

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

FedRAMP control configuration by baseline:

  • LOW: There are no FedRAMP-specific requirements if this control is used for a Low Impact system.
  • MODERATE: The information system provides an alert in organization-defined real-time to service provider personnel with authority to address failed audit events when the following audit failure events occur: audit failure events requiring real-time alerts, as defined by organization audit policy.
  • HIGH: The information system provides an alert in organization-defined real-time period to service provider personnel with authority to address failed audit events when the following audit failure events occur: audit failure events requiring real-time alerts, as defined by organization audit policy.


Supplemental Guidance:

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

AU-5 (3) RESPONSE TO AUDIT PROCESSING FAILURES | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS

The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.

Supplemental Guidance:

Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity.

AU-5 (4) RESPONSE TO AUDIT PROCESSING FAILURES | SHUTDOWN ON FAILURE

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

Supplemental Guidance:

Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

RELATED CONTROLS: AU-5 (4)
