BRACKETOLOGY | FEDRAMP
AU-9: PROTECTION OF AUDIT INFORMATION
FedRAMP Baseline Membership AU-9:
- LOW
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
SUPPLEMENTAL GUIDANCE
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.
RELATED CONTROLS: AU-9
CONTROL ENHANCEMENTS
AU-9 (1) PROTECTION OF AUDIT INFORMATION | HARDWARE WRITE-ONCE MEDIA
The information system writes audit trails to hardware-enforced, write-once media.
Supplemental Guidance:
This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media.
RELATED CONTROLS: AU-9 (1)
AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
FedRAMP Baseline Membership AU-9 (2):
- MODERATE
- HIGH
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
FedRAMP control configuration by baseline:
- LOW: There are no FedRAMP-specific requirements if this control is used for a Low Impact system.
- MODERATE: AU-9 (2): The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.
- HIGH: AU-9 (2): The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.
Supplemental Guidance:
This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.
RELATED CONTROLS: AU-9 (2)
AU-9 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION
FedRAMP Baseline Membership AU-9 (3):
- HIGH
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
Supplemental Guidance:
Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
RELATED CONTROLS: AU-9 (3)
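An added example (not part of the FedRAMP or NIST text) of the signed-hash mechanism the AU-9 (3) guidance describes: audit records are hash-chained with SHA-256 and the chain head is signed with Ed25519, so anyone holding the public key can detect modification, deletion, or reordering. The algorithm choices, function names, and sample records are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// NewAuditKey returns a fresh Ed25519 key pair (nil selects crypto/rand).
// The private key stays with the log signer; the public key is distributed.
func NewAuditKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil)
}

// chainHead folds the records into one digest: link = SHA-256(prev || record).
// Changing, dropping or reordering any record changes the final link.
func chainHead(records []string) []byte {
	head := make([]byte, sha256.Size) // all-zero genesis link
	for _, r := range records {
		h := sha256.New()
		h.Write(head)
		h.Write([]byte(r))
		head = h.Sum(nil)
	}
	return head
}

// SealTrail signs the chain head with the private key.
func SealTrail(priv ed25519.PrivateKey, records []string) []byte {
	return ed25519.Sign(priv, chainHead(records))
}

// VerifyTrail needs only the public key to confirm the trail is intact.
func VerifyTrail(pub ed25519.PublicKey, records []string, sig []byte) bool {
	return ed25519.Verify(pub, chainHead(records), sig)
}

func main() {
	pub, priv, err := NewAuditKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample audit records.
	trail := []string{"09:00 alice login ok", "09:05 alice sudo su", "09:07 root rm /tmp/x"}
	sig := SealTrail(priv, trail)
	fmt.Println("intact trail verifies:", VerifyTrail(pub, trail, sig))
	fmt.Println("truncated trail verifies:", VerifyTrail(pub, trail[:2], sig))
}
```

The signature only protects integrity if the private key is held outside the system being audited; a signer that can be reached from the audited host can re-seal an altered trail.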
AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS
FedRAMP Baseline Membership AU-9 (4):
- MODERATE
- HIGH
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
There are no FedRAMP-specific requirements if this control is used for a Low Impact system.
There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.
There are no FedRAMP-specific requirements if this control is used for a High Impact system.
Supplemental Guidance:
Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.
RELATED CONTROLS: AU-9 (4)
AU-9 (5) PROTECTION OF AUDIT INFORMATION | DUAL AUTHORIZATION
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
Supplemental Guidance:
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control.
RELATED CONTROLS: AU-9 (5)
AU-9 (6) PROTECTION OF AUDIT INFORMATION | READ ONLY ACCESS
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
Supplemental Guidance:
Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity).