CMMC AU.3.046 - Alert Logging Failures

Requirement text: AU.3.046: Alert in the event of an audit logging process failure.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Audit logging process failures include software and hardware errors, failures in the audit
record capturing mechanisms, and audit record storage capacity being reached or exceeded.
This requirement applies to each audit record data storage repository (i.e., distinct system
component where audit records are stored), the total audit record storage capacity of
organizations (i.e., all audit record data storage repositories combined), or both.

CMMC CLARIFICATION
Audit logging keeps track of activities occurring on the network, servers, user workstations
and other components of the overall system. These logs must always be available and
functional. The organization’s designated security personnel (e.g., system administrator and
security officer) need to be aware when the audit log process fails or becomes unavailable.
Automated notifications need to be sent to the organization’s designated security personnel
to immediately take appropriate action. If security personnel are unaware of the audit
logging process failure, then they will be unaware of any suspicious activity occurring at that
time. Your response to an audit logging process failure should account for the extent of the
failure (e.g., a single component’s audit logging versus failure of the centralized logging
solution), the risks involved in this loss of audit logging, and other factors (e.g., possibility an
adversary could have caused the audit logging process failure).
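The following is an added illustration, not part of the CMMC or NIST text above: a small monitor that checks each audit record repository for the three failure classes the discussion names (capture process down, no records arriving, storage capacity nearly reached), rates the alert by the extent of the failure (the centralized logging solution versus a single component), and hands the alerts to a notification callback. The log sources, thresholds, and the SAMPLE_NOW timestamp are constructed sample data; the function and field names are this example's own.

```python
"""Added example for CMMC AU.3.046: detect audit logging process failures and
alert designated security personnel. Illustrative code written for this page,
not from CMMC, NIST, or any vendor product. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List


@dataclass
class LogSource:
    name: str
    role: str                  # "endpoint" (single component) or "central" (collector/SIEM)
    last_event: datetime       # time of the most recent audit record received
    storage_used_bytes: int
    storage_capacity_bytes: int
    agent_running: bool        # health of the audit record capturing process


@dataclass
class Alert:
    source: str
    severity: str   # "critical" for the centralized logging solution, "high" for one component
    reason: str


STALE_AFTER = timedelta(minutes=15)   # assumed: how long silence counts as a failure
CAPACITY_WARN = 0.90                  # assumed: alert before storage is exhausted, not after
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock value


def assess(sources: List[LogSource], now: datetime) -> List[Alert]:
    """Return one Alert per detected failure condition, per repository."""
    alerts: List[Alert] = []
    for s in sources:
        # Losing the central repository blinds the whole organization; one endpoint does not.
        severity = "critical" if s.role == "central" else "high"
        if not s.agent_running:
            alerts.append(Alert(s.name, severity, "audit capture process not running"))
        gap = now - s.last_event
        if gap > STALE_AFTER:
            alerts.append(Alert(s.name, severity,
                                f"no audit records for {int(gap.total_seconds() // 60)} min"))
        fill = s.storage_used_bytes / s.storage_capacity_bytes
        if fill >= CAPACITY_WARN:
            alerts.append(Alert(s.name, severity, f"audit storage {fill:.0%} full"))
    return alerts


def fleet_capacity_ratio(sources: List[LogSource]) -> float:
    """Organization-wide fill ratio across all repositories combined (the second
    scope the NIST discussion mentions); compare against CAPACITY_WARN as well."""
    used = sum(s.storage_used_bytes for s in sources)
    capacity = sum(s.storage_capacity_bytes for s in sources)
    return used / capacity


def notify(alerts: List[Alert], send: Callable[[str, str], None]) -> int:
    """Deliver one message per alert through `send(severity, message)`, which in
    production would page or email designated security personnel. Returns count sent."""
    for a in alerts:
        send(a.severity, f"[{a.severity.upper()}] {a.source}: {a.reason}")
    return len(alerts)


def sample_sources(now: datetime) -> List[LogSource]:
    """Constructed fleet: one healthy workstation, one silent workstation, and a
    central collector whose agent has died and whose disk is nearly full."""
    return [
        LogSource("ws01", "endpoint", now - timedelta(minutes=2), 50_000, 100_000, True),
        LogSource("ws02", "endpoint", now - timedelta(minutes=45), 40_000, 100_000, True),
        LogSource("siem01", "central", now - timedelta(minutes=1), 950_000, 1_000_000, False),
    ]


if __name__ == "__main__":
    found = assess(sample_sources(SAMPLE_NOW), SAMPLE_NOW)
    notify(found, lambda sev, msg: print(msg))
    print(f"fleet storage {fleet_capacity_ratio(sample_sources(SAMPLE_NOW)):.0%} full")
```

Run stand-alone, it prints one line per alert, with the silent workstation rated high and both collector failures rated critical. The staleness check is what catches the quiet failure the clarification warns about: a capture process that is still running but no longer producing records, which a simple "is the service up" probe would miss.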

Example
You are in charge of IT operations for your organization. Your responsibilities include
management of the audit logging process. One of the logging mechanisms failed, but you had
configured the system to notify the designated security personnel that a problem with the
auditing system occurred. After verifying the alert, you restart the logging mechanism and
verify that it is now logging.

References
• NIST SP 800-171 Rev 1 3.3.4
• CIS Controls v7.1 6.7
• NIST SP 800-53 Rev 4 AU-5