Requirement text: AU.3.050: Limit management of audit logging functionality to a subset of privileged
users.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Individuals with privileged access to a system and who are also the subject of an audit by
that system, may affect the reliability of audit information by inhibiting audit logging
activities or modifying audit records. This requirement specifies that privileged access be
further defined between audit-related privileges and other privileges, thus limiting the users
with audit-related privileges.
CMMC CLARIFICATION
Organizations should restrict access to audit logging functions to a limited number of
privileged users that can modify audit logs and audit settings. There are three classes of
users: general users, privileged users, and audit managers. General users should not be
granted permissions to perform audit management. All audit managers should come from
the set of privileged users, but only a small subset of privileged users will be given audit
management responsibilities. Functions performed by privileged users must be distinctly
separate from the functions performed by users who have audit-related responsibilities to
reduce the potential of fraudulent activities by privileged users not being detected or
reported.
Example
You are in charge of IT operations in your organization. You are responsible for the
administration of the infrastructure, but you are not an audit manager and cannot review
audit logs, delete audit logs, or modify audit log settings. Full control of audit logging
functions has been given to the security auditors, and they are able to review logs and modify
audit log settings. This separation of system administration duties from audit logging
management is necessary to prevent possible log file tampering.
References
• NIST SP 800-171 Rev 1 3.3.9
• CERT RMM v1.2 MON:SG2.SP2
• NIST SP 800-53 Rev 4 AU-6(7), AU-9(4)