Companies that work with the Department of Defense (DoD) as contractors or vendors need to meet specific cybersecurity regulations. The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Register Supplement (DFARS) standards. The third family of 14 Families of Requirements for NIST 800-171 compliance is audit and accountability.
What is Audit & Accountability in Terms of NIST 800-171?
Audit and accountability refers to a business maintaining a record of who is performing actions in the environment, when and how, down to the individual user level. NIST 800-171 requires aggregation of 90 days worth of logs, and timely reporting of any incident. A business must maintain system audit records to support the monitoring, analysis, investigation and reporting of unapproved cyber activity, including the ability to generate reports. With appropriate audit trails configured properly a business can detect intrusion attempts or unauthorized access quickly enabling incident response to occur in a timely manner. A SIEM tool enables a business to detect and report an incident. The environment must also be configured to accurately record audit logs. Audit and Accountability consists of 2 Basic and 7 Derived Requirements.
Basic Requirements:
- 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
Derived Requirements:
- 3.3.3 Review and update logged events
- 3.3.4 Alert in the event of an audit logging process failure.
- 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
- 3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
- 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- 3.3.9 Limit management of audit logging functionality to a subset of privileged users
For information on security log management check out SP 800-92. To learn more about NIST SP 800-171 Compliance please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide:SP 800-171A, Assessing Security Requirements for CUI | CSRC.
How NeQter Labs Can Help
NeQter Labs can assist you with building the foundation for your cyber security and compliance program. By combining SIEM, vulnerability scanning, inventory and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that no matter what, we can assist you with all your compliance needs. Contact us here.
