
NIST SP 800-171 Requirement 3.3: Audit & Accountability 

Companies that work with the Department of Defense (DoD) as contractors or vendors need to meet specific cybersecurity regulations. The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. The third of the 14 Families of Requirements for NIST 800-171 compliance is audit and accountability.

What is Audit & Accountability in Terms of NIST 800-171?

Audit and accountability refers to a business maintaining a record of who is performing actions in the environment, when and how, down to the individual user level. NIST 800-171 requires aggregation of 90 days' worth of logs and timely reporting of any incident. A business must maintain system audit records to support the monitoring, analysis, investigation and reporting of unapproved cyber activity, including the ability to generate reports. With audit trails configured properly, a business can detect intrusion attempts or unauthorized access quickly, enabling incident response to occur in a timely manner. A SIEM tool enables a business to detect and report an incident. The environment must also be configured to accurately record audit logs. Audit and Accountability consists of 2 Basic and 7 Derived Requirements.

Basic Requirements:

  • 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  • 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Derived Requirements:

  • 3.3.3 Review and update logged events.
  • 3.3.4 Alert in the event of an audit logging process failure.
  • 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  • 3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
  • 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  • 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
  • 3.3.9 Limit management of audit logging functionality to a subset of privileged users.

For information on security log management, check out SP 800-92. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC

NeQter Labs can assist you with building the foundation for your cyber security and compliance program. By combining SIEM, vulnerability scanning, inventory and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that no matter what, we can assist you with all your compliance needs. Contact us here
