This is the fourth in a 15-part blog series where we'll discuss each domain in Cybersecurity Maturity Model Certification (CMMC). This post explores the CMMC Audit and Accountability (AU) domain.
The Audit and Accountability domain covers the essentials of system auditing, user accountability, audit management, and reporting. We will dive into these topics to get a better understanding of the requirements of this domain.
We will be exploring Audit and Accountability in the following manner:
Within the Audit and Accountability domain, there are two core focus areas: auditing and accountability.
For CMMC 2.0, there are no practices in CMMC Level 1 for the Audit and Accountability domain. However, there are 9 total practices for CMMC Level 2 for the AU domain. For CMMC Level 3, the AU practices are yet to be determined.
There are a variety of actions taken within a system every day. Therefore, creating and retaining system audit logs and records for any important action, access, or information change is essential for your organization and its security. This allows for proper monitoring and analysis of events and the ability to investigate unlawful or unauthorized system activity. An event can be defined as any observable occurrence within a system, no matter how small it might be. Organizations are allowed to identify event types for logging purposes, but events that are significant and relevant to the security of systems must be audited.
System auditing is not enough to determine certain events, such as user-specific actions. Whether the user is authorized or not, their access and activity should be monitored. It is your organization's responsibility to ensure that the actions of individuals accessing systems can be uniquely traced to the specific user and that accountability can be established. This requirement focuses on the specifics of an audit log, and your organization must consider logging account usage, remote access, wireless connectivity, physical access, and more to ensure accountability. You can start by capturing user IDs, source and destination addresses, and time stamps.
A part of system auditing and logging is periodically reviewing and updating your organization's events and changing the list of events you log as needed. It is quite possible that the events you log can change over time, and some things you log may no longer be needed. Therefore, it is important to update this process to allow your audit reports to be specific, remove information that may no longer be needed, and include information that has not been added to the event logs. In addition, the review process should be continuous, and your organization can determine the time between each review.
Alongside reviewing logs, reviewing the auditing process is another thing to consider. Your auditing process and mechanism should be set up to alert your organization in the event of an audit logging process failure. This ensures that the process is not compromised and that important events that need to be logged are not missed. Failures can include software and hardware errors, audit record capturing failures, or audit record storage capacity being exceeded. This process should be applied to all your auditing processes within your organization.
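The failure modes listed above (daemon or hardware error, capture failures, storage capacity exceeded) are the ones a monitoring check needs to catch. The following is an added example, not code from the original post or from CMMC, of a health check run over constructed snapshots of each host's audit subsystem; the `AuditStatus` fields, host names, and thresholds are assumptions, and in a real deployment they would be filled from the audit daemon's own status output and disk statistics.

```python
"""Audit-logging health check over constructed host snapshots.

Added example, not from the original post.  Field names, hosts and
thresholds are assumptions; the point is that every failure mode the
post names (daemon down, capture drops, silence, storage exhaustion)
produces an explicit alert rather than silently losing records.
"""
from dataclasses import dataclass

GB = 1024 ** 3


@dataclass
class AuditStatus:
    """Constructed snapshot of one host's audit subsystem (assumed fields)."""
    host: str
    now: int              # epoch seconds when the snapshot was taken
    last_record_at: int   # epoch seconds of the newest audit record written
    used_bytes: int
    capacity_bytes: int
    bytes_per_hour: int   # recent growth rate of the audit store
    dropped_records: int  # records the capture mechanism failed to write
    daemon_running: bool


# Constructed fleet: one healthy host, one nearly full and silent, one with the daemon down.
NOW = 1_709_280_000
HOSTS = [
    AuditStatus("dc-01", NOW, NOW - 10, 40 * GB, 100 * GB, 1 * GB, 0, True),
    AuditStatus("app-web", NOW, NOW - 3600, 96 * GB, 100 * GB, 2 * GB, 17, True),
    AuditStatus("fw-edge", NOW, NOW - 5, 85 * GB, 100 * GB, 5 * GB, 0, False),
]


def hours_until_full(status):
    """Projected hours until the audit store is exhausted; None if it is not growing."""
    if status.bytes_per_hour <= 0:
        return None
    return (status.capacity_bytes - status.used_bytes) / status.bytes_per_hour


def check_audit_health(status, max_silence_s=300, capacity_warn=0.80,
                       capacity_crit=0.95, hours_warn=24):
    """Return a list of (severity, message) alerts; an empty list means healthy."""
    alerts = []
    if not status.daemon_running:
        alerts.append(("critical", f"{status.host}: audit daemon not running"))
    silence = status.now - status.last_record_at
    if silence > max_silence_s:
        alerts.append(("critical", f"{status.host}: no audit record written for {silence}s"))
    if status.dropped_records > 0:
        alerts.append(("critical", f"{status.host}: {status.dropped_records} audit records dropped"))
    fill = status.used_bytes / status.capacity_bytes if status.capacity_bytes else 1.0
    if fill >= capacity_crit:
        alerts.append(("critical", f"{status.host}: audit storage {fill:.0%} full"))
    elif fill >= capacity_warn:
        alerts.append(("warning", f"{status.host}: audit storage {fill:.0%} full"))
    eta = hours_until_full(status)
    if eta is not None and eta < hours_warn:
        alerts.append(("warning", f"{status.host}: audit storage full in about {eta:.1f}h"))
    return alerts


def check_fleet(statuses):
    """Map host -> alerts for every host that has at least one alert."""
    result = {}
    for status in statuses:
        alerts = check_audit_health(status)
        if alerts:
            result[status.host] = alerts
    return result


def worst_severity(alerts):
    """'critical' if any alert is critical, else 'warning', else 'ok'."""
    severities = {sev for sev, _ in alerts}
    if "critical" in severities:
        return "critical"
    return "warning" if "warning" in severities else "ok"


if __name__ == "__main__":
    for host, alerts in check_fleet(HOSTS).items():
        print(f"[{worst_severity(alerts)}] {host}")
        for sev, msg in alerts:
            print(f"    {sev}: {msg}")
```

The projection in `hours_until_full` is what turns "storage capacity exceeded" from an after-the-fact failure into something you can act on before records are lost.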
As a part of your auditing process, you must correlate audit record review, analysis, and reporting processes to ensure that they work collectively. This will be an important part of investigations in response to indications of unlawful, unauthorized, or suspicious activity. If each system does not work together, it can lead to flaws in this process, which your organization needs to avoid. Furthermore, your organization should provide audit record reduction and report generation, which will support on-demand analysis. Audit record reduction is a process that manipulates the information you have collected in an audit and then organizes it in a way that is easy to understand and meaningful to analysts. Report generation works hand in hand with this, allowing customizable reports to be created. The needs of each organization will differ, so you can determine how these are set up for your organization.
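To make the accountability fields from the earlier section (user ID, source and destination addresses, time stamps) and the reduction and report generation described here concrete, the following is an added example that is not code from the original post or from CMMC. It parses constructed audit records in an assumed pipe-delimited format, reduces them by analyst-chosen filters, and builds a summary report; the record layout, field names, users, and addresses are all assumptions.

```python
"""Audit record reduction and report generation over constructed records.

Added example, not from the original post.  The record format below is an
assumption: timestamp | user_id | source_addr | dest_addr | event_type | outcome.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample audit records (not real log data).
SAMPLE_LOG = """\
2024-03-01T08:00:12Z|alice|10.0.0.5|10.0.1.20|logon|success
2024-03-01T08:01:40Z|bob|10.0.0.9|10.0.1.20|logon|failure
2024-03-01T08:01:45Z|bob|10.0.0.9|10.0.1.20|logon|failure
2024-03-01T08:01:51Z|bob|10.0.0.9|10.0.1.20|logon|failure
2024-03-01T08:02:03Z|bob|10.0.0.9|10.0.1.20|logon|success
2024-03-01T08:15:00Z|alice|10.0.0.5|10.0.1.30|file_modify|success
2024-03-01T09:00:00Z|svc_backup|10.0.2.2|10.0.1.30|file_read|success
2024-03-01T09:30:00Z|carol|198.51.100.7|10.0.1.20|remote_access|success
"""

FIELDS = ["timestamp", "user_id", "source_addr", "dest_addr", "event_type", "outcome"]


def parse_records(text):
    """Turn raw lines into dicts; a malformed line is an error, not silently skipped,
    because a record that cannot be traced to a user breaks accountability."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def reduce_records(records, event_types=None, outcome=None, user_id=None):
    """Audit record reduction: keep only the records matching the analyst's filters."""
    kept = []
    for rec in records:
        if event_types and rec["event_type"] not in event_types:
            continue
        if outcome and rec["outcome"] != outcome:
            continue
        if user_id and rec["user_id"] != user_id:
            continue
        kept.append(rec)
    return kept


def failed_logon_bursts(records, threshold=3, window_seconds=60):
    """Map user -> count for users with >= threshold failed logons inside a sliding window."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["event_type"] == "logon" and rec["outcome"] == "failure":
            by_user[rec["user_id"]].append(rec["timestamp"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[user] = j - i + 1
                break
    return flagged


def generate_report(records):
    """Report generation: per-user and per-event totals, remote sources, and burst findings."""
    per_user = Counter(rec["user_id"] for rec in records)
    per_event = Counter((rec["event_type"], rec["outcome"]) for rec in records)
    remote = sorted({rec["source_addr"] for rec in records if rec["event_type"] == "remote_access"})
    return {
        "total": len(records),
        "per_user": dict(per_user),
        "per_event": {f"{evt}/{out}": n for (evt, out), n in per_event.items()},
        "remote_sources": remote,
        "failed_logon_bursts": failed_logon_bursts(records),
        "first": min(rec["timestamp"] for rec in records).isoformat(),
        "last": max(rec["timestamp"] for rec in records).isoformat(),
    }


if __name__ == "__main__":
    report = generate_report(parse_records(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The filters in `reduce_records` and the sections of `generate_report` are the parts an organization tailors to its own needs, as the post notes; the accountability fields themselves should not be optional.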
Any audit log or record is incomplete without a time stamp to verify it. In practice, this means your systems must be capable of comparing and synchronizing their internal system clocks with an "authoritative" time source. What does that mean? Each of your systems might use different time granularities or be across different time zones, so you must synchronize your systems with a central time server to ensure that all systems record activity for audit logs with the same time source. This makes logging more efficient and easier to understand when it comes time to review the logs.
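The two halves of this requirement, normalizing stamps written in different zones and granularities onto one timeline and checking that each host's clock actually agrees with the authoritative source, are shown in the following added example. It is not code from the original post or from CMMC; the three record formats, host names, reported clock values, and the one-second tolerance are constructed assumptions.

```python
"""Normalising audit timestamps to UTC and flagging clock drift.

Added example, not from the original post.  Record formats, hosts, the
reported clock readings and the tolerance are assumptions.
"""
from datetime import datetime, timezone

# Constructed records: each system stamps the same event in its own format.
# fw-edge uses local time with an offset and millisecond granularity,
# dc-01 uses ISO 8601 UTC, app-web uses raw epoch seconds.
RAW_RECORDS = [
    ("fw-edge", "2024-03-01 03:00:05.250 -0500", "%Y-%m-%d %H:%M:%S.%f %z"),
    ("dc-01", "2024-03-01T08:00:05Z", "%Y-%m-%dT%H:%M:%S%z"),
    ("app-web", "1709280005", "epoch"),
]

# Constructed clock readings (epoch seconds) each host reported at the same
# instant the reference time server read REFERENCE_EPOCH.
REFERENCE_EPOCH = 1_709_280_000.0
REPORTED_CLOCKS = {
    "fw-edge": 1_709_280_000.4,
    "dc-01": 1_709_279_999.98,
    "app-web": 1_709_280_012.0,
}


def to_utc(stamp, fmt):
    """Parse one stamp into a timezone-aware UTC datetime.

    A stamp with no zone information is rejected rather than guessed: an
    audit record whose wall-clock time cannot be placed is not verifiable.
    """
    if fmt == "epoch":
        return datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    parsed = datetime.strptime(stamp, fmt)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without zone is ambiguous: {stamp!r}")
    return parsed.astimezone(timezone.utc)


def normalize(records):
    """Return (host, utc_datetime) pairs ordered on one common timeline."""
    timeline = [(host, to_utc(stamp, fmt)) for host, stamp, fmt in records]
    timeline.sort(key=lambda pair: pair[1])
    return timeline


def max_spread_seconds(normalized):
    """Largest gap between the earliest and latest stamp on the timeline."""
    times = [t for _, t in normalized]
    return (max(times) - min(times)).total_seconds()


def clock_skew_report(reported_clocks, reference_epoch, tolerance_s=1.0):
    """Map host -> skew in seconds for hosts outside the tolerance."""
    report = {}
    for host, clock in reported_clocks.items():
        skew = clock - reference_epoch
        if abs(skew) > tolerance_s:
            report[host] = round(skew, 3)
    return report


if __name__ == "__main__":
    for host, when in normalize(RAW_RECORDS):
        print(f"{when.isoformat()}  {host}")
    print("spread (s):", max_spread_seconds(normalize(RAW_RECORDS)))
    print("drifted hosts:", clock_skew_report(REPORTED_CLOCKS, REFERENCE_EPOCH))
```

Once stamps are normalized this way, the same event seen from three systems lines up within its granularity (a quarter of a second here), and a host whose clock has drifted shows up before its records start landing out of order in an investigation.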
Just as audit logs and records identify activity across all systems (both authorized and unauthorized), the audit logs also need to be protected against unauthorized access. This requirement focuses on protecting any information that is recorded within an audit, and your organization must limit the ability to access and execute audit logging tools to only those authorized within your organization. Again, this includes both physical and technical protection.
This domain covers various important topics, including system audit logging, user accountability, and audit management and protection. Meeting the requirements of this domain will require a step-by-step process that builds up to efficient management of auditing within your organization.
For CMMC Level 1, your organization is not mandated to implement practices in this domain. For CMMC Level 2, your organization must look further into each of the nine practices required and provide proper implementation and documentation.