NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-10(2) — Validate Binding of Information Producer Identity
Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }}; and
Perform {{ insert: param, au-10.02_odp.02 }} in the event of a validation error.
Supplemental Guidance
Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
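The two parts of the control, shown as an added example that is not part of the NIST text: a reviewer-side check of a cryptographic checksum covering both producer identity and content, plus an action on validation error. Assumptions: the checksum is a per-producer HMAC-SHA256 (a shared-key MAC detects modification and re-attribution, but non-repudiation needs a digital signature instead), the error action is quarantine, and all names, keys and records are constructed.

```python
import hashlib
import hmac

# Constructed per-producer secrets (assumption: real keys would live in a KMS/HSM).
PRODUCER_KEYS = {"alice": b"constructed-key-alice", "build-svc": b"constructed-key-build"}

def _message(producer: str, content: str) -> bytes:
    # Length-prefix the identity so identity and content bytes cannot be shifted
    # across the boundary to produce the same MAC input.
    pid = producer.encode()
    return len(pid).to_bytes(4, "big") + pid + content.encode()

def bind(producer: str, content: str) -> dict:
    """Producer side: attach a checksum covering both identity and content."""
    tag = hmac.new(PRODUCER_KEYS[producer], _message(producer, content), hashlib.sha256)
    return {"producer": producer, "content": content, "tag": tag.hexdigest()}

def validate_binding(record: dict):
    """Reviewer side: return (ok, reason) for one record."""
    producer = str(record.get("producer", ""))
    key = PRODUCER_KEYS.get(producer)
    if key is None:
        return False, "unknown producer"
    msg = _message(producer, str(record.get("content", "")))
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), str(record.get("tag", "")).encode()):
        return False, "checksum mismatch"
    return True, "ok"

def review(records):
    """Validate every record; quarantine failures (the assumed error action)."""
    accepted, quarantined = [], []
    for rec in records:
        ok, reason = validate_binding(rec)
        if ok:
            accepted.append(rec)
        else:
            quarantined.append({"record": rec, "reason": reason})
    return accepted, quarantined

# Constructed sample input: one intact record and three failure cases.
GOOD = bind("alice", "audit export 2024-Q1, 1532 rows")
SAMPLE = [GOOD, dict(GOOD, content="audit export 2024-Q1, 1530 rows"),
          dict(GOOD, producer="build-svc"), dict(GOOD, producer="mallory")]

if __name__ == "__main__":
    accepted, quarantined = review(SAMPLE)
    print(len(accepted), "accepted;", [q["reason"] for q in quarantined])
```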
Practitioner Notes
Validate that the identity of the person who created or produced information is accurately bound to that information, so that the producer cannot deny creating it.
Example 1: Use code signing certificates for all software produced by your development team. Every build artifact is signed with the developer's certificate. The signature proves who built it and that it has not been modified since signing. Configure your CI/CD pipeline to sign automatically.
Example 2: Require document signing for formal deliverables. Use Adobe Sign, DocuSign, or PKI-based digital signatures on all official documents. The signature binds the signer's identity to the document content, providing non-repudiation for authorship.