NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-10(3) — Chain of Custody
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
Supplemental Guidance
Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used.
Practitioner Notes
Maintain a chain of custody for audit records and evidence. From creation to review to archival, you must be able to prove the records were not tampered with.
Example 1: For incident response evidence, follow forensic chain of custody procedures: compute hashes of all evidence files immediately upon collection, document who collected them, when, and from where. Store evidence on write-protected media and maintain an evidence log tracking every person who accessed it.
Example 2: For regular audit logs, implement integrity verification. When archiving logs, generate a SHA-256 hash manifest and store it separately (different system, different admin). To verify chain of custody, recompute hashes and compare against the manifest. Any discrepancy indicates potential tampering.