NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-15 Alternate Audit Logging Capability

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Have a backup plan for audit logging. If your primary logging mechanism fails, you need an alternate way to capture audit events until the primary is restored.

Example 1: Configure systems to write audit logs both to the local event log and to the SIEM. If the SIEM forwarder fails, local logs continue to accumulate and can be imported later. Set local log file sizes large enough to buffer at least 48 hours of events.

Example 2: For cloud systems, enable platform-native logging (Azure Activity Logs, AWS CloudTrail) in addition to your SIEM connector. If the SIEM connector breaks, the platform logs provide continuity. Set up an alert (in Azure Monitor or CloudWatch) that detects when the SIEM connector stops receiving data.
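The check behind Examples 1 and 2, as an added illustration that is not part of the control text or any vendor tooling: it compares the newest event the SIEM received with what the local log still holds, flags a silent forwarder, and works out the window to import and any window already overwritten. The host names, timestamps, field names and the 15-minute silence threshold are constructed assumptions; the 48-hour figure comes from Example 1.

```python
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(minutes=15)  # assumed alert threshold, tune per environment
REQUIRED_BUFFER = timedelta(hours=48)      # local buffering target from Example 1

def assess_host(siem_last_seen, local_oldest, local_newest, wrapped):
    """Compare what the SIEM holds with what the local log still holds.

    siem_last_seen: timestamp of the newest event the SIEM received from the host
    local_oldest / local_newest: oldest and newest records still in the local log
    wrapped: True once the local log reached its size limit and began overwriting
    """
    # The host is still logging locally but the SIEM has fallen behind.
    silent = (local_newest - siem_last_seen) > SILENCE_THRESHOLD
    result = {"forwarder_silent": silent, "backfill": None,
              "lost_window": None, "buffer_undersized": False}
    if silent:
        # Import everything the SIEM has not seen that is still on disk.
        result["backfill"] = (max(siem_last_seen, local_oldest), local_newest)
        if local_oldest > siem_last_seen:
            # The local log rolled over before import: this window is gone.
            result["lost_window"] = (siem_last_seen, local_oldest)
    # Only a wrapped log shows how much time its configured size really covers.
    if wrapped and (local_newest - local_oldest) < REQUIRED_BUFFER:
        result["buffer_undersized"] = True
    return result

def t(day, hour, minute=0):
    """Helper for the constructed sample timestamps (May 2024, UTC)."""
    return datetime(2024, 5, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample data for three hypothetical hosts.
HOSTS = {
    "web01": dict(siem_last_seen=t(3, 11, 55), local_oldest=t(1, 0),
                  local_newest=t(3, 12), wrapped=False),
    "db01": dict(siem_last_seen=t(2, 6), local_oldest=t(1, 0),
                 local_newest=t(3, 12), wrapped=True),
    "app01": dict(siem_last_seen=t(2, 6), local_oldest=t(2, 18),
                  local_newest=t(3, 12), wrapped=True),
}

def report():
    return {host: assess_host(**fields) for host, fields in HOSTS.items()}

if __name__ == "__main__":
    for host, status in report().items():
        print(host, status)
```

In the sample, db01's 60-hour local buffer covers its forwarder outage completely, while app01's 18-hour buffer has already overwritten part of the gap.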