NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-16 — Cross-organizational Audit Logging
Employ {{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries.
Supplemental Guidance
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.
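The pattern the guidance describes, as an added illustration that is not part of NIST SP 800-53 or any vendor's code: the initial system records who made the request and issues a request ID that travels across the boundary; the external system verifies that the request was vouched for by the originating organization and logs only that fact plus the same request ID, never the individual's identity; during an investigation the two organizations' records are joined on the request ID. The header names, the HMAC-signed origin assertion and the shared key "agreed in the ISA" are assumptions made for the example, not a standard.

```python
"""Constructed example of cross-organizational audit logging (AU-16).

Two organizations, org-a (where the user authenticates) and org-b (an external
service), keep separate audit logs. Only the request ID and an origin assertion
cross the boundary; the user's identity stays in org-a's log.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumption: a key both parties agreed on in their interconnection agreement,
# used only so org-b can confirm a request was vouched for by org-a.
SHARED_KEY = b"isa-demo-key-not-for-production"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sign_origin(org: str, request_id: str, key: bytes = SHARED_KEY) -> str:
    """Origin assertion: org-a vouches that this request ID belongs to an
    authenticated, authorized principal at org-a (identity not included)."""
    return hmac.new(key, f"{org}|{request_id}".encode(), hashlib.sha256).hexdigest()


def verify_origin(org: str, request_id: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(sign_origin(org, request_id, key), tag)


def originating_org_request(audit_log: list, user: str, action: str, org: str = "org-a") -> dict:
    """Initial system: log the requesting individual, mint the request ID, and
    return the headers that accompany the request across the boundary."""
    request_id = secrets.token_hex(8)
    audit_log.append({"ts": _now(), "org": org, "request_id": request_id,
                      "user": user, "action": action})
    return {"X-Request-ID": request_id,
            "X-Origin-Org": org,
            "X-Origin-Tag": sign_origin(org, request_id)}


def receiving_org_handle(audit_log: list, headers: dict, resource: str, org: str = "org-b") -> bool:
    """External system: record that the request originated from an authorized
    individual at the named organization, without learning who that was."""
    request_id = headers.get("X-Request-ID")
    origin = headers.get("X-Origin-Org")
    tag = headers.get("X-Origin-Tag", "")
    verified = bool(request_id and origin and verify_origin(origin, request_id, tag))
    audit_log.append({"ts": _now(), "org": org, "request_id": request_id,
                      "origin_org": origin, "origin_verified": verified,
                      "resource": resource,
                      "outcome": "allowed" if verified else "rejected"})
    return verified


def trace_request(request_id: str, *logs: list) -> list:
    """Investigation step: join every organization's records on the request ID."""
    events = [e for log in logs for e in log if e.get("request_id") == request_id]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
    return events


def run_demo() -> dict:
    org_a_log, org_b_log = [], []

    # Legitimate cross-boundary request: org-a knows the user, org-b does not.
    headers = originating_org_request(org_a_log, "alice@org-a.example", "read-shared-report")
    verified = receiving_org_handle(org_b_log, headers, "/reports/q3")

    # Forged request: a bogus origin tag is logged as rejected at org-b.
    forged = dict(headers, **{"X-Request-ID": secrets.token_hex(8), "X-Origin-Tag": "00" * 32})
    tampered_verified = receiving_org_handle(org_b_log, forged, "/reports/q3")

    return {"verified": verified,
            "tampered_verified": tampered_verified,
            "downstream_event": org_b_log[0],
            "trace": trace_request(headers["X-Request-ID"], org_a_log, org_b_log)}


if __name__ == "__main__":
    for event in run_demo()["trace"]:
        print(event)
```

The two things to check in practice are visible in the joined trace: the org-b record carries `origin_org` and `origin_verified` but no user field (the privacy point in the guidance), and the only key needed to reconstruct the full chain is the request ID, which is what the exchange agreement has to require both sides to log and retain.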
Practitioner Notes
When your organization works with partners and shares systems, coordinate audit logging across organizational boundaries. You need to be able to trace a single transaction from the system that authenticated the requester to every external system that acted on it, which means both sides must log a common identifier (such as a request or transaction ID) and agree on how records will be shared.
Example 1: In your interconnection security agreements (ISAs), include provisions for audit log sharing. Specify what log data each party will provide during incident investigations, the format it will be provided in, and the timeline for delivery (for example, within 24 hours of a request). Document this as a requirement in the ISA.
Example 2: For cloud service providers, verify that your contract includes audit log access. In Azure, the Microsoft Entra ID (formerly Azure AD) sign-in and audit logs and the Microsoft 365 unified audit log are available to you as the tenant owner, but their default retention is short (Entra sign-in logs are kept for 30 days with a P1 or P2 license and 7 days without), so export them to your own SIEM or Log Analytics workspace to meet your retention requirement. For third-party SaaS, ensure your contract specifies log availability, format, and retention. Request SOC 2 Type II reports that document the provider's logging capabilities.