NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-5(5) Alternate Audit Logging Capability

Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure.

Practitioner Notes

If the primary audit logging system fails, switch to an alternate logging mechanism. Do not let a SIEM outage mean you have zero visibility.

Example 1: Configure a secondary syslog destination on all systems. If your primary SIEM (Splunk) goes down, logs continue flowing to a backup syslog server running on a separate system. You can import these logs into Splunk once it is restored.
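A check for Example 1, added here as an illustration and not part of the original page: it parses an rsyslog configuration and confirms that logs are forwarded to at least two distinct hosts. The choice of rsyslog, the hostnames and both sample configurations are constructed assumptions.

```python
import re

# Legacy forwarding rule: "*.* @host:514" (UDP) or "*.* @@host:514" (TCP).
# Handles hostnames and IPv4 addresses only.
LEGACY = re.compile(r'^\s*\S+\s+@{1,2}([^\s:]+)(?::\d+)?\s*$')
# RainerScript forwarding rule: action(type="omfwd" target="host" ...).
OMFWD = re.compile(r'action\s*\([^)]*type\s*=\s*"omfwd"[^)]*\)', re.I)
TARGET = re.compile(r'target\s*=\s*"([^"]+)"', re.I)

# Constructed sample: one destination only, so a SIEM outage leaves no remote copy.
WEAK = """
*.* @@siem.example.internal:514
"""

# Constructed sample: primary SIEM plus a backup syslog server on another host.
# The backup action has its own queue so it buffers while that server is unreachable.
CORRECTED = """
*.* @@siem.example.internal:514
action(type="omfwd" target="backup-syslog.example.internal" port="514"
       protocol="tcp" queue.type="LinkedList" queue.filename="fwd_backup"
       action.resumeRetryCount="-1")
"""

def forward_targets(conf):
    """Return the distinct remote hosts an rsyslog config forwards to."""
    lines = [ln.split("#", 1)[0] for ln in conf.splitlines()]  # drop comments
    targets = set()
    for ln in lines:
        m = LEGACY.match(ln)
        if m:
            targets.add(m.group(1).lower())
    for block in OMFWD.findall("\n".join(lines)):
        m = TARGET.search(block)
        if m:
            targets.add(m.group(1).lower())
    return targets

def has_alternate_destination(conf):
    """True when logs go to two or more distinct hosts.
    Distinct names are compared as strings; confirming they are
    separate systems still needs an inventory check."""
    return len(forward_targets(conf)) >= 2

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, sorted(forward_targets(conf)), has_alternate_destination(conf))
```
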

Example 2: For cloud environments, enable native platform logging as a fallback. Azure Activity Logs, AWS CloudTrail, and M365 Unified Audit Logs capture events independently of your SIEM. Even if your SIEM connector fails, the platform logs are still being written and can be reviewed through the native console.