NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-6(7)Permitted Actions

Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.
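The matrix of permitted actions described above maps onto concrete enforcement on a POSIX host, where a log file's owner, group and other classes are a coarse instance of the system processes, roles and users the enhancement names. What follows is an added example, not part of this page or of NIST's material. AUDIT_LOG_POLICY is a hypothetical matrix (the owner, taken to be the audit daemon or a retention job, may read, append and delete; the auditor group may read; nobody else may do anything), and check_audit_log compares a log file and its directory against it and reports every grant the policy does not permit. Two caveats the mode-bit model forces are built in: POSIX has no append-only bit, so append and write collapse onto the same bit (append-only has to come from chattr +a on Linux or from the log service itself), and delete is the write bit on the containing directory rather than anything on the file.

```python
import os
import stat
import tempfile

# Hypothetical permitted-actions matrix for one audit log file, keyed by
# POSIX principal class (owner = the audit daemon or retention job running
# as root, group = auditors who review and analyze, other = everyone else).
AUDIT_LOG_POLICY = {
    "owner": {"read", "append", "delete"},
    "group": {"read"},
    "other": set(),
}

# The control's action names mapped onto the three bits of one class.
# "append" needs the same bit as "write" (POSIX has no append-only bit;
# use chattr +a on Linux or enforce it in the log service). "delete" is
# absent here on purpose: on POSIX it is the write bit of the directory.
ACTION_BITS = {"read": 0o4, "write": 0o2, "append": 0o2, "execute": 0o1}
CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}
BIT_NAMES = (("read", 0o4), ("write", 0o2), ("execute", 0o1))
DIR_MEANING = {"read": "list records", "write": "delete or rename records",
               "execute": "traverse the directory"}


def expected_file_mode(policy):
    """Mode bits the policy implies for the log file itself."""
    mode = 0
    for cls, actions in policy.items():
        bits = 0
        for action in actions:
            if action in ACTION_BITS:
                bits |= ACTION_BITS[action]
        mode |= bits << CLASS_SHIFT[cls]
    return mode


def expected_dir_mode(policy):
    """Mode bits for the containing directory: any class with at least one
    permitted action may list and traverse (r-x); only holders of "delete"
    get the write bit, since that is what unlink and rename require."""
    mode = 0
    for cls, actions in policy.items():
        if not actions:
            continue
        bits = 0o5 | (0o2 if "delete" in actions else 0)
        mode |= bits << CLASS_SHIFT[cls]
    return mode


def excess_grants(actual_mode, expected_mode):
    """(class, action) pairs the actual mode grants beyond the expected one.
    Missing grants are not reported: a too-tight mode breaks logging but
    does not violate least privilege."""
    excess = stat.S_IMODE(actual_mode) & ~expected_mode
    found = []
    for cls, shift in CLASS_SHIFT.items():
        bits = (excess >> shift) & 0o7
        for action, bit in BIT_NAMES:
            if bits & bit:
                found.append((cls, action))
    return found


def check_audit_log(path, policy=AUDIT_LOG_POLICY):
    """Compare a log file and its directory with the policy; return findings."""
    findings = []
    file_mode = os.stat(path).st_mode
    for cls, action in excess_grants(file_mode, expected_file_mode(policy)):
        findings.append(f"{path}: {cls} may {action} the file, policy does not permit it")
    directory = os.path.dirname(os.path.abspath(path))
    dir_mode = os.stat(directory).st_mode
    for cls, action in excess_grants(dir_mode, expected_dir_mode(policy)):
        findings.append(f"{directory}: {cls} can {DIR_MEANING[action]}")
    return findings


def demo():
    """Constructed scenario: a log file readable by everyone in a directory
    the auditor group can write to. Returns the two findings this produces."""
    workdir = tempfile.mkdtemp()
    try:
        log = os.path.join(workdir, "audit.log")
        with open(log, "w") as fh:
            fh.write("type=USER_LOGIN msg=audit(0.0:1): constructed sample line\n")
        os.chmod(log, 0o644)      # other can read: excess over policy 0o640
        os.chmod(workdir, 0o770)  # group can write: may delete records
        return check_audit_log(log)
    finally:
        os.chmod(workdir, 0o700)
        os.remove(os.path.join(workdir, "audit.log"))
        os.rmdir(workdir)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as a scheduled check against the real audit directory and treat any finding as a deviation from the documented matrix. The same shape carries over to finer-grained mechanisms (POSIX ACLs, a SIEM's role definitions): the policy names who may read, append or delete, the check reports what the system actually grants beyond that.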

Practitioner Notes

This enhancement is about who may do what to the audit records themselves, not about what happens to a person caught in them. The organization names each system process, role, and user that reviews, analyzes, or reports on audit records and states which of read, write, execute, append, and delete each one is allowed, then enforces that through account management and the system's access controls. Review and analysis roles normally get read only; the logging process gets append; delete stays with a retention process or an explicitly named custodian, never with the ordinary administrator population. What happens to someone whose unauthorized behavior audit review uncovers is a separate, personnel sanctions matter (PS-8 in 800-53); the two meet when the violation is someone exceeding their permitted actions on the audit records.

Example 1: Document a permitted-actions matrix in your audit policy, one row per process, role, or user: the audit daemon and log forwarder may append; the auditor and SOC analyst roles may read; the SIEM service account may read and write its own indices but not the raw log source; only the retention job (or a named log custodian with two-person approval) may delete. Implement the matrix in the system (file modes and append-only attributes, log platform roles, IAM policies) and review it whenever roles change.

Example 2: When review reveals that someone exceeded their permitted actions on audit records (for example, an administrator editing or deleting entries) or that audit records show another policy violation, create a formal incident record in your ticketing system. Document what was found, which logs contain the evidence, and what corrective action was taken. Have the ISSO and the employee's manager sign off on the resolution, and add the incident to the employee's training record. Define the response scale in policy ahead of time: a first offense of a minor policy violation (e.g., sharing a password) results in counseling and additional training; repeated offenses or serious violations (data exfiltration, unauthorized system access, tampering with audit records) result in suspension of access and referral to management and legal.