NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-9(1) — Hardware Write-once Media
Write audit trails to hardware-enforced, write-once media.
Supplemental Guidance
Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media.
Practitioner Notes
Write audit logs to hardware-based write-once media so they cannot be modified or deleted after they are written. This provides the strongest protection for audit records.
Example 1: Configure your long-term log archive to write to WORM (Write Once Read Many) storage. AWS S3 Object Lock in Compliance mode or Azure Blob Storage with immutable storage policies provides this capability in the cloud. Once written, no one — not even root — can modify or delete the records until the retention period expires.
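Added example (not from the control text, NIST, or any vendor documentation): an offline check that an S3 bucket's Object Lock settings actually deliver the write-once behaviour Example 1 relies on, flagging Governance mode, a missing or short default retention, and disabled versioning. The input dicts are constructed samples shaped like boto3's get_object_lock_configuration and get_bucket_versioning responses, and MIN_RETENTION_DAYS is an assumed archive policy.

```python
# Constructed check for the WORM properties AU-9(1) expects from S3 Object Lock.
# Inputs mimic boto3 response dicts so the check runs with no AWS calls.
MIN_RETENTION_DAYS = 365  # assumed minimum archive retention for audit trails


def check_object_lock(lock_cfg: dict, versioning: dict,
                      min_retention_days: int = MIN_RETENTION_DAYS) -> list:
    """Return a list of issues; an empty list means the bucket qualifies as WORM."""
    issues = []
    # Object Lock depends on versioning: deleting the current version only adds a
    # delete marker, while the locked versions stay readable.
    if versioning.get("Status") != "Enabled":
        issues.append("bucket versioning is not Enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        issues.append("Object Lock is not enabled on the bucket")
        return issues  # the remaining checks are meaningless without Object Lock
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be overridden by a principal holding
        # s3:BypassGovernanceRetention, so it is write-protected, not write-once.
        issues.append(f"default retention mode is {mode!r}, not COMPLIANCE")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days == 0:
        issues.append("no default retention period; each writer must set one")
    elif days < min_retention_days:
        issues.append(f"default retention of {days} days is below the "
                      f"{min_retention_days}-day archive requirement")
    return issues


# Constructed sample: looks immutable but is only write-protected.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
# Constructed sample: Compliance mode with a seven-year default retention.
WORM_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
VERSIONED = {"Status": "Enabled"}
SUSPENDED = {"Status": "Suspended"}

if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK_LOCK, SUSPENDED),
                           ("worm", WORM_LOCK, VERSIONED)):
        found = check_object_lock(cfg, ver)
        print(name, "OK" if not found else "; ".join(found))
```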
Example 2: For on-premises environments, archive audit logs to a dedicated WORM storage appliance or use tape backup with WORM cartridges. Label and store tapes in a secure location with controlled access. Maintain a tape inventory and verify readability annually.