NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-9(2) — Store on Separate Physical Systems or Components
Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.
Supplemental Guidance
Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.
Practitioner Notes
Store audit logs on separate physical systems or components from the systems being audited, and do so from the moment of generation: forward records as they are written rather than in periodic batches, so that an audited host is never the only holder of its own audit trail for long. If the production server is compromised, the attacker should not be able to read, alter, or delete the records already collected. At most they can stop the host from producing or forwarding new ones, so the repository side should notice and alert when a source goes quiet.
Example 1: Run your SIEM (or a dedicated log collector in front of it) on a server or cluster that is not part of the general production environment. Place it on a separate network segment with firewall rules that allow only log-ingestion traffic inbound from the audited systems and management access from SOC workstations. Production hosts should have no path to the collector's management interfaces, and the accounts that administer the collector should not be the same accounts that administer production.
Example 2: Forward logs to a cloud-based SIEM (Microsoft Sentinel, Splunk Cloud) so that audit records are physically stored in infrastructure separate from your on-premises production systems. An attacker who compromises the on-premises environment cannot reach the cloud-stored logs without separate credentials, so keep those credentials genuinely separate: the forwarding agent's credential lives on the audited hosts and should be able to ingest only, never to query or delete, and the SIEM tenant's administrative identities should not depend solely on the on-premises directory the attacker may now control.
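The following script is an added example for Example 1 and, for the host-side forwarder, Example 2; it is not part of NIST SP 800-53 or of any vendor's documentation. It renders the three pieces of configuration that implement the separation: an rsyslog forwarder for each audited host, an rsyslog collector for the dedicated log server, and the collector's nftables ruleset. The host name logs.corp.example, the 10.10.0.0/24 production and 10.30.0.0/24 SOC segments, the certificate name pattern *.prod.corp.example, and the tls/ file paths are assumptions. Files are rendered under ROOT, which defaults to ./stage so the output can be inspected before it touches a real host.

```shell
#!/bin/sh
# Added example, not from NIST SP 800-53 or any vendor documentation.
# Renders forwarder, collector and firewall configuration for a log
# repository on a separate physical system. Names and addresses below are
# hypothetical. ROOT defaults to ./stage; ROOT=/ renders in place.
set -eu

ROOT="${ROOT:-./stage}"
COLLECTOR_FQDN="logs.corp.example"      # assumed name of the log repository
PROD_NET="10.10.0.0/24"                 # assumed production segment
SOC_NET="10.30.0.0/24"                  # assumed SOC workstation segment
PEER_GLOB="*.prod.corp.example"         # assumed cert name pattern of audited hosts

# Audited host: ship each record as it is written, over mutually authenticated
# TLS on 6514/tcp (RFC 5425). The disk-assisted queue buffers only while the
# collector is unreachable, so the host never holds the only copy for long.
write_forwarder_conf() {
  mkdir -p "$ROOT/etc/rsyslog.d"
  cat > "$ROOT/etc/rsyslog.d/10-forward.conf" <<EOF
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/host.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/host.key"
)
action(
  type="omfwd" target="$COLLECTOR_FQDN" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="$COLLECTOR_FQDN"
  queue.type="LinkedList" queue.filename="fwdq"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
EOF
}

# Collector: accept only TLS peers whose certificate name matches the audited
# fleet, and write one file per source host, readable by the adm group only.
write_collector_conf() {
  mkdir -p "$ROOT/etc/rsyslog.d"
  cat > "$ROOT/etc/rsyslog.d/10-collector.conf" <<EOF
module(load="imtcp"
  StreamDriver.Name="gtls" StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["$PEER_GLOB"])
input(type="imtcp" port="6514")
template(name="PerHost" type="string"
  string="/var/log/remote/%HOSTNAME%/%\$YEAR%-%\$MONTH%-%\$DAY%.log")
action(type="omfile" dynaFile="PerHost"
  fileOwner="root" fileGroup="adm" fileCreateMode="0640" dirCreateMode="0750")
EOF
}

# Collector firewall: ingestion from production only, management from the SOC
# only, everything else dropped. Production hosts get no path to SSH.
write_collector_nft() {
  mkdir -p "$ROOT/etc"
  cat > "$ROOT/etc/nftables.conf" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ip saddr $PROD_NET tcp dport 6514 accept
    ip saddr $SOC_NET tcp dport 22 accept
  }
}
EOF
}

# Checks to run before rollout: peer authentication on both ends, no plaintext
# 514 listener on the collector, and no rule admitting SSH from production.
check_rendered() {
  f="$ROOT/etc/rsyslog.d/10-forward.conf"
  c="$ROOT/etc/rsyslog.d/10-collector.conf"
  n="$ROOT/etc/nftables.conf"
  grep -q 'StreamDriverAuthMode="x509/name"' "$f" || return 1
  grep -q 'StreamDriver.AuthMode="x509/name"' "$c" || return 1
  ! grep -q 'port="514"' "$c" || return 1
  grep -q "ip saddr $PROD_NET tcp dport 6514 accept" "$n" || return 1
  ! grep -q "ip saddr $PROD_NET tcp dport 22" "$n" || return 1
}

render_all() {
  write_forwarder_conf; write_collector_conf; write_collector_nft
  check_rendered
}

render_all && echo "rendered under $ROOT"
```

After copying the rendered files into place, run `rsyslogd -N1` on each host to syntax-check the rsyslog configuration and `nft -c -f /etc/nftables.conf` on the collector before enabling either. The forwarder's client certificate is the only credential that leaves the collector's trust boundary, and it authorises nothing but sending; the same principle applies when the target is a cloud SIEM agent instead of rsyslog.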