NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-9(3) Cryptographic Protection

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Practitioner Notes

Use cryptographic mechanisms to protect the integrity of audit records so that any tampering is detectable. A digital signature over the records, or over their hashes, does this directly. A bare hash only does so if it is kept where someone able to alter the logs cannot also recompute and replace it, for example on a separate system the log host cannot write to, or under a signing key the log host does not hold.

Example 1: Configure log forwarders to use TLS when transmitting logs to the SIEM. In rsyslog, @@(o)siem.company.com:6514 is not TLS: @@ selects plain TCP and (o) only turns on octet-counted framing. TLS requires selecting the gtls netstream driver ($DefaultNetstreamDriver gtls in legacy syntax, or StreamDriver="gtls" on the omfwd action) with stream driver mode 1, and authenticating the SIEM's certificate against a trusted CA with the x509/name authentication mode and the SIEM's hostname as the permitted peer, so a man-in-the-middle cannot substitute its own certificate. TLS protects records only while they are in transit; once written to disk at either end they are unprotected, so pair this with Example 2.

Example 2: For critical log files, generate SHA-256 hashes at regular intervals (hourly or daily, and at every rotation) and store the hashes on a separate system the log host cannot write to, or sign them with a key the log host does not hold; a hash kept next to the log can simply be recomputed by whoever edits the log. To verify integrity for an investigation, recompute the hash and compare; any mismatch indicates the file was modified. Only records written before the most recent hash are covered, so the interval bounds how much tampering can go undetected. Tools like OSSEC provide file integrity monitoring, but point it at rotated or archived logs: a live log file changes with every legitimate append and would alert continuously.
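The following is an added example written for this page, not code from NIST or from any tool named above. It implements the hash-and-compare procedure of Example 2 but goes one step further: each record's hash covers the previous hash, so altering, deleting or reordering any record changes every later chain head. Only the chain heads at checkpoints need to be exported to the separate store, and a verifier can then say whether the file is intact, truncated, or modified, and between which checkpoints the modification lies. The log lines, hostnames and addresses are constructed for the example. In production the exported checkpoint heads would also be signed with a private key held off the log host (the asymmetric mechanism the supplemental guidance describes), for instance with openssl dgst -sha256 -sign; that step is left out here because the Python standard library has no asymmetric signing.

```python
"""Tamper-evident hash chain over audit log records (added example).

Standard library only. Checkpoint heads are meant to be written to a
separate store (or signed) so the log host cannot rewrite them.
"""
import hashlib
from typing import Iterable, List, Dict

# Constructed sample records standing in for lines of a protected log file.
SAMPLE_RECORDS = [
    "2024-05-01T10:00:01Z host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5",
    "2024-05-01T10:00:07Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart rsyslog",
    "2024-05-01T10:02:13Z host1 sshd[1299]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:02:15Z host1 sshd[1299]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:03:40Z host1 sudo: bob : COMMAND=/usr/bin/cat /var/log/secure",
    "2024-05-01T10:05:00Z host1 useradd[1350]: new user: name=svc_backup, UID=1003",
]

GENESIS = "00" * 32  # fixed anchor hashed into the first record


def record_hash(prev_head: str, record: str) -> str:
    """SHA-256 over (previous head || len(record) || record).

    The length prefix keeps two different (head, record) pairs from
    serialising to the same byte string.
    """
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_head))
    data = record.encode("utf-8")
    h.update(len(data).to_bytes(8, "big"))
    h.update(data)
    return h.hexdigest()


def chain_heads(records: Iterable[str]) -> List[str]:
    """Chain head after each record; heads[i] covers records[0..i]."""
    heads, prev = [], GENESIS
    for rec in records:
        prev = record_hash(prev, rec)
        heads.append(prev)
    return heads


def make_checkpoint(records: List[str], count: int) -> Dict:
    """Head after the first `count` records. Export this off the log host."""
    if count < 1 or count > len(records):
        raise ValueError("count out of range")
    return {"count": count, "head": chain_heads(records[:count])[-1]}


def verify(records: List[str], checkpoints: List[Dict]) -> Dict:
    """Recompute the chain and compare it with the exported checkpoints.

    Returns one of:
      {"status": "ok", "verified": n, "unverified": m}  (m records after last checkpoint)
      {"status": "truncated", "have": n, "expected_at_least": k}
      {"status": "modified", "suspect_range": (lo, hi)}  (inclusive record indices)
    """
    heads = chain_heads(records)
    verified_upto = 0  # number of leading records confirmed so far
    for cp in sorted(checkpoints, key=lambda c: c["count"]):
        n = cp["count"]
        if n > len(records):
            return {"status": "truncated", "have": len(records), "expected_at_least": n}
        if heads[n - 1] != cp["head"]:
            # Everything up to verified_upto matched, so the change lies
            # somewhere in the window this checkpoint covers.
            return {"status": "modified", "suspect_range": (verified_upto, n - 1)}
        verified_upto = n
    return {"status": "ok", "verified": verified_upto,
            "unverified": len(records) - verified_upto}


if __name__ == "__main__":
    # Checkpoints taken after record 3 and record 6, as an hourly job might.
    cps = [make_checkpoint(SAMPLE_RECORDS, 3), make_checkpoint(SAMPLE_RECORDS, 6)]
    print("intact:   ", verify(SAMPLE_RECORDS, cps))

    edited = list(SAMPLE_RECORDS)
    edited[4] = edited[4].replace("bob", "alice")   # blame shifted to another user
    print("edited:   ", verify(edited, cps))

    print("truncated:", verify(SAMPLE_RECORDS[:4], cps))

    # Records appended after the last checkpoint are simply not covered yet,
    # which is why the checkpoint interval matters.
    appended = SAMPLE_RECORDS + ["2024-05-01T10:09:00Z host1 sshd[1400]: forged line"]
    print("appended: ", verify(appended, cps))
```

Checkpoint hashes, not the log, are what the separate system holds, so the export is small enough to ship at every rotation. A verifier only needs the records and the checkpoints; if the checkpoints are also signed, it needs nothing but the public key to trust them.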