NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-9(6) Read-only Access

Authorize read-only access to audit information to {{ insert: param, au-09.06_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity.

Practitioner Notes

Provide read-only access to audit records for personnel who need to review logs but do not need to manage the audit system. This enforces separation of duties between log reviewers and log administrators.

Example 1: In Splunk, create a reader role with search capability on security indexes but no ability to create, modify, or delete indexes, saved searches, or system configurations. Assign this role to auditors and compliance reviewers.
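A Splunk authorize.conf stanza that implements the reader role described in Example 1 (an added example, not from the original page; the role name `audit_reader` and the index names `security` and `wineventlog` are assumptions):

```ini
# authorize.conf (added example; role and index names are assumptions)
# Read-only reviewer role: can search the security indexes, nothing else.
[role_audit_reader]
# Deliberately no importRoles: the built-in "user" role carries
# schedule_search and edit_own_objects, which would allow creating
# saved searches and other knowledge objects.
search = enabled
get_metadata = enabled
get_typeahead = enabled
rest_properties_get = enabled

# Indexes the role may search; no write-side capabilities
# (indexes_edit, edit_indexes, schedule_search, edit_roles) are granted.
srchIndexesAllowed = security;wineventlog
srchIndexesDefault = security

# Resource limits so reviewer searches cannot starve the platform.
srchJobsQuota = 5
srchDiskQuota = 500
```

After restart, confirm with `splunk btool authorize list role_audit_reader` that no edit_*, indexes_edit or schedule_search capability was inherited before assigning the role to auditors and compliance reviewers.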

Example 2: In Microsoft Sentinel, assign the Azure Sentinel Reader role to compliance and audit personnel. They can view incidents, run queries, and review workbooks but cannot modify analytics rules, create automations, or change data connectors. Assign via Azure → Access Control (IAM) on the Sentinel workspace.