NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(13) Logging Syntax

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

In support of better incident response and the ability to more quickly reconstruct security-related actions, identifying specific requirements for secure logging facilitates the ability to connect application-produced audit event logs with operational data. Event types are consistent with the event types defined in [AU-02](#au-2).

Practitioner Notes

Standardize your logging syntax across all systems and applications so that logs from different sources can be correlated and analyzed together. Inconsistent log formats make security analysis difficult.

Example 1: Define a standard log format for all applications: include timestamp (ISO 8601), severity level, source application, event type, user identity, source IP, and event description. Use structured logging (JSON format) so logs are machine-parseable.

Example 2: Use a centralized logging framework (Serilog, Log4j, Winston) with organization-defined templates that enforce your standard format. Configure your SIEM (Microsoft Sentinel) with parsers that understand your standard format and can automatically correlate events across different applications.
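The standard format from Example 1, as an added illustration that is not part of NIST 800-53 or of the notes above. It uses Python's standard `logging` module rather than the frameworks named in Example 2, and pairs a formatter that emits the seven fields as one JSON object per event with a conformance check that a collector or CI job could run on incoming lines. The JSON key names, the severity list, and the use of the logger name as the source application are assumptions.

```python
import ipaddress
import json
import logging
from datetime import datetime, timezone

# Key names are assumptions: the page lists the fields, not their JSON keys.
REQUIRED = ("timestamp", "severity", "source_app", "event_type",
            "user", "source_ip", "description")
SEVERITIES = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")


class StandardJsonFormatter(logging.Formatter):
    """Render each record as one JSON object carrying the standard fields."""

    def format(self, record):
        return json.dumps({
            "timestamp": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "severity": record.levelname,
            "source_app": record.name,  # assumption: logger is named after the app
            # Callers pass these three through logging's extra= argument.
            "event_type": getattr(record, "event_type", None),
            "user": getattr(record, "user", None),
            "source_ip": getattr(record, "source_ip", None),
            "description": record.getMessage(),
        }, sort_keys=True)


def validate_line(line):
    """Return the deviations of one log line from the standard (empty if none)."""
    try:
        event = json.loads(line)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(event, dict):
        return ["not a JSON object"]
    problems = ["missing " + key for key in REQUIRED if not event.get(key)]
    ts = event.get("timestamp")
    try:
        if ts and datetime.fromisoformat(ts).tzinfo is None:
            problems.append("timestamp has no UTC offset")
    except (TypeError, ValueError):
        problems.append("timestamp is not ISO 8601")
    if event.get("severity") and event["severity"] not in SEVERITIES:
        problems.append("unknown severity")
    try:
        if event.get("source_ip"):
            ipaddress.ip_address(event["source_ip"])
    except ValueError:
        problems.append("source_ip is not an IP address")
    return problems
```

Running `validate_line` over a sample of each source's output before it is onboarded to the SIEM shows which applications still deviate from the standard and in which field.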