NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7(8) Auditing Capability for Significant Events

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: {{ insert: param, si-07.08_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.

Practitioner Notes

When significant integrity events occur, generate audit records with enough detail for forensic investigation.

Example 1: Configure your FIM to log: what file changed, the previous and new hash values, what user or process made the change, the timestamp, and the machine name. Forward these audit records to your SIEM and retain them for your required audit period (typically one year or more).
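The audit record described in Example 1, as an added example (not part of the control text or any FIM product's code): a polling check against a baseline of SHA-256 hashes that returns one record per violation, ready to forward to a SIEM as JSON lines. The baseline format, field names and `actor` parameter are assumptions; a hash comparison alone cannot tell who made a change, so the actor is recorded as "unknown" unless supplied from OS audit data such as the SACL events in Example 2.

```python
import hashlib, json, os, socket, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_integrity(baseline, actor="unknown"):
    """Compare files to baseline {path: sha256}; return one audit record per violation."""
    records = []
    for path, old_hash in sorted(baseline.items()):
        try:
            new_hash = sha256_file(path)
        except FileNotFoundError:
            new_hash = None  # a deleted file is also an integrity event
        if new_hash == old_hash:
            continue
        records.append({
            "event": "file_deleted" if new_hash is None else "file_modified",
            "file": path,
            "previous_sha256": old_hash,
            "new_sha256": new_hash,
            "actor": actor,  # assumption: filled in from OS audit data when available
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "host": socket.gethostname(),
        })
    return records

def demo():
    """Constructed sample: two files in a temp dir, one modified and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        cfg, exe = os.path.join(d, "app.conf"), os.path.join(d, "tool.bin")
        for p, data in ((cfg, b"debug=false\n"), (exe, b"constructed binary")):
            with open(p, "wb") as f:
                f.write(data)
        baseline = {p: sha256_file(p) for p in (cfg, exe)}
        with open(cfg, "wb") as f:
            f.write(b"debug=true\n")  # simulated unauthorized change
        os.remove(exe)                # simulated deletion
        return audit_integrity(baseline)

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))  # one JSON line per event for the log forwarder
```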

Example 2: Enable Windows security auditing for file system changes to critical directories. Configure SACLs (System Access Control Lists) on directories containing executables and configuration files to log all modification attempts, successful or failed.