AU-10: Non-Repudiation

Baselines:

  • Low: N/A
  • Moderate: N/A
  • High: AU-10

Control Statement

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].

Supplemental Guidance

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

Control Enhancements

AU-10(1): Association Of Identities

Baseline(s):

(Not part of any baseline)

The information system:

  • Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
  • Provides the means for authorized individuals to determine the identity of the producer of the information.

AU-10(2): Validate Binding Of Information Producer Identity

Baseline(s):

(Not part of any baseline)

The information system:

  • Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
  • Performs [Assignment: organization-defined actions] in the event of a validation error.
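The mechanism the Supplemental Guidance names, a digital signature, is what binds a producer identity to information (AU-10(1)) and what a verifier checks when validating that binding (AU-10(2)). The following Go program is an added example illustrating both enhancements; it is not text from SP 800-53 and not a NIST reference implementation. It assumes Ed25519 from Go's standard library as the signature scheme, a directory of producer public keys as the trust anchor an authorized verifier consults, and quarantine-plus-log as the organization-defined action on a validation error. The producer names and records are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the information together with the producer identity and the action it
// evidences. The signature covers the canonical encoding of the whole struct, so
// identity and content are bound together and neither can change alone (AU-10(1)).
type Record struct {
	Producer string `json:"producer"` // identity of the information producer
	Action   string `json:"action"`   // organization-defined action covered by non-repudiation
	Content  []byte `json:"content"`  // the information itself
}

// SignedRecord carries the record and the producer's signature over it.
type SignedRecord struct {
	Record    Record `json:"record"`
	Signature []byte `json:"signature"`
}

// Directory maps a producer identity to its public key: the trust anchor an
// authorized verifier consults to determine who produced the information.
type Directory map[string]ed25519.PublicKey

var ErrUnknownProducer = errors.New("producer identity not present in directory")
var ErrBindingInvalid = errors.New("signature does not bind the claimed producer to this information")

// canonical returns the bytes that are signed and verified; encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func canonical(r Record) ([]byte, error) { return json.Marshal(r) }

// NewIdentity generates a key pair for a producer and registers the public half. The
// private half must stay with the producer alone; that is what the producer cannot deny.
func NewIdentity(dir Directory, producer string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[producer] = pub
	return priv, nil
}

// Sign binds the producer identity named in r to the information in r.
func Sign(priv ed25519.PrivateKey, r Record) (SignedRecord, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verifier is the authorized party that validates bindings and keeps the audit trail.
type Verifier struct {
	Dir        Directory
	Quarantine []SignedRecord // records whose binding failed, held for investigation
	Log        []string       // one audit entry per validation
}

// ValidateBinding checks that the key registered for the claimed producer signed
// exactly this record (AU-10(2)).
func (v *Verifier) ValidateBinding(sr SignedRecord) error {
	pub, ok := v.Dir[sr.Record.Producer]
	if !ok {
		return ErrUnknownProducer
	}
	msg, err := canonical(sr.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sr.Signature) {
		return ErrBindingInvalid
	}
	return nil
}

// Accept validates the binding and, on a validation error, performs the organization-
// defined action: quarantine the record instead of processing it, and log the reason.
func (v *Verifier) Accept(sr SignedRecord) error {
	if err := v.ValidateBinding(sr); err != nil {
		v.Quarantine = append(v.Quarantine, sr)
		v.Log = append(v.Log, fmt.Sprintf("REJECT producer=%q action=%q reason=%v", sr.Record.Producer, sr.Record.Action, err))
		return err
	}
	v.Log = append(v.Log, fmt.Sprintf("ACCEPT producer=%q action=%q", sr.Record.Producer, sr.Record.Action))
	return nil
}

func main() {
	dir := Directory{}
	alice, _ := NewIdentity(dir, "alice") // constructed sample identity
	v := &Verifier{Dir: dir}
	genuine, _ := Sign(alice, Record{Producer: "alice", Action: "approve-procurement", Content: []byte("PR-1234: approved")})
	fmt.Println("genuine:", v.Accept(genuine)) // <nil>
	tampered := genuine
	tampered.Record.Content = []byte("PR-1234: rejected") // altered after signing
	fmt.Println("tampered:", v.Accept(tampered)) // ErrBindingInvalid
	fmt.Println(v.Log)
}
```

Two points the code makes explicit. First, the signature is over the producer name and the content together, so a record that claims one producer but was signed with another party's key fails validation just as altered content does; the "strength of binding" parameter in AU-10(1) is then a matter of the algorithm chosen and how well the private key is protected. Second, a keyed MAC over a shared secret would not satisfy the control, since any holder of the shared key could have produced the tag and the producer could plausibly deny it; only a key held solely by the producer yields evidence the producer cannot repudiate.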

AU-10(3): Chain Of Custody

Baseline(s):

(Not part of any baseline)

The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

AU-10(4): Validate Binding Of Information Reviewer Identity

Baseline(s):

(Not part of any baseline)

The information system:

  • Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
  • Performs [Assignment: organization-defined actions] in the event of a validation error.