AU-10: Non-Repudiation
Control Family:
CSF v1.1 References:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
- AU-10
Next Version:
- NIST Special Publication 800-53 Revision 5:
- AU-10: Non-repudiation
Control Statement
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
Supplemental Guidance
Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).
Control Enhancements
AU-10(1): Association Of Identities
Baseline(s):
The information system: Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and Provides the means for authorized individuals to determine the identity of the producer of the information.
AU-10(2): Validate Binding Of Information Producer Identity
Baseline(s):
The information system: Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and Performs [Assignment: organization-defined actions] in the event of a validation error.
AU-10(3): Chain Of Custody
Baseline(s):
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
AU-10(4): Validate Binding Of Information Reviewer Identity
Baseline(s):
The information system: Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and Performs [Assignment: organization-defined actions] in the event of a validation error.