AU-5: Response To Audit Processing Failures
Control Family: Audit and Accountability
Next Version:
- NIST Special Publication 800-53 Revision 5:
- AU-5: Response to Audit Logging Process Failures
Control Statement
The information system:
- Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
- Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Control Enhancements
AU-5(1): Audit Storage Capacity
Baseline(s):
- High
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
AU-5(2): Real-Time Alerts
Baseline(s):
- High
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-5(3): Configurable Traffic Volume Thresholds
Baseline(s): none (not selected in the Low, Moderate, or High baselines)
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
AU-5(4): Shutdown On Failure
Baseline(s): none (not selected in the Low, Moderate, or High baselines)
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
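A worked example of the response logic this control family describes, added here and not part of NIST SP 800-53 or of any product: it checks each audit repository and the combined total against an organization-defined warning percentage (AU-5(1) and the supplemental guidance), treats capture or write failures as real-time alert events (AU-5(2)), and selects the organization-defined additional action, honouring the AU-5(4) exception when an alternate audit capability exists. The thresholds, repository names, notification addresses and the `Policy`, `Repository` and `Decision` types are hypothetical assumptions.

```python
"""AU-5 audit-failure response monitor (added example; not NIST text or vendor code).
Thresholds, names and addresses below are hypothetical assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALERT_ONLY = "alert only"
    OVERWRITE_OLDEST = "overwrite oldest audit records"
    STOP_AUDITING = "stop generating audit records"
    DEGRADED_MODE = "degraded operational mode"
    SHUTDOWN = "full system shutdown"


@dataclass
class Repository:
    name: str
    used_bytes: int
    capacity_bytes: int
    capture_healthy: bool = True       # False: the capture mechanism itself has failed
    write_error: Optional[str] = None  # e.g. an I/O error reported by the storage layer


@dataclass
class Policy:
    warn_pct: float = 75.0                          # AU-5(1): warning threshold (assumed)
    full_action: Action = Action.OVERWRITE_OLDEST   # AU-5 base: action at/over capacity
    failure_action: Action = Action.DEGRADED_MODE   # AU-5(4): action on capture/HW/SW failure
    alternate_audit_capability: bool = False        # AU-5(4): suppresses the disruptive action
    notify: List[str] = field(default_factory=lambda: ["iso@example.org", "soc@example.org"])


@dataclass
class Decision:
    scope: str      # repository name, or "total" for the combined capacity
    event: str
    severity: str
    action: Action
    notify: List[str]


def pct_used(used: int, capacity: int) -> float:
    """Percentage of allocated storage in use; a zero allocation counts as full."""
    if capacity <= 0:
        return 100.0
    return 100.0 * used / capacity


def _capacity_decision(scope: str, used: int, cap: int, policy: Policy) -> Optional[Decision]:
    p = pct_used(used, cap)
    if p >= 100.0:
        return Decision(scope, "storage_full", "critical", policy.full_action, policy.notify)
    if p >= policy.warn_pct:
        return Decision(scope, "storage_warning", "warning", Action.ALERT_ONLY, policy.notify)
    return None


def evaluate(repos: List[Repository], policy: Policy) -> List[Decision]:
    """Return the AU-5 decisions for each repository and for the combined total."""
    decisions: List[Decision] = []
    for r in repos:
        if not r.capture_healthy or r.write_error:
            # AU-5(2): capture/write failures are always alerted in real time;
            # AU-5(4): the disruptive action applies only without an alternate capability.
            action = Action.ALERT_ONLY if policy.alternate_audit_capability else policy.failure_action
            decisions.append(Decision(r.name, "audit_capture_failure", "critical", action, policy.notify))
            continue
        d = _capacity_decision(r.name, r.used_bytes, r.capacity_bytes, policy)
        if d:
            decisions.append(d)
    # Supplemental guidance: the control applies per repository, to the total, or both.
    total = _capacity_decision("total", sum(r.used_bytes for r in repos),
                               sum(r.capacity_bytes for r in repos), policy)
    if total:
        decisions.append(total)
    return decisions


def overwrite_oldest(records: List[Tuple[int, int]], capacity_bytes: int) -> Tuple[List[Tuple[int, int]], int]:
    """Apply the 'overwrite oldest audit records' action.
    records are (timestamp, size_bytes); the oldest are dropped until the rest fit.
    Returns (kept_records, dropped_count). The caller must still alert: dropped
    records are an audit gap, not silent housekeeping."""
    kept = sorted(records)
    dropped = 0
    while kept and sum(s for _, s in kept) > capacity_bytes:
        kept.pop(0)
        dropped += 1
    return kept, dropped


# Constructed sample state (not real telemetry).
SAMPLE_REPOS = [
    Repository("local-auditd", used_bytes=800, capacity_bytes=1000),
    Repository("siem-forwarder", used_bytes=700, capacity_bytes=1000, capture_healthy=False),
    Repository("archive", used_bytes=2000, capacity_bytes=2000),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_REPOS, Policy()):
        print(f"[{d.severity}] {d.scope}: {d.event} -> {d.action.value}; notify {', '.join(d.notify)}")
```

On the sample state the monitor warns on the local repository at 80%, selects the degraded-mode action for the forwarder whose capture mechanism failed, applies the overwrite-oldest action to the full archive, and also warns on the combined total (87.5%). The example actions the control lists trade off differently: overwriting the oldest records keeps the system available at the cost of audit history, stopping record generation keeps it running but opens a gap, and shutdown preserves accountability at the cost of availability, which is why the policy binds a separate action to each failure type rather than one action to all of them.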