AU-10: Non-repudiation

Baselines:

  • Low: N/A
  • Moderate: N/A
  • High: AU-10
  • Privacy: N/A

Control Statement

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].

Supplemental Guidance

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.

Control Enhancements

AU-10(1): Association of Identities

Baseline(s):

(Not part of any baseline)

(a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
(b) Provide the means for authorized individuals to determine the identity of the producer of the information.

AU-10(2): Validate Binding of Information Producer Identity

Baseline(s):

(Not part of any baseline)

(a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
(b) Perform [Assignment: organization-defined actions] in the event of a validation error.

AU-10(3): Chain of Custody

Baseline(s):

(Not part of any baseline)

Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.

AU-10(4): Validate Binding of Information Reviewer Identity

Baseline(s):

(Not part of any baseline)

(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and
(b) Perform [Assignment: organization-defined actions] in the event of a validation error.