The Cybersecurity Maturity Model Capability (CMMC) framework is made up of 17 domains. Each domain describes practices, processes and capabilities within the CMMC’s five maturity levels.
CMMC’s Audit and Accountability (AU) domain contains four capabilities, which in turn include 14 practices at levels 2 through 5.
What does the CMMC Audit and Accountability domain cover?
Practices in the CMMC Audit and Accountability domain enable organizations with the ability to identify, record, store, protect, and review significant and relevant auditable event significant to the securing a covered information system (i.e. information systems processing, storing, or transmitting CUI), which is the data classification that CMMC was created to protect.
According to NIST Special Publication 800-53r4, AU-2, and the CMMC Model, version 1.02, Audit and Accountability is defined as “a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result to ensure that the actions of an entity may be traced uniquely to that entity.”
How do I comply with the Audit and Accountability practices and processes?
This domain require organizations to establish and resource a capability to identify, create, manage, protect, and correlate audit records to aid in tracking users who access the CUI that your organization handles, as well as securely auditing those logs to hold users accountable for their actions (nonrepudiation).
To comply with the practices in this domain at various maturity levels, you will need to define your specific audit requirements, meaning create a policy stating “what” your organization defines as sufficient audit information that aids in security investigation, supporting processes stating how your organization defines, documents, reviews, protects, and correlates said records to aid in said security activities, and collection of objective evidence, supporting your organization is “saying” what they are doing (documented policy / processes) and doing what they are saying (periodic reviewing the audit records, the audit alerts, and updating these as needed to improve the capability’s maturity, and thus, the organization’s cyber hygiene)
What are the CMMC Audit and Accountability domain capabilities?
The CMMC Audit and Accountability domain includes four capabilities:
- Define audit requirements
- Perform auditing
- Identify and protect audit information
- Review and manage audit logs
Some of the steps involved in establishing these capabilities, depending on the maturity level you need to reach, would include:
- Enabling logging for all the information systems, components, and devices in your scope (e.g., your firewalls, routers, and switches, your cloud environment(s), your manufacturing information systems, your development/staging/test environments, all desktops and laptops, your database and application servers, etc., etc.
- Documenting procedures and training staff on how to access, protect, and manage the audit logs
- Deciding where and how to securely store the log data, and for how long
- Requiring regular audit log reviews in the appropriate policy document
- Reviewing the log data
The larger and more complex your environment, the more log data you’ll need to store, manage and review. Many companies will benefit from using third-party tools to help organize, filter and/or report on all their sources of log data.
What are the CMMC Audit and Accountability practices?
The CMMC Audit and Accountability domain includes 14 practices, distributed across levels 2 to 5.
Even at level 2 you need to ensure unique traceability for individual users, create and review audit logs, and synchronize system clocks to ensure accurate audit time stamps. Levels 3 and 4 add requirements for alerting on logged events, securing logged data and developing more sophisticated log analysis to support incident response. Level 5 adds a process to make sure that all the appropriate systems are generating audit logs as per policy.
Because they impact so many systems and drive so much data collection and reporting, the CMMC Audit and Accountability practices can leave many organizations wondering what exactly they need to do to achieve compliance, while streamlining the broad operational implications of holding users accountable.
If you have questions about how your business can best meet CMMC’s Audit and Accountability requirements, contact Pivot Point Security to connect with a CMMC expert.