Deep Dive into Changes to the Audit and Accountability Family in FedRAMP Revision 5 

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Audit and Accountability family that the new baselines bring. 

Considerable Changes to the Low, Moderate, and High baselines include:

• Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
• A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
• A requirement for reviewing and updating the event types selected for logging at a defined frequency
• A requirement to generate alerts on audit processing failures within a specified time period
• An inclusion of the consideration of potential impact of the inappropriate or unusual activity when reviewing audit records
• An addition of new alert requirements for specified individuals or roles upon detection of unauthorized access, modification, or deletion of audit information
• A requirement to specify individuals or roles receiving alerts on unauthorized access, modification, or deletion of audit information

Considerable Changes to the Moderate and High baselines include:

• A new requirement to specify automated mechanisms to integrate audit record review, analysis, and reporting processes
• An inclusion of sort and search functions for audit records for events of interest

Considerable Changes to the High baseline include:

• Removal of the requirement to provide centralized management and configuration of the content to be captured in audit records (incorporated into PL-9)
• Emphasis on the benefits of a separate repository to store audit records

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey. https://lz.infusionpoints.com/fedramp