Access Control

CMMC Audit & Accountability Domain Explained

Omer Aslim selfie
By: Omer Kaan Aslim
June 16, 2020
In this post we explain the CMMC audit & accountability domain and its associated requirements.

The audit & accountability domain has four capability requirements and a total of fourteen practices.

What does Audit & Accountability Mean?

Audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Accountability - The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Audit and Accountability Domain Explained

The goal of the audit and accountability domain is to record system and security logs on systems to support the monitoring, investigation, and reporting of system activity. It also seeks to ensure that system audit logs can be traced back to users so that they can be held accountable for their actions.

What are the CMMC Access Control Domain Capabilities?

  • C007: Define audit requirements
  • C008: Perform auditing
  • C009: Identify and protect audit information
  • C010: Review and manage audit logs

Examples of Audit and Accountability

Examples of audit and accountability requirements include: audit events, time stamps, nonrepudiation, protection of audit information, audit record retention, and session audit. These allow you to trace events back to a specific user, device, or process.
 

Discover Our NIST SP 800-171 Solutions:

 /assets/images/compliance_accelerator_white.png

Compliance Accelerator

For contractors seeking compliance
 /assets/images/quantum_assessor_white.png

Quantum Assessor

For IT service providers
 /assets/images/supply_chain_logo_white.png

Supply Chain Verifier

For contractors seeking to verify partner compliance