
IT/IM DIRECTIVE
PROCEDURE

Information Security – Audit and Accountability Procedures

Directive No: CIO 2150-P-03.3
CIO Approval: August 2019
Review Date: August 2021

Issued by the EPA Chief Information Officer,
Pursuant to Delegation 1-19, dated 07/07/2005

Information Security – Audit and Accountability Procedures

1. PURPOSE

To implement the security control requirements for the Audit and Accountability (AU) control family, as identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

2. SCOPE

The procedures cover all EPA information and information systems, to include information and information systems used, managed, or operated by a contractor, another agency, or another organization on behalf of the agency.

The procedures apply to all EPA employees, contractors, and all other users of EPA information and information systems that support the operations and assets of the EPA.

3. AUDIENCE

The audience is all EPA employees, contractors, and all other users of EPA information and information systems that support the operations and assets of the EPA.

4. BACKGROUND

Based on federal requirements and mandates, the EPA is responsible for ensuring that all offices within the Agency meet the minimum security requirements defined in the Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems. All EPA information systems shall meet security requirements through the use of the security controls defined in the NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This document addresses the procedures and standards set forth by the EPA, and complies with the family of Audit and Accountability controls.

5. AUTHORITY

E-Government Act of 2002, Public Law 107-347, Title III, Federal Information Security Management Act (FISMA) as amended
Federal Information Security Modernization Act of 2014, Public Law 113-283, to amend chapter 35 of title 44, United States Code (U.S.C.)
Freedom of Information Act (FOIA), 5 U.S.C. § 552, as amended by Public Law 104-231,

Page 1 of 18
Form Rev. 06/18/2019
110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996
Clinger-Cohen Act of 1996, Public Law 104-106
Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3519)
Privacy Act of 1974 (5 USC § 552a) as amended
USA PATRIOT Act of 2001, Public Law 107-56
Code of Federal Regulations, Part 5 Administrative Personnel, Subpart C – Employees Responsible for the Management or Use of Federal Computer Systems, Section 930.301 through 930.305 (5 C.F.R 930.301-305)
Office of Management and Budget (OMB) Memorandum M-06-16, “Protection of Sensitive Agency Information,” June 2006
OMB Circular A-130, “Managing Federal Information as a Strategic Resource,” Appendix I, “Responsibilities for Protecting and Managing Federal Information Resources,” July 2016
Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, May 2001
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
EPA Information Security Program Plan
EPA Information Security Policy
EPA Roles and Responsibilities Procedures
EPA Information Security Continuous Monitoring Strategic Plan
CIO Policy Framework and Numbering System

6. PROCEDURE

The "AU" designator identified in each procedure represents the NIST-specified identifier for the Audit and Accountability control family, as identified in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

AU-2 – Audit Events

For All Information Systems:

1) System Owners (SO), in coordination with Information Owners (IO), for EPA-operated systems, and Service Managers (SM), in coordination with IOs, for systems operated on behalf of the EPA [1], shall ensure that service providers:
   a) Configure information systems to audit for the following events:
      i) The following events shall be identified within server audit logs:
         (1) Server startup and shutdown
         (2) Loading and unloading of services

[1] Information Owners and Service Managers shall follow FedRAMP requirements for all services obtained where EPA information is transmitted, stored, or processed on non-EPA operated systems.
         (3) Installation and removal of software
         (4) System alerts and error messages
         (5) User logon and logoff
         (6) System administration activities
         (7) Accesses to sensitive information, files, and systems
         (8) Account creation, modification, or deletion
         (9) Modifications of privileges and access controls
         (10) Additional security-related events, as required by the SO or to support the nature of the supported business and applications
      ii) The following events shall be identified within application and database audit logs:
         (1) Modifications to the application
         (2) Application alerts and error messages
         (3) User logon and logoff
         (4) System administration activities
         (5) Accesses to information and files
         (6) Account creation, modification, or deletion
         (7) Modifications of privileges and access controls
      iii) The following events shall be identified within network device (e.g., router, firewall, switch, wireless access point) audit logs:
         (1) Device startup and shutdown
         (2) Administrator logon and logoff
         (3) Configuration changes
         (4) Account creation, modification, or deletion
         (5) Modifications of privileges and access controls
         (6) System alerts and error messages
   b) Configure audit logging for desktops in accordance with United States Government Configuration Baseline (USGCB) requirements.
   c) Coordinate the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
   d) Provide rationale as to why the list of auditable events is deemed adequate to support after-the-fact investigations of security incidents.
   e) Configure the information system to be able to adjust depth and breadth of audit logging capabilities to allow for an increase and decrease of these capabilities based on current threat information and ongoing assessment of risk.

AU-2 (1) – Audit Events | Compilation of Audit Events from Multiple Sources

Incorporated into AU-12.

AU-2 (2) – Audit Events | Selection of Audit Events by Component

Incorporated into AU-12.
For FedRAMP [2] Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA [3], shall ensure service providers:
   a) Verify that the information system backs up audit records weekly onto a different system or media than the system being audited.
   b) Review and update audited events annually, or when there is a change in the threat environment.
      i) The Chief Information Security Officer (CISO) shall communicate changes in the threat environment.

AU-2 (3) – Audit Events | Reviews and Updates

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Review and update the list of the auditable events annually, or when a major change to the information system occurs.
      i) When operating in an environment of increased risk, based on current threat information, the list shall be reviewed on a monthly basis as a minimum.
      ii) The list of events to be audited by the information system shall include the execution of privileged functions.

For FedRAMP Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure service providers:
   a) Review and update audited events at least annually, or whenever changes occur within the threat environment.
      i) The CISO shall communicate changes in the threat environment to the service provider.

AU-2 (4) – Audit Events | Privileged Functions

Incorporated into AC-6 (9).

AU-3 – Content of Audit Records

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to generate audit records containing sufficient information to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. At a minimum, the following elements shall be identified within each audit record:
      i) Date and time when the event occurred

[2] The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
[3] Information Owners and Service Managers shall follow FedRAMP requirements for all services obtained where EPA information is transmitted, stored, or processed on non-EPA operated systems.
      ii) The software or hardware component of the information system where the event occurred
      iii) Source of the event (e.g., network address, console)
      iv) Type of event that occurred
      v) Subject identity (e.g., user, device, process context)
      vi) The outcome (i.e., success or failure) of the event
      vii) Security-relevant actions associated with processing

AU-3 (1) – Content of Audit Records | Additional Audit Information

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to generate audit records containing the following additional elements:
      i) Manufacturer-specific event name / type of event
      ii) Source and destination network addresses
      iii) Source and destination port or protocol identifiers
      iv) Outcome of the event
      v) Identity of the user/subject associated with the event

   Note: EPA requires information systems, when system functionality permits, to include more detailed information in the audit records. The detailed information that shall be included may be defined as significant system events or risks.

AU-3 (2) – Content of Audit Records | Centralized Management of Planned Audit Record Content

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Manage the content of audit records generated by defined information system components centrally.

AU-4 – Audit Storage Capacity

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Comply with EPA Records Schedule 1012, Information and Technology Management, for the disposition of historically significant and routine IT management records.
      i) EPA Records Schedule 1012 excludes Information Technology (IT) management logs and records for specific, individual systems (e.g. AQS, CERCLIS), which must be scheduled separately, in coordination with the CISO and associated SOs, IOs, and SMs, for systems operated on behalf of the EPA.
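The AU-3 and AU-3 (1) element lists are the kind of requirement that is easy to assert in a document and easy to miss in a live system, so a reviewer benefits from an automated completeness check over a sample of records. The Python below is an added example, not EPA code or any vendor's tooling. It assumes audit records arrive as JSON lines with the field names shown (the directive names the required elements, not a schema), treats the AU-3 (1) elements as additional requirements for Moderate and High systems, and reports per record which elements are absent or malformed, including a time stamp that lacks the UTC offset AU-8 calls for.

```python
"""Check that audit records carry the elements AU-3 and AU-3(1) require.

Added example, not EPA code. The JSON-lines format and the field names below
are assumptions; the directive names the elements, not a record schema.
"""
import json
from datetime import datetime

# AU-3 baseline elements required of every record (field names are assumed).
AU3_BASE_FIELDS = {
    "timestamp": "date and time when the event occurred",
    "component": "software or hardware component where the event occurred",
    "source": "source of the event (network address, console)",
    "event_type": "type of event that occurred",
    "subject": "subject identity (user, device, process context)",
    "outcome": "outcome (success or failure) of the event",
}

# AU-3(1) additional elements for Moderate and High systems.
AU3_1_EXTRA_FIELDS = {
    "vendor_event_name": "manufacturer-specific event name / type of event",
    "src_addr": "source network address",
    "dst_addr": "destination network address",
    "src_port": "source port or protocol identifier",
    "dst_port": "destination port or protocol identifier",
}


def _valid_timestamp(value):
    """AU-3 i) and AU-8 b): the stamp must carry date and time and map to UTC."""
    try:
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return False
    return ts.tzinfo is not None


def validate_record(record, impact="moderate"):
    """Return the list of problems for one record; an empty list means compliant."""
    problems = []
    required = dict(AU3_BASE_FIELDS)
    if impact in ("moderate", "high"):
        required.update(AU3_1_EXTRA_FIELDS)
    for field, meaning in required.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {field} ({meaning})")
    if "timestamp" in record and not _valid_timestamp(record["timestamp"]):
        problems.append("timestamp lacks date, time or a UTC offset")
    if record.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def validate_log(lines, impact="moderate"):
    """Validate JSON-lines input; returns {line_number: [problems]} for bad records only."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[number] = ["record is not valid JSON"]
            continue
        problems = validate_record(record, impact)
        if problems:
            findings[number] = problems
    return findings


# Constructed sample records: one complete, one with several gaps, one unparseable.
SAMPLE_LOG = [
    '{"timestamp":"2019-08-15T13:05:22Z","component":"sshd","source":"10.0.0.5",'
    '"event_type":"user_logon","subject":"jdoe","outcome":"success",'
    '"vendor_event_name":"USER_LOGIN","src_addr":"10.0.0.5","dst_addr":"10.0.0.20",'
    '"src_port":51422,"dst_port":22}',
    '{"timestamp":"2019-08-15 13:06","component":"sshd","source":"10.0.0.5",'
    '"event_type":"user_logon","subject":"","outcome":"ok"}',
    'not json',
]

if __name__ == "__main__":
    for number, problems in validate_log(SAMPLE_LOG, impact="moderate").items():
        print(f"line {number}:")
        for problem in problems:
            print(f"  - {problem}")
```

Run against a daily sample of exported records, the `impact` argument selects which element set applies; the second sample record shows the usual failure modes together: an empty subject, a local-time stamp with no offset, a free-text outcome, and none of the AU-3 (1) network elements.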
      ii) EPA Records Schedule is found at https://www.epa.gov/records

AU-4 (1) – Audit Storage Capacity | Transfer to Alternate Storage

Not selected as part of the control baseline.

AU-5 – Response to Audit Processing Failures

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure the information system to alert designated officials in the event of an audit failure or when audit capacity is 70%, 80%, and again at 90% utilization automatically. This alert should be distributed by a mechanism that allows system administrators to receive it at any time including after normal working hours (e.g., email, text message).
      i) Once the maximum storage capacity for audit logs is reached or there is an audit failure, the information system shall overwrite the oldest audit records or automatically shut down in an effort to eliminate the chance of an incident in the absence of auditing and accountability.
      ii) When devices cannot generate logs, the information system should be configured to send an alert to system administrators within 2 minutes. Procedures should reflect escalation of priority resolution actions after 24 hours for high information systems.

AU-5 (1) – Response to Audit Processing Failures | Audit Storage Capacity

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to provide a warning to designated officials (to include the system administrator(s), ISSO, ISO and SO) within two minutes when allocated audit record storage volume reaches 70%, 80%, 90% and 100% of repository maximum audit record storage capacity. At 90% and 100% of maximum audit record storage capacity, alerts shall be sent to the SO, ISO and ISSO by the system. Procedures should reflect escalation of priority resolution actions after 24 hours for high-value systems.

AU-5 (2) – Response to Audit Processing Failures | Real-Time Alerts

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to provide an alert within two minutes to System Administrators (SAs), ISSOs, ISOs, and SOs when the system experiences a failure to write to audit logs or overwrite old logs.

AU-5 (3) – Response to Audit Processing Failures | Configurable Traffic Volume Thresholds

Not selected as part of the security control baseline.
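AU-5, AU-5 (1) and AU-5 (2) together specify a small state machine: alert once as each utilization threshold is crossed, escalate at 90% and 100%, and on exhaustion either overwrite the oldest record or stop. The Python below is an added example, not EPA code. The store itself (an in-memory ring of records), the capacity unit (record count) and the notification hook are assumptions; the 70/80/90/100 percent thresholds, the two-minute alert deadline, the recipient roles and the overwrite-or-shut-down choice are taken from the directive text above. The `archive` method models moving records off the audited system, which re-arms the thresholds so the next climb alerts again.

```python
"""Audit storage capacity monitor implementing the AU-5 / AU-5(1) thresholds.

Added example, not EPA code. The store, its capacity unit (record count) and
the notify hook are assumptions; thresholds, deadline, recipients and the
overwrite-or-shutdown policy come from the directive.
"""
from collections import deque

THRESHOLDS = (70, 80, 90, 100)   # percent of maximum audit record storage (AU-5(1))
ESCALATE_FROM = 90               # at 90% and 100% the SO, ISO and ISSO are alerted as well
ALERT_DEADLINE_SECONDS = 120     # AU-5(1)/(2): the warning must be delivered within two minutes
RECIPIENTS = ["SA", "ISSO", "ISO", "SO"]


class AuditStore:
    def __init__(self, capacity, on_full="overwrite", notify=None):
        """on_full selects the AU-5 a) i) behaviour once storage is exhausted:
        'overwrite' drops the oldest record, 'shutdown' refuses further writes."""
        if on_full not in ("overwrite", "shutdown"):
            raise ValueError("on_full must be 'overwrite' or 'shutdown'")
        self.capacity = capacity
        self.on_full = on_full
        self.records = deque()
        self.notify = notify or (lambda alert: None)   # assumed email/SMS sender
        self.alerts = []                 # every alert raised, in order
        self._armed = set(THRESHOLDS)    # thresholds that alert when next crossed
        self.halted = False
        self.overwritten = 0

    def utilization(self):
        """Integer percent of capacity currently in use."""
        return 100 * len(self.records) // self.capacity

    def _raise(self, alert):
        alert["deadline_seconds"] = ALERT_DEADLINE_SECONDS
        alert["recipients"] = list(RECIPIENTS)
        self.alerts.append(alert)
        self.notify(alert)

    def _check_thresholds(self):
        """Alert exactly once per armed threshold that utilization has reached."""
        pct = self.utilization()
        for threshold in sorted(self._armed):
            if pct >= threshold:
                self._armed.discard(threshold)
                self._raise({"kind": "capacity", "threshold": threshold,
                             "utilization": pct, "escalate": threshold >= ESCALATE_FROM})

    def append(self, record):
        """Write one audit record. Returns False when the write is refused (shut down)."""
        if self.halted:
            return False
        if len(self.records) >= self.capacity:
            if self.on_full == "shutdown":
                self.halted = True
                self._raise({"kind": "failure", "escalate": True,
                             "reason": "audit storage exhausted; system halted"})
                return False
            self.records.popleft()        # overwrite the oldest record
            self.overwritten += 1
        self.records.append(record)
        self._check_thresholds()
        return True

    def archive(self, count):
        """Move the oldest `count` records off the audited system (AU-9(2)) and
        re-arm every threshold that utilization has now dropped below."""
        moved = [self.records.popleft() for _ in range(min(count, len(self.records)))]
        pct = self.utilization()
        self._armed.update(t for t in THRESHOLDS if pct < t)
        return moved


if __name__ == "__main__":
    store = AuditStore(capacity=10, notify=lambda a: print("ALERT", a))
    for i in range(11):                  # constructed records: the 11th overwrites the 1st
        store.append({"id": i})
    print("overwritten:", store.overwritten, "utilization:", store.utilization())
```

The `escalate` flag is what a real notifier would use to widen distribution at 90% and 100%; the `deadline_seconds` field carries the two-minute delivery requirement to whatever transport is used, so that the monitoring pipeline, not the human reader, is accountable for meeting it.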
AU-5 (4) – Response to Audit Processing Failures | Shutdown on Failure

Not selected as part of the security control baseline.

AU-6 – Audit Review, Analysis, and Reporting

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Review and analyze audit logs and records weekly for the following:
      i) Indications of inappropriate or unusual activity.
      ii) Assurance that logging is functioning properly.
      iii) Adherence to logging standards identified in this procedure.
   b) Adhere to the following review and analysis requirements:
      i) Logs on critical systems shall be reviewed daily.
      ii) The level of audit review, analysis, and reporting may be adjusted if there is a change in risk to organizational operations, assets, or personnel. Adjustments shall be based upon advisories and warnings such as those provided by the National Terrorism Advisory System, or EPA internal advisory mechanisms.
      iii) Logs for firewalls, routers, and other network devices shall be time-correlated (to within 30 seconds) with logs of other critical systems and examined daily to determine if any incidents have occurred.
      iv) All other logs, including access server logs, shall be reviewed weekly.
      v) Logs identifying Personally Identifiable Information (PII) access and extracts shall be reviewed monthly.
         (1) For information systems containing PII, the monthly review of audit logs will assist in determining what data extracts shall be deleted.
   c) Review audit logs for logons, logoffs, and accesses to systems weekly.
   d) Ensure all staff involved with log management responsibilities are trained on how to review and analyze audit logs, and how to report incidents when applicable.
      i) Personnel performing the review shall have the level of background screening equivalent to the information system’s sensitivity.
   e) Ensure personnel report findings to Information Security Officers (ISOs).
      i) ISOs shall promptly report findings to EPA Computer Security Incident Response Capability (CSIRC), which may escalate the incident to United States Computer Emergency Readiness Team (US-CERT).
         (1) CSIRC may notify law enforcement about the incident.
      ii) The appropriate actions, including notification of local legal counsel, the Office of Inspector General (OIG), and local and federal law enforcement officials, shall be coordinated when investigations reveal that the incident is a prosecutable offense under statutes.
      iii) Additionally, anomalies shall be reported in accordance with EPA incident reporting requirements and procedures.
         (1) Refer to the EPA Information Security – Incident Response Procedures for requirements on incident reporting.
      iv) If the investigation reveals an exploitable system or procedural vulnerability, coordination shall occur between the appropriate management and technical personnel to ensure that the vulnerability is addressed.

AU-6 (1) – Audit Review, Analysis and Reporting | Process Integration

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support EPA processes [4] for investigation and response to suspicious activities.

For FedRAMP Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure service providers:
   a) Employ automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
   b) Analyze and correlate audit records across different audit repositories to gain situational awareness.

[4] EPA processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

AU-6 (2) – Audit Review, Analysis and Reporting | Automated Security Alerts

Incorporated into SI-4.

AU-6 (3) – Audit Review, Analysis and Reporting | Correlate Audit Repositories

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Analyze and correlate audit records across different repositories to gain EPA-wide situational awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system).

For FedRAMP Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure service providers:
   a) Analyze and correlate audit records across different repositories to gain EPA-wide situational awareness.

AU-6 (4) – Audit Review, Analysis and Reporting | Central Review and Analysis

Not selected as part of the security control baseline.

AU-6 (5) – Audit Review, Analysis and Reporting | Scanning and Monitoring Capabilities

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Integrate analysis of audit records with analysis of vulnerability scan information, performance data, information system and insider threat monitoring information, monitoring information from scanning and Intrusion Detection and Prevention System (IDPS) tools, and data/information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
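AU-6 b) iii) and AU-6 (3) ask for network-device logs to be time-correlated to within 30 seconds with critical-system logs and examined daily, which in practice means parsing two differently formatted sources into a common UTC time base and pairing events that fall inside the window. The Python below is an added example, not EPA code. The two log formats and every line in them are constructed; the 30-second window comes from the directive, while the pairing rule (same source address within the window) and the "examine" criterion (a logon on the server with a firewall DENY from the same source inside the window) are assumptions chosen for illustration. Events with no correlated firewall record are reported separately, since they are as often a clock-skew or logging-coverage problem (AU-6 a) ii)) as a real gap.

```python
"""Time-correlate network-device logs with critical-system logs (AU-6 b) iii)).

Added example, not EPA code. Log formats and lines are constructed; the
30-second window is from the directive; the pairing rule is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=30)   # AU-6 b) iii): correlate to within 30 seconds

# Constructed sample logs. Both sources stamp in UTC, as AU-8 b) requires.
FIREWALL_LOG = """\
2019-08-15T13:05:25Z fw01 DENY src=198.51.100.7 dst=10.0.0.20 dport=22
2019-08-15T13:05:30Z fw01 ALLOW src=198.51.100.7 dst=10.0.0.20 dport=22
2019-08-15T13:40:00Z fw01 ALLOW src=10.0.0.9 dst=10.0.0.20 dport=443
"""
SERVER_LOG = """\
2019-08-15T13:05:45Z srv20 sshd logon user=admin src=198.51.100.7 outcome=failure
2019-08-15T13:05:49Z srv20 sshd logon user=admin src=198.51.100.7 outcome=success
2019-08-15T13:55:00Z srv20 sshd logon user=jdoe src=10.0.0.9 outcome=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Parse 'timestamp host action ... key=value ...' lines into dicts keyed on a UTC datetime."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        fields = dict(KV_RE.findall(match["rest"]))
        events.append({"ts": ts, "host": match["host"],
                       "action": match["rest"].split()[0], "raw": line, **fields})
    return events


def correlate(fw_events, srv_events, window=WINDOW):
    """For each server event, collect firewall events from the same source address
    whose time stamps lie within `window`. Returns [(server_event, [firewall_events])]."""
    pairs = []
    for srv in srv_events:
        matches = [fw for fw in fw_events
                   if fw.get("src") == srv.get("src") and abs(fw["ts"] - srv["ts"]) <= window]
        pairs.append((srv, matches))
    return pairs


def review(fw_text, srv_text, window=WINDOW):
    """Daily review output: server events with a correlated firewall DENY from the
    same source ('examine') and server events with no correlated firewall record
    at all ('uncorrelated': check clock sync and logging coverage before anything else)."""
    fw_events, srv_events = parse(fw_text), parse(srv_text)
    examine, uncorrelated = [], []
    for srv, matches in correlate(fw_events, srv_events, window):
        if not matches:
            uncorrelated.append(srv)
        elif any(fw["action"] == "DENY" for fw in matches):
            examine.append(srv)
    return {"examine": examine, "uncorrelated": uncorrelated}


if __name__ == "__main__":
    result = review(FIREWALL_LOG, SERVER_LOG)
    for label, events in result.items():
        print(label)
        for event in events:
            print("  ", event["raw"])
```

Widening or narrowing `window` shows why the 30-second accuracy in AU-8 matters: with a 10-second window the same two admin logons no longer correlate with the DENY at all, so clock drift between the firewall and the server silently empties the daily review.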
AU-6 (6) – Audit Review, Analysis and Reporting | Correlation with Physical Monitoring

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

AU-6 (7) – Audit Review, Analysis and Reporting | Permitted Actions

Not selected as part of the security control baseline.

AU-6 (8) – Audit Review, Analysis and Reporting | Full Text Analysis of Privileged Commands

Not selected as part of the security control baseline.

AU-6 (9) – Audit Review, Analysis and Reporting | Correlation with Information from Non-technical Sources

Not selected as part of the security control baseline.

AU-6 (10) – Audit Review, Analysis and Reporting | Audit Level Adjustment

Not selected as part of the security control baseline.

AU-7 – Audit Reduction and Report Generation

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure the information system to provide an audit reduction [5] and report generation capability that:
      i) Supports near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents; and
      ii) Does not alter the original content or time recording of audit records.

[5] Audit reduction includes using tools and techniques that reduce audit data in order to save storage space and to extract more useful and readable data for the review process.

AU-7 (1) – Audit Reduction and Report Generation | Automatic Processing

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Employ automated tools to review audit records. The following audit analysis tools may be used:
      i) Audit analysis tools based on attack signature, variance techniques, and audit reduction methodologies to detect intrusion
      ii) Data reduction audit tools to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data
      iii) Query applications that have the ability to query an audit log by username, location, application name, date, and time, or other applicable parameters, and have the ability to execute reports with the results of the query
   b) Ensure information systems provide the capability to process audit records for events of interest based on selectable event criteria including event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed.

AU-7 (2) – Audit Reduction and Report Generation | Automatic Sort and Search

Not selected as part of the security control baseline.

AU-8 – Time Stamps

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to use internal system clocks to generate time stamps for audit records.
      i) Time stamps generated by the information system shall include both the date and time.
   b) Configure information systems to record time stamps that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet thirty (30) seconds accuracy (i.e., the degree of synchronization between information system clocks and reference clocks).

AU-8 (1) – Time Stamps | Synchronization with Authoritative Time Source

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to synchronize internal information system clocks at least daily with EPA’s defined authoritative time source to ensure that time stamps in audit records are as accurate as possible and correlated across different systems or system components. EPA time sources will synchronize to stratum 1 Network Time Protocol (NTP) servers.
   b) Configure information systems to synchronize the internal system clocks to the authoritative time source when the time difference is greater than 30 seconds.

For FedRAMP Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure service providers:
   a) Ensure the information system is configured to compare the internal information system clocks with primary and secondary timeservers used by the NIST Internet time service using NTP.
      i) The secondary server is selected from a different geographic region than the primary server; the service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
   b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than 30 seconds.

AU-8 (2) – Time Stamps | Secondary Authoritative Time Source

Not selected as part of the security control baseline.

AU-9 – Protection of Audit Information

For All Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Protect audit information [6] and audit tools from unauthorized modification, access, or destruction while online and during offline storage.
   b) Rotate log files to a system other than their source system.

[6] Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

AU-9 (1) – Protection of Audit Information | Hardware Write-Once Media

Not selected as part of the security control baseline.

AU-9 (2) – Protection of Audit Information | Audit Backup on Separate Physical Systems / Components

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Configure information systems to back up audit records nightly onto a physically different system or system component than the system or component being audited.

For FedRAMP Moderate Information Systems:

1) SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure service providers:
   a) Ensure the information system backs up audit records onto a physically different system or system component than the system or component being audited at least weekly.

AU-9 (3) – Protection of Audit Information | Cryptographic Protection

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Implement cryptographic [7] mechanisms on information systems to protect the integrity of audit information and audit tools.

AU-9 (4) – Protection of Audit Information | Access by Subset of Privileged Users

For Moderate and High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operated on behalf of the EPA, shall ensure that service providers:
   a) Authorize access to management of audit functionality to only SOs, authorized system administrators, and the designated security officials.

AU-9 (5) – Protection of Audit Information | Dual Authorization

Not selected as part of the security control baseline.

AU-9 (6) – Protection of Audit Information | Read-Only Access

Not selected as part of the security control baseline.

AU-10 – Non-repudiation

For High Information Systems:

1) SOs, in coordination with IOs, for EPA-operated systems, and SMs, in coordination with IOs, for systems operat
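AU-9 (3) requires cryptographic mechanisms that protect the integrity of audit information but, like NIST SP 800-53, names no particular scheme. One construction a practitioner reaches for is an HMAC-sealed hash chain: every entry's MAC covers the previous entry's MAC, so editing, deleting, inserting or reordering a record breaks verification. The Python below is an added example, not EPA code. The chain layout, the key handling and the sample records are assumptions and constructed data; the key and the latest chain head are assumed to be held on a separate system, which is what AU-9 (2)'s off-box backup provides, because without an off-box head a chain cannot detect silent truncation of its tail (the last assertion in the usage note shows exactly that gap).

```python
"""Hash-chained, HMAC-sealed audit records: one way to meet AU-9(3).

Added example, not EPA code. The chain layout, key handling and sample data
are assumptions; the directive requires cryptographic integrity, not a scheme.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev value of the first entry (anchor of the chain)

# Constructed data. A production key comes from a KMS or HSM on a separate
# system, never from source code or the audited host.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORDS = [
    {"ts": "2019-08-15T13:05:22Z", "event_type": "user_logon", "subject": "jdoe", "outcome": "success"},
    {"ts": "2019-08-15T13:06:10Z", "event_type": "privilege_change", "subject": "jdoe", "outcome": "failure"},
    {"ts": "2019-08-15T13:20:00Z", "event_type": "user_logoff", "subject": "jdoe", "outcome": "success"},
]


def _canonical(obj):
    """Deterministic serialization so the MAC does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, entry_without_mac):
    return hmac.new(key, _canonical(entry_without_mac), hashlib.sha256).hexdigest()


def seal(key, records):
    """Wrap records into chain entries {seq, prev, record, mac}. Each MAC covers
    the previous MAC, so any change to an earlier entry breaks every later one."""
    chain, prev = [], GENESIS
    for seq, rec in enumerate(records):
        entry = {"seq": seq, "prev": prev, "record": rec}
        entry["mac"] = _mac(key, entry)
        chain.append(entry)
        prev = entry["mac"]
    return chain


def verify(key, chain, expected_head=None):
    """Return (ok, problems). expected_head is the last MAC as recorded off-box;
    without it, removal of entries from the tail is undetectable."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), entry.get("mac", "")):
            problems.append(f"entry {i}: MAC mismatch (record or header altered)")
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence gap (expected {i}, found {entry.get('seq')})")
        if entry.get("prev") != prev:
            problems.append(f"entry {i}: chain break (prev does not match previous MAC)")
        prev = entry.get("mac", "")
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        problems.append("head mismatch: log truncated or diverged from the off-box head")
    return (not problems, problems)


if __name__ == "__main__":
    chain = seal(DEMO_KEY, SAMPLE_RECORDS)
    print("intact:", verify(DEMO_KEY, chain, expected_head=chain[-1]["mac"]))
    print("tail removed, no off-box head:", verify(DEMO_KEY, chain[:2]))
    print("tail removed, with off-box head:", verify(DEMO_KEY, chain[:2], expected_head=chain[-1]["mac"]))
```

Verification should run on the separate system that holds the key (AU-9 (4) limits audit-management access to a subset of privileged users, and a host that can write its own logs must not be able to re-seal them), and the head MAC should be shipped with each nightly or weekly backup so that `expected_head` is always available at review time.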