NIST 800-171 3.3 - Audit and Accountability

The National Institute of Standards and Technology (NIST) Special Publication 800-171 Audit reports provide documentation and compliance artifacts that help you demonstrate compliance with the requirements outlined by NIST 800-171.

The NIST 800-171 3.3 - Audit and Accountability report provides links to log search, notifications, log review and event analysis reporting, file integrity monitoring, dashboards, and incident response features in the Alert Logic console that help demonstrate compliance with the following NIST 800-171 Basic Security and Derived Security Requirements:

  • Basic Security Requirements 3.3.1 and 3.3.2
  • Derived Security Requirements 3.3.3, 3.3.4, 3.3.5, and 3.3.8

To access the NIST 800-171 3.3 - Audit and Accountability report:

  1. In the Alert Logic console, click the menu icon (), and then click Validate.
  2. Click Reports, and then click Compliance.
  3. Under NIST 800 171 Audit, click VIEW.
  4. Click NIST 800-171 3.3 - Audit and Accountability.

The report summary page displays two columns. Basic Security Requirements and Derived Security Requirements list specific requirements from the NIST 800-171 family for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Available Documentation and Artifacts describes and contains links to the documentation and compliance artifacts that this report can generate to meet each requirement.

Filter the report

To refine your findings, you can filter your report by date range and customer account.

Filter the report using drop-down menus

By default, Alert Logic includes (All) values for most filters in the report.

To add or remove filter values:

  1. Click the drop-down menu in the filter, and then select or clear values.
  2. Click Apply.

Schedule the report

After you finish setting up the report, you can use CREATE REPORT to run it periodically and subscribe users or an integration (such as a webhook) to receive a notification when the report is generated. To learn how to schedule the report and subscribe notification recipients, see Scheduled Reports and Notifications.

Basic Security Requirements 3.3.1 and 3.3.2

Derived Security Requirement 3.3.1 requires you to create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

This section provides links to access the Alert Logic Log Search page. You can use the date range menu on the page to search and display log messages received on or before the date a year from the current date. For more information about searching log messages, see Get Started with Search.

Derived Security Requirement 3.3.3

Derived Security Requirement 3.3.3 requires you to review and update logged events.

This section provides a link to the Search tab of the Search page, where a prepopulated query will search for a breakdown of log message types for a specific time range. For more information about searching log messages in the Search page, see Search Expert Mode .

Derived Security Requirement 3.3.4

Derived Security Requirement 3.3.4 requires alerts in the event of an audit logging process failure.

This section provides links to the Notifications page in the Alert Logic console, where you can access alert notifications for health status alerts, including network coverage, collection issues, and hosts with no agents installed. For more information, see Notifications.

Derived Security Requirement 3.3.5

Derived Security Requirement 3.3.5 requires correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

This section provides links to the following pages for quick access to appropriate features in the Alert Logic console that help demonstrate compliance with the requirement:

  • Monthly Log Review Report—From this page, you can review security anomalies detected from monitored logs across your environment. For more information about the Monthly Log Review Analysis report, see Monthly Log Review Report.
  • Event Analysis Report—From this page, you can review summary, distribution, and trending data for security events detected across your environment. For more information about Event Analysis reports, see Event Analysis.
  • Incidents Page—From this page, you can review security incidents in your environment and the actions taken in response. For more information about incidents and response actions, see Incidents.

Derived Security Requirement 3.3.8

Derived Security Requirement 3.3.8 requires you to protect audit information and audit logging tools from unauthorized access, modification, and deletion.

This section provides links to the following pages for quick access to appropriate features in the Alert Logic console that help demonstrate compliance with the requirement:

  • Log Search Page—From this page, a prepopulated query will search logs for message types related to message types containing "Log Cleared", "Stop Logging" or "Monitoring Failed". For more information about searching log messages, see Get Started with Search.
  • Deployments Page—From this page, you can click a deployment to view the current File Integrity Monitoring (FIM) configuration. For more information about File Integrity Monitoring (FIM) page, see File Integrity Monitoring .
  • File Integrity Monitoring Dashboard—From this page, you can view or export file monitoring events. For more information about File Integrity Monitoring (FIM) Dashboard, see File Integrity Monitoring Dashboard .