Audit and Accountability Plan

Approach basics → §4.x

SIEM tooling, ingestion pipeline, and where audit records ultimately land.

SIEM / log aggregation system of record * Authoritative platform for audit records (e.g., Splunk Enterprise Security, Microsoft Sentinel, Elastic Security, Sumo Logic, Chronicle, Graylog, AWS CloudWatch + Athena).

Log destinations / forwarding architecture How audit records get from generators to the SIEM. Mention agents (Splunk Universal Forwarder, Fluent Bit, Vector), kinesis / kafka pipelines, syslog relays, and any intermediate parsing.

Log format / standard — Select — JSON (structured) CEF (Common Event Format) LEEF (Log Event Extended Format) OCSF (Open Cybersecurity Schema Framework) Syslog (RFC 5424) Mixed (specify in narrative) Primary log encoding the SIEM ingests. JSON or OCSF is increasingly common for structured analytics.

Log protection one-liner Brief phrase describing protection (e.g., 'WORM-tier S3 + KMS encryption + RBAC restricting log access to the SOC group'). Detailed approach goes in the dedicated sub-section.

Event Inventory → §4.x

What categories of events are logged, and what data each record carries.

Event categories logged

Authentication (success + failure) Authorization decisions (deny + privileged grant) Account management (create / modify / disable / delete) Privileged command execution Configuration changes Data access (read / write to sensitive data) Network connections (inbound + outbound) Cryptographic operations Audit-system events (start / stop / config change) Object access (file / database / object-store) Process creation / termination Vulnerability scans Antivirus / EDR detections

Required fields in each audit record

Timestamp (UTC, ISO-8601 with millisecond precision) Event type / event ID Source identifier (host, container, function) User identifier (subject) Outcome (success / failure / deny) Object affected (target) Source IP / port Process / parent process Session / correlation ID Severity

Cadence for reviewing the auditable-event list itself — Select — Quarterly Semi-annually Annually On material system change AU-2 requires periodic review of which events are logged. Most plans review annually + on material change.

Log Protection → §4.x

Tamper protection, access controls, and encryption for audit records.

Tamper-protection mechanism How audit records are protected from unauthorized modification (WORM storage, hash chains, signed batches, immutable object lock).

Who can read / search / export audit records Roles with each level of access. Reference AC-5 separation-of-duties — audit reviewers should not have administrative authority over the audit system itself.

Encryption at rest Mechanism + key custody (e.g., 'AWS KMS customer-managed key in the SOC account; key admin separated from log readers').

Encryption in transit Transport security between log sources, forwarders, and SIEM (TLS 1.2+ with mutual authentication preferred).

Log Review and Analysis → §4.x

Automated correlation, manual review, and SOC integration.

Automated review (SIEM correlation rules / UEBA) Categories of automated rules (failed-auth threshold, privilege escalation, data exfiltration patterns) and where they're authored / tuned.

Manual review cadence — Select — Continuous (24/7 SOC) Daily Weekly Monthly Triggered by alert

Responsible role for review Role accountable for ensuring review happens (often 'Tier 2 SOC analyst' or 'ISSO + SOC partnership').

Escalation path What happens when review surfaces a probable incident — who's paged, what's logged in the IR tracker, who can authorize containment.

Audit Failure Response → §4.x

What the system does when audit-logging itself fails (AU-5).

Action on audit-logging failure — Select — Block (system fails closed; no further activity until logging restored) Alert + continue (system logs to backup channel; on-call paged) Alert + degrade (some functions disabled until logging restored) Best effort (note in record once restored — generally not acceptable for ATO)

Alert target Who is paged on audit failure (PagerDuty rotation, security email distribution).

Storage-capacity warning threshold Free space remaining that triggers a warning (e.g., '20% free' or '7 days of headroom at current ingest rate').

Privacy and Redaction → §4.x

What the system masks or redacts in audit records to balance investigative value with privacy.

Fields masked / redacted before storage

PII (SSN, DOB, full name) PHI (health information) Payment data (PAN, CVV) Passwords / authenticators (always redacted) Session tokens Customer email addresses (where applicable) Internal IP addresses Cryptographic key material

Redaction mechanism Where redaction occurs (forwarder vs SIEM ingestion pipeline). Hash vs replace-with-token vs remove.

Privacy framework reference Pointer to the privacy assessment (PIA / SORN reference) governing audit-record handling.

Audit Volume and Scope → §2.x

Order-of-magnitude scope of the audit pipeline.

Approximate log source count How many distinct sources feed the SIEM (hosts, containers, applications, network appliances).

Approximate daily event volume Order of magnitude (e.g., '~10M events/day', '~50 GB ingest/day').

Peak burst factor Multiple of baseline volume seen at peak (e.g., '3x normal during patch Tuesday').

Retention and Storage Strategy → §6.x

Online vs cold-archive split, retention period, and storage tiers.

Online (hot) retention period How long records remain queryable in the SIEM without restore (e.g., '90 days').

Cold archive retention period How long records remain in cold storage before destruction (e.g., '7 years per NARA GRS 4.2').

Total retention period (one-line for §4 narrative) Combined online + archive period in narrative form (e.g., '90 days online + 7 years cold archive').

Storage tier(s) used Storage classes: hot (S3 Standard / Splunk indexer), warm (S3 IA), cold (S3 Glacier Deep Archive / Azure Archive).

Records destruction process How records are destroyed at end of retention. Verification / certificate of destruction. References NARA schedule if federal.

Time Synchronization → §6.x

Authoritative time source and accuracy verification (AU-8).

Authoritative time source Stratum-1/2 NTP server or vendor service (e.g., 'Internal Stratum-2 NTP servers synced to USNO Master Clock', 'AWS Time Sync Service').

Maximum allowed drift Threshold beyond which a host is flagged (e.g., '100 ms').

Drift monitoring approach How drift is detected and remediated (SIEM rule, daily script, NTP-monitor integration).

Audit Metrics & KPIs → §6.x

Metrics tracked to demonstrate AU control effectiveness over time.

Tracked metrics

Add item

Suggested: + Ingestion lag (median + P95) + Dropped-event count (target: 0) + % sources reporting in last hour + Storage headroom (days remaining) + Time-drift violations per quarter + Mean time to detect (MTTD) + Mean time to acknowledge alerts + % alerts triaged within SLA + Audit-system uptime

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the AU control implementations are summarized (e.g., 'SSP §13.3').

POA&M ID prefix for AU findings Convention for AU-related POA&M items (e.g., 'POAM-AU-').

AC family event sourcing How authentication / authorization events from the AC family land in the audit pipeline. Pointer to the AC plan if separate.

SI-4 alerting integration How audit detections feed System Monitoring (SI-4). Reference SOAR playbook locations.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying AU continuous-monitoring activities to the broader ConMon plan.