catalog: SP800-53rev3 / class: Technical / family: (AU) Audit and Accountability
AU-10: Non-repudiation

base control objective:
The information system protects against an individual falsely denying having performed a particular action.

supplemental objective information:
Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

enhancements to the base objective:

(1) The information system associates the identity of the information producer with the information.

Enhancement Supplemental Guidance: This control enhancement supports audit requirements that provide appropriate organizational officials the means to identify who produced specific information in the event of an information transfer. The nature and strength of the binding between the information producer and the information are determined and approved by the appropriate organizational officials based on the security categorization of the information and relevant risk factors.

(2) The information system validates the binding of the information producer’s identity to the information.

Enhancement Supplemental Guidance: This control enhancement is intended to mitigate the risk that information is modified between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums.

(3) The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

Enhancement Supplemental Guidance: If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the information system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, this control enhancement provides appropriate organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, this control enhancement helps ensure that only approved review functions are employed.

(4) The information system validates the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.

Enhancement Supplemental Guidance: This control enhancement is intended to mitigate the risk that information is modified between review and transfer/release.

(5) The organization employs [Selection: FIPS 140-2 validated; NSA-approved] cryptography to implement digital signatures.
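The enhancements above describe two bindings and two validation points: the producer's identity is bound to the information (1) and validated before review (2); the reviewer's identity is then added to the chain of custody (3) and both bindings are validated at the release point (4). The following Go program is an added example, not part of SP800-53 or any NIST publication. It uses digital signatures, the mechanism named in the supplemental guidance, to implement those four steps. Assumptions: Ed25519 from the Go standard library is used purely for illustration (the algorithm and module selection in enhancement (5) is a separate organizational decision), principal names and the record contents are constructed, and a simple in-memory TrustStore stands in for the PKI that would normally certify which public key belongs to which principal.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity pairs a named principal with its signing key. In a deployment a
// certificate would bind Name to Pub; in this constructed example the verifier
// simply holds a TrustStore of the public keys it accepts.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// TrustStore maps principal names to the public keys the verifier trusts.
type TrustStore map[string]ed25519.PublicKey

func NewIdentity(name string) (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	return Identity{Name: name, Pub: pub, priv: priv}, nil
}

func NewTrustStore(ids ...Identity) TrustStore {
	ts := TrustStore{}
	for _, id := range ids {
		ts[id.Name] = id.Pub
	}
	return ts
}

// ProducedRecord binds the producer's identity to the information: AU-10(1).
type ProducedRecord struct {
	Producer  string
	Content   []byte
	Signature []byte
}

// ReleaseRecord extends the chain of custody with the reviewer: AU-10(3).
// The reviewer signs over the producer's record, its signature included.
type ReleaseRecord struct {
	Record    ProducedRecord
	Reviewer  string
	Signature []byte
}

// producerMessage is the exact byte string the producer signs. Fields are
// length-prefixed so bytes cannot be shifted between identity and content
// without changing the signed message.
func producerMessage(producer string, content []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "AU10-PRODUCE|%d|%s|%d|", len(producer), producer, len(content))
	b.Write(content)
	return b.Bytes()
}

func reviewerMessage(r ProducedRecord, reviewer string) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "AU10-REVIEW|%d|%s|", len(reviewer), reviewer)
	b.Write(producerMessage(r.Producer, r.Content))
	b.Write(r.Signature)
	return b.Bytes()
}

// Produce creates a record whose signature binds producer and content.
func Produce(p Identity, content []byte) ProducedRecord {
	c := append([]byte(nil), content...)
	return ProducedRecord{Producer: p.Name, Content: c,
		Signature: ed25519.Sign(p.priv, producerMessage(p.Name, c))}
}

// VerifyProduced validates the producer binding: AU-10(2). Content altered
// after production, or a producer name swapped for another principal's, fails.
func VerifyProduced(ts TrustStore, r ProducedRecord) bool {
	pub, ok := ts[r.Producer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, producerMessage(r.Producer, r.Content), r.Signature)
}

// Review refuses a record whose producer binding does not validate, then adds
// the reviewer's signature to the chain of custody.
func Review(rev Identity, ts TrustStore, r ProducedRecord) (ReleaseRecord, error) {
	if !VerifyProduced(ts, r) {
		return ReleaseRecord{}, fmt.Errorf("producer binding for %q failed; not reviewed", r.Producer)
	}
	return ReleaseRecord{Record: r, Reviewer: rev.Name,
		Signature: ed25519.Sign(rev.priv, reviewerMessage(r, rev.Name))}, nil
}

// VerifyRelease is the check at the transfer/release point: AU-10(4). Both
// bindings must hold over the same bytes, so modification between review and
// release is detected, as is a reviewer the release point does not trust.
func VerifyRelease(ts TrustStore, rr ReleaseRecord) bool {
	if !VerifyProduced(ts, rr.Record) {
		return false
	}
	pub, ok := ts[rr.Reviewer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, reviewerMessage(rr.Record, rr.Reviewer), rr.Signature)
}

func main() {
	alice, _ := NewIdentity("alice")
	bob, _ := NewIdentity("bob")
	ts := NewTrustStore(alice, bob)
	rec := Produce(alice, []byte("approve procurement request PR-0001")) // constructed content
	rel, err := Review(bob, ts, rec)
	fmt.Println("release valid:", err == nil && VerifyRelease(ts, rel))
	rel.Record.Content = []byte("approve procurement request PR-9999") // changed after review
	fmt.Println("release valid after modification:", VerifyRelease(ts, rel))
}
```

Two points worth noting against the referenced documents. The reviewer signs over the producer's signature, not just the content, so the release check establishes the full chain rather than two independent facts. And although FIPS 198 (HMAC) is listed among the references, a keyed hash alone does not give non-repudiation: any holder of the shared key could have produced the tag, so either party can deny authorship. A per-principal private key, as used here, is what makes the binding attributable to one individual.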

mapping to FIPS199 baseline:

LOW: not selected    MOD: not selected    HIGH: base

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for AU-10:

Document          Date            Status   Title
FIPS 198          July, 2008      current  The Keyed-Hash Message Authentication Code (HMAC)
NIST SP800-107    August, 2012    current  Recommendation for Applications Using Approved Hash Algorithms
NIST SP800-49     November, 2002  current  Federal S/MIME V3 Client Profile
NIST SP800-52     June, 2005      current  Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
NIST SP800-89     November, 2006  current  Recommendation for Obtaining Assurances for Digital Signature Applications
NIST SP800-95     August, 2006    DRAFT    Guide to Secure Web Services
