FedRAMP - Response to Audit Processing Failures AU-5

Overview:
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Supplemental Guidance:
Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Related controls: AU-4, SI-12.

Action Items:
1) Ensure alerts are triggered in the event of an audit processing failures and the appropriate actions are taken

Related Documents:
1) Audit and Accountability Policy

2) Logging and Monitoring Policy

Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
AU-5 (b) [organization-defined actions to be taken (overwrite oldest record)

Moderate Additional FedRAMP Requirements and Guidance
none