Continuing the Top 10 Failed Requirements for 800-171! Onward to #7: 3.3.4 “Alert in the event of an audit logging process failure.”
Sit with me while I tell a story…
An organization discovers that they were breached because government secrets are being sold on the dark web.
DC3 incident response teams are called; they start digging into the logs to find out what happened. But they are immediately stymied – there are no logs from the firewall or servers.
The organization’s system administrators claim that they set up logs in the past. No one knows whether the bad guys turned off the logs, or if they broke on their own. Either way, they have no logs.
And that is how new requirements are born. (sigh)
For 3.3.4, we expect an organization to set up push alerts which go to the correct people when audit logs drop below an expected level.
Let’s dissect this.
Push alerts: You can’t go manually check if logs came in. An alert, email, notification, text, ticket, etc., must be generated and sent to a responsible person or team.
Go to the correct people: When being assessed, a great piece of evidence is showing an alert for audit log failure coming in to the person who is identified as responsible for fixing audit log issues.
Drop below an expected level: Assessors understand that some of your systems are 24×7 and some of them are 8×5. For the systems that are 24×7, you should absolutely have individual alerts for each system set up. Think firewalls and servers. For systems that are part-time (laptops), you may need to get inventive. For both situations, you should identify thresholds for what is “normal” log generation.
For example, you could create a logic rule: your firewall should generate at least 10,000 events per day. If it drops below that level, send an alert to the security team.
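The threshold rule above, carried through as an added example (not code from the post): a small Python check that counts events per log source for one day, compares each inventoried source against its own floor, skips part-time (8×5) systems on non-business days, and builds the alert text for the responsible owner. The log line format, the source names, the thresholds and the owner names are all constructed for the example. The one design point worth noticing is that the check walks the inventory rather than the sources that happened to show up, so a source that goes completely silent (the failure in the story) still raises an alert instead of quietly disappearing from the report.

```python
"""Audit-log volume check for 800-171 3.3.4 (added example, constructed data).

Assumptions (not from the post): each log line looks like
"<ISO timestamp> <source> <message>"; INVENTORY maps every log source to a
minimum daily event count, a schedule ("24x7" or "8x5") and an owner to notify.
"""
from collections import Counter
from datetime import date, datetime

# Hypothetical inventory of log sources. The check iterates over THIS, not over
# the sources seen in the log, so a source that sends nothing still gets an alert.
INVENTORY = {
    "fw-edge-1":  {"min_events_per_day": 10000, "schedule": "24x7", "owner": "security-team"},
    "srv-file-1": {"min_events_per_day": 500,   "schedule": "24x7", "owner": "sysadmins"},
    "lt-alice":   {"min_events_per_day": 50,    "schedule": "8x5",  "owner": "helpdesk"},
}


def make_sample_log(day_iso, events_by_source):
    """Build constructed sample log text with n events per source on the given day."""
    lines = []
    for source, n in events_by_source.items():
        for i in range(n):
            lines.append(f"{day_iso}T00:00:{i % 60:02d} {source} event-{i}")
    return "\n".join(lines)


def count_events_per_source(log_text, day_iso):
    """Count events per source for one calendar day; malformed lines are ignored."""
    day = date.fromisoformat(day_iso)
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        if ts.date() == day:
            counts[parts[1]] += 1
    return counts


def is_business_day(day_iso):
    """Monday..Friday count as business days for 8x5 systems."""
    return date.fromisoformat(day_iso).weekday() < 5


def check_audit_log_volume(log_text, day_iso, inventory=INVENTORY):
    """Return one alert dict per inventoried source whose daily volume is below its floor."""
    counts = count_events_per_source(log_text, day_iso)
    alerts = []
    for source, policy in inventory.items():
        # Part-time systems (laptops) are only expected to log on business days.
        if policy["schedule"] == "8x5" and not is_business_day(day_iso):
            continue
        seen = counts.get(source, 0)  # absent source -> 0, which is the worst case
        if seen < policy["min_events_per_day"]:
            alerts.append({
                "source": source,
                "day": day_iso,
                "seen": seen,
                "expected": policy["min_events_per_day"],
                "owner": policy["owner"],
                "silent": seen == 0,
            })
    return alerts


def format_alert(alert):
    """Render the push notification text that goes to the responsible owner."""
    kind = "NO EVENTS RECEIVED" if alert["silent"] else "VOLUME BELOW THRESHOLD"
    return (f"[{alert['owner']}] AUDIT LOG FAILURE ({kind}): {alert['source']} "
            f"sent {alert['seen']} events on {alert['day']}, expected >= {alert['expected']}")


if __name__ == "__main__":
    # Wednesday: firewall slightly under its floor, file server fine, laptop silent.
    log = make_sample_log("2024-06-12", {"fw-edge-1": 9800, "srv-file-1": 600})
    for alert in check_audit_log_volume(log, "2024-06-12"):
        print(format_alert(alert))
```

In a real deployment the daily count would come from the SIEM or log collector rather than from raw lines, and `format_alert` would hand off to whatever ticketing or paging channel the responsible team actually watches; the inventory-driven loop and the per-schedule thresholds are the parts that carry over unchanged.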
Inheritance: This requirement is hard to prove with cloud systems, particularly SaaS clouds. We know there are servers and firewalls and networking equipment in the cloud, but they aren’t visible to you as the customer. You need to verify that the cloud admins are performing this requirement in-house. This is where FedRAMP is useful – the FedRAMP moderate baseline includes this requirement (so if a cloud is FedRAMP authorized, they are doing this internally). If you store, process, or transmit CUI in a SaaS cloud, you should discuss how you verified that the cloud is performing 3.3.4.