NIST SP 800-171 3.3.5 𝐂𝐨𝐫𝐫𝐞𝐥𝐚𝐭𝐞 𝐚𝐮𝐝𝐢𝐭 𝐫𝐞𝐜𝐨𝐫𝐝 𝐫𝐞𝐯𝐢𝐞𝐰, 𝐚𝐧𝐚𝐥𝐲𝐬𝐢𝐬, 𝐚𝐧𝐝 𝐫𝐞𝐩𝐨𝐫𝐭𝐢𝐧𝐠 𝐩𝐫𝐨𝐜𝐞𝐬𝐬𝐞𝐬 𝐟𝐨𝐫 𝐢𝐧𝐯𝐞𝐬𝐭𝐢𝐠𝐚𝐭𝐢𝐨𝐧 𝐚𝐧𝐝 𝐫𝐞𝐬𝐩𝐨𝐧𝐬𝐞 𝐭𝐨 𝐢𝐧𝐝𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐨𝐟 𝐮𝐧𝐥𝐚𝐰𝐟𝐮𝐥, 𝐮𝐧𝐚𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐞𝐝, 𝐬𝐮𝐬𝐩𝐢𝐜𝐢𝐨𝐮𝐬, 𝐨𝐫 𝐮𝐧𝐮𝐬𝐮𝐚𝐥 𝐚𝐜𝐭𝐢𝐯𝐢𝐭𝐲.
This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according to the DoD’s Cybersecurity Assessment Center.
The problem is that this requirement can be read in two (totally) different ways.
Option 1) When scary logs are generated, 𝘴𝘰𝘮𝘦𝘰𝘯𝘦 𝘯𝘰𝘵𝘪𝘤𝘦𝘴 𝘢𝘯𝘥 𝘴𝘵𝘢𝘳𝘵𝘴 𝘥𝘰𝘪𝘯𝘨 𝘪𝘯𝘤𝘪𝘥𝘦𝘯𝘵 𝘳𝘦𝘴𝘱𝘰𝘯𝘴𝘦! In other words “see something, do something”.
Option 2) All logs from all systems need to go to a central place so that you can ‘correlate’ multiple sources of logs together using technical means.
Very different interpretations, right???
My personal take: I think that Option 1 is the best way to interpret this requirement. I’m looking at the word 𝐩𝐫𝐨𝐜𝐞𝐬𝐬𝐞𝐬 to mean manual activities performed by people.
Without Option 1 , we have a problem where 800-171 requires lots of logs, and it requires lots of incident response, but there is no link between the two. I think we need this requirement to tell companies that they have to start incidents when they see 𝐢𝐧𝐝𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐨𝐟 𝐮𝐧𝐥𝐚𝐰𝐟𝐮𝐥, 𝐮𝐧𝐚𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐞𝐝, 𝐬𝐮𝐬𝐩𝐢𝐜𝐢𝐨𝐮𝐬, 𝐨𝐫 𝐮𝐧𝐮𝐬𝐮𝐚𝐥 𝐚𝐜𝐭𝐢𝐯𝐢𝐭𝐲.
My personal pet peeve: I’ve talked to many companies that hired external SOC services or MSSPs, are paying them thousands of dollars per month, and have had “zero” incidents in the last year. 𝑹𝒆𝒂𝒍𝒍𝒚? 𝑪’𝒎𝒐𝒏.
That is an example of not correlating audit record review to analysis and reporting processes.
Another argument for Option 1 – an examinable object for this is “procedures addressing investigation of and response to suspicious activities”.
I also respect those who interpret 3.3.5 as Option 2 – Have a SIEM. A test object is “mechanisms supporting analysis and correlation of audit records”. This would normally be done by collecting logs in a central location so that you can correlate different alarms and activities as an intruder passes through your different systems.
Maybe both???
In preparation for Kieri Solution’s CMMC assessment by DIBCAC, we took the “both” approach to be safe. We discussed how we have processes that ensure incidents are started when there is scary activity in the logs. We also mentioned how we use a SIEM. Our assessors were satisfied.