
Published: 12/5/2024

New handbook: Audit and Accountability (AU)

by Policy

Here’s what to know about new documentation for AU procedures and requirements for CMS information systems

Why we have an AU policy

Early in December, the ISPG Policy Team published a new Audit and Accountability (AU) handbook as part of the growing collection of security and privacy handbooks on CyberGeek.

The handbook formalizes AU policy guidance for CMS information systems. AU procedures are safeguards required to create, protect, and retain system audit records in a way that ensures individual accountability. AU procedures also define the standards for keeping information safe through:

  • Monitoring
  • Analysis
  • Investigation
  • Reporting of unlawful, unauthorized, or inappropriate activity

Auditing users' access and operations within a system, combined with the appropriate tools, makes it possible to detect anomalies and determine the causes of adverse events, while also helping to prevent future incidents.

Until now, ISPG did not have a handbook documenting the guidance around Audit and Accountability (AU) policy. The AU handbook is completely new, and does not replace any existing Risk Management Handbook chapters.

What is AU?

Audit and Accountability procedures create, protect, and retain system audit records.

AU procedures serve as a critical tool in uncovering and investigating inappropriate activity within CMS information systems. They make it possible to create audit trails, and to monitor, analyze, investigate, and report on activity that is unauthorized or even illegal. AU procedures are a key security practice.

All CMS auditing requirements are designed to meet OMB M-21-31 or its successor.

This handbook is a critical resource for maintaining the integrity and security of information systems within CMS. By adhering to these guidelines and best practices, system stakeholders can effectively:

  • Mitigate risks
  • Ensure compliance with security standards
  • Foster a culture of user accountability for the use of IT resources
  • Continuously improve the security posture of systems

Who is this handbook for?

The primary audience for the AU handbook includes anyone in a role responsible for creating and maintaining system audit records.

This includes:

What’s in the new AU handbook?

  • Links to primary sources that document AU requirements, including:
    • The National Archives and Records Administration (NARA) General Records Schedule (GRS)
    • NIST
    • The CMS IS2P2
    • OMB M-21-31: Improving Investigative and Remediation Capabilities Related to Cybersecurity Incidents
  • An overview of OMB M-21-31 standards, including:
    • Expanded Event Logging
    • Centralized Log Collection and SIEM Integration
    • Detailed Audit Record Content and Non-Repudiation
    • Log Access Controls and Data Protection
    • Real-Time Alerts for Logging Failures
    • Interagency Collaboration for Incident Response
  • CMS Audit and Accountability Key Components:
    • Event Logging and Management
    • Audit Record Content
    • Data Retention and Storage Capacity
    • Access Controls and Audit Log Protection
    • Real-Time Alerts and Automated Responses
    • Continuous Review and Reporting
    • Cross-Organizational Log Integration
    • Non-Repudiation Measures
    • Synchronization and Time Correlation

Questions?

For policy and guidance questions regarding the AU handbook, or about Audit and Accountability at CMS more broadly, contact us:

Tell us what you think

At ISPG, we want to provide everyone at CMS with helpful information about security and privacy requirements. Please take a moment to let us know how we’re doing.

Give feedback about the new AU Handbook here.

About the publisher:

The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.