NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-10 — Non-repudiation
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.
Supplemental Guidance
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
Practitioner Notes
Non-repudiation means that someone cannot deny performing an action after the fact. The system must prove who did what in a way that cannot be disputed.
Example 1: Require digital signatures (S/MIME or PGP) for emails containing official decisions, approvals, or authorizations. The digital signature cryptographically proves who sent the email and that the content was not altered after signing. Configure Outlook to sign all outgoing messages for key decision-makers.
Example 2: Use individual authentication (no shared accounts) combined with tamper-proof audit logs. When your audit log shows that john.smith deleted a file at 2:47 PM, and the log is protected from modification (cryptographic hashing, WORM storage), John cannot credibly deny the action.