NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-10(4) — Validate Binding of Information Reviewer Identity
Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }}; and perform {{ insert: param, au-10.04_odp.02 }} in the event of a validation error.
Supplemental Guidance
Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
Practitioner Notes
This enhancement is a check performed at the boundary, not only a record-keeping requirement. The reviewer's identity must be bound to the content that was reviewed (for example, a digital signature or keyed cryptographic checksum covering the content hash together with the reviewer's identifier and the review time), and that binding must be re-verified at the point where the information crosses the organization-defined security domains (the first parameter). A valid binding shows three things at once: the review record has not been altered, the reviewer is someone authorized to approve release across that boundary, and the content being released is byte-for-byte what was reviewed. The second parameter defines what happens when the check fails; in practice that is usually to block the transfer, alert, and record the event. Non-repudiation (the reviewer cannot later deny the review) follows from a sound binding, but the control is satisfied only if the binding is actually validated before release.
Example 1: For log reviews, have the reviewer sign off digitally rather than merely log in and click a button. The reviewer authenticates with an individual account and signs a record containing their identity, the review time, and a hash of the exact log extract reviewed. When the reviewed extract is later exported or transferred to another domain, the export process recomputes the hash, verifies the signature, and confirms the signer is an authorized reviewer; a login-plus-timestamp entry in a tracker that is not tied to the content does not meet this requirement, because the content could change after the entry is made.
Example 2: For document reviews (SSP reviews, POA&M updates), use a workflow system that requires the reviewer to authenticate and explicitly approve. In SharePoint, configure approval workflows that record the reviewer's identity and timestamp; the approval is attributed through the reviewer's Microsoft Entra ID (formerly Azure AD) authentication, which gives assurance of who approved at the time of approval. That alone does not validate the binding at release: the workflow record is an application record that privileged administrators can change, and the document can be edited after approval. Add a release step that compares the version or hash of the document being released with the version or hash recorded at approval, and define the action taken on mismatch (for example, withhold the document and open an incident ticket). For a binding that does not depend on trusting the workflow database, have the reviewer digitally sign the approved version.
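The following is an added example, not text from the NIST catalog, showing the mechanism behind both examples above: a review record that binds reviewer identity to a content hash, and a release gate that validates the binding and performs a defined action on failure. The key, reviewer names, document bytes and the "block and log" failure action are constructed for illustration; a keyed checksum (HMAC) is used so the example runs with only the Python standard library, whereas a production implementation would normally use an asymmetric digital signature made with the reviewer's own key so that the reviewer, and not a shared secret, vouches for the review.

```python
"""Bind a reviewer identity to reviewed content and validate that binding at a release point.

Added example; constructed data and a hypothetical review-system key. HMAC stands in for
a digital signature so the example runs offline with the standard library only.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Hypothetical key held by the review system (constructed for this example only).
REVIEW_SYSTEM_KEY = b"example-review-system-key-do-not-use"

# Reviewers authorized to approve release across this particular boundary (constructed).
AUTHORIZED_REVIEWERS: Set[str] = {"alice@example.org"}


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the reviewed content; this is what the reviewer attests to."""
    return hashlib.sha256(artifact).hexdigest()


def _canonical(record: Dict[str, str]) -> bytes:
    """Stable serialization so the tag covers exactly the same bytes when created and when checked."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def bind_review(reviewer: str, artifact: bytes, reviewed_at: str,
                key: bytes = REVIEW_SYSTEM_KEY) -> Dict[str, str]:
    """Create the review record: reviewer identity + content hash + time, sealed with a keyed checksum."""
    record = {"reviewer": reviewer, "sha256": artifact_digest(artifact), "reviewed_at": reviewed_at}
    record["tag"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def validate_binding(record: Dict[str, str], artifact: bytes, authorized: Set[str],
                     key: bytes = REVIEW_SYSTEM_KEY) -> Tuple[bool, str]:
    """Release-point check. Every failure returns a reason so the defined action can record it."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # 1. The record itself must be intact: identity, hash and time cannot have been edited.
    if not hmac.compare_digest(expected, record.get("tag", "")):
        return False, "review record altered or not sealed by the review system"
    # 2. The bound reviewer must be allowed to approve release across this boundary.
    if body.get("reviewer") not in authorized:
        return False, f"reviewer {body.get('reviewer')!r} not authorized for this boundary"
    # 3. The content being released must be byte-for-byte what was reviewed.
    if not hmac.compare_digest(body["sha256"], artifact_digest(artifact)):
        return False, "artifact modified after review"
    return True, "binding valid"


def release(record: Dict[str, str], artifact: bytes, authorized: Set[str],
            audit_log: List[dict]) -> bool:
    """Transfer/release gate. On a validation error the organization-defined action is performed;
    here (constructed policy) that action is: block the transfer and write an audit event."""
    ok, reason = validate_binding(record, artifact, authorized)
    audit_log.append({
        "event": "released" if ok else "release_blocked",
        "reviewer": record.get("reviewer"),
        "sha256": artifact_digest(artifact),
        "reason": reason,
    })
    return ok


if __name__ == "__main__":
    log: List[dict] = []
    doc = b"System Security Plan v3 - reviewed content"          # constructed artifact
    rec = bind_review("alice@example.org", doc, "2024-05-01T10:00:00Z")
    print(release(rec, doc, AUTHORIZED_REVIEWERS, log))                    # True
    print(release(rec, doc + b" (edited)", AUTHORIZED_REVIEWERS, log))     # False, modified after review
    forged = dict(rec, reviewer="mallory@example.org")                     # record tampered with
    print(release(forged, doc, AUTHORIZED_REVIEWERS, log))                 # False, record altered
    for event in log:
        print(event)
```

The three checks in validate_binding map onto the control text: the tag check detects edits to the review record, the authorization check ensures the bound identity is a reviewer for this boundary, and the hash check is what prevents "unauthorized modification of information between review and the transfer or release". The release function is where the second parameter of the control is implemented; swap in whatever the organization defines (quarantine, alert, ticket) without touching the validation logic.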