NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-12(2)Standardized Formats

Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.

Practitioner Notes

Use standardized log formats so that records from different systems can be easily compared and correlated. If every system uses a different format, analysis becomes extremely difficult.

Example 1: Configure all log sources to use a common format. For syslog, use RFC 5424 format with structured data. For Windows, the Windows Event Log format is already standardized. In your SIEM, apply a common information model (CIM in Splunk, ASIM in Sentinel) to normalize all data at ingestion.

Example 2: For custom applications, require developers to use JSON structured logging with a mandatory field set: timestamp (ISO 8601), level, event_type, user_id, source_ip, action, outcome, resource. Publish this as a logging standard and enforce it during code review.

More Audit and Accountability Controls

AU-1 Policy and Procedures AU-2 Event Logging AU-2(1) Compilation of Audit Records from Multiple Sources AU-2(2) Selection of Audit Events by Component