NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-14 — Session Audit
Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }}; and Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Supplemental Guidance
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed.
Practitioner Notes
Session audit means capturing detailed records of user sessions — not just individual events, but the full stream of activity within a session.
Example 1: Use a session recording tool (CyberArk PSM, BeyondTrust, Wallix) for all privileged sessions. These tools record the entire screen, keystrokes, and commands for the duration of the admin session. Recordings are searchable and indexed by user, system, and timestamp.
Example 2: Enable Windows Remote Desktop session shadowing and recording on your RDP gateway servers. Third-party tools like ObserveIT (now Proofpoint ITM) can record all user sessions on sensitive systems, creating a video record of every action taken during the session.
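The "searchable and indexed by timestamp" property that Example 1 attributes to commercial recorders can be reproduced for a plain util-linux `script(1)` capture (`script --log-timing timing.log typescript`, classic timing format). The indexer below is an added example, not NIST text or any vendor's code; it assumes the classic "<delay-seconds> <byte-count>" timing format and uses a constructed sample recording.

```python
"""Index a script(1) session recording so its content can be searched by time."""
import bisect
from datetime import datetime, timedelta
from typing import List


class SessionIndex:
    def __init__(self, typescript: bytes, timing_text: str, started: datetime):
        # script(1) writes a "Script started on ..." header line that the
        # timing file does not cover, so skip it before applying the timing.
        body = typescript[typescript.index(b"\n") + 1:]
        self.offsets: List[int] = []       # byte offset where each chunk starts
        self.stamps: List[datetime] = []   # wall-clock time of that chunk
        clock, pos = started, 0
        for line in timing_text.splitlines():
            if not line.strip():
                continue
            delay, nbytes = line.split()
            # Each delay is relative to the previous chunk; accumulating
            # timedeltas keeps microsecond precision without float drift.
            clock += timedelta(seconds=float(delay))
            self.offsets.append(pos)
            self.stamps.append(clock)
            pos += int(nbytes)
        self.body = body[:pos]   # drop the trailing "Script done on ..." footer

    def time_at(self, offset: int) -> datetime:
        """Timestamp of the chunk that contains byte `offset`."""
        return self.stamps[bisect.bisect_right(self.offsets, offset) - 1]

    def find(self, needle: bytes) -> List[datetime]:
        """Timestamps at which `needle` appears in the session, even when it
        spans chunks (interactive keystrokes are echoed one byte at a time)."""
        hits, start = [], 0
        while (i := self.body.find(needle, start)) != -1:
            hits.append(self.time_at(i))
            start = i + 1
        return hits


# Constructed sample recording (not captured from a real system).
SAMPLE_TYPESCRIPT = (
    b"Script started on 2024-05-01 10:00:00+00:00\n"
    b"$ ls\r\nfile.txt\r\n$ "
    b"\nScript done on 2024-05-01 10:00:05+00:00\n"
)
SAMPLE_TIMING = "0.000 2\n1.500 1\n0.200 1\n0.300 2\n0.100 10\n0.050 2\n"
SAMPLE_START = datetime(2024, 5, 1, 10, 0, 0)


def demo() -> SessionIndex:
    """Build the index for the constructed sample; find(b"ls") -> 10:00:01.5."""
    return SessionIndex(SAMPLE_TYPESCRIPT, SAMPLE_TIMING, SAMPLE_START)
```

Because the index resolves any byte offset to a time, a reviewer can answer "when did this user type X" without replaying the whole session, and the typed content is retained only for the users and circumstances the organization has defined.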