NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-16(2) — Sharing of Audit Information
Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
Supplemental Guidance
Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.
Practitioner Notes
Share audit information with partner organizations when needed for joint security operations, incident investigation, or compliance reporting.
Example 1: Set up a secure file sharing mechanism (encrypted SFTP, DoD SAFE) for sharing audit data with partners. When a joint incident occurs, each party exports relevant log data, encrypts it, and transfers it through the approved channel. Document all data sharing in the incident report.
Example 2: For continuous sharing, consider federated SIEM access. Grant partner SOC analysts read-only access to a limited scope of your SIEM data — only events related to the shared system or interface. In Splunk, create a dedicated role with index-level restrictions. In Sentinel, use Lighthouse or workspace permissions to share specific log analytics workspaces.
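The export and documentation steps of Example 1, with the "limited scope" rule of Example 2 applied to the data itself, as an added Python example that is not part of the NIST text or the notes above. It keeps only records from the shared systems inside the incident window, drops fields outside an allow-list, and builds a manifest with a SHA-256 digest for the incident report. The host names, field list and sample records are constructed assumptions, and encryption and transfer over the approved channel happen after this step.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed scope taken from the sharing agreement (hypothetical values).
SHARED_HOSTS = {"gw-partner-01", "api-shared-02"}
ALLOWED_FIELDS = ("timestamp", "host", "user", "action", "outcome", "src_ip")

# Constructed sample audit records, not real log data.
SAMPLE = [
    {"timestamp": "2024-05-01T10:02:11+00:00", "host": "gw-partner-01", "user": "p.ext",
     "action": "login", "outcome": "failure", "src_ip": "198.51.100.7", "session_token": "abc123"},
    {"timestamp": "2024-05-01T10:05:00+00:00", "host": "hr-db-01", "user": "j.doe",
     "action": "query", "outcome": "success"},            # internal system, out of scope
    {"timestamp": "2024-05-02T09:00:00+00:00", "host": "api-shared-02", "user": "p.ext",
     "action": "read", "outcome": "success"},             # outside the incident window
    {"timestamp": "not-a-date", "host": "gw-partner-01", "action": "login"},  # unparseable
]


def build_export(records, start, end, hosts=SHARED_HOSTS, fields=ALLOWED_FIELDS):
    """Return (export_bytes, manifest) for the records the agreement covers."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    kept = []
    for rec in records:
        try:
            in_window = lo <= datetime.fromisoformat(rec["timestamp"]) <= hi
        except (KeyError, ValueError, TypeError):
            continue  # fail closed: a record that cannot be placed in time is not shared
        if in_window and rec.get("host") in hosts:
            # Allow-list the fields so tokens and internal-only data stay behind.
            kept.append({k: rec[k] for k in fields if k in rec})
    body = "".join(json.dumps(r, sort_keys=True) + "\n" for r in kept).encode()
    manifest = {
        "record_count": len(kept),
        "withheld_count": len(records) - len(kept),
        "window": [start, end],
        "hosts": sorted(hosts),
        "fields": list(fields),
        "sha256": hashlib.sha256(body).hexdigest(),  # lets the partner verify the file
        "generated_utc": datetime.now(timezone.utc).isoformat(),
    }
    return body, manifest
```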