NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-16(3) Disassociability

Implement {{ insert: param, au-16.03_odp }} to disassociate individuals from audit information transmitted across organizational boundaries.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability.

Practitioner Notes

When sharing audit data, disassociate PII from the records if the receiving organization does not need to know the identities. Share the audit trail without exposing personal information.

Example 1: Before sharing log data for research or benchmarking purposes, anonymize the records. Replace usernames with pseudonymous identifiers (User001, User002), remove IP addresses or replace with subnet-level data, and strip any PII fields. Use a consistent mapping so that events by the same user can still be correlated by the pseudonymous identifier.

Example 2: In Splunk, hash or mask sensitive fields with eval functions in your export search before sharing the results. For example: | eval user=md5(user) | eval src_ip=replace(src_ip, "(\d+)\.(\d+)$", "x.x"). This keeps the records correlatable (the same user still produces the same value) and the source subnet visible, while the individual identities are not exposed.
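The pseudonymization described in Examples 1 and 2, written out as an added Python illustration (not text from NIST, Splunk, or any product): usernames are mapped to consistent User001-style pseudonyms, IPv4 addresses are reduced to subnet level, and direct identifier fields are dropped before the records leave the organization. The sample records, the PII_FIELDS set, and the 16-character truncation of the keyed pseudonym are assumptions made for this example. The keyed_pseudonym function is included because an unkeyed digest of a low-entropy value such as a username (the md5(user) idiom above) can be reversed by hashing a list of likely usernames; an HMAC under a key held by the sending organization gives the same stable, correlatable value without that weakness.

```python
"""Pseudonymize audit records before sharing them across an organizational
boundary (AU-16(3)). Added illustration; not NIST text or any vendor's code."""
import hashlib
import hmac
import ipaddress
import json

# Constructed sample audit records (JSON lines), not real data.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "src_ip": "10.1.2.3", "email": "alice@example.org", "action": "login"}
{"ts": "2024-05-01T10:00:05Z", "user": "bob", "src_ip": "192.168.7.8", "email": "bob@example.org", "action": "read"}
{"ts": "2024-05-01T10:00:09Z", "user": "alice", "src_ip": "10.1.9.1", "full_name": "Alice Example", "action": "logout"}
{"ts": "2024-05-01T10:00:12Z", "user": "carol", "src_ip": "not-an-ip", "action": "login"}
"""

# Direct identifiers the receiving organization does not need. The set is an
# assumption for this example; in practice it is organization-specific.
PII_FIELDS = {"email", "full_name", "phone", "ssn"}


class Pseudonymizer:
    """Consistent user -> UserNNN mapping in first-seen order. The table stays
    with the sending organization so re-identification remains under its control."""

    def __init__(self):
        self._table = {}

    def pseudonym_for(self, user):
        if user not in self._table:
            self._table[user] = "User%03d" % (len(self._table) + 1)
        return self._table[user]

    def table(self):
        return dict(self._table)


def keyed_pseudonym(user, key):
    """Stable pseudonym without a stored table: HMAC-SHA256 under a secret key.
    Unlike an unkeyed hash such as md5(user), it cannot be reversed by hashing
    a list of likely usernames unless the key is also known. Truncation to 16
    hex characters is an assumption for readability."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def mask_ip(value):
    """Reduce an IPv4 address to subnet level (a.b.x.x). Values that are not
    valid IPv4 addresses are replaced wholesale so nothing unexpected leaks."""
    try:
        addr = ipaddress.IPv4Address(value)
    except (ipaddress.AddressValueError, ValueError, TypeError):
        return "x.x.x.x"
    first, second = str(addr).split(".")[:2]
    return "%s.%s.x.x" % (first, second)


def pseudonymize_records(jsonl, pseudonymizer):
    """Apply field removal, user pseudonymization and IP masking to each
    JSON-lines record; returns the list of sanitized records."""
    out = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        rec = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        if "user" in rec:
            rec["user"] = pseudonymizer.pseudonym_for(rec["user"])
        if "src_ip" in rec:
            rec["src_ip"] = mask_ip(rec["src_ip"])
        out.append(rec)
    return out


if __name__ == "__main__":
    p = Pseudonymizer()
    for rec in pseudonymize_records(SAMPLE_LOG, p):
        print(json.dumps(rec))
    # Retained locally, never shipped with the export:
    print("mapping (keep internal):", p.table())
```

The mapping table is the re-identification key: it is what makes the export disassociated rather than merely obfuscated, so it is kept and access-controlled by the sending organization, never transmitted alongside the records. If exports are produced in several batches and must stay correlatable across them, the keyed HMAC variant avoids having to persist the table at all; the key then needs the same protection.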