NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-3(3) Limit Personally Identifiable Information Elements

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.

Practitioner Notes

When audit records might contain PII, limit what is captured to the minimum necessary. Do not log full SSNs, credit card numbers, or medical record details if you only need to know that a record was accessed.

Example 1: In your application logging, mask sensitive fields. Instead of logging "User accessed SSN 123-45-6789", log "User accessed SSN ***-**-6789". Configure your logging framework to apply masking rules automatically to fields tagged as PII.

Example 2: In your SIEM, implement data masking at the ingestion level. In Splunk, use SEDCMD in props.conf to mask SSN patterns: SEDCMD-mask-ssn = s/\d{3}-\d{2}-(\d{4})/XXX-XX-\1/g. This preserves the last four digits for identification while protecting the full number.
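As an added example that is not part of the control text, the following Python logging filter applies the masking approach from Examples 1 and 2 automatically: pattern rules for free-text messages (SSN and payment-card formats, last four digits kept) and a stricter keep-last-four rule for any record field tagged as PII. The tag set and sample values are constructed for illustration.

```python
import logging
import re

# Pattern rules for free-text messages: keep only the last four digits,
# the same trade-off as the Splunk SEDCMD rule above.
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
_CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}(\d{4})\b")

def mask_pii_text(text: str) -> str:
    """Mask SSN and payment-card patterns found anywhere in free text."""
    text = _SSN_RE.sub(r"***-**-\1", text)
    return _CARD_RE.sub(r"****-****-****-\1", text)

def mask_tagged_value(value) -> str:
    """A field tagged as PII is always reduced to its last four characters."""
    value = str(value)
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]

class PIIMaskingFilter(logging.Filter):
    """Redact PII before a record reaches any handler. The tag set is a
    constructed example; in practice it comes from the privacy risk assessment."""
    PII_FIELDS = frozenset({"ssn", "card_number", "patient_id"})

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pii_text(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(mask_pii_text(str(a)) for a in record.args)
        for name in self.PII_FIELDS & set(vars(record)):
            setattr(record, name, mask_tagged_value(getattr(record, name)))
        return True  # never suppress the audit record, only redact it

def format_audit_line(message: str, **tagged) -> str:
    """Run one event through the filter and return the rendered line
    (demo helper; a real deployment attaches the filter to the handler)."""
    record = logging.LogRecord("audit", logging.INFO, __file__, 0, message, None, None)
    for key, value in tagged.items():
        setattr(record, key, value)
    PIIMaskingFilter().filter(record)
    fields = " ".join(f"{k}={getattr(record, k)}" for k in sorted(tagged))
    return f"{record.getMessage()} {fields}".strip()

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PIIMaskingFilter())  # how the filter is attached in practice
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.getLogger("audit").info("User alice accessed SSN %s", "123-45-6789")
    print(format_audit_line("Record viewed", ssn="123-45-6789", patient_id="MRN-0012"))
```

Attaching the filter to the handler rather than to one logger ensures every record written through that handler is redacted, including records from libraries that do not know the tag set.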