NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-5(1) Storage Capacity Warning

Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.

Practitioner Notes

Warn administrators before audit storage reaches capacity. The alert should come early enough to take action — not when you are already out of space.

Example 1: In Splunk, set up an alert that triggers when any index reaches 75% of its configured maximum size. Email the Splunk admin and the ISSO. Create a second alert at 90% that also pages the on-call engineer.

Example 2: On your syslog servers and SIEM appliances, configure disk monitoring that alerts at 70%, 80%, and 90% disk utilization. Use SNMP traps or agent-based monitoring (PRTG, Nagios) and route the alerts to your NOC dashboard and email distribution list.
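The tiered thresholds in Example 2, applied per repository as the Supplemental Guidance describes, can be sketched as follows. This is an added example, not part of the control text or of any product named above; the repository names, paths, severity labels and recipient names are assumptions, and sending a page at 90% is borrowed from Example 1.

```python
import shutil

# (threshold %, severity, recipients), highest first. Percentages follow
# Example 2; recipient names are placeholders, not real addresses.
TIERS = [
    (90, "critical", ["noc-dashboard", "audit-admins@example.org", "on-call-pager"]),
    (80, "high", ["noc-dashboard", "audit-admins@example.org"]),
    (70, "warning", ["noc-dashboard", "audit-admins@example.org"]),
]

def percent_used(path):
    """Percent of the filesystem holding `path` that is in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total

def classify(pct):
    """Return the highest tier whose threshold `pct` has reached, or None."""
    for tier in TIERS:
        if pct >= tier[0]:
            return tier
    return None

def evaluate(repos, last_alerted, probe=percent_used):
    """Check each repository; alert only when it crosses into a higher tier.

    repos: {name: path}. last_alerted: {name: threshold already reported},
    mutated in place so repeated runs (cron, timer) do not re-send.
    """
    alerts = []
    for name, path in sorted(repos.items()):
        try:
            pct = probe(path)
        except OSError as exc:
            # An unreadable repository is reported, never silently skipped.
            alerts.append((name, None, "unknown", TIERS[0][2], str(exc)))
            continue
        tier = classify(pct)
        threshold = tier[0] if tier else 0
        if tier and threshold > last_alerted.get(name, 0):
            alerts.append((name, round(pct, 1), tier[1], tier[2],
                           f"{name} audit storage at {pct:.1f}% (>= {threshold}%)"))
        last_alerted[name] = threshold  # drops back to 0 after cleanup/rotation
    return alerts

if __name__ == "__main__":
    # Constructed repository list; adjust paths to the real log volumes.
    state = {}
    for alert in evaluate({"syslog": "/var/log", "root": "/"}, state):
        print(alert)
```

Persist `last_alerted` between runs (for example in a small state file) so that a scheduled job alerts once per tier crossing instead of on every run.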