NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-5(4) — Shutdown on Failure
Invoke a {{ insert: param, au-05.04_odp.01 }} in the event of {{ insert: param, au-05.04_odp.02 }}, unless an alternate audit logging capability exists.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.
Practitioner Notes
In the most secure environments, if the audit system fails, the information system should shut down rather than continue operating without logging. No logs means no accountability.
Example 1: On critical servers, configure the Windows Security Event Log to "Shut down the system immediately if unable to log security audits" via GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Audit: Shut down system immediately if unable to log security audits" set to Enabled. This is a DoD STIG requirement for many baselines.
Example 2: In Linux, configure auditd with -f 2 in /etc/audit/auditd.conf (or the audit.rules file), which triggers a kernel panic if the audit system cannot write records. This is extreme but appropriate for systems processing classified or highly sensitive data.
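A check for the Linux setting in Example 2, as an added example that is not part of the original page or of NIST's text. It reads `-f` as an auditctl option loaded from the rule files and `disk_full_action` / `disk_error_action` as auditd.conf settings. The function names and the choice to accept `halt` or `single` as the shutdown or degraded-mode response are assumptions.

```shell
#!/bin/sh
# Added example: report whether auditd failure handling matches AU-5(4).
# Function names are hypothetical; pass the files you want evaluated.

# failure_mode FILE... -> prints 0, 1, 2 or "unset".
# Rules load in order and the last -f wins, but once "-e 2" has locked the
# audit configuration the kernel rejects any later -f until reboot.
failure_mode() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-e" && $(i + 1) == "2") locked = 1
                if ($i == "-f" && !locked) mode = $(i + 1)
            }
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$@"
}

# conf_value FILE KEY -> prints the lowercased value of "key = value",
# or "unset". Commented-out settings are ignored.
conf_value() {
    awk -F= -v key="$2" '
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        tolower(k) == key { val = tolower(v) }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# au5_4_check RULES_FILE CONF_FILE -> returns 0 only if the kernel panics on
# audit failure (-f 2) and auditd halts or drops to single-user mode when the
# log disk fills or returns errors (assumed acceptance criteria).
au5_4_check() {
    rc=0
    mode=$(failure_mode "$1")
    [ "$mode" = "2" ] || { echo "FAIL: failure mode is $mode, expected 2"; rc=1; }
    for key in disk_full_action disk_error_action; do
        val=$(conf_value "$2" "$key")
        case "$val" in
            halt|single) ;;
            *) echo "FAIL: $key is $val, expected halt or single"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a running host, `auditctl -s` shows the failure value the kernel is actually using, which is worth comparing against what the files say.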