NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-6(4) Central Review and Analysis

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.

Practitioner Notes

Review and analyze audit records from a central location. If your team has to log into 20 different systems to review logs, reviews will not happen consistently.

Example 1: Centralize all log review in your SIEM. Create role-specific dashboards: one for the SOC analyst (real-time alerts and investigation), one for the ISSO (compliance posture and weekly trends), and one for leadership (executive summary with KPIs like mean time to detect and respond).

Example 2: In Microsoft Sentinel, use Workbooks to create custom dashboards that pull data from all connected sources. Build a Weekly Audit Review workbook that summarizes authentication events, privileged access usage, policy violations, and alert trends. Schedule the workbook to render as a PDF and email it to the ISSO every Monday.
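
A query that could back the Weekly Audit Review workbook from Example 2, as an added example that is not part of the original page. The source tables (SigninLogs, AuditLogs, SecurityAlert) and the reading of "policy violations" as Conditional Access blocks are assumptions; substitute the tables your own connectors populate.

```kql
// Added example: daily roll-up for a "Weekly Audit Review" workbook grid.
// Table choices below are assumptions, not taken from the page.
let start = startofday(ago(7d));
let authentication =
    SigninLogs
    | where TimeGenerated >= start
    | summarize Events = count(), Flagged = countif(ResultType != "0")
        by Day = bin(TimeGenerated, 1d)
    | extend Area = "Authentication", FlaggedMeans = "non-zero result codes";
let privileged =
    AuditLogs
    | where TimeGenerated >= start and Category == "RoleManagement"
    | summarize Events = count(), Flagged = countif(Result != "success")
        by Day = bin(TimeGenerated, 1d)
    | extend Area = "Privileged access", FlaggedMeans = "unsuccessful role changes";
// Assumption: "policy violations" = sign-ins that a Conditional Access policy blocked.
let policy =
    SigninLogs
    | where TimeGenerated >= start and ConditionalAccessStatus != "notApplied"
    | summarize Events = count(), Flagged = countif(ConditionalAccessStatus == "failure")
        by Day = bin(TimeGenerated, 1d)
    | extend Area = "Policy violations", FlaggedMeans = "blocked by Conditional Access";
let alerts =
    SecurityAlert
    | where TimeGenerated >= start
    // Alert records are re-written on update; keep the latest record per alert.
    | summarize arg_max(TimeGenerated, AlertSeverity) by SystemAlertId
    | summarize Events = count(), Flagged = countif(AlertSeverity == "High")
        by Day = bin(TimeGenerated, 1d)
    | extend Area = "Alerts", FlaggedMeans = "high severity";
// isfuzzy=true lets the query run when a source table is absent from the workspace.
union isfuzzy=true authentication, privileged, policy, alerts
| project Day, Area, Events, Flagged, FlaggedMeans
| order by Day asc, Area asc
```

A day with no rows for an area means no records arrived from that source, which is itself worth checking during the review because it can indicate a broken connector rather than a quiet day.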