NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-6(6) Correlation with Physical Monitoring

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.

Practitioner Notes

Correlate audit records with physical security monitoring data. If the badge system says someone is in Building A but their login is from Building B, that is a red flag.

Example 1: Integrate your physical access control system (PACS) logs with your SIEM. Send badge swipe data from Lenel, AMAG, or your PACS vendor to Splunk or Sentinel. Create a correlation rule: if a user's VPN login originates from another city while their last badge swipe was at the office (or vice versa) within a short time, alert the security team.

Example 2: For high-security areas (server rooms, SCIFs), correlate physical access logs with system console logon times. If someone badges into the server room but no console login is recorded within 10 minutes, investigate — they should have logged in. If a console login occurs without a corresponding badge swipe, that is also suspicious.
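The two checks in Example 2, written out as an added sketch (not part of the control text or of any vendor's rule set). The record layout, the sample events, and the `MAX_DWELL` limit on how long one badge-in covers later logons are assumptions; both sources are assumed to share a synchronized clock.

```python
from datetime import datetime, timedelta

LOGON_WINDOW = timedelta(minutes=10)  # from Example 2 on this page
MAX_DWELL = timedelta(hours=12)       # assumption: how long one badge-in covers later logons

# Constructed sample records: (user, ISO-8601 time). Real PACS/host fields will differ.
BADGE_INS = [
    ("alice", "2024-05-01T09:00:00"),
    ("bob",   "2024-05-01T09:30:00"),
    ("dave",  "2024-05-01T11:00:00"),
    ("erin",  "2024-05-01T11:55:00"),
]
CONSOLE_LOGONS = [
    ("alice", "2024-05-01T09:04:00"),
    ("carol", "2024-05-01T10:15:00"),
    ("dave",  "2024-05-01T11:25:00"),
]

def _parse(records):
    return [(user, datetime.fromisoformat(ts)) for user, ts in records]

def correlate(badge_ins, logons, as_of):
    """Return sorted (kind, user, time) findings for both mismatch directions."""
    badges, logons = _parse(badge_ins), _parse(logons)
    as_of = datetime.fromisoformat(as_of)
    findings = []
    for user, b in badges:
        if b + LOGON_WINDOW > as_of:
            continue  # window still open; judging now would be a false positive
        # Server-room entry must be followed by the same user's console logon in time
        if not any(u == user and b <= l <= b + LOGON_WINDOW for u, l in logons):
            findings.append(("badge_without_logon", user, b.isoformat()))
    for user, l in logons:
        # Console logon must be preceded by the same user's badge-in
        if not any(u == user and b <= l <= b + MAX_DWELL for u, b in badges):
            findings.append(("logon_without_badge", user, l.isoformat()))
    return sorted(findings)

if __name__ == "__main__":
    for finding in correlate(BADGE_INS, CONSOLE_LOGONS, as_of="2024-05-01T12:00:00"):
        print(finding)
```

Dave is flagged because his logon came 25 minutes after entry, and Erin is skipped until her 10-minute window has closed.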