NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-6(9) — Correlation with Information from Nontechnical Sources
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions.
Practitioner Notes
Correlate audit data with non-technical information — HR reports, news, insider threat indicators — to get a fuller picture of potential threats.
Example 1: When HR notifies you that an employee has given two weeks' notice, immediately pull their recent audit records and check for unusual data access patterns: large downloads, access to files outside their normal scope, or emails forwarded to personal accounts. Increase monitoring for the remaining time.
Example 2: When a news report indicates a threat actor is targeting your industry sector, review your audit logs for the specific indicators mentioned in the report. Cross-reference CISA advisories with your SIEM data to see if any of the listed IOCs appear in your logs. This turns external intelligence into internal detection.
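The review described in Example 1, sketched as an added Python example (not part of the original page or of NIST guidance). The record layout, the `example.com` corporate domain, the 30-day baseline and the 5x size factor are assumptions, and the HR notice and audit records are constructed sample data; the query is scoped to the one named individual, in line with the Supplemental Guidance.

```python
from datetime import date, timedelta

CORP_DOMAIN = "example.com"  # assumed corporate mail domain
# Constructed HR notice and audit records: (day, user, action, target, bytes).
HR_NOTICE = {"user": "jdoe", "notice_date": date(2024, 5, 6)}
AUDIT = [
    (date(2024, 4, 10), "jdoe", "file_read", "/eng/projA/spec.docx", 2_000_000),
    (date(2024, 4, 22), "jdoe", "file_read", "/eng/projA/design.pdf", 3_000_000),
    (date(2024, 4, 25), "jdoe", "mail_forward", "teammate@example.com", 0),
    (date(2024, 5, 7), "jdoe", "file_read", "/eng/projA/spec.docx", 1_000_000),
    (date(2024, 5, 8), "jdoe", "file_read", "/finance/forecast.xlsx", 40_000_000),
    (date(2024, 5, 8), "asmith", "file_read", "/finance/forecast.xlsx", 40_000_000),
    (date(2024, 5, 9), "jdoe", "mail_forward", "jdoe.home@mail.example.net", 0),
]

def bytes_per_day(records):
    """Sum file_read bytes per calendar day."""
    totals = {}
    for day, _, action, _, size in records:
        if action == "file_read":
            totals[day] = totals.get(day, 0) + size
    return totals

def review_departing_user(notice, records, lookback_days=30, size_factor=5):
    """Compare one user's activity since the HR notice with their own baseline."""
    user, start = notice["user"], notice["notice_date"]
    mine = [r for r in records if r[1] == user]  # only the named individual
    window_start = start - timedelta(days=lookback_days)
    baseline = [r for r in mine if window_start <= r[0] < start]
    recent = [r for r in mine if r[0] >= start]
    # Normal scope = directories the user read from during the baseline window.
    normal_dirs = {r[3].rsplit("/", 1)[0] for r in baseline if r[2] == "file_read"}
    busiest = max(bytes_per_day(baseline).values(), default=0)
    findings = []
    for day, _, action, target, _ in recent:
        if action == "file_read" and target.rsplit("/", 1)[0] not in normal_dirs:
            findings.append((day, "outside_normal_scope", target))
        elif action == "mail_forward" and not target.lower().endswith("@" + CORP_DOMAIN):
            findings.append((day, "external_forward", target))
    for day, total in bytes_per_day(recent).items():
        if total > size_factor * max(busiest, 1):
            findings.append((day, "large_download", f"{total} bytes"))
    return sorted(findings)

if __name__ == "__main__":
    for day, kind, detail in review_departing_user(HR_NOTICE, AUDIT):
        print(day.isoformat(), kind, detail)
```

A user with no records in the baseline window has no normal scope, so every read after the notice is reported; treat that output as a prompt for manual review rather than a finding.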