NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-9(4)Access by Subset of Privileged Users

Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.

Practitioner Notes

Limit access to audit logs to a small subset of privileged users. Not every admin needs to see or manage audit data — only the security team should have access.

Example 1: In Splunk, create a security_analyst role with read access to security indexes and a splunk_admin role for system management. Regular IT admins should not have any Splunk role. Configure this under Settings → Access Controls → Roles.

Example 2: In Active Directory, restrict the "Manage auditing and security log" user right (via GPO) to only the Administrators group — and then ensure that group contains only your designated security admins, not general IT staff. The Event Log Readers group can be used for read-only access to security logs for authorized auditors.

More Audit and Accountability Controls

AU-1 Policy and Procedures AU-2 Event Logging AU-2(1) Compilation of Audit Records from Multiple Sources AU-2(2) Selection of Audit Events by Component