NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-9(5) — Dual Authorization
Enforce dual authorization for {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
Practitioner Notes
Require dual authorization for any action that modifies or deletes audit records. One person alone should not be able to tamper with the logs.
Example 1: Configure your SIEM so that deleting or modifying indexes requires approval from two administrators. In Splunk, restrict the delete capability to a dedicated role, and require both the Splunk admin and the ISSO to authorize its use via a change management ticket.
Example 2: For Windows Security Log management, require a change ticket and two approvals before anyone can clear the Security Event Log. Enforce this procedurally and audit Event ID 1102 (Security Log Cleared) — any occurrence without a corresponding approved ticket is a policy violation.
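The check in Example 2 can be automated by correlating Event ID 1102 records against approved change tickets. The following is an added example, not part of the original control text. The event and ticket field names, the sample records, and the rule that the person clearing the log cannot count as one of the two approvers are all assumptions.

```python
from datetime import datetime

# Constructed sample data: exported Windows Security events and change tickets.
EVENTS = [
    {"event_id": 1102, "host": "DC01", "user": "CORP\\alice", "time": "2024-05-01T10:05:00"},
    {"event_id": 1102, "host": "FS02", "user": "CORP\\bob", "time": "2024-05-02T23:40:00"},
    {"event_id": 1102, "host": "DC01", "user": "CORP\\carol", "time": "2024-05-03T09:00:00"},
    {"event_id": 4624, "host": "DC01", "user": "CORP\\dave", "time": "2024-05-03T09:30:00"},
]
TICKETS = [  # hypothetical ticket schema: approved window plus named approvers
    {"id": "CHG-0001", "host": "DC01", "approvers": ["CORP\\dave", "CORP\\erin"],
     "start": "2024-05-01T10:00:00", "end": "2024-05-01T11:00:00"},
    {"id": "CHG-0002", "host": "DC01", "approvers": ["CORP\\carol", "CORP\\dave"],
     "start": "2024-05-03T08:00:00", "end": "2024-05-03T10:00:00"},
]

LOG_CLEARED = 1102  # Security Log Cleared


def is_authorized(event, ticket):
    """True if the ticket covers this log clear with two independent approvals."""
    when = datetime.fromisoformat(event["time"])
    in_window = (datetime.fromisoformat(ticket["start"]) <= when
                 <= datetime.fromisoformat(ticket["end"]))
    same_host = ticket["host"].lower() == event["host"].lower()
    # Assumption: the account that cleared the log does not count as an
    # approver, so self-approval cannot satisfy two-person control.
    actor = event["user"].lower()
    independent = {a.lower() for a in ticket["approvers"]} - {actor}
    return same_host and in_window and len(independent) >= 2


def find_violations(events, tickets):
    """Return every 1102 event with no matching dual-approved ticket."""
    return [e for e in events
            if e["event_id"] == LOG_CLEARED
            and not any(is_authorized(e, t) for t in tickets)]


if __name__ == "__main__":
    for v in find_violations(EVENTS, TICKETS):
        print(f"VIOLATION: {v['user']} cleared Security log on {v['host']} at {v['time']}")
```

With the sample data, the FS02 clear has no ticket at all, and the second DC01 clear is flagged because one of its two approvers is the person who cleared the log.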