Skip to content
Get A Demo
Free SIEM
    How Blumira Helps With

    Meeting NIST SP 800-53 Security Controls

    With the help of the Blumira SIEM security platform and Blumira Agent for endpoint visibility, your organization can easily meet and exceed NIST 800-53 compliance requirements, including Audit and Accountability controls. NIST 800-53, a part of the broader NIST Cybersecurity Framework, applies to all federal institutions and their information systems. All government entities are required to adhere to NIST 800-53 guidelines for ensuring the security of their infrastructure.

    Audit Requirements

    • AU-1 – AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

      AU-1 – AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

      The organization: 
      • Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
      • An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      • Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;
      • Reviews and updates the current:
        • Audit and accountability policy [Assignment: organization-defined frequency];
        • Audit and accountability procedures [Assignment: organization-defined frequency]
    • AU-2 – AUDIT EVENTS

      AU-2 – AUDIT EVENTS 

      The organization:
      • Determines that the information system is capable of auditing the following events:
        • [Assignment: organization-defined auditable events];
      • Coordinates the security audit function with other organizational entities requiring audit related information to enhance mutual support and to help guide the selection of auditable events;
      • Provides a rationale for why the auditable events are deemed to be adequate to support after the-fact investigations of security incidents
      • Determines that the following events are to be audited within the information system:
        • [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
    • AU-3 – CONTENT OF AUDIT RECORDS

      AU-3 – CONTENT OF AUDIT RECORDS

      The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. 
    • AU-4 – AUDIT STORAGE CAPACITY

      AU-4 – AUDIT STORAGE CAPACITY

      The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. 

    AU-1 – AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

    The organization: 
    • Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    • An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
    • Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;
    • Reviews and updates the current:
      • Audit and accountability policy [Assignment: organization-defined frequency];
      • Audit and accountability procedures [Assignment: organization-defined frequency]

    AU-2 – AUDIT EVENTS 

    The organization:
    • Determines that the information system is capable of auditing the following events:
      • [Assignment: organization-defined auditable events];
    • Coordinates the security audit function with other organizational entities requiring audit related information to enhance mutual support and to help guide the selection of auditable events;
    • Provides a rationale for why the auditable events are deemed to be adequate to support after the-fact investigations of security incidents
    • Determines that the following events are to be audited within the information system:
      • [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

    AU-3 – CONTENT OF AUDIT RECORDS

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. 

    AU-4 – AUDIT STORAGE CAPACITY

    The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. 
    • AU-5 – RESPONSE TO AUDIT PROCESSING FAILURES

      AU-5 – RESPONSE TO AUDIT PROCESSING FAILURES

      The information system:

      • Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure;
      • Takes the following additional actions:
        • [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
    • AU-6 – AUDIT REVIEW, ANALYSIS, AND REPORTING

      AU-6 – AUDIT REVIEW, ANALYSIS, AND REPORTING

      The organization:

      • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity];
      • Reports findings to [Assignment: organization-defined personnel or roles]
    • AU-7 – AUDIT REDUCTION AND REPORT GENERATION

      AU-7 – AUDIT REDUCTION AND REPORT GENERATION

      The information system provides an audit reduction and report generation capability that:

      • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents;
      • Does not alter the original content or time ordering of audit records.
    • AU-8 – TIME STAMPS

      AU-8 – TIME STAMPS

      The information system:

      • Uses internal system clocks to generate timestamps for audit records;
      • Records timestamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

    AU-5 – RESPONSE TO AUDIT PROCESSING FAILURES

    The information system:

    • Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure;
    • Takes the following additional actions:
      • [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

    AU-6 – AUDIT REVIEW, ANALYSIS, AND REPORTING

    The organization:

    • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity];
    • Reports findings to [Assignment: organization-defined personnel or roles]

    AU-7 – AUDIT REDUCTION AND REPORT GENERATION

    The information system provides an audit reduction and report generation capability that:

    • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents;
    • Does not alter the original content or time ordering of audit records.

    AU-8 – TIME STAMPS

    The information system:

    • Uses internal system clocks to generate timestamps for audit records;
    • Records timestamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
    • AU-9 – PROTECTION OF AUDIT INFORMATION

      AU-9 – PROTECTION OF AUDIT INFORMATION

      The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

    • AU-10 – NON-REPUDIATION

      AU-10 – NON-REPUDIATION

      The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. 

    • AU-11 – AUDIT RECORD RETENTION

      AU-11 – AUDIT RECORD RETENTION

      The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. 

    • AU-12 – AUDIT GENERATION

      AU-12 – AUDIT GENERATION

      The information system:

      • Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
      • Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system;
      • Generates audit records for the events defined in AU-2 d. with the content defined in AU-3

    AU-9 – PROTECTION OF AUDIT INFORMATION

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

    AU-10 – NON-REPUDIATION

    The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. 

    AU-11 – AUDIT RECORD RETENTION

    The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. 

    AU-12 – AUDIT GENERATION

    The information system:

    • Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
    • Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system;
    • Generates audit records for the events defined in AU-2 d. with the content defined in AU-3
    • AU-13 – MONITORING FOR INFORMATION DISCLOSURE

      AU-13 – MONITORING FOR INFORMATION DISCLOSURE

      The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

    • AU-14 – SESSION AUDIT

      AU-14 – SESSION AUDIT

      The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

    • AU-15 – ALTERNATE AUDIT CAPABILITY

      AU-15 – ALTERNATE AUDIT CAPABILITY

      The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].

    • AU-16 – CROSS-ORGANIZATIONAL AUDITING

      AU-16 – CROSS-ORGANIZATIONAL AUDITING

      The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

    AU-13 – MONITORING FOR INFORMATION DISCLOSURE

    The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

    AU-14 – SESSION AUDIT

    The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

    AU-15 – ALTERNATE AUDIT CAPABILITY

    The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].

    AU-16 – CROSS-ORGANIZATIONAL AUDITING

    The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

    NIST Compliance: System and Communications Protection & Incident Response Requirements

    • System and communications protection

      System and communications protection

      SC-3 – Security Function Isolation

      Blumira Agent identifies anomalous and threat-like behavior associated with endpoints, and sends alerts to an organization. Blumira Agent’s remediation capabilities enable organizations to isolate the endpoint from the rest of their network to contain the threat and protect their systems from a compromised endpoint.

      .

    • System monitoring: S1-4

      System monitoring: S1-4

      S1-4(4) – Inbound and Outbound Communications Traffic

      S1-4(5) – System-generated Alerts

      S1-4(7) – Automated Response to Suspicious Events

      S1-4(23) – Host-based Devices

      Blumira Agent monitors Windows endpoints (hosts) for attacks and indicators of potential attacks, including unauthorized access.

      Blumira analyzes activity (including inbound and outbound communications traffic) to detect events, anomalies, and unauthorized activity, sending alert notifications to organizations about the threat finding with automated instructions on how to respond, or actions to take upon detection.

      Blumira Agent enables organizations to respond to suspicious events by isolating hosts to cut off network access and prevent lateral movement.

    • Incident handling: IR-4

      Incident handling: IR-4

      IR-4(4) – Information Correlation

      IR-4(7) – Insider Threats

      IR-4(13) – Behavior Analysis

      IR-4(14) – Security Operations Center

      Blumira detects, analyzes and helps guide organizations through response to security incidents.

      Blumira Agent provides a host isolation capability that enables organizations to quickly contain a compromised endpoint, investigate an incident with access to historical log retention, and aid in guided response with a SecOps team available 24/7 for critical priority issues.

      Blumira automates the functionality of a security operations center (SOC) by detecting, analyzing and helping organizations respond to incidents in a timely manner, at scale through its platform.

      The Blumira SIEM platform correlates incident information collected from different sources of telemetry across an organization’s IT environment to provide match stacked evidence (alert stacking), helping by gathering relevant data in the event of an investigation. It also provides the ability to search event logs and generate security reports to help with forensics.

      Blumira security engineers manage detection rules built into the platform that automatically analyze and detect events related to possible insider threats, as well as help with the analysis of anomalous or suspected adversarial behavior.

    System and communications protection

    SC-3 – Security Function Isolation

    Blumira Agent identifies anomalous and threat-like behavior associated with endpoints, and sends alerts to an organization. Blumira Agent’s remediation capabilities enable organizations to isolate the endpoint from the rest of their network to contain the threat and protect their systems from a compromised endpoint.

    .

    System monitoring: S1-4

    S1-4(4) – Inbound and Outbound Communications Traffic

    S1-4(5) – System-generated Alerts

    S1-4(7) – Automated Response to Suspicious Events

    S1-4(23) – Host-based Devices

    Blumira Agent monitors Windows endpoints (hosts) for attacks and indicators of potential attacks, including unauthorized access.

    Blumira analyzes activity (including inbound and outbound communications traffic) to detect events, anomalies, and unauthorized activity, sending alert notifications to organizations about the threat finding with automated instructions on how to respond, or actions to take upon detection.

    Blumira Agent enables organizations to respond to suspicious events by isolating hosts to cut off network access and prevent lateral movement.

    Incident handling: IR-4

    IR-4(4) – Information Correlation

    IR-4(7) – Insider Threats

    IR-4(13) – Behavior Analysis

    IR-4(14) – Security Operations Center

    Blumira detects, analyzes and helps guide organizations through response to security incidents.

    Blumira Agent provides a host isolation capability that enables organizations to quickly contain a compromised endpoint, investigate an incident with access to historical log retention, and aid in guided response with a SecOps team available 24/7 for critical priority issues.

    Blumira automates the functionality of a security operations center (SOC) by detecting, analyzing and helping organizations respond to incidents in a timely manner, at scale through its platform.

    The Blumira SIEM platform correlates incident information collected from different sources of telemetry across an organization’s IT environment to provide match stacked evidence (alert stacking), helping by gathering relevant data in the event of an investigation. It also provides the ability to search event logs and generate security reports to help with forensics.

    Blumira security engineers manage detection rules built into the platform that automatically analyze and detect events related to possible insider threats, as well as help with the analysis of anomalous or suspected adversarial behavior.

    Get Started for Free

    Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.