Device Class 3: Non-repudiation
Control ID: AU-10 Non-repudiation | Family: Audit and Accountability | Source: NIST 800-53r4 | |||||||||||||||
Control: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. | |||||||||||||||||
Supplemental Guidance: Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g.,indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related Controls: SC-8, SC-12, SC-13, SC-17, SC-23, SC-16 |
|||||||||||||||||
Control Enhancements: N/A | |||||||||||||||||
References: N/A | |||||||||||||||||
Mechanisms:
|
|||||||||||||||||
Protocol Implementation Conformance Statements:
|