Device Class 3: Non-repudiation

Control ID: AU-10 Non-repudiation
Family: Audit and Accountability
Source: NIST 800-53r4
Control: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
Supplemental Guidance:
Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).

Related Controls: SC-8, SC-12, SC-13, SC-17, SC-23, SC-16
Control Enhancements: N/A
References: N/A
Mechanisms:

  • Device non-repudiation is limited to configuration changes and application installation. All such actions shall require the use of digital credentials associated with the user or process performing them.

Protocol Implementation Conformance Statements:
ID | Statement | Status | Reference | Notes
AU-10/1 | Stores credentials associated with configuration changes for a minimum of one year. | M | | Define time period, space allotted.
AU-10/2 | Stores credentials associated with application installation (including updates, patches) for a minimum of one year. | M | | Define time period, space allotted.
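As an added illustration of the Mechanisms bullet and of AU-10/1 and AU-10/2 (example code, not part of this document or any referenced product): a device signs each configuration change or application install record with the acting user's key, stores that credential beside the record with a one-year retention deadline, and rejects actions outside the covered set. The record layout, action names and Ed25519 choice are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Actions this device class places under non-repudiation (Mechanisms section above).
var coveredActions = map[string]bool{"configuration_change": true, "application_install": true}
const retention = 365 * 24 * time.Hour // AU-10/1, AU-10/2: keep records at least one year
// ChangeRecord states who did what on the device; this is what the user's key signs.
type ChangeRecord struct {
	Actor     string    `json:"actor"`
	Action    string    `json:"action"`
	Timestamp time.Time `json:"timestamp"`
}
// SignedRecord keeps the credential beside the record so it stays verifiable after key rotation.
type SignedRecord struct {
	Record      ChangeRecord
	Signature   []byte
	Credential  ed25519.PublicKey
	RetainUntil time.Time
}

func canonical(r ChangeRecord) []byte {
	b, _ := json.Marshal(r) // fixed struct field order makes the encoding deterministic
	return b
}

// SignChange rejects actions outside the covered set and signs the rest with the actor's key.
func SignChange(r ChangeRecord, priv ed25519.PrivateKey) (SignedRecord, error) {
	if !coveredActions[r.Action] {
		return SignedRecord{}, fmt.Errorf("action %q is not covered by non-repudiation", r.Action)
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedRecord{r, ed25519.Sign(priv, canonical(r)), pub, r.Timestamp.Add(retention)}, nil
}

// Verify binds the stored record to the stored credential; any edit to the record breaks it.
func Verify(s SignedRecord) bool { return ed25519.Verify(s.Credential, canonical(s.Record), s.Signature) }

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed user credential for the demo
	rec := ChangeRecord{"alice", "configuration_change", time.Now().UTC()}
	signed, _ := SignChange(rec, priv)
	fmt.Println("valid:", Verify(signed)) // true
	signed.Record.Actor = "bob" // a later attempt to re-attribute the change
	fmt.Println("after tampering:", Verify(signed)) // false
}
```

The stored public key is the evidence the device retains for the one-year period; the private key never leaves the user's credential store.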