>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AU-10Non-repudiation

IL4 High
IL5
IL6

>Control Description

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed organization-defined actions to be covered by non-repudiation.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AU-10 [minimum actions including the addition, modification, deletion, approval, sending, or receiving of data]

>Discussion

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information).

Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.

>Related Controls

AU-9
PM-12
SA-8
SC-8
SC-12
SC-13
SC-16
SC-17
SC-23

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AU-10 (Non-Repudiation)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AU-10?
  • How frequently is the AU-10 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AU-10?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AU-10 requirements.
  • What automated tools, systems, or technologies are deployed to implement AU-10?
  • How is AU-10 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AU-10 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AU-10?
  • What audit logs, records, reports, or monitoring data validate AU-10 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AU-10 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AU-10 compliance?

Ask AI

Configure your API key to use AI features.