>myctrl.tools
Preferences
Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC
Compare

AU-3 (01)Content of Audit Records | Additional Audit Information

Moderate
High

>Control Description

Generate audit records containing the following additional information: organization-defined additional information.

>FedRAMP Baseline Requirements

Parameter Values

Additional Requirements and Guidance

AU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

>Discussion

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements.

This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AU-3(1) (Additional Audit Information)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AU-3(1)?
  • How frequently is the AU-3(1) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AU-3(1)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AU-3(1) requirements.
  • What automated tools, systems, or technologies are deployed to implement AU-3(1)?
  • How is AU-3(1) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AU-3(1) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AU-3(1)?
  • What audit logs, records, reports, or monitoring data validate AU-3(1) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AU-3(1) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AU-3(1) compliance?

Ask AI

Configure your API key to use AI features.