AU-10 NON-REPUDIATION

PCF Compliance

Audit log integrity is supported through logical access controls within the PAS itself, and via the controls in the underlying cloud infrastructure. Within the PCF platform, there are no native provisions to support cryptographic non-repudiation of audit log records using, for example, a digital signature. However, this non-repudiation control will be inherited by PCF when it is provided by the enterprise log management system. This control is not required for compliance for FISMA Moderate.
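As an added illustration, not PCF code and not part of this page, the mechanism an enterprise log management system would need in order to supply the cryptographic non-repudiation described above: each audit record is signed at ingestion with an Ed25519 private key held only by the log system, and an auditor holding just the public key can later confirm that a record is unaltered and was produced by that key holder. The record fields and the `v1|...` encoding are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuditRecord is a constructed record shape for this example, not a PCF or PAS log format.
type AuditRecord struct {
	Seq       uint64 // monotonically increasing so deleted records leave a visible gap
	Timestamp string // RFC 3339, as written by the log management system
	Actor     string // the individual or process the action is attributed to
	Action    string // the action covered by non-repudiation
}

// canonical produces one unambiguous byte encoding of a record: signer and verifier
// must sign/verify exactly the same bytes, so field order and separators are fixed.
// (A production system would use a length-prefixed or canonical JSON encoding.)
func canonical(r AuditRecord) []byte {
	return []byte(fmt.Sprintf("v1|%d|%s|%s|%s", r.Seq, r.Timestamp, r.Actor, r.Action))
}

// NewSigningKeys generates the log management system's Ed25519 key pair. Only the
// private key can produce valid signatures; auditors receive the public key only.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRecord returns the signature stored alongside the record at ingestion time.
func SignRecord(priv ed25519.PrivateKey, r AuditRecord) []byte {
	return ed25519.Sign(priv, canonical(r))
}

// VerifyRecord lets anyone holding the public key check that the record is unchanged
// since signing and that it was signed by the holder of the matching private key.
func VerifyRecord(pub ed25519.PublicKey, r AuditRecord, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

func main() {
	pub, priv, err := NewSigningKeys()
	if err != nil {
		panic(err)
	}
	rec := AuditRecord{Seq: 42, Timestamp: "2024-05-01T12:00:00Z", Actor: "alice@example.com", Action: "cf delete-app payroll"}
	sig := SignRecord(priv, rec)
	fmt.Println("original verifies:", VerifyRecord(pub, rec, sig)) // true
	rec.Actor = "bob@example.com" // an after-the-fact edit to shift attribution
	fmt.Println("altered verifies: ", VerifyRecord(pub, rec, sig)) // false
}
```

The private key must stay outside the reach of the accounts whose actions are being logged; otherwise the signatures prove integrity but not origin.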

Control Description

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].

Supplemental Guidance

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).