AU-10 Non-repudiation
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed au-10_odp.
| Parameter ID | Definition |
|---|---|
| au-10_odp | actions |
Baselines
- L
- M
- H
- P
Guidance
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
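The two mechanisms the guidance names, digital signatures and digital message receipts, can be demonstrated end to end in a few lines. The following Go program is an added example written for this page; it is not part of SP 800-53 or of any referenced publication. It assumes Ed25519 keys that are already bound to the sender and receiver identities (the PKI and key-management side is out of scope here), and the record layouts, field names, addresses and timestamps are constructed for illustration. The sender signs a message so they cannot later deny transmitting it; the receiver verifies it and then signs a receipt that names the message by its SHA-256 hash, so the receiver cannot later deny having received that exact message. The program also shows that an altered message fails verification and that the receipt does not vouch for any other message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Message is the action the sender is later unable to deny.
// Field names and the time format are assumptions made for this example.
type Message struct {
	From string `json:"from"`
	To   string `json:"to"`
	Body string `json:"body"`
	Sent string `json:"sent"`
}

// Receipt is the receiver's signed acknowledgement of one specific message,
// identified by the hash of the message's canonical bytes.
type Receipt struct {
	Receiver    string `json:"receiver"`
	MessageHash string `json:"message_hash"`
	ReceivedAt  string `json:"received_at"`
}

// canonical is the deterministic byte encoding both sides sign over.
// encoding/json emits struct fields in declaration order, so it is stable.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // structs of plain strings always marshal
	}
	return b
}

// Sign binds the canonical record to the holder of priv.
func Sign(priv ed25519.PrivateKey, v interface{}) []byte {
	return ed25519.Sign(priv, canonical(v))
}

// Verify reports whether sig was produced over v by the holder of pub.
func Verify(pub ed25519.PublicKey, v interface{}, sig []byte) bool {
	return ed25519.Verify(pub, canonical(v), sig)
}

// MessageHash is the identifier a receipt uses to point at one message.
func MessageHash(m Message) string {
	sum := sha256.Sum256(canonical(m))
	return hex.EncodeToString(sum[:])
}

// ExchangeResults records what a third-party verifier can establish afterwards.
type ExchangeResults struct {
	SenderBound     bool // message verifies under the sender's public key
	ReceiverBound   bool // receipt verifies under the receiver's public key
	ReceiptMatches  bool // receipt refers to exactly this message
	AlteredMessage  bool // an altered message still verifies (must be false)
	ReceiptForOther bool // the receipt is accepted for another message (must be false)
}

// RunExchange plays both sides of the exchange and then checks the evidence.
func RunExchange() ExchangeResults {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	recvPub, recvPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample message; the addresses and timestamps are not real.
	msg := Message{From: "alice@example.test", To: "bob@example.test",
		Body: "Approve procurement request PR-0042", Sent: "2024-01-15T10:30:00Z"}
	msgSig := Sign(senderPriv, msg)

	// The receiver verifies before acknowledging, then signs a receipt that
	// names the message by hash rather than by copying its body.
	if !Verify(senderPub, msg, msgSig) {
		panic("message did not verify; no receipt issued")
	}
	rcpt := Receipt{Receiver: msg.To, MessageHash: MessageHash(msg), ReceivedAt: "2024-01-15T10:31:12Z"}
	rcptSig := Sign(recvPriv, rcpt)

	// A later attempt to claim a different message was sent or received.
	altered := msg
	altered.Body = "Reject procurement request PR-0042"

	return ExchangeResults{
		SenderBound:     Verify(senderPub, msg, msgSig),
		ReceiverBound:   Verify(recvPub, rcpt, rcptSig),
		ReceiptMatches:  rcpt.MessageHash == MessageHash(msg),
		AlteredMessage:  Verify(senderPub, altered, msgSig),
		ReceiptForOther: rcpt.MessageHash == MessageHash(altered),
	}
}

func main() {
	fmt.Printf("%+v\n", RunExchange())
}
```

The evidence is only as strong as the binding between each public key and the person it is claimed to belong to, and as the protection of the private keys and timestamps; that is why this control relates to SC-12, SC-17 and AU-09 in the list below. A keyed MAC shared between sender and receiver would not do here: either party could have produced the tag, so it proves integrity but not who acted.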
References
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
- FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
- FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
- SP 800-177 Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1.
Control Enhancements
- AU-10(01) Association of Identities L M H P
- AU-10(02) Validate Binding of Information Producer Identity L M H P
- AU-10(03) Chain of Custody L M H P
- AU-10(04) Validate Binding of Information Reviewer Identity L M H P
- AU-10(05) Digital Signatures
Related controls
- AU-09 Protection of Audit Information L M H P
- PM-12 Insider Threat Program L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SC-08 Transmission Confidentiality and Integrity L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SC-13 Cryptographic Protection L M H P
- SC-16 Transmission of Security and Privacy Attributes L M H P
- SC-17 Public Key Infrastructure Certificates L M H P
- SC-23 Session Authenticity L M H P