AU-2 Event Logging

Family AU
Baselines moderate
Mapped KSIs 5

Control statement

a. Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
c. Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
e. Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}.
    Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
    (e) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

Parameter placeholders of the form {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Description | Category |
| --- | --- | --- | --- |
| KSI-AFR-03 | Authorization Data Sharing | Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-CMT-01 | Log and Monitor Changes | Log and monitor modifications to the cloud service offering. | Change Management |
| KSI-MLA-01 | Security Information and Event Management (SIEM) | Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes. | Monitoring, Logging, and Auditing |
| KSI-MLA-02 | Audit Logging | _Persistently_ review and audit logs. | Monitoring, Logging, and Auditing |
| KSI-MLA-07 | Event Types | Maintain a list of information resources and event types that will be monitored, logged, and audited, then do so. | Monitoring, Logging, and Auditing |