Establishes requirements for creating, protecting, and reviewing audit records to enable monitoring, analysis, investigation, and reporting — covering 9 controls per NIST SP 800-171 Rev 2.
OCSI shall create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. All auditable events shall be logged with sufficient detail to establish accountability.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.3.1 | Create and retain system audit logs and records | PARTIAL. Command Center logs events to localStorage key `ocsi_audit_log`: login attempts, logouts, lockouts, CRUD operations, exports, session timeouts. However: logs are client-side only (max 500 entries), can be deleted by the user, and have no server-side backup. Retention is browser-dependent, not guaranteed. | Partial |
| 3.3.2 | Ensure that the actions of individual system users can be uniquely traced | PARTIAL. Audit entries include authenticated user email and timestamps. However, only one admin account exists — all users share the same credential. Individual user attribution is impossible without individual accounts. | Partial |
| 3.3.3 | Review and update logged events | NOT IMPLEMENTED. No scheduled audit log review process exists. No evidence of any log review ever being conducted. No external MSSP has been engaged for log analysis. | Not Implemented |
| 3.3.4 | Alert in the event of an audit logging process failure | localStorage availability is checked at session start. If storage is unavailable, a warning banner is displayed to the admin user. Audit write operations include error handling with user notification. | Implemented |
| 3.3.5 | Correlate audit record review, analysis, and reporting processes | PARTIAL. Compliance panel provides audit log viewer with filtering and CSV export. However, no correlation or analysis process exists. No external MSSP receives logs. No regular reporting. | Partial |
| 3.3.6 | Provide audit record reduction and report generation | Audit log viewer supports filtering by event type and date range. Export function generates structured CSV for analysis. Compliance panel provides summary statistics. | Implemented |
| 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks | All timestamps are generated by `new Date().toISOString()` using the system clock, which syncs via OS-level NTP. Consistent timestamp format (ISO 8601) across all log entries. | Implemented |
| 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion | NOT IMPLEMENTED. Audit logs in localStorage can be deleted by the current user (via browser DevTools, clear storage, or the app’s own clear function). No server-side backup. No tamper protection. Any user with browser access can modify or delete all audit records. | Not Implemented |
| 3.3.9 | Limit management of audit logging functionality to a subset of privileged users | NOT IMPLEMENTED. Only one admin account exists (no privilege separation). Audit log clearing is gated behind a confirmation dialog, but any authenticated user is an admin. Browser-level access can bypass all restrictions. | Not Implemented |
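
The behaviour recorded for 3.3.1, 3.3.4 and 3.3.8 can be reproduced in a few lines. The sketch below is an added example, not OCSI's Command Center code: only the `ocsi_audit_log` key, the 500-entry cap and the ISO 8601 timestamps come from the table, while the entry fields, function names and the in-memory storage stand-in are assumptions.

```javascript
// Added illustration, not OCSI's code. Only the key name, the 500-entry cap and
// the ISO 8601 timestamps come from the table; everything else is assumed.
const AUDIT_KEY = 'ocsi_audit_log';
const MAX_ENTRIES = 500;

// Minimal stand-in for window.localStorage so the sketch runs outside a browser.
function makeMemoryStorage({ failWrites = false } = {}) {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => {
      if (failWrites) throw new Error('QuotaExceededError (simulated)');
      data.set(k, String(v));
    },
    removeItem: (k) => { data.delete(k); },
  };
}

function readLog(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(AUDIT_KEY) || '[]');
    return Array.isArray(parsed) ? parsed : [];
  } catch (_) {
    return []; // corrupted or edited value: nothing trustworthy to read
  }
}

// Appends one entry. Returns { ok, dropped }: dropped counts the oldest entries
// discarded by the cap. onFailure is the 3.3.4 alert hook (a banner in the app).
function writeAudit(storage, user, event, onFailure, now = new Date()) {
  try {
    const log = readLog(storage);
    log.push({ ts: now.toISOString(), user, event });
    const dropped = Math.max(0, log.length - MAX_ENTRIES);
    storage.setItem(AUDIT_KEY, JSON.stringify(log.slice(dropped)));
    return { ok: true, dropped };
  } catch (err) {
    onFailure(`Audit logging failed: ${err.message}`);
    return { ok: false, dropped: 0 };
  }
}

// Constructed demo: 501 writes leave 500 entries and silently lose the first.
function demoRetentionLoss() {
  const storage = makeMemoryStorage();
  for (let i = 0; i < 501; i++) {
    writeAudit(storage, 'admin@example.test', `event-${i}`, () => {});
  }
  const log = readLog(storage);
  return { count: log.length, oldest: log[0].event };
}
```

Calling `storage.removeItem(AUDIT_KEY)` afterwards empties the log and leaves no record of the deletion, which is the gap recorded under 3.3.8.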