Overview

ARS (Acceptable Risk Safeguards) is a compliance requirement established by the Centers for Medicare & Medicaid Services (CMS). The ARS framework sets forth minimum security requirements based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 3. It encompasses a comprehensive set of security standards and controls to ensure the protection of sensitive healthcare information. 

For a full list of requirements, refer to the CMS ARS v3.1 publication: https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/ars-31-publication.

Netsurion Managed XDR for ARS 3.1 Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined in ARS v3.1 compliance. With comprehensive monitoring, analysis, and reporting capabilities, healthcare organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents. 

By leveraging Netsurion Managed XDR, healthcare organizations can strengthen their security posture, align with CMS information security standards, and achieve compliance with the ARS framework. This enables them to safeguard sensitive healthcare information and ensure the privacy and security of patient data. 

Using Netsurion Managed XDR to meet ARS v3.1 Requirements

Access Control (AC)

AC 2 – Account Management

The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts.

Netsurion Open XDR collects all account management activities generated in the system. Netsurion Open XDR reports provide easy and standard review of all account management activity, and Netsurion Open XDR alerts can detect any changes to account management.

AC 3 – Access Enforcement

The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Netsurion Open XDR collects all access activities generated in the system. Netsurion Open XDR reports provide easy and independent review of access control settings and enforcement.

AC 4 – Information Flow Enforcement

The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Netsurion Open XDR incorporates a bi-directional stateful firewall that enforces the flow of data based on physical or logical addressing. Netsurion Open XDR can also be used to create and manage sophisticated protection rules that allow and deny appropriate connections and alert on suspicious behavior with a minimum number of rules and maximum flexibility.

AC 5 – Separation of Duties

The organization separates duties of individuals as necessary to prevent malevolent activity without collusion; documents separation of duties; and implements separation of duties through assigned information system access authorization.

Netsurion Open XDR enables role-based access control (RBAC) and delegated administration to support separation of administrative duties with respect to creating, deploying, and auditing security policy and events that violate the policies.

AC 6 – Least Privilege

The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Netsurion Open XDR incorporates a bi-directional stateful firewall that restricts network connections (ports, protocols, etc.) based on organizational policy. Netsurion Open XDR enables role-based access control (RBAC) and delegated administration to support the concept of least privilege and workflow of security response. Open XDR can also be used to create and manage sophisticated protection rules that allow and deny appropriate connections and alert on suspicious behavior with a minimum number of rules and maximum flexibility. Netsurion Open XDR log inspection capabilities provide the ability to monitor and alert on important security events that could indicate suspicious activity. In addition, Netsurion Open XDR integrity monitoring capabilities will detect and raise events whenever critical OS or application files are modified (e.g. Windows system files, Hosts file, registry, etc.).

AC 7 – Unsuccessful Login Attempts

The information system enforces a limit of consecutive invalid access attempts by a user during a time period.

Netsurion Open XDR log inspection capabilities provide the ability to monitor and alert on important security events such as ‘x’ failed login attempts within ‘y’ time period, providing administrators with visibility into unsuccessful login attempts.

AC 17 – Remote Access

The organization authorizes, monitors, and controls all methods of remote access to the information system.

Netsurion Open XDR offers controls for securing remote access including:

  • The ability to dynamically assign firewall rules based upon user location; for example, remote users will have more stringent firewall policies assigned to reduce the attack surface.
  • Protection against bridging attacks (wired vs. wireless)
  • Enforcing usage of VPN connections for remote users, etc.

All of the above capabilities are augmented with the IDS/IPS, integrity monitoring, and log inspection capabilities provided by Netsurion Open XDR to facilitate the monitoring and control of remote access methods.

AC 18 – Wireless Access

The organization: Establishes usage restrictions and implementation guidance for wireless technologies; and authorizes, monitors, and controls wireless access to the information system.

Netsurion Open XDR offers controls for securing wireless mobile workers including:

  • The ability to dynamically assign firewall rules based upon user location; for example, remote users will have more stringent firewall policies assigned to reduce the attack surface.
  • Protection against bridging attacks (wired vs. wireless)
  • Enforcing usage of VPN connections for remote users, etc.

All capabilities above are augmented with standard IDS/IPS, integrity monitoring and log inspection capabilities provided by Netsurion.

AC 19 – Access Control for Mobile Devices

The organization: Establishes usage restrictions and implementation guidance for organization controlled portable and mobile devices; and authorizes, monitors, and controls device access to organizational information systems.

Netsurion Open XDR entity and network definitions allow for correlation and event monitoring based on location relative to the organizational networks, to determine inbound, outbound, and local network traffic. Remote access and usage activities from mobile devices can be monitored by observation of the logs from authentication systems, security systems and production servers.

Audit and Accountability (AU)

AU 2 – Audit Event

The information system generates audit records for events.

Netsurion Open XDR provides the ability to monitor and alert on important security events that could indicate suspicious activity. In addition, Netsurion Open XDR will log Firewall, IDS/IPS, and Integrity Monitoring events and generate alerts based upon the security policy assigned. Alerts can be delivered via various mechanisms such as email, SNMP, as well as through the Manager interface.

AU 3 – Content of Audit Records

The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.

Netsurion Open XDR event logs contain very granular network information about the event, including the event type and sources of events, and can even capture the complete contents of the packet. The Manager also logs all important internal system events such as administrator logins and system errors.

AU 4 – Audit Storage Capacity

The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Events and logs are spooled locally at each Netsurion Open XDR agent and sent to Netsurion Open XDR on a scheduled heartbeat. The size of the local spool is configurable, and the Manager is limited only by the available disk space assigned to the database.

AU 5 – Response to Audit Processing Failures

The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Netsurion Open XDR has several mechanisms to respond to audit processing failures. It will alert when disk space is low or as Agents go offline. It will then overwrite the oldest logs as needed so that the most recent events are available. The Agent will enforce protection even if it cannot generate events.

AU 6 – Audit Review, Analysis, and Reporting

The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

Netsurion Open XDR provides a number of features which assist with audit monitoring, analysis, and reporting such as customizable dashboards, alerting, and reporting. It forwards this valuable event information via syslog to a centralized log server or SIEM for further analysis.

AU 7 – Audit Reduction and Report Generation

The information system provides an audit reduction and report generation capability.

Netsurion Open XDR has several out-of-box reports that can be scheduled or produced on demand. Reports can be automatically delivered via email and can be restricted based on role-based administrative access. In addition, event information can be exported for further analysis.

AU 8 – Time Stamps

The information system provides time stamps for use in audit record generation.

All Netsurion Open XDR alerts and logs are time stamped.

AU 9 – Protection of Audit Information

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

The delivery of events to Netsurion Open XDR is authenticated and encrypted using certificates and SSL encryption. Data at rest in the database is password protected. Open XDR agent log inspection may also be used to forward important security events from operating system and application logs to a centralized logging server to prevent local tampering. Netsurion Open XDR enables role-based access control (RBAC) and delegated administration to support separation of administrative duties to a limited subset of privileged users.

AU 11 – Audit Record Retention

The organization retains audit records to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Netsurion Open XDR supports integration with SIEM solutions for long term archival of security event information. In addition, Netsurion Open XDR can store audit logs and events for an indefinite amount of time, limited only by the available disk space of the database server. Native database tools can be used to back up and archive data as appropriate.

AU 12 – Audit Generation

The information system: provides audit record generation capability for the list of auditable events defined in AU-2; allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and, generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

Netsurion Open XDR event logs contain very granular network information about the event, including the event type and sources of events, and can even capture the complete contents of the packet. The Manager also logs all important internal system events such as administrator logins and system errors. Netsurion Open XDR enables role-based access control (RBAC) and delegated administration to support separation of administrative duties to a limited subset of privileged users. Netsurion Open XDR supports integration with SIEM solutions for long term archival of security event information. In addition, Netsurion Open XDR can store audit logs and events for an indefinite amount of time, limited only by the available disk space of the database server. Native database tools can be used to back up and archive data as appropriate.

Security Assessment and Authorization (CA)

CA 2 – Security Assessments

The organization assesses the security controls in the information system periodically to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Netsurion Open XDR log analysis and reporting capabilities can be leveraged during a security assessment to help ensure implemented controls are functioning as intended and to potentially identify any weaknesses.

CA 7 – Continuous Monitoring

The organization monitors the security controls in the information system on an ongoing basis.

Netsurion Open XDR monitoring, analysis, and reporting capabilities provide for continuous monitoring of specific controls across the IT infrastructure. For instance, Netsurion Open XDR alerts can detect the use of restricted accounts.

CA 9 – Internal System Interconnections

The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.

Netsurion Open XDR can collect network device logs, and Open XDR’s network connection monitoring feature identifies the network connections established. Netsurion Open XDR’s analysis and reporting capabilities can be used for reviewing network activity to ensure only authorized communications occur. Netsurion Open XDR alerts can be used for detecting unauthorized communications.

Configuration Management (CM)

CM 5 – Access Restrictions for Change

The organization:

  • Approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and
  • Generates, retains, and reviews records reflecting all such changes.

Netsurion Open XDR collects all access activity and changes to access controls. Netsurion Open XDR reports provide easy and independent review of access control settings and enforcement.

CM 6 – Configuration Settings

The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Netsurion Open XDR collects and analyzes all configuration change logs. Netsurion Open XDR provides alerting on configuration/policy changes on critical systems. Netsurion Open XDR investigations, reports, and details provide evidence of configuration/policy changes.

CM 11 – User Installed Software

The organization enforces explicit rules governing the installation of software by users.

Netsurion Open XDR monitoring, analysis, and reporting capabilities provide for continuous monitoring of specific controls across the IT infrastructure. For instance, Netsurion Open XDR alerts can detect the use of restricted accounts.

Identification and Authentication (IA)

IA 2 – Identification and Authentication (Organizational Users)

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Netsurion Open XDR provides support for NIST 800-53 control requirements IA-2 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on authentication failures. Netsurion Open XDR investigations, reports, and tails provide evidence of all account authentication activity.

IA 3 – Device Identification and Authentication

The information system uniquely identifies and authenticates devices before establishing a connection.

Netsurion Open XDR provides support for control requirement IA-3 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on vendor default account authentications. Netsurion Open XDR investigations, reports, and details provide evidence of all account authentication activity including those from vendor default accounts.

IA 8 – Identification and Authentication (Non-Organizational Users)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Netsurion Open XDR provides support for control requirement IA-8 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on vendor or 3rd party account authentication failures. Netsurion Open XDR investigations, reports, and tails provide evidence of all account authentication activity including those from vendor or 3rd party accounts.

Incident Response (IR)

IR 4 – Incident Handling

The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Netsurion Open XDR provides support for control enhancement IR-4 by detecting and notifying individuals of activity that may constitute an incident. Netsurion Open XDR’s analysis capabilities provide quick & easy analysis of activity to determine the incidents. Netsurion Open XDR provides correlation, pattern recognition, and behavioral analysis. Netsurion Open XDR’s integrated knowledge base provides information useful in responding to and resolving the incident.

IR 5 – Incident Monitoring

The organization tracks and documents information system security incidents.

Netsurion Open XDR provides direct support for control requirements IR-5 by providing security incident tracking and documentation through the Netsurion Open XDR management interface.

IR 6 – Incident Reporting

The organization promptly reports incident information to appropriate authorities.

Netsurion Open XDR notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. Netsurion Open XDR reports provide summary and detail level reporting of incident based alerts.

IR 7 – Incident Response Assistance

The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.

Netsurion Open XDR integrated knowledge base provides information useful in responding to and resolving incidents.

Maintenance (MA)

MA 2 – Controlled Maintenance

The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Netsurion Open XDR provides support for NIST 800-53 control requirement MA-2 by collecting and analyzing all error logs. Netsurion Open XDR provides alerting on critical maintenance errors. Netsurion Open XDR investigations, reports, and tails provide evidence of critical errors, process shutdowns, and system shutdowns which occur after maintenance.

MA 4 – Non-Local Maintenance

The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.

Netsurion Open XDR can identify maintenance related activity for analysis and/or reporting. Netsurion Open XDR reports provide easy review of remotely executed maintenance activity.

MA 5 – Maintenance Personnel

The organization allows only authorized personnel to perform maintenance on the information system.

Netsurion Open XDR can identify maintenance related activity for analysis and/or reporting. Netsurion Open XDR reports provide easy review of maintenance activity.

Media Protection (MP)

MP 2 – Media Access

The organization restricts access to organization defined types of digital and non-digital media to organization-defined list of authorized individuals using organization-defined security measures.

Netsurion Open XDR provides support for control requirement MP-2 by utilizing the Netsurion Open XDR feature of the Windows System Monitor. Netsurion Open XDR monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running, and also monitors and logs the transmission of files to an external storage device. Netsurion Open XDR can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB drive storage devices include Flash/RAM drives and CD/DVD drives.

Physical and Environmental Protection (PE)

PE 3 – Physical Access Control

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Netsurion Open XDR provides support for control requirement PE-3 by collecting log messages from physical access devices (e.g. Card Key) at all physical access points. Netsurion Open XDR provides alerting on suspicious physical access. Netsurion Open XDR investigations, reports, and tails provide evidence of physical access failures/successes.

PE 5 – Access Control for Output Devices

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

Netsurion Open XDR provides support for NIST 800-53 control requirement MP-2 by utilizing the Netsurion Open XDR feature of the Windows System Monitor. Netsurion Open XDR monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running, and also monitors and logs the transmission of files to an external storage device. Netsurion Open XDR can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB drive storage devices include Flash/RAM drives and CD/DVD drives.

Personnel Security (PS)

PS 4 – Personnel Termination

The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.

Netsurion Open XDR reports provide easy review of terminated personnel to ensure access rights have been removed. Netsurion Open XDR alerts can be used to detect usage of should-be terminated user accounts.

PS 5 – Personnel Transfer

The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.

Netsurion Open XDR reports provide easy review of transferred personnel to ensure access rights have been terminated and/or appropriately modified.

Risk Assessment (RA)

RA 5 – Vulnerability Scanning

The organization: Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported. Analyzes vulnerability scan reports and results from security control assessments.

Netsurion Open XDR provides support for control requirement RA-5 by collecting vulnerability detection log messages. Netsurion Open XDR provides alerting on high risk vulnerabilities. Open XDR investigations, reports, and details provide evidence of security vulnerabilities from vulnerability detection systems.

System and Communications Protection (SC)

SC 5 – Denial of Service Protection

The information system protects against or limits the effects of the following types of denial of service attacks (organization-defined list of types of denial of service attacks or reference to source for current list).

Netsurion Open XDR provides support for control requirement SC-5 by providing central collection and monitoring of security log messages. Netsurion Open XDR provides alerting on security events such as any out-of-the-ordinary behavior in the environment. Netsurion Open XDR investigations, reports, and details provide evidence of security events.

SC 7 – Boundary Protection

The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Netsurion Open XDR can collect boundary device logs from routers, firewalls, VPN servers, etc. Netsurion Open XDR can alert on unauthorized or suspicious activity. Netsurion Open XDR reports provide a consolidated review of internal/external boundary activity and threats.

SC 15 – Collaborative Protection

The information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.

Netsurion Open XDR will be able to identify, report, and/or alert on the initiation of specific collaborative computing activity.

SC 18 – Mobile Code

The organization: Establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously. Authorizes, monitors, and controls the use of mobile code within the information system.

Netsurion Open XDR will be able to identify, report, and/or alert on specific mobile code activity.

SC 23 – Session Authenticity

The information system protects the authenticity of communications sessions.

Netsurion Open XDR supports and analyzes logs against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

SC 28 – Protection of Information at Rest

The information system protects the confidentiality and integrity of information at rest.

Netsurion Open XDR provides supplemental support for control requirement SC-28 by providing details of changes to information at rest. Netsurion Open XDR can be configured to monitor system file or directory activity, deletions, modifications, and permission changes.

System and Information Integrity (SI)

SI 2 – Flaw Remediation

The organization identifies, reports, and corrects information system flaws.

Netsurion Open XDR complements secure coding initiatives with strong detection and prevention of attacks against technical flaws and vulnerabilities:

  • Detection: Even if an application is not susceptible to a specific attack, it is important to identify attackers before they find other potential vulnerabilities.
  • Protection: Netsurion Open XDR shields web application vulnerabilities, preventing security breaches until the underlying flaws can be addressed. Netsurion Open XDR systematically monitors a wide range of vulnerability research sources to identify and deliver to customers. The deployment of new security rules can be completely automated so that downloading and installing new security rules to the appropriate systems occur without administrative intervention. Netsurion Open XDR also supports the ability to schedule automatic scans of host systems – one time only, daily, weekly, and so forth – offering recommendations on the appropriate security rules to protect these hosts.

SI 3 – Malicious Code Protection

The information system implements malicious code protection.

Netsurion Open XDR detects and prevents attacks that target data and applications, including activity from malicious code. Netsurion Open XDR alerts personnel the moment an attack has been attempted, and provides detailed logging of the event for audit purposes. For commercial applications which contain known vulnerabilities targeted by malicious code, Netsurion Open XDR virtual patching capabilities protect systems and data until vendor patches can be deployed.

Netsurion Open XDR systematically monitors a wide range of vulnerability research sources to identify and deliver to customers. The deployment of new security rules can be completely automated so that downloading and installing new security rules to the appropriate systems occur without administrative intervention. Netsurion Open XDR also supports the ability to schedule automatic scans of host systems – one time only, daily, weekly, and so forth – offering recommendations on the appropriate security rules to protect these hosts. Web application protection rules defend against SQL injection attacks, cross-site scripting attacks, and other Web application vulnerabilities, and shield these vulnerabilities until code fixes can be completed.

SI 4 – Information System Monitoring

The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.

Netsurion Open XDR collects and analyzes operating system and application logs for security events. Log Inspection rules optimize the identification of important security events buried in multiple log entries. These events are forwarded to a security information and event management (SIEM) system or centralized logging server for correlation, reporting and archiving. Reports can be scheduled to run automatically and alerts can be delivered via SNMP or email, in addition to visibility from the Netsurion Open XDR console.

SI 5 – Security Alerts, Advisories, and Directives

The organization receives, generates, and disseminates security alerts and implements security directives in accordance with established time frames.

Netsurion Open XDR provides alerts that are integral to a security incident response plan. Because it can prevent attacks as well, Netsurion Open XDR reduces the number of incidents requiring a response. The solution’s integration with leading SIEM vendors enables a consolidated view of security incidents. It monitors the integrity of critical system and application files such as executables, configuration and parameter files, and log and audit files, and includes support for alerting, dashboards, and reporting on events created. Netsurion Open XDR enables collection of important security events from operating system and application log files, including the ability to forward all events – or only events relevant – to centralized logging servers or SIEMs via syslog in real time, in addition to sending these events to Netsurion Open XDR.

SI 6 – Security Function Verification

The information system verifies the correct operation of security when anomalies are discovered.

Netsurion Open XDR monitors the Agents to ensure that they are in constant communication and creates an alert if an Agent terminates communication for any reason.

SI 7 – Software, Firmware, and Information Integrity

The information system detects and protects against unauthorized changes to software and information.

Netsurion Open XDR’s change audit module provides the ability to monitor critical operating system files, registry keys and values, and application files for changes and generate alerts on detected changes. These events are sent to Netsurion Open XDR which supports dashboards, alerts, and reporting. In addition, these events can also be sent to a SIEM for additional correlation and analysis.

SI 8 – Spam Protection

The organization employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means.

Netsurion Open XDR provides support for control requirement SI-8 by collecting and analyzing SPAM logs. Netsurion Open XDR investigations, reports, and tails provide evidence of SPAM protection activity.

SI 11 – Error Handling

The information system identifies potentially security-relevant error conditions.

Netsurion Open XDR provides support for control requirement SI-11 by collecting and analyzing all error logs. Netsurion Open XDR provides alerting on security related critical errors. Netsurion Open XDR investigations, reports, and tails provide evidence of security related errors, process shutdowns, and system shutdowns.

SI 6 – Security Function Verification

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Netsurion Open XDR completely automates the process and requirement of collecting and retaining audit logs. Netsurion Open XDR retains logs in compressed archive files for easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.