AU 11 AUDIT RECORD RETENTION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

AU-11 AUDIT RECORD RETENTION

Control: Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Discussion: Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

Related Controls: AU-2, AU-4, AU-5, AU-6, AU-9, AU-14, MP-6, RA-5, SI-12.

Control Enhancements:

  • (1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY
    Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.

    Discussion: Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.

    Related Controls: None.

References: [OMB A-130].
