This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization retains audit records for [FedRAMP Assignment: (L)(M) at least ninety days; (H) at least one (1) year] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11 Additional FedRAMP Requirements and Guidance: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
NIST 800-53 (r4) Supplemental Guidance:
Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6.
References: None.
NIST 800-53 (r5) Discussion:
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.
38North Guidance:
Meets Minimum Requirement:
Cloud Service Offering (CSO) audit records must be retained online for at least 90 days and offline for at least one year, in accordance with NARA requirements.
Best Practice:
Ensure that online storage capacity can retain audit records from all system components within the boundary online for at least 90 days.
Ensure that offline storage capacity can retain audit records from all system components within the boundary offline for at least 1 year.
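One way to turn the two retention floors above into a repeatable check across every component in the boundary (added example, not part of the original guidance; component names, dates and the `inventory`/`stores` input shapes are assumptions). It also caps the expectation for a component deployed less than 90 days or one year ago, which otherwise produces false findings:

```python
from datetime import date

# Retention floors from the control text (days).
ONLINE_MIN_DAYS = 90     # on-line, (L)/(M) baseline
OFFLINE_MIN_DAYS = 365   # off-line, at least one year


def required_days(deployed, today, floor):
    """A component cannot hold more history than its own age, so the
    expectation for a recently onboarded component is capped at its age."""
    return max(0, min(floor, (today - deployed).days))


def retention_findings(inventory, stores, today):
    """inventory: {component: deployment date} for everything in the boundary.
    stores: {"online" | "offline": {component: oldest retained record date}}.
    Returns a list of finding strings; an empty list means coverage holds."""
    findings = []
    for tier, floor in (("online", ONLINE_MIN_DAYS), ("offline", OFFLINE_MIN_DAYS)):
        oldest = stores.get(tier, {})
        for component, deployed in inventory.items():
            need = required_days(deployed, today, floor)
            if component not in oldest:
                # A boundary component with no records in this tier is a gap
                # even before looking at how long anything has been kept.
                findings.append(f"{component}: no {tier} audit records found")
                continue
            have = (today - oldest[component]).days
            if have < need:
                findings.append(f"{component}: {tier} retention is {have} days, need >= {need}")
    return findings


# Constructed sample data (hypothetical components and dates, not from the page).
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_INVENTORY = {
    "web-proxy": date(2023, 1, 1),
    "api-gateway": date(2023, 1, 1),
    "new-db": date(2024, 6, 1),   # onboarded 29 days ago, so 29 days is all it can show
}
SAMPLE_STORES = {
    "online": {"web-proxy": date(2024, 3, 1), "api-gateway": date(2024, 5, 15), "new-db": date(2024, 6, 1)},
    "offline": {"web-proxy": date(2023, 1, 15), "new-db": date(2024, 6, 1)},
}

if __name__ == "__main__":
    for finding in retention_findings(SAMPLE_INVENTORY, SAMPLE_STORES, SAMPLE_TODAY):
        print(finding)
```

Feeding it the oldest record timestamp per component from the SIEM and the archive gives the same evidence the screenshots below are meant to show, but for every component at once.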
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of logs in the Security Information and Event Management (SIEM) system with timestamps at least 90 days old, demonstrating online retention.
Screenshots of offline audit log storage demonstrating that all audit logs are retained for at least 1 year.
Policies and procedures that document the online and offline audit log storage processes.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD