This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
NIST 800-53 (r4) Supplemental Guidance:
Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
NIST 800-53 (r5) Discussion:
Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.
38North Guidance:
Meets Minimum Requirement:
Validate that data storage capacity meets CSP and customer (NARA) retention requirements, so that the CSP can support after-the-fact investigation when a potential incident is detected.
Retain at least 90 days of records online (readily accessible for query) and at least three (3) years in long-term storage to support archival.
Best Practice:
The U.S. National Archives and Records Administration, Records Schedule: https://www.archives.gov/about/records-schedule
Unofficial FedRAMP Guidance: None
Assessment Evidence:
CSP and customer requirements applicable to information handling, retention, and destruction of customer data. Storage capacity configurations for audit log storage and other storage solutions showing that logs and data can be retained in accordance with CSP and customer requirements.
Audit logs and data dating back to required retention period.
CSP Implementation Tips:
Amazon Web Services (AWS): Amazon S3, with lifecycle rules transitioning objects to the Amazon S3 Glacier storage classes for long-term retention
Microsoft Azure: Azure Blob storage (hot, cool and archive access tiers, with lifecycle management policies)
Google Cloud Platform: TBD
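As an added example (not part of the original guidance, and not 38North or AWS tooling), the following Python check evaluates an S3 bucket lifecycle configuration against the minimum stated above: at least 90 days online before transition to an archive tier and at least three years before any expiration. It assumes the JSON shape returned by `aws s3api get-bucket-lifecycle-configuration` (a top-level "Rules" list); the two sample configurations are constructed for illustration.

```python
"""Check an S3 lifecycle configuration against the retention minimum on this
page: 90 days online before archival, three years before expiration.

Constructed example; not 38North or AWS code. Input is the JSON shape that
`aws s3api get-bucket-lifecycle-configuration` returns ({"Rules": [...]}).
"""
import json

ONLINE_MIN_DAYS = 90          # online (readily accessible) retention
RETENTION_MIN_DAYS = 3 * 365  # three years of long-term retention

# Storage classes whose objects must be restored before they can be read, so
# a transition into them ends the online period. (GLACIER_IR is instant
# retrieval and is deliberately not counted as offline.)
ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}


def check_rule(rule):
    """Return findings (strings) for one lifecycle rule; an empty list means
    the rule does not shorten retention below the minimum."""
    findings = []
    rid = rule.get("ID", "<unnamed>")
    if rule.get("Status") != "Enabled":
        return findings  # a disabled rule neither archives nor deletes

    # Transition into an archive tier before 90 days shortens the online period.
    for t in rule.get("Transitions", []):
        days, cls = t.get("Days"), t.get("StorageClass")
        if cls in ARCHIVE_CLASSES and days is not None and days < ONLINE_MIN_DAYS:
            findings.append(f"{rid}: transitions to {cls} after {days} days "
                            f"(minimum online period is {ONLINE_MIN_DAYS})")

    # Expiration before three years deletes data the retention requirement
    # still covers. No Expiration at all means indefinite retention, which
    # satisfies the minimum.
    exp = rule.get("Expiration", {})
    if "Days" in exp and exp["Days"] < RETENTION_MIN_DAYS:
        findings.append(f"{rid}: expires current versions after {exp['Days']} "
                        f"days (minimum retention is {RETENTION_MIN_DAYS})")
    if "Date" in exp:
        findings.append(f"{rid}: expires on fixed date {exp['Date']}; "
                        "review against the records schedule")

    # Versioned buckets: noncurrent versions are still records.
    nce = rule.get("NoncurrentVersionExpiration", {})
    if "NoncurrentDays" in nce and nce["NoncurrentDays"] < RETENTION_MIN_DAYS:
        findings.append(f"{rid}: expires noncurrent versions after "
                        f"{nce['NoncurrentDays']} days "
                        f"(minimum retention is {RETENTION_MIN_DAYS})")
    return findings


def check_lifecycle(config_json):
    """Evaluate every rule in a bucket lifecycle configuration (JSON text).
    A rule with a Filter/Prefix only governs matching keys, so the caller
    must still confirm the audit-log prefix is covered by some rule."""
    cfg = json.loads(config_json)
    findings = []
    for rule in cfg.get("Rules", []):
        findings.extend(check_rule(rule))
    return findings


# Constructed sample: the 90-day online / three-year archive pattern.
COMPLIANT_CONFIG = json.dumps({"Rules": [{
    "ID": "audit-logs-retention",
    "Status": "Enabled",
    "Filter": {"Prefix": "audit-logs/"},
    "Transitions": [{"Days": ONLINE_MIN_DAYS, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": RETENTION_MIN_DAYS},
    "NoncurrentVersionExpiration": {"NoncurrentDays": RETENTION_MIN_DAYS},
}]})

# Constructed sample: a cost-driven rule that breaks the minimum three ways.
NONCOMPLIANT_CONFIG = json.dumps({"Rules": [{
    "ID": "audit-logs-cheap",
    "Status": "Enabled",
    "Filter": {"Prefix": "audit-logs/"},
    "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": 365},
    "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
}]})

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG),
                      ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(name, check_lifecycle(cfg) or ["OK"])
```

A lifecycle rule only governs automated transition and deletion; it does not stop a privileged user from deleting objects early, so the check above is evidence of capacity and scheduling, not of immutability. Pair it with the storage-capacity evidence listed under Assessment Evidence and with whatever deletion controls the CSP's retention requirement calls for.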