The National Archives and Records Administration (NARA) today published an update to the government’s records retention rules, which provides Federal agencies with new instructions on how long to hang on to cybersecurity logs.
The General Records Schedule (GRS) establishes instructions for the types of records agencies must keep and how long they must be held before they are deleted or otherwise destroyed. The new rules for the GRS section on Information Systems Security Records are the first update to that section since it was established in 2014.
NARA’s GRS update clarifies how long those records must be saved and codifies the retention policies. The new requirements cover two types of cybersecurity logging records: full packet capture data (PCAP) and cybersecurity incident logs.
PCAPs record all data packets that move through a network, data that is critical for cybersecurity forensics because it captures the story of all data movement across every connected device on the network. According to the new instructions, PCAPs must be kept for at least 72 hours.
Cybersecurity event logs are used to record all data and actions taken for “detection, investigation, and remediation of cyber threats,” the updated document states. Cybersecurity incident logs are to be kept for up to 30 months, according to the new instructions.
The update emphasizes that the rules for both record types apply only to electronic versions of these records. The new instructions also make clear that only the logs themselves are covered under the retention policy, not the underlying data being logged.