The US National Archives and Records Administration (NARA) has updated its General Records Schedule (GRS), which establishes rules for record retention. The update includes new requirements for how long government entities must retain cybersecurity logs and other network data. The updated GRS mandates that federal agencies must keep full packet capture data for at least 72 hours and cybersecurity event logs for 30 months.
Note
- Both Packet Capture (PCAP) and event logs are important data sources for forensic teams investigating a cyber breach. While some cybersecurity professionals might question maintaining PCAP data for a minimum of 72 hours, it’s a reasonable balance between storage requirements and equipping the cyber defender.
- This only applies to the logs, not the data or content on systems that generated those logs. This means keeping logs on centralized logging infrastructure, so you don’t miss retention requirements through lifecycle activities of the systems generating the logs. This ties back to directives contained in the May 2021 Cyber Security Executive Order (EO 14028).
- Enterprises should consider similar retention rules to facilitate both routine management and necessary forensics.