NARA publishes first update to cybersecurity records rules since 2014
The agency is issuing an update to the General Records Schedule, including new rules for packet capture and cybersecurity incident logs.
The National Archives and Records Administration will publish an update to the government’s records retention rules Wednesday establishing new mandates for how long federal agencies must hang on to cybersecurity logs and other network data.
The General Records Schedule, or GRS, establishes the types of records agencies must keep and how long before they can be deleted or otherwise destroyed—known as disposition instructions.
The new disposition instructions in Transmittal 33—set to publish Wednesday on NARA’s website and in the Federal Register—include retention requirements for two types of cybersecurity logging records: full packet capture data—which must be kept for at least 72 hours—and cybersecurity event logs, which must be kept for up to 30 months. Both types of records can be stored longer, according to NARA, as “authorized for business use.”
The new rules are the first update to the GRS section on Information Systems Security Records since it was established in 2014.
Packet capture data, also known as PCAP, is a rundown of all data packets that move through a network. This data is critical for conducting cybersecurity forensics, as it logs the story of all data movement across all connected devices on a network.
Cybersecurity event logs are even more granular, as those are used to record all data and actions taken for “detection, investigation and remediation of cyber threats,” the transmittal document states.
Both records were initially called out in a wide-ranging May 2021 executive order on cybersecurity. The EO was followed up in an August 2021 memo instructing agencies to work with the Cybersecurity and Infrastructure Security Agency and the FBI after a security incident, including sharing key security logs.
NARA’s new transmittal clarifies how long those records must be saved and codifies the retention policies.
The update notes both records are “not media neutral” and the rule only applies to electronic versions of these records. The transmittal was also clear that only the logs are covered under the retention policy and not the underlying data that was being logged.
“This schedule covers records created and maintained by federal agencies related to protecting the security of information technology systems and data, and responding to computer security incidents,” the document states. “This schedule does not apply to system data or content.”