AU-11 AUDIT RECORD RETENTION
Page last updated:
Compliance with this requirement is primarily a deployer responsibility. All implied technical control requirements are satisfied by the PCF platform. Definition of an appropriate retention policy, and the associated procedural controls, are the responsibility of the deployer. The PCF platform simply inherits the operational controls that have been defined by the organization.
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.