CCI-000167

Retain audit records for an organization-defined time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Implementation Guidance

The organization being inspected/assessed will take action to ensure it retains audit records for 5 years for SAMI; otherwise for at least 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year.

Validation Procedures

The organization conducting the inspection/assessment reviews the information system audit records and any other relevant documents or records to ensure the organization being inspected/assessed retains its audit records for 5 years for SAMI; otherwise for at least 1 year. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year.

Compelling Evidence

1.) Signed and dated audit and accountability policy 2.) After action reports which include audit logs

The controls below (if any) were marked by NIST as being related to CCI-000167.