NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-11 — Audit Record Retention
Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Supplemental Guidance
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.
Practitioner Notes
Keep your audit records long enough to support investigations and meet regulatory requirements. If you delete logs after 30 days and a breach is discovered after 60 days, you have lost the evidence.
Example 1: Configure your SIEM to retain logs for at least 1 year — 90 days online (hot/warm storage) for active analysis, and the remainder in archive (cold/frozen storage) for investigations. For DFARS/CMMC, the requirement is typically 1 year minimum. Document your retention policy.
Example 2: In M365, ensure Unified Audit Log retention is configured appropriately. E5 licenses retain audit logs for 1 year by default (extendable to 10 years with the Audit Log 10-year retention add-on). E3 licenses retain for 180 days. If you have E3, set up a process to export audit logs before the 180-day window closes.
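The export process described in Example 2, as an added example written for this page (not Microsoft's code and not part of the control text): a scheduled PowerShell job that archives Unified Audit Log records one UTC day at a time so that E3 tenants keep evidence past the 180-day window. It uses the ExchangeOnlineManagement module's Search-UnifiedAuditLog cmdlet; the archive path, the trailing window and the one-day chunk size are assumptions chosen for the example.

```powershell
# Added example: rolling export of the M365 Unified Audit Log (UAL) to
# long-term storage. Schedule it daily so records are archived long before
# the 180-day E3 retention window closes. Requires the ExchangeOnlineManagement
# module and an account permitted to read the audit log. $ExportRoot and
# $DaysBack are assumptions for this example, not values from the control.
param(
    [string]$ExportRoot = 'D:\AuditArchive\M365-UAL',  # assumed archive location
    [int]$DaysBack = 7   # re-export a trailing window to pick up late-arriving records
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null

for ($d = $DaysBack; $d -ge 1; $d--) {
    # One UTC day per search session keeps most tenants under the 50,000-record
    # cap that a single ReturnLargeSet session can page through.
    $start     = (Get-Date).ToUniversalTime().Date.AddDays(-$d)
    $end       = $start.AddDays(1)
    $outFile   = Join-Path $ExportRoot ('UAL-{0:yyyy-MM-dd}.jsonl' -f $start)
    $sessionId = [guid]::NewGuid().ToString()   # new session id per day-chunk
    $written   = 0

    # Overwrite the day's file so a re-run does not duplicate records.
    if (Test-Path $outFile) { Remove-Item $outFile }

    do {
        # Repeated calls with the same SessionId return successive 5,000-record
        # pages; an empty result means the session is exhausted.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page.Count -gt 0) {
            if ($written -eq 0 -and $page[0].ResultCount -gt 50000) {
                Write-Warning ("{0:yyyy-MM-dd}: {1} records exceed the session cap; narrow the window" -f $start, $page[0].ResultCount)
            }
            # AuditData holds the full JSON event; one record per line re-ingests
            # cleanly into a SIEM during a later investigation.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $outFile -Encoding UTF8
            $written += $page.Count
        }
    } while ($page.Count -gt 0)

    Write-Host ('{0:yyyy-MM-dd}: {1} records archived to {2}' -f $start, $written, $outFile)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Point $ExportRoot at storage covered by the retention policy from Example 1 (the archive/cold tier), and verify the daily files exist as part of the same documented process.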