Log Retention

Log retention refers to how long you keep audit logs and security event records before they are moved to cheaper archive storage or deleted. A retention policy balances storage cost against the need to have historical data available for incident investigation, compliance verification, and forensic analysis; in practice it usually states two periods, how long logs stay online and searchable and how long they are kept at all.

For defense contractors, DFARS 252.204-7012 requires preserving images of affected systems and all relevant monitoring and packet-capture data for at least 90 days from the date the cyber incident report is submitted to DoD, so that DoD can request the media. That clock starts at report submission, not at the time of the incident, so routine retention-driven deletion has to be suspended for the affected systems until the window closes. Many frameworks and best practices recommend retaining security logs for at least one year (PCI DSS, for example, requires twelve months with the most recent three months immediately available), with some organizations keeping them longer based on their risk assessment and regulatory requirements.

Why It Matters

CMMC practice AU.L2-3.3.1 (NIST SP 800-171 3.3.1) requires creating and retaining system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Intrusions are routinely discovered months after the initial compromise, and if the logs from that period have already aged out you cannot establish what happened or what data was affected. Define and document your log retention policy, including how long logs stay online versus in archive, how deletion is enforced, and how an incident or legal hold suspends that deletion.