NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-11(1) — Long-term Retrieval Capability
Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.
Practitioner Notes
Maintain the ability to retrieve archived audit records months or years after they were written. Storing them is not enough: you must be able to locate, read, and search them when an investigation or audit needs them, which means the storage media, the software that reads the format, and the documentation describing the record layout all have to survive as long as the records do.
Example 1: Test the restoration process on a schedule. Every quarter, select a random archived log file that is at least 6 months old, restore it from the archive, verify its integrity (for example against a checksum recorded when it was archived), and confirm that you can search it. Record what was tested, who did it, and how long retrieval took. If retrieval takes longer than your incident response process can tolerate, fix the archival process, not the drill.
Example 2: In Splunk, data that rolls to frozen is deleted unless you configured an archive location (coldToFrozenDir or coldToFrozenScript in indexes.conf). To make an archived bucket searchable again, copy it into the index's thaweddb directory and run splunk rebuild on it; Splunk re-creates the index files from the raw data. Keep written, tested instructions for this so that any trained analyst can thaw a bucket during an investigation, not only the Splunk administrator. Also keep a copy of the raw events in a format your SIEM (or a replacement SIEM) can re-ingest, such as plain-text or compressed raw log files, rather than relying only on the product's own bucket format.