Frequently Asked Questions about GRS 3.2, Information Systems Security Records
Updated: April 2024
DEFINITIONS
Information system. The organized collection, processing, transmission, and dissemination of information by defined automated or manual procedures. (36 CFR 1220.18)
Information systems security records. Records about protecting the security of information technology systems and data. Includes responding to computer security incidents.
Information technology infrastructure (item 010). The basic systems and services that provide access to computers and data communications. It includes hardware and software, as well as the services to design, install, test, validate, and maintain these components.
Master files (item 050 and 051). The content of an electronic records series or system. It is the recordkeeping copy of an electronic record or system. Master files may consist of data, scanned text, PDFs, digital images, or some other form of electronic information. Related records within a single master file are not always the same format.
Public Key Infrastructure (PKI) related records (items 060, 061, 062). A type of digital identity authentication record. The term “digital identity authentication” covers a wide range of technologies. These technologies make sure that people or organizations are who and what they say they are. See also NARA Bulletin 2015-03, Guidance on Managing Digital Identity Authentication Records.
QUESTIONS
1. In item 031, how do you know if a system requires special accountability for access?
Systems requiring special accountability for access contain highly sensitive information and are potentially vulnerable to attack. Agencies determine which of their information systems need special accountability. NARA does not make this determination.
2. What is the relationship between OMB Memo M-21-31 and items 035 and 036?
OMB issued OMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, on August 21, 2021. The requirements outlined in the OMB Memo apply to most of the federal government. NARA issued a GRS for these records to support the retention requirements in the OMB Memo.
Table 5 in Appendix C of the memo specifies retention periods for categories of logging records. The OMB Memo itself does not, however, provide legal authority to dispose of the records. The authority to dispose of records can only come from a NARA-approved record schedule, such as the GRS.
GRS disposition authorities often support record retentions established by oversight agencies.
3. Why is the retention in OMB Memo M-21-31 and items 035 and 036 different?
The retention requirements in Table 5 of Appendix C in OMB Memo M-21-31 and this GRS are not that different. The most common record retention in both documents totals 30 months. The main difference is that the GRS does not separate active and cold storage retention periods. It combines the 12- and 18-month periods into a single 30-month retention.
Agencies must still follow the active and cold storage requirements outlined in the OMB Memo. There was only one log type in the memo with a shorter retention (Cloud CGP, 24 months total). Agencies that want to use the shorter retention for this specific log type need to schedule the records themselves.