FAQs for GRS 3.2, Information Systems Security Records
(Updated June 2023)
1. What are the definitions of terms used in GRS 3.2?
Information system means the organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual. (36 CFR 1220.18)
Information systems security records are records created and maintained by Federal agencies related to protecting the security of information technology systems and data and responding to computer security incidents.
Information technology infrastructure (item 010) means the basic systems and services used to supply the agency and its staff with access to computers and data communications. Components include hardware such as printers, desktop and laptop computers, network and web servers, routers, hubs, and network cabling, as well as software such as operating systems and shared applications (e.g., word processing). The services necessary to design, implement, test, validate, and maintain such components are also considered part of an agency's IT infrastructure.
Master files (items 050 and 051) are the actual content of the electronic records series or system, or in other words the recordkeeping copy of an electronic record or system. Master files may consist of data, scanned text, PDFs, digital images, or some other form of electronic information. They may include the information content of an entire system or that of a group of related files. Related records within a single master file are not always the same format.
Public Key Infrastructure (PKI) related records (items 060, 061, and 062) are a type of digital identity authentication record. The term “digital identity authentication” covers a wide range of technologies. These technologies help agencies ensure that people or organizations are who and what they say they are. Agencies use identity authentication to validate electronic business transactions; limit access to only those who are authorized to receive and retrieve specific information; and certify that records are legitimate, have not been altered, and that the creation, access, and use of records are limited to authorized individuals. For more information, see NARA Bulletin 2015-03, Guidance on Managing Digital Identity Authentication Records.
QUESTION RELATED TO GRS 3.2, ITEM 031
2. What designates a system as requiring special accountability for access?
As stated in the schedule, systems requiring special accountability for access are those that are highly sensitive and potentially vulnerable. It is up to individual agencies to determine which of their information systems require special accountability. NARA does not make this determination.
QUESTION RELATED TO GRS 3.2, ITEMS 035-036
3. What is the relationship between OMB Memo M-21-31 and GRS 3.2, items 035 and 036?
OMB issued OMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, on August 21, 2021. The records requirements outlined in the OMB Memo apply to most of the federal government, so NARA issued disposition authority for these records through a GRS to support the retention requirements in the OMB Memo.
Although Table 5 in Appendix C of the memo specified retention periods for categories of logging records, the OMB Memo itself does not provide legal authority to dispose of the records. It is not unusual for GRS disposition authorities to support retention requirements established in guidance or regulations by other oversight agencies, but the legal authority to dispose of records can only come from a NARA-approved record schedule, such as the GRS.
4. Why is the retention in OMB Memo M-21-31 and GRS 3.2, items 035 and 036 different?
The retention requirements in Table 5 of Appendix C in OMB Memo M-21-31 and this GRS are not substantively different. The most common record retention in both documents totals 30 months. The main difference is that the GRS does not specify active and cold storage retention periods. Instead, it combines the 12- and 18-month periods into a single 30-month retention. Agencies still can and should follow the active and cold storage requirements outlined in the OMB Memo. The GRS also simplified the retention to the longest and most common retention (30 months), as there was only one log type in the memo with a shorter retention (Cloud CGP, 24 months total). Agencies wishing to use the shorter retention for this specific log type would have to schedule the records on an agency-specific schedule.