National Archives and Records Administration
General Records Schedules

1. Oversight and Compliance Files

Records in offices with agency-wide or bureau-wide responsibility for managing IT operations relating to compliance with IT policies, directives, and plans including recurring and special reports, responses to findings and recommendations, and reports of follow-up activities.

a. Performance measurements and benchmarks.

Destroy/delete when 5 years old or 1 year after responsible office determines that there are no unresolved issues, whichever is longer.

b. All other oversight and compliance records, including certification and accreditation of equipment, quality assurance reviews and reports, reports on implementation of plans, compliance reviews, and data measuring or estimating impact and compliance.

Destroy/delete when 3 years old or 1 year after responsible office determines that there are no unresolved issues, whichever is longer.

2.   IT Facility, Site Management, and Equipment Support Services

Records.

Records maintained by offices responsible for the control and operation of buildings and rooms where IT equipment, systems, and storage media are located, including files identifying IT facilities and sites, and files concerning implementation of IT facility and site management and equipment support services provided to specific sites, including reviews, site visit reports, trouble reports, equipment service histories, reports of follow-up actions, and related correspondence.

Destroy/delete when 3 years old, or when superseded or obsolete, whichever is longer.

3.   IT Asset and Configuration Management Files.

a.   Inventories of IT assets, network circuits, and building or circuitry diagrams, including equipment control systems such as databases of barcodes affixed to IT physical assets.

Destroy/delete 1 year after completion of the next inventory.

b.   Records created and retained for asset management, performance and capacity management, system management, configuration and change management, and planning, follow-up, and impact assessment of operational networks and systems. Includes, but is not limited to:

(1)   Data and detailed reports on implementation of systems, applications and modifications; application sizing, resource and demand management; documents identifying, requesting, and analyzing possible changes, authorizing changes, and documenting implementation of changes; documentation of software distribution and release or version management.

Destroy/delete 1 year after termination of system.

(2)   Records of routine IT maintenance on the network infrastructure documenting preventative, corrective, adaptive and perfective enhancement) maintenance actions, including requests for service, work orders, service histories, and related records.

Destroy/delete when 3 years old or 1 year after termination of system, whichever is sooner.

NOTE:   If any maintenance activities have a major impact on a system or lead to a significant change, those records should be maintained as part of the item 3b(1).

Maintenance IT assets: Inventories of assets, Equipment control systems; Databases of barcodes; Bar code reports; Maintenance service histories; Asset management guides, Service; Requisitions for equipment maintenance; Change orders; Purchase orders for maintenance; Property transfer control systems; Flow reconfiguration requests; Standardization requests and justifications.

4.   System Backups and Tape Library Records.

a.   Backup tapes maintained for potential system restoration in the event of a system failure or other unintentional loss of data.

(1)   Delete/destroy incremental backup tapes when superseded by a full backup, or when no longer needed for system restoration, whichever is later.

(2)   Delete/destroy full backup tapes when second subsequent backup is verified as successful or when no longer needed for system restoration, whichever is later.

[Note:  See GRS 20, item 8, for backups of master files and databases.]

b.   Tape library records including automated files and manual records used to control the location, maintenance, and disposition of magnetic media in a tape library including list of holdings and control logs.

Destroy/delete when superseded or obsolete.

Location vault lists;
Offsite storage facilities;
Bin location

5.   Files Related to Maintaining the Security of Systems and Data.

a.   System Security Plans and Disaster Recovery Plans.

Destroy/delete 1 year after system is superseded.

b.   Documents identifying IT risks and analyzing their impact, risk measurements and assessments, actions to mitigate risks, implementation of risk action plan, service test plans, test files and data.

Destroy/delete 1 year after system is superseded.

a.   Systems requiring special accountability, e.g., those containing information that may be needed for audit or investigative purposes and those that contain classified records.

Destroy/delete inactive file 6 years after user account is terminated or password is altered, or when no longer needed for investigative or security purposes, whichever is later.

b.   Routine systems, i.e., those not covered by item 6a.

7.   Computer Security Incident Handling, Reporting and Follow-up Records

Destroy/delete 3 years after all necessary follow-up actions have been completed.

8.   IT Operations Records

a.   Workload schedules, run reports, and schedules of maintenance and support activities.

Destroy/delete when 1 year old.

b.   Problem reports and related decision documents relating to the software infrastructure of the network or system.

Destroy/delete 1 year after problem is resolved.

c.   Reports on operations, including measures of benchmarks, performance indicators, and critical success factors, error and exception reporting, self-assessments, performance monitoring; and management reports.

Cycle time reports; Maintenance schedules; Run reports; Workload schedules

Software problem reports

9. Financing of IT Resources and Services

[Note: Copies of records needed to support contracts should be in procurement files, which are scheduled under GRS 3.]

a.   Agreements formalizing performance criteria for quantity and quality of service, including definition of responsibilities, response times and volumes, charging, integrity guarantees, and non-disclosure agreements.

Destroy/delete 3 years after agreement is superseded or terminated.

b.   Files related to managing third-party services, including records that document control measures for reviewing and monitoring contracts and procedures for determining their effectiveness and compliance.

Destroy/delete 3 years after control measures or procedures are superseded or terminated.

c.   Records generated in IT management and service operations to identify and allocate charges and track payments for computer usage,

data processing and other IT services EXCLUDING records that are part of the agency's cost accounting system, which are covered in GRS 8, items 6 and 7.

Destroy/delete records with no outstanding payment issues when 3 years old.

10. IT Customer Service Files

a.   Records related to providing help desk information to customers, including pamphlets, responses to "Frequently Asked Questions," and other documents prepared in advance to assist customers.

Destroy/delete 1 year after record is superseded or obsolete.

b.   Help desk logs and reports and other files related to customer query and problem response; query monitoring and clearance; and customer feedback records; and related trend analysis and reporting.

Destroy/delete when 1 year old or when no longer needed for review and analysis, whichever is later.

11. IT Infrastructure Design and Implementation Files

Records of individual projects designed to provide and support new agency IT infrastructure (see Note), systems, and services. Includes records documenting (1) requirements for and implementation of functions such as maintaining network servers, desktop computers, and other hardware, installing and upgrading network operating systems and shared applications, and providing data telecommunications; (2) infrastructure development and maintenance such as acceptance/ accreditation of infrastructure components, analysis of component options, feasibility, costs and benefits, and work associated with implementation, modification, and troubleshooting; (3) models, diagrams, schematics, and technical documentation; and (4) quality assurance reviews and test plans, data, and results.

a.   Records for projects that are not implemented.

Destroy/delete 1 year after final decision is made.

b.   Records for projects that are implemented.

Destroy/delete 5 years after project is terminated.

c.   Installation and testing records.

Destroy/delete 3 years after final decision on acceptance is made.

[Note: IT Infrastructure means the basic systems and services used to supply the agency and its staff with access to computers and data telecommunications. Components include hardware such as printers, desktop computers, network and web servers, routers, hubs, and network cabling, as well as software such as operating systems (e.g., Microsoft Windows and Novell NetWare) and shared applications (e.g., electronic mail, word processing, and database programs). The services necessary to design, implement, test, validate, and maintain such components are also considered part of an agency's IT infrastructure. However, records relating to specific systems that support or document mission goals are not covered by this item and must be scheduled individually by the agency by submission of an SF 115 to NARA.]

13. PKI Records

a. PKI Administrative Records.

Records are PKI-unique administrative records that establish or support authentication by tying the user to a valid electronic credential and other administrative non-PKI records that are retained to attest to the reliability of the PKI transaction process. Included are policies and procedures planning records; stand-up configuration and validation records; operation records; audit and monitor records; and termination, consolidation, or reorganizing records. Policies and procedures planning records relate to defining and establishing PKI systems. Records relate to such activities as determining that a PKI should be established; creating project implementation plans; creating the certificate policy (CP), certification practice statement (CPS), and other key operating documents; developing procedures in accordance with the CP and CPS; conducting risk analyses; developing records management policies (including migration strategies); and selecting the entity that will serve as registration authority (RA). Stand-up configuration and validation records relate to installing and validating both the Certification Authority (CA) and Registration Authority (RA), obtaining final approval or rejection from the agency's oversight or authorizing body, creating and generating a CA signature key, testing security procedures for the CA and RA, validating certification revocation procedures, and establishing back-up and storage for the PKI system. Operation records relate to the certification application; certificate issuance and key generation (including key pair generation and private key loading and storage of private keys and components of private keys); certificate acceptance, validation, revocation, suspension, replacement, and renewal; creating and maintaining an event log; and installing and validating software updates. Audit and monitor records relate to conducting periodic internal and external reviews of auditable events specified in the Federal Bridge Certification Authority (FBCA) X.509 Certificate Policy and other Entity CA policies, monitoring compliance with security requirements specified in the CPS and other operating procedures, investigating internal fraud or misconduct, and conducting internal and external audits of software and systems security. Termination, consolidation, or reorganization records relate to terminating, consolidating, or reorganizing a PKI; notifying subscribers of decisions, transferring inactive keys and revocation certificate lists to storage repositories, transferring consenting subscribers' and certificates and related materials to a new Certificate Authority, destroying sensitive records involving privacy (in accordance with an authorized records schedule), and shutting down and disposing of RA hardware and CA software.

(1) FBCA CAs

Destroy/delete when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the CA, or when no longer needed for business, whichever is later.

(2) Other (non-FBCA et. al.) CAs

Destroy/delete when 7 years 6 months to 20 years 6 months old, based on the maximum level of operation of the CA, or when no longer needed for business, whichever is later.

[NOTE: Select PKI administrative records serve as transaction records that must be retained as part of the trust documentation set with transaction-specific records. Agencies must determine which PKI administrative records are embedded with transaction-specific records as transaction records. These administrative records may vary from transaction-to-transaction.]

b. PKI Transaction-specific Records.

Records relate to transaction-specific records that are generated for each transaction using PKI digital signature technology. Records are embedded or referenced within the transaction stream and may be appended to the transaction content or information record. Along with PKI administrative and other administrative records, transaction-specific records are part of the PKI trust documentation set that establish or support the trustworthiness of a transaction. They may vary from transaction-to-transaction and agency-to-agency. When retained to support the authentication of an electronic transaction content record (information record), PKI digital signature transaction records are program records.

Destroy/delete when 7 years 6 months to 20 years 6 months old, based on the maximum level of operation of the appropriate CA and after the information record the PKI is designed to protect and/or access is destroyed according to an authorized schedule, or in the case of permanent records, when the record is transferred to NARA legal custody. Longer retention is authorized if the agency determines that transaction-specific PKI records are needed for a longer period.

[NOTE: Extreme care must be taken when applying the GRS-PKI to transaction records. Destruction of the transaction-specific and administrative records embedded in the transaction stream prior to the authorized retention of the information record that they access/protect will render the PKI incapable of performing what it is designed to do-protect and provide access to the information record. Due to the relative newness of PKI technology, both from an implementation and a litigation perspective, it is recommended that agencies identify all PKI transaction records (including PKI select administrative records embedded in the transaction stream and transaction-specific records) to be retained as part of the trust documentation for the records the PKI is designed to protect and or access and link the retention of the transaction records with that of the information record it protects/accesses. Transaction records must be retained as trust documentation set records together with the content/information record.]

Policies and Procedures Planning Records:

CPs and CPSs: CP identification files and background information: the Subscriber/Signer Agreement, Relying Party Agreement, System Security Plan (SSP), Privacy Practices and Procedures (PPP) Plan, Memorandum of Agreement (MOA), and other PKI SOPs, reports, agreements, and evaluations relating to physical, procedural, personnel, and technical security controls, system design, cross-certification, interoperability testing, and/or contractual obligations: certificates or Certification Revocation Lists (CRLs) relating to managing electronic records, such as audit trails and files.

Stand-up Configuration and Validation Records:

Analyses/approval of CAs and RAs and procedures for set up, configuration and start-up: analyses/approval of third-party CAs, RAs, and CPSs: approval of a certificate repository; establishment of a certificate archive: and records that relate to trusted role user identity credentials, trusted CA certificates, digital credential requirements, and profile restrictions.

Operation Records:

Identity proofing records; subscriber agreements and enrollment forms: records of issuance, renewal, suspension, or rejection of digital certificates, including those that generate, deliver, prove possession of, and validate public keys; cross- certification agreements; Certificate Revocation Lists (CRLs); update/audit trail of CRL changes; policy mapping records; technical interoperability test records; border directory technical specification records; and training for trusted role personnel.

Audit and Monitor Records:

Audit event logs relating to certificate revocations and renewals, RA renewals, and/or invalid validation responses; compliance audit review and regulatory oversight records relating to services provided, authorized access and physical security, and hardware and software failure.

Termination, Consolidation, or reorganization Records:

Plans to reorganize or dismantle subscriber transfer documentation and notices, and approval of termination and destruction of cryptographic modules for CA private key.

Transaction-specific Records:

Digital signature, the public key certificate, certificate validation responses (for the relying party's public key certificate and possibly for the CAs that authenticated the certificate), the time stamp, and acknowledgment of receipt (where provided by the Relying Party); 'summary trust record' to provide proof that the PKI transaction process complied with agency policy and procedure; and all records that ensure the PKI trust documentation set and maintain the transaction data stream, including PKI administrative records such as the subscriber agreement, the Certificate Policy, the Certification Practices Statement Policy, the Certificate Revocation List, the audit event log for invalid certificates, identity proofing records, PKI configuration or setup of signer's application and verifier/relying party client/browser and/or server records, and PKI-related documentation related to the electronic transaction application.