SI-12 Information Management and Retention

Baselines

Guidance

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

References 2

• USC 2901 United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012.
• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.

Control Enhancements 3

• SI-12(01) Limit Personally Identifiable Information Elements L M H P
• SI-12(02) Minimize Personally Identifiable Information in Testing, Training, and Research L M H P
• SI-12(03) Information Disposal L M H P

Related controls 31

• AC-16 Security and Privacy Attributes L M H P
• AU-05 Response to Audit Logging Process Failures L M H P
• AU-11 Audit Record Retention L M H P
• CA-02 Control Assessments L M H P
• CA-03 Information Exchange L M H P
• CA-05 Plan of Action and Milestones L M H P
• CA-06 Authorization L M H P
• CA-07 Continuous Monitoring L M H P
• CA-09 Internal System Connections L M H P
• CM-05 Access Restrictions for Change L M H P
• CM-09 Configuration Management Plan L M H P
• CP-02 Contingency Plan L M H P
• IR-08 Incident Response Plan L M H P
• MP-02 Media Access L M H P
• MP-03 Media Marking L M H P
• MP-04 Media Storage L M H P
• MP-06 Media Sanitization L M H P
• PL-02 System Security and Privacy Plans L M H P
• PL-04 Rules of Behavior L M H P
• PM-04 Plan of Action and Milestones Process L M H P
• PM-08 Critical Infrastructure Plan L M H P
• PM-09 Risk Management Strategy L M H P
• PS-02 Position Risk Designation L M H P
• PS-06 Access Agreements L M H P
• PT-02 Authority to Process Personally Identifiable Information L M H P
• PT-03 Personally Identifiable Information Processing Purposes L M H P
• RA-02 Security Categorization L M H P
• RA-03 Risk Assessment L M H P
• SA-05 System Documentation L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SR-02 Supply Chain Risk Management Plan L M H P