How long must event logs be retained under CIP requirements?

Prepare for the NERC CIP v7 Standards and Requirements Test. Utilize flashcards and multiple-choice questions, complete with hints and explanations for every question. Excel in your certification!

Under the NERC CIP standards, specifically CIP-007-6 and its successor versions, the requirement states that event logs must be retained for at least the last 90 days. This retention period ensures that entities have sufficient historical logs available for monitoring, auditing, and investigation purposes.

Maintaining logs for this duration supports the identification of potential security incidents and assists in compliance audits, ensuring that organizations can analyze trends over a substantial timeframe. This retention requirement is a critical aspect of promoting cybersecurity and operational reliability within the electrical reliability organization's infrastructure.

The other options do not meet the established standards. Retaining logs for only 30 days is insufficient for thorough analysis, and a retention period determined solely by management could result in inadequate log history, since such periods vary widely by organization. Lastly, retaining logs only until new ones are generated does not create a reliable historical archive and would often lead to the loss of valuable data when the logs roll over.
