Experts Question Value of Federal Cybersecurity Data Capture Mandate
Next Gov – Aaron Boyd
New federal requirements to log every data packet that crosses agency networks—called packet capture or PCAP—have raised concerns among cybersecurity experts in and out of government, who say the new rule is unclear, resource intensive and of little value during a real-world breach investigation.
In August 2021, the Office of Management and Budget issued a memo on “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” which included new requirements for agencies to create and maintain certain data for use in post-breach forensics. That requirement was followed up by new guidance last month from the National Archives and Records Administration—its first update to cybersecurity records rules since 2014—that formally established the retention periods: 30 months for cybersecurity logs and 72 hours for PCAP data.
Asked for clarification, an OMB official, speaking on background, would only confirm the government’s official policy: “Storing PCAPs for 72 hours is required by M-21-31; CISA and OMB work with agencies to provide technical assistance on log retention and management.”