What must be retained for 90 days as per physical access requirements?

The requirement to retain physical access logs for 90 days is rooted in the need for maintaining accountability and oversight within organizations, particularly those that are critical to the reliability of the electric grid and other essential services. These logs serve as an official record of who accessed a physical location, at what time, and potentially for how long they were present.

Keeping physical access logs for this duration allows organizations to conduct audits and investigations if needed, providing insight into security breaches, unauthorized access, or other incidents that could affect the security and operation of critical infrastructure. By tracking physical access, organizations can better ensure that only authorized personnel have access to sensitive areas, enhancing the overall security posture in compliance with NERC CIP standards.

While access to software systems, vendor contracts, and employee credentials are all important components of a robust security framework, they do not specifically align with the 90-day retention requirement for physical access as stipulated in the physical access control standards of NERC CIP.