Audit-Log Retention Now Maps to Every Framework in NSAuditor AI EE 0.31.6 — and CIS Controls v8 Moves

The newest release of NSAuditor AI Enterprise Edition, 0.31.6, makes a quiet but consequential change to how cloud audit evidence is scoped: a single below-baseline audit-log retention finding now reaches every compliance framework that cares about it, not just two. The change moves the CIS Controls v8 coverage matrix for the first time since the 0.13.1 release.

Retention is a duration question — and it now reaches every framework

NSAuditor AI reads the retention setting on each Amazon RDS instance’s CloudWatch Logs log groups and flags retention set below the institutional baseline. Previously that finding routed only to SOC 2 (CC7.2) and HIPAA (§164.312(b)). The practical consequence: a team generating a PCI DSS, NIST CSF, ISO 27001 or CIS-only evidence pack could read clean over a database whose audit logs were being discarded early, even though PCI DSS Requirement 10.5.1 explicitly mandates retaining audit-log history for at least twelve months.

EE 0.31.6 maps the retention finding to each framework’s retention control: PCI DSS 10.5.1, NIST CSF PR.PS-04, ISO 27001 A.8.15, and CIS Controls v8 Safeguard 8.10 (Retain Audit Logs), alongside the existing SOC 2 and HIPAA controls. The separate question of whether the log groups exist at all stays mapped to its own floor controls — presence and duration are different compliance questions, and the release keeps them distinct.

The matrix move: CIS Safeguard 8.10

Because Safeguard 8.10 had been out of scope, routing retention to it moves it to partial: the count of partial Safeguards rises from 22 to 23 and the out-of-scope count falls from 114 to 113, so the CIS Controls v8 matrix shifts from 17/22/114 to 17/23/113. The Implementation Group 1 cyber-insurance baseline most underwriters key on is unchanged at 23 of 56, because 8.10 is an IG2 Safeguard; IG2-cumulative coverage rises to 38 of 130 and IG3-cumulative to 40 of 153. Every other framework matrix (SOC 2, HIPAA, NIST CSF, PCI DSS, ISO 27001, and GDPR Article 32) is unchanged, as is the 28-plugin count.

Truncation no longer reads as clean

The same release hardens the four paginated RDS enumerators — snapshots, live databases, clusters, and audit-log groups — against silent truncation. When an account holds more resources than a single enumeration pass returns, the un-enumerated tail now fails closed into an explicit, framework-routed evidence gap instead of contributing to a clean verdict. An unencrypted or publicly-shared backup sitting beyond the page cap is reported as a coverage gap, never an affirmative pass.
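The fail-closed behaviour described above, as an added example that is not NSAuditor AI's own code. A constructed stand-in client mimics the Marker/MaxRecords paging contract of rds:DescribeDBSnapshots over a seven-snapshot inventory whose only unencrypted snapshot sits on the third page; the page cap, the `Verdict` shape and the finding labels are this example's assumptions. With `fail_closed=False` the enumerator reproduces the old behaviour (tail dropped, verdict reads clean); with the default it records the un-enumerated tail as a coverage gap, so the verdict can never be clean while coverage is incomplete. Public-sharing checks, which on the real API come from a separate snapshot-attributes call, are left out.

```python
"""Truncation-aware RDS snapshot enumeration (added example, not project code)."""
from dataclasses import dataclass, field

# Constructed inventory: db-1..db-6 are encrypted; db-final-7 is not and lands
# on the third page of a three-per-page walk, beyond a two-page cap.
SNAPSHOTS = [
    {"DBSnapshotIdentifier": f"db-{i}", "Encrypted": True} for i in range(1, 7)
] + [{"DBSnapshotIdentifier": "db-final-7", "Encrypted": False}]


class FakeRDSClient:
    """Constructed stand-in for boto3's rds client: Marker + MaxRecords paging."""

    def describe_db_snapshots(self, MaxRecords=20, Marker=None):
        start = int(Marker) if Marker else 0
        end = start + MaxRecords
        page = {"DBSnapshots": SNAPSHOTS[start:end]}
        if end < len(SNAPSHOTS):
            page["Marker"] = str(end)  # AWS returns Marker only when more remain
        return page


@dataclass
class Verdict:
    findings: list = field(default_factory=list)  # (label, resource) per issue seen
    gaps: list = field(default_factory=list)      # explicit coverage gaps
    complete: bool = True                         # False once a tail was not walked

    @property
    def clean(self) -> bool:
        # A clean verdict needs both no findings AND complete enumeration.
        return self.complete and not self.findings


def enumerate_snapshots(client, page_size=3, page_cap=2, fail_closed=True) -> Verdict:
    """Walk snapshots up to page_cap pages; surface any remaining tail as a gap."""
    verdict = Verdict()
    marker = None
    pages = 0
    while True:
        kwargs = {"MaxRecords": page_size}
        if marker is not None:           # real boto3 rejects Marker=None
            kwargs["Marker"] = marker
        resp = client.describe_db_snapshots(**kwargs)
        pages += 1
        for snap in resp["DBSnapshots"]:
            if not snap["Encrypted"]:
                verdict.findings.append(("unencrypted-snapshot", snap["DBSnapshotIdentifier"]))
        marker = resp.get("Marker")
        if marker is None:
            return verdict               # walked to the end: coverage complete
        if pages >= page_cap:
            break                        # cap hit with a tail still unread
    if fail_closed:
        verdict.complete = False
        verdict.gaps.append((
            "enumeration-truncated",
            f"rds:DescribeDBSnapshots stopped after {page_cap} pages; marker={marker}",
        ))
    # fail_closed=False: the pre-fix behaviour, the tail is silently dropped.
    return verdict


if __name__ == "__main__":
    print("legacy clean? ", enumerate_snapshots(FakeRDSClient(), fail_closed=False).clean)
    capped = enumerate_snapshots(FakeRDSClient())
    print("fail-closed clean?", capped.clean, "gaps:", capped.gaps)
    print("full walk:", enumerate_snapshots(FakeRDSClient(), page_cap=10).findings)
```

Against a real boto3 client the equivalent check is that a paginator bounded with `PaginationConfig={"MaxItems": N}` returns a `NextToken` in `build_full_result()` when it stopped early; that token's presence, not an empty findings list, is what decides whether a pass is affirmable.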

An honest partial

The retention classifier flags retention set below the 30-day baseline and does not yet evaluate framework-specific durations such as PCI DSS’s twelve-month bar, because audit logs are frequently archived to S3/Glacier in ways CloudWatch’s retention setting cannot see. The release ships PCI DSS 10.5.1 as an honest partial control and records the archival-aware, cardholder-data-scoped depth as a deferred follow-up.
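The classifier described in this section and the routing described under "Retention is a duration question", as an added example that is not NSAuditor AI's own code. It reads constructed CloudWatch Logs `describe_log_groups` entries for three RDS instances (the `/aws/rds/instance/<id>/audit` log-group naming is the real RDS convention; the instance names, the `Finding` shape and the `presence` routing key are this example's assumptions; the control identifiers are the ones the release note lists). It keeps presence and duration as separate outcomes, applies only the 30-day baseline the release ships, and handles the edge a naive check gets wrong: CloudWatch Logs omits `retentionInDays` entirely when a group is set to never expire, so a missing key must read as the strongest setting, not as zero.

```python
"""RDS audit-log retention classification with per-framework routing
(added example, not project code)."""
from dataclasses import dataclass
from typing import Optional

BASELINE_DAYS = 30  # the institutional baseline the release note ships

# Controls the release note says a below-baseline finding now routes to.
RETENTION_CONTROLS = {
    "SOC 2": "CC7.2",
    "HIPAA": "164.312(b)",
    "PCI DSS": "10.5.1",
    "NIST CSF": "PR.PS-04",
    "ISO 27001": "A.8.15",
    "CIS Controls v8": "8.10",
}
# Pre-0.31.6 routing, kept to show what the change widened.
LEGACY_RETENTION_CONTROLS = {k: RETENTION_CONTROLS[k] for k in ("SOC 2", "HIPAA")}


@dataclass(frozen=True)
class Finding:
    instance: str
    status: str              # 'absent' | 'below-baseline' | 'meets-baseline'
    retention_days: Optional[int]
    routing: str             # 'presence' or 'retention'
    controls: tuple          # (framework, control) pairs the finding reaches


def audit_group_name(instance_id: str) -> str:
    """RDS exports an instance's audit log to this CloudWatch Logs group."""
    return f"/aws/rds/instance/{instance_id}/audit"


def classify(instance_id: str, log_groups: dict, baseline_days: int = BASELINE_DAYS,
             legacy: bool = False) -> Finding:
    """Classify one instance's audit-log group by presence, then by duration."""
    group = log_groups.get(audit_group_name(instance_id))
    if group is None:
        # Presence is its own compliance question; it is routed to the
        # presence ("floor") controls, which this example does not enumerate.
        return Finding(instance_id, "absent", None, "presence", ())
    days = group.get("retentionInDays")
    # Missing key == never expire: it satisfies any finite baseline.
    if days is None or days >= baseline_days:
        return Finding(instance_id, "meets-baseline", days, "retention", ())
    controls = LEGACY_RETENTION_CONTROLS if legacy else RETENTION_CONTROLS
    return Finding(instance_id, "below-baseline", days, "retention",
                   tuple(sorted(controls.items())))


def index_log_groups(describe_response: dict) -> dict:
    """Key a describe_log_groups-shaped response by logGroupName."""
    return {g["logGroupName"]: g for g in describe_response["logGroups"]}


# Constructed describe_log_groups response: orders-db retains 7 days,
# billing-db never expires (no retentionInDays key), ledger-db has no
# audit group at all (export likely not enabled, or the group was deleted).
SAMPLE_RESPONSE = {"logGroups": [
    {"logGroupName": "/aws/rds/instance/orders-db/audit", "retentionInDays": 7},
    {"logGroupName": "/aws/rds/instance/billing-db/audit"},
    {"logGroupName": "/aws/rds/instance/ledger-db/error", "retentionInDays": 7},
]}
SAMPLE_INSTANCES = ["orders-db", "billing-db", "ledger-db"]


def assess(instances, describe_response, **kwargs) -> list:
    groups = index_log_groups(describe_response)
    return [classify(i, groups, **kwargs) for i in instances]


if __name__ == "__main__":
    for f in assess(SAMPLE_INSTANCES, SAMPLE_RESPONSE):
        print(f.instance, f.status, f.retention_days, f.routing, [c for _, c in f.controls])
```

Note what the classifier deliberately does not claim: a `meets-baseline` result is a statement about the CloudWatch Logs setting only, and says nothing about whether archived copies in S3/Glacier would satisfy PCI DSS's twelve-month bar, which is exactly why the release ships 10.5.1 as partial.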

@nsasoft/nsauditor-ai-ee@0.31.6 pairs with Community Edition nsauditor-ai@0.2.20 and agent-skill 0.2.18, runs entirely on your own infrastructure under Zero Data Exfiltration, and upgrades in place. See the Enterprise overview and the CIS Controls v8 matrix for the full breakdown.