NARA shows gaps in cybersecurity, GAO says

The National Archives and Record Administration should improve its cybersecurity programs and use better management to safeguard official records, according to two new reports from the Government Accountability Office.

NARA is in charge of preserving official documents and electronic records from federal agencies. Its workload is growing, as holdings requiring preservation grew from about 2.4 million cubic feet in 2008 to about 2.6 million cubic feet in 2009, not including digital documents, GAO said.

However, the agency has gaps in achieving its goals, due to shortcomings in cybersecurity and management, the GAO said in two reports, both released Oct. 27.

NARA to lift veil on archives.gov redesign

National Archivist David Ferriero said in a statement that he welcomed the audits.

“I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year,” Ferriero said. “I also agree with GAO that more work needs to be done, both internally at the archives and across the records management community in the federal government.”

In the cybersecurity report, GAO said NARA hasn't deployed sufficient information security controls to ensure the integrity of the data it stores. Despite use of encryption, access controls and other protections, there were gaps related to policies and procedures, including inconsistent network monitoring, spotty user authentication, weak access controls and deficient physical security, among other problems, the report states. Overall, there were 142 weaknesses identified in the audit.

“Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss,” the GAO report warned.

GAO made 11 recommendations for improvement, including updating inventories, revising policies and procedures for access controls, testing controls at least once a year, and performing a risk assessment of physical security. Management officials agreed with the recommendations.

However, Ferriero disagreed with the GAO’s criticism on three points: on risk assessments allegedly failing to meet federal information processing criteria, on NARA policies allegedly not being consistent with Commerce Department standards, and on NARA’s application of a policy on ownership of information. GAO defended those findings and said they were valid.

In the  report on NARA’s management, the GAO urged the agency to take more strategic actions to fulfill its mission.

NARA has problems preserving permanent records largely because of their volume and the limited budgets available for the work, as well as from the technological challenges posed by electronic records, GAO said. Although NARA has been dealing with those risks, it needs to establish an enterprise risk management capability and implement a strategic human capital plan, GAO concluded.

GAO made six recommendations to NARA for improvements, including doing a gap analysis to ensure its staff has all necessary skills, improving the processes to validate agencies' self-assessments, and creating a plan for enhanced inspections.

Agency officials agreed with the recommendations.