NARA shows gaps in cybersecurity, GAO says

Significant weaknesses found in information security controls

The National Archives and Records Administration should improve its cybersecurity programs and use better management to safeguard official records, according to two new reports from the Government Accountability Office.

NARA is in charge of preserving official documents and electronic records from federal agencies. Its workload is growing, as holdings requiring preservation grew from about 2.4 million cubic feet in 2008 to about 2.6 million cubic feet in 2009, not including digital documents, GAO said.

However, the agency has gaps in achieving its goals, due to shortcomings in cybersecurity and management, the GAO said in two reports, both released Oct. 27.

National Archivist David Ferriero said in a statement that he welcomed the audits.

“I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year,” Ferriero said. “I also agree with GAO that more work needs to be done, both internally at the archives and across the records management community in the federal government.”

In the cybersecurity report, GAO said NARA hasn't deployed sufficient information security controls to ensure the integrity of the data it stores. Despite use of encryption, access controls and other protections, there were gaps related to policies and procedures, including inconsistent network monitoring, spotty user authentication, weak access controls and deficient physical security, among other problems, the report states. Overall, there were 142 weaknesses identified in the audit.

“Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss,” the GAO report warned.

GAO made 11 recommendations for improvement, including updating inventories, revising policies and procedures for access controls, testing controls at least once a year, and performing a risk assessment of physical security. Management officials agreed with the recommendations.

However, Ferriero disagreed with the GAO’s criticism on three points: on risk assessments allegedly failing to meet federal information processing criteria, on NARA policies allegedly not being consistent with Commerce Department standards, and on NARA’s application of a policy on ownership of information. GAO defended those findings and said they were valid.

In the report on NARA’s management, the GAO urged the agency to take more strategic actions to fulfill its mission.

NARA has problems preserving permanent records largely because of their volume and the limited budgets available for the work, as well as from the technological challenges posed by electronic records, GAO said. Although NARA has been dealing with those risks, it needs to establish an enterprise risk management capability and implement a strategic human capital plan, GAO concluded.

GAO made six recommendations to NARA for improvements, including doing a gap analysis to ensure its staff has all necessary skills, improving the processes to validate agencies' self-assessments, and creating a plan for enhanced inspections.

Agency officials agreed with the recommendations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

