NARA shows gaps in cybersecurity, GAO says

Significant weaknesses found in information security controls

The National Archives and Record Administration should improve its cybersecurity programs and use better management to safeguard official records, according to two new reports from the Government Accountability Office.

NARA is in charge of preserving official documents and electronic records from federal agencies. Its workload is growing, as holdings requiring preservation grew from about 2.4 million cubic feet in 2008 to about 2.6 million cubic feet in 2009, not including digital documents, GAO said.

However, the agency has gaps in achieving its goals, due to shortcomings in cybersecurity and management, the GAO said in two reports, both released Oct. 27.

Related stories:

NARA to lift veil on redesign

Agencies get advice on record retention in the cloud

National Archivist David Ferriero said in a statement that he welcomed the audits.

“I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year,” Ferriero said. “I also agree with GAO that more work needs to be done, both internally at the archives and across the records management community in the federal government.”

In the cybersecurity report, GAO said NARA hasn't deployed sufficient information security controls to ensure the integrity of the data it stores. Despite use of encryption, access controls and other protections, there were gaps related to policies and procedures, including inconsistent network monitoring, spotty user authentication, weak access controls and deficient physical security, among other problems, the report states. Overall, there were 142 weaknesses identified in the audit.

“Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss,” the GAO report warned.

GAO made 11 recommendations for improvement, including updating inventories, revising policies and procedures for access controls, testing controls at least once a year, and performing a risk assessment of physical security. Management officials agreed with the recommendations.

However, Ferriero disagreed with the GAO’s criticism on three points: on risk assessments allegedly failing to meet federal information processing criteria, on NARA policies allegedly not being consistent with Commerce Department standards, and on NARA’s application of a policy on ownership of information. GAO defended those findings and said they were valid.

In the  report on NARA’s management, the GAO urged the agency to take more strategic actions to fulfill its mission.

NARA has problems preserving permanent records largely because of their volume and the limited budgets available for the work, as well as from the technological challenges posed by electronic records, GAO said. Although NARA has been dealing with those risks, it needs to establish an enterprise risk management capability and implement a strategic human capital plan, GAO concluded.

GAO made six recommendations to NARA for improvements, including doing a gap analysis to ensure its staff has all necessary skills, improving the processes to validate agencies' self-assessments, and creating a plan for enhanced inspections.

Agency officials agreed with the recommendations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.