NARA shows gaps in cybersecurity, GAO says

Significant weaknesses found in information security controls

The National Archives and Record Administration should improve its cybersecurity programs and use better management to safeguard official records, according to two new reports from the Government Accountability Office.

NARA is in charge of preserving official documents and electronic records from federal agencies. Its workload is growing, as holdings requiring preservation grew from about 2.4 million cubic feet in 2008 to about 2.6 million cubic feet in 2009, not including digital documents, GAO said.

However, the agency has gaps in achieving its goals, due to shortcomings in cybersecurity and management, the GAO said in two reports, both released Oct. 27.

Related stories:

NARA to lift veil on redesign

Agencies get advice on record retention in the cloud

National Archivist David Ferriero said in a statement that he welcomed the audits.

“I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year,” Ferriero said. “I also agree with GAO that more work needs to be done, both internally at the archives and across the records management community in the federal government.”

In the cybersecurity report, GAO said NARA hasn't deployed sufficient information security controls to ensure the integrity of the data it stores. Despite use of encryption, access controls and other protections, there were gaps related to policies and procedures, including inconsistent network monitoring, spotty user authentication, weak access controls and deficient physical security, among other problems, the report states. Overall, there were 142 weaknesses identified in the audit.

“Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss,” the GAO report warned.

GAO made 11 recommendations for improvement, including updating inventories, revising policies and procedures for access controls, testing controls at least once a year, and performing a risk assessment of physical security. Management officials agreed with the recommendations.

However, Ferriero disagreed with the GAO’s criticism on three points: on risk assessments allegedly failing to meet federal information processing criteria, on NARA policies allegedly not being consistent with Commerce Department standards, and on NARA’s application of a policy on ownership of information. GAO defended those findings and said they were valid.

In the  report on NARA’s management, the GAO urged the agency to take more strategic actions to fulfill its mission.

NARA has problems preserving permanent records largely because of their volume and the limited budgets available for the work, as well as from the technological challenges posed by electronic records, GAO said. Although NARA has been dealing with those risks, it needs to establish an enterprise risk management capability and implement a strategic human capital plan, GAO concluded.

GAO made six recommendations to NARA for improvements, including doing a gap analysis to ensure its staff has all necessary skills, improving the processes to validate agencies' self-assessments, and creating a plan for enhanced inspections.

Agency officials agreed with the recommendations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.