NARA shows gaps in cybersecurity, GAO says

Significant weaknesses found in information security controls

The National Archives and Records Administration should improve its cybersecurity programs and use better management to safeguard official records, according to two new reports from the Government Accountability Office.

NARA is in charge of preserving official documents and electronic records from federal agencies. Its workload is growing, as holdings requiring preservation grew from about 2.4 million cubic feet in 2008 to about 2.6 million cubic feet in 2009, not including digital documents, GAO said.

However, the agency has gaps in achieving its goals, due to shortcomings in cybersecurity and management, the GAO said in two reports, both released Oct. 27.



National Archivist David Ferriero said in a statement that he welcomed the audits.

“I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year,” Ferriero said. “I also agree with GAO that more work needs to be done, both internally at the archives and across the records management community in the federal government.”

In the cybersecurity report, GAO said NARA hasn't deployed sufficient information security controls to ensure the integrity of the data it stores. Despite use of encryption, access controls and other protections, there were gaps related to policies and procedures, including inconsistent network monitoring, spotty user authentication, weak access controls and deficient physical security, among other problems, the report states. Overall, there were 142 weaknesses identified in the audit.

“Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss,” the GAO report warned.

GAO made 11 recommendations for improvement, including updating inventories, revising policies and procedures for access controls, testing controls at least once a year, and performing a risk assessment of physical security. Management officials agreed with the recommendations.

However, Ferriero disagreed with the GAO’s criticism on three points: on risk assessments allegedly failing to meet federal information processing criteria, on NARA policies allegedly not being consistent with Commerce Department standards, and on NARA’s application of a policy on ownership of information. GAO defended those findings and said they were valid.

In the report on NARA’s management, the GAO urged the agency to take more strategic actions to fulfill its mission.

NARA has problems preserving permanent records largely because of their volume and the limited budgets available for the work, as well as from the technological challenges posed by electronic records, GAO said. Although NARA has been dealing with those risks, it needs to establish an enterprise risk management capability and implement a strategic human capital plan, GAO concluded.

GAO made six recommendations to NARA for improvements, including doing a gap analysis to ensure its staff has all necessary skills, improving the processes to validate agencies' self-assessments, and creating a plan for enhanced inspections.

Agency officials agreed with the recommendations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
