In a report released this week, the GAO said that the National Archives and Records Administration (NARA) “has not effectively implemented information security controls to sufficiently protect the confidentiality, integrity and availability of the information and systems that support its mission,” adding that “significant weaknesses pervade its systems”.
The government watchdog identified six lapses in information access control. The agency did not protect the boundaries of its networks with adequate firewalls, enforce strong policies for identifying and authenticating users, limit users’ access to systems required to perform official duties, ensure that sensitive information was encrypted, keep logs of network activity or monitor all parts of its network for security incidents, or implement physical controls on access to its networks and data.
These shortcomings are the result of NARA not fully implementing its information security program, according to the GAO.
“Specifically, the agency did not adequately assess risks facing its systems, consistently prepare and document security plans for its information systems, effectively ensure that all personnel were given relevant security training, effectively test systems’ security controls, consistently track security incidents, and develop contingency plans for all its systems. Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss.”
The GAO offered a number of recommendations to improve NARA's information security environment. The watchdog advised the agency to conduct physical security risk assessments of buildings and facilities, align information controls with National Institute of Standards and Technology (NIST) guidance, clarify roles and responsibilities for information security planning, improve information security training for personnel, test systems annually, and improve incident tracking. In a separate report with limited distribution, the GAO is proposing a whopping 213 recommendations for NARA to improve information access controls.
In its response, NARA said that it disagreed with three of the GAO’s findings: that NARA’s risk assessments were incorrectly applied, that its information security policies and procedures were inconsistent with NIST guidance, and that the information owner roles were not identified in each system security plan. However, in a statement, David Ferriero, the Archivist of the United States, said that he is “looking forward to working with” the NARA staff in implementing the GAO’s recommendations.