National Archives rapped for weak document security

The risk of loss or damage to archived federal documents remains unacceptably high despite the National Archives and Records Administration's progress in digitizing, securing and easing access to information across government, according to a pair of Government Accountability Office reports released on Wednesday.

Sen. Charles Grassley, R-Iowa, requested the studies in part because of the loss in 2009 of a computer hard drive containing Social Security numbers of Clinton White House staff. GAO praised the Archives' own investigations using self-assessment surveys to measure progress on its digital transformation effort. But even those revealed "almost 80 percent of agencies were at moderate to high risk of unlawful destruction of records," GAO said. (The day before the reports were released, Archives officials and U.S. Marshals raided the home of a retired NARA official in search of undisclosed materials.)

In a report on Archives management and oversight, GAO auditors faulted the pace of NARA in whittling down a backlog of paper that grew some 200,000 cubic feet from 2008 to 2009 alone. Digital preservation of those documents has stalled at 65 percent of total holdings. Also criticized was an absence of risk management plans and sufficient implementation of a strategic human capital initiative to collaborate with agencies on training staff in specialized electronic preservation.

For a separate report on the Archive's information security controls, auditors tested networks and interviewed staff and determined that "NARA has not effectively implemented information security controls to sufficiently protect the confidentiality, integrity and availability of the information and systems that support its mission." Collectively, the report continued, "these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss."

Noting delays in correcting security deficiencies, GAO said, "NARA has not updated its badge and access system security plan since 2003, despite replacing the system in 2007. NARA had scheduled to correct this weakness by the end of 2009, but as of September 2010, it had not been corrected."

In a set of recommendations, GAO advised the Archives to improve training, beef up physical inspections of document centers, update systems to reflect accurate Federal Information Processing Standard categories, set security processes that identify which office or individual is the "owner" of a set of documents, and align information controls with National Institute of Standards and Technology guidance.

In a response published with the reports, NARA said it accepted the general criticisms but disagreed with several technical points. Officials rejected the notion that risk assessments were incorrectly applied, its procedures are out of compliance with NIST guidance, and the "owner role" of each system of documents always must be identified in security plans.

"The National Archives safeguards billions of records," Archivist of the United States David Ferriero said in a statement on Wednesday. "It is an enormous and complex undertaking made even more challenging by the proliferation of electronic records created and stored on multiple platforms and in an ever evolving variety of formats. … I welcome these audits by GAO, and I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year. I also agree with GAO that more work needs to be done, both internally at the Archives and across the records management community in the federal government."

Patrice McDermott, director of the transparency advocacy group OpenTheGovernment.org, said both the bulging backlog and the risk of mishandling documents "are issues that NARA is aware of and is dealing with." NARA is in the process of hiring a new chief information officer, she added, and "solving these concerns awaits a new CIO."

Grassley's office said on Thursday in a written statement, "according to GAO, the agency's failure to fully implement its information security programs is impairing its ability to fulfill its mission. The agency needs to commit to fixing its problems and follow through."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

    Download
  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

    Download
  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

    Download
  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

    Download
  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

    Download

When you download a report, your information may be shared with the underwriters of that document.