This is the accessible text file for GAO report number GAO-05-802 entitled 'Information Management: Acquisition of the Electronic Records Archives Is Progressing' which was released on July 15, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: July 2005: Information Management: Acquisition of the Electronic Records Archives Is Progressing: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-802]: GAO Highlights: Highlights of GAO-05-802, a report to congressional committees: Why GAO Did This Study: Since 2001, the National Archives and Records Administration (NARA) has been working to acquire the Electronic Records Archives (ERA) system. In August 2004, NARA awarded two contracts to design the ERA system. The agency plans to select one of the resulting designs for the development of the system in August 2005. Conference Report 108-792 directed GAO to report on ERA’s costs, schedule, and performance. Our objectives were to determine * the extent to which NARA has achieved the ERA program’s cost, schedule, and performance objectives and the extent to which the agency has identified risks to future objectives and * the status of NARA’s efforts to address prior GAO recommendations on the acquisition. GAO is not making any recommendations at this time because NARA has plans in place to address identified weaknesses. What GAO Found: The ERA program is meeting its cost, schedule, and performance objectives and has identified risks to the program’s objectives. For example, the program has * achieved all major milestones to date on or ahead of schedule, * accepted three major contractor deliverables that met the program’s performance standards, and * identified risks to the program including the lack of an integrated schedule that encompasses agency projects related to ERA. NARA continues to make progress in addressing recommendations from prior GAO reports: the agency has implemented one recommendation by hiring two key ERA personnel and has partially implemented the other recommendations (see table). For example, NARA has addressed one of the two security weaknesses by bringing classified systems under the central control and protection of the chief information officer, and it has completed corrective action on five of nine security weaknesses in systems operating on its network. However, the Office of the Inspector General has identified additional security weaknesses, including * the lack of a formal, documented, and tested agency disaster recovery plan and * inadequate physical and logical security in areas such as password and systems configuration management. Until NARA fully addresses all prior recommendations, risks remain to the successful implementation of the system. Summary Status of NARA’s Progress in Addressing GAO Recommendations: [See PDF for image] [End of table] www.gao.gov/cgi-bin/getrpt?GAO-05-802. To view the full product, including the scope and methodology, click on the link above. For more information, contact Linda D. Koontz at (202) 512-6240 or koontzl@gao.gov. [End of section] Contents: Letter: Appendixes: Appendix I: Briefing Slides: Appendix II: Comments from the National Archives: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: ASC: American Systems Corporation: ERA: Electronic Records Archives: ICE: Integrated Computer Engineering, Inc. IEEE: Institute of Electrical and Electronics Engineers, Inc. NARA: National Archives and Records Administration: Letter July 15, 2005: The Honorable Christopher S. Bond: Chairman: The Honorable Patty Murray: Ranking Minority Member: Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development, and Related Agencies: Committee on Appropriations: United States Senate: The Honorable Joe Knollenberg: Chairman: The Honorable John W. Olver: Ranking Minority Member: Subcommittee on the Departments of Transportation, Treasury, and Housing and Urban Development, the Judiciary, and District of Columbia, and Independent Agencies: Committee on Appropriations: House of Representatives: The National Archives and Records Administration (NARA) is responsible for the oversight of government records management and archiving, which increasingly involves dealing with documents that are created and stored electronically. Since 2001, the agency has been working to acquire the Electronic Records Archives (ERA) system. NARA selected the standards of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) to guide the overall acquisition of the system. In December 2003, the agency released a request for proposals for the design of ERA, and in August 2004, NARA awarded two firm fixed-price contracts[Footnote 1] for the design phase that totaled about $20 million--one to Harris Corporation and the other to Lockheed Martin Corporation. The agency plans to select a winning design from Harris and Lockheed Martin submissions by August 2005. We previously issued three reports assessing NARA's efforts to establish the capabilities to acquire major information systems and the ERA system acquisition.[Footnote 2] In these reports, we made nine recommendations. We previously reported that NARA had implemented four, and these five remained to be addressed: * fill vacant key positions, * develop an enterprise architecture,[Footnote 3] * improve information security, * design and implement a process to ensure that recommendations from verification and validation reviews[Footnote 4] are addressed and incorporated into acquisition policies and plans, and: * revise policies and plans to conform to IEEE standards. Conference Report 108-792 directed GAO to report on ERA's program costs, schedule, and performance by May 25, 2005. Our objectives were to determine (1) the extent to which NARA has achieved the ERA program's cost, schedule, and performance objectives and the extent to which the agency has identified risks to future objectives and (2) the status of NARA's efforts to address prior GAO recommendations on the acquisition. We performed our work from January 2005 to May 2005 at NARA's College Park, Maryland, location in accordance with generally accepted government auditing standards. Details of our methodology are in appendix I. In May 2005 we provided your staff with a briefing on the results of our study, which are included as appendix I. The purpose of this report is to officially transmit the published briefing slides to you. In summary, our briefing made the following points: * ERA is meeting its cost, schedule, and performance objectives and has identified risks to the program's objectives. * NARA's cost objectives associated with the Lockheed Martin and Harris design contracts are for $9.5 million and $10.6 million, respectively. The program is meeting these cost objectives; the contracts for this phase are firm fixed-price and cost variations are expected to be at the contractors' expense. * The program has also achieved all major milestones on or ahead of schedule and the three major deliverables that NARA has received from the contractors--the systems requirements specifications from Lockheed Martin and system architecture and design documents from both Lockheed Martin and Harris--were reviewed by NARA and, according to the agency, met the program's performance standards and were accepted. * ERA has identified four risks to the acquisition: (1) lack of an integrated schedule that encompasses agency projects related to ERA; (2) the level of preservation and access required for current and future electronic records has not yet been determined; (3) NARA may build to the wrong specifications in terms of size and scalability if the agency is unable to forecast the expected volume of records to be processed by the system with any reliability; and (4) NARA will lose more than $20 million in single year funds if it does not award the development contract by September 30, 2005. NARA continues to make progress in addressing our prior recommendations. * The agency has fully implemented our recommendation to hire two key personnel--the quality assurance specialist and security officer-- which should strengthen the program's capability to manage the acquisition. * The agency has partially implemented four other recommendations that are essential for the successful management of the acquisition. It has (1) improved the baseline architecture, but has not completed, the target architecture; (2) improved information security, but has not addressed, all weaknesses; (3) designed, but has not finalized, the document review process; and (4) significantly revised the program's policies and plans, but has not made them fully compliant with IEEE standards. Until NARA fully addresses all prior recommendations, risks remain to the successful implementation of the system. Because the agency recognizes these weaknesses and has plans in place to address them, we are not making further recommendations at this time. However, it will be important for NARA to continue its efforts to resolve these weaknesses in a timely manner. The Archivist stated that the written comments on our briefing submitted on May 20, 2005, represent NARA's response to the draft report. In those comments, he indicated appreciation for the insight provided into the progress remaining to be made toward addressing our recommendations. In addition, he stated that NARA will complete the recommendations identified in our report as "partially implemented." The Archivist's written comments on the briefing are reproduced in appendix II. We are sending copies of this report to the Chairmen and Ranking Minority Members of the Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development, and Related Agencies, Senate Appropriations Committee, and the Subcommittee on the Departments of Transportation, Treasury, and Housing and Urban Development, the Judiciary, and District of Columbia, and Independent Agencies, House Appropriations Committee. We are also sending copies to the Archivist of the United States. We will make copies available to others on request. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please call me at 202-512-6240; I can also be reached by e-mail at [Hyperlink, koontzl@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Signed by: Linda D. Koontz: Director, Information Management Issues: [End of section] Appendixes: Appendix I: Briefing Slides: The National Archives and Records Administration's Acquisition of the Electronic Records Archives Is Progressing: Briefing for Staff Members of the Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development, and Related Agencies: Committee on Appropriations: United States Senate: and the Subcommittee on the Departments of Transportation, Treasury, and Housing and Urban Development, the Judiciary, and District of Columbia, and Independent Agencies: Committee on Appropriations: House of Representatives: May 25, 2005: Introduction: Objectives, Scope, and Methodology: Results in Brief: Background: Review of Cost, Schedule, Performance, and Risks: Implementation Status of GAO Recommendations: * Staffing: * Enterprise Architecture: * Information Security: * Document Review Process: * Acquisition Policies and Plans: Summary: Agency Comments and Our Evaluation: Appendix: Introduction: The National Archives and Records Administration (NARA) is responsible for oversight of records management and archiving, which increasingly involves dealing with documents that are electronically created and stored. Accordingly, the Archivist established the Electronic Records Archives (ERA) program to acquire a major information system to address critical issues in receiving, preserving, and accessing electronic records. In 2001, the agency hired a contactor to develop policies and plans to support and guide the acquisition of the ERA system. NARA selected the standards of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) to guide the overall acquisition of the system. In December 2003, the agency released a request for proposals for the design of ERA, and in August 2004, NARA awarded two firm fixed-price contracts [NOTE 1] for the design phase totaling about $20 million; one to Harris Corporation and the other to Lockheed Martin Corporation. The agency plans to select a winning design from Harris and Lockheed Martin submissions by August 2005. We have issued three reports assessing NARA's efforts to establish the capabilities to acquire major information systems and the ERA system acquisition. [NOTE 2] In these reports, we made nine recommendations. We previously reported that NARA had implemented four, and these five remained to be addressed: * fill vacant key positions, * develop an enterprise architecture, [NOTE 3] * improve information security, * design and implement a process to ensure that recommendations from verification and validation reviews [NOTE 4] are addressed and incorporated into acquisition policies and plans, and: * revise policies and plans to conform to IEEE standards. Objectives, Scope, and Methodology: Conference Report 108-792 directed GAO to report on ERA's program costs, schedule, and performance by May 25, 2005. As agreed with staff of the Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development, and Related Agencies, Senate Committee on Appropriations, and the Subcommittee on the Departments of Transportation, Treasury, and Housing and Urban Development, the Judiciary, and District of Columbia, and Independent Agencies, House Appropriations Committee, our objectives were to determine: * the extent to which NARA has achieved the ERA program's cost, schedule, and performance objectives and the extent to which NARA has identified risks to future objectives and: * the status of NARA's efforts to address prior GAO recommendations on the ERA acquisition. Scope and methodology: To accomplish our objectives, we: * reviewed reports on the cost status of the two design contractors to determine to what extent ERA was achieving its cost goals, * reviewed and assessed the project schedule to determine to what extent the program was meeting its schedule goals, * reviewed the program's plans and other documentation such as quality assurance checklists to determine what process exists for assessing the performance and quality of the design contractors' deliverables, * reviewed assessments of the program's risk management processes and practices, plans of action and milestones, and interviewed ERA and NARA officials responsible for risk management to determine the status of risk management, * interviewed the senior managers responsible for hiring ERA staff and reviewed the staffing plan to determine if efforts to hire key government positions were complete, * obtained and evaluated the agency's enterprise architecture plans and products, an information security assessment and plan, and conducted interviews of senior NARA officials to determine the status of the agency's efforts to develop an enterprise architecture and strengthen the agency's information security program, * reviewed seven key policies and plans, the contractor's verification and validation reports associated with the documents, and interviewed ERA officials to determine what progress the program had made in addressing our recommendation that policies and plans conform to industry standards, * assessed the program's process for reviewing and finalizing policies and plans and interviewed ERA officials responsible for the review process to determine the extent to which the review process was developed and implemented, and: * performed our work from January 2005 to May 2005 at NARA's College Park, Maryland location in accordance with generally accepted government auditing standards. Results in Brief: Cost, Schedule, and Performance and Risks: The program is currently achieving its cost, schedule, and performance objectives, and it recently provided us with a list of risks to these objectives. * ERA is meeting its cost objectives; the contracts for this phase are firm fixed-price and cost variations are expected to be at the contractors' expense. * The design contractors have completed the initial major milestones for the design phase on or ahead of schedule and, to date NARA has reviewed three major deliverables: the system requirements specifications from Lockheed Martin and system architecture and design documents from both Lockheed Martin and Harris. * According to NARA, these met the program's performance standards and were accepted. * ERA has identified risks to the program's cost and schedule objectives. For example, NARA identified the lack of an integrated schedule that encompasses agency projects related to ERA to be a risk to the program. Results in Brief: Status of Recommendations: NARA has made progress towards implementing our prior recommendations (table 1). Table 1: Summary Status of NARA's Progress in Implementing GAO Recommendations: [See PDF for image] [End of table] The Archivist of the United States provided written comments on a draft of these briefing slides and planned to implement our prior recommendations. We have reproduced the written comments in the appendix. Background: Acquisition Strategy: NARA envisions ERA to be a major information system with the ability to authentically preserve and provide access to massive volumes of all types and formats of electronic records that are free from dependency on any specific type of hardware or software. The agency is seeking a system that balances the use of commercial off-the-shelf with new software development. However, as agency officials have indicated, there is no single commercial solution available today that meets the full end-to-end requirements for ERA. As a result, NARA decided to develop an advanced architecture for the conversion and preservation of electronic records. To guide the acquisition of the system, NARA has adopted IEEE standards for the software life cycle processes. [NOTE 5] The standards establish a common framework for the acquisition of software products and services and define processes and activities that are to be tailored and applied during the acquisition, supply, development, and operation and maintenance of a system. Through fiscal year 2004, the ERA program had completed three major acquisition milestones: * defining the concept on January 3, 2003, * releasing a request for proposal and completing high-level system requirements on December 5, 2003, and: * awarding design contracts on August 4, 2004. The program entered the systems analysis and design phase at the end of fiscal year 2004. This phase is expected to conclude in fiscal year 2005 with the selection of one of the two design contractors to develop the system. The developer is to begin building the system in the first of five increments at the end of fiscal year 2005. The first increment is planned for completion in 2007 (figure 1) and the expected completion date of the system is 2011. Figure 1: ERA Acquisition Schedule: [See PDF for image] Source: GAO analysis of agency data. [End of figure] Background: Program Management: The ERA Program Management Office is responsible for the development of policies and plans for the ERA acquisition. * In 2001, NARA hired a contractor, Integrated Computer Engineering (ICE), Inc., [NOTE 6] to assist in developing the capability to design, acquire, and manage the ERA system. * ICE is responsible for developing policies and plans and for validating and verifying that they conform to IEEE standards for content and structure. ICE has also performed independent verification and validation of products delivered by the design contractors for conformance to applicable industry standards. * In fiscal year 2005, the agency also intends to hire an independent verification and validation contractor to assess ERA policies and plans and work performed by the development contractor. Review of Cost, Schedule, and Performance and Risks: Costs: NARA's cost objectives associated with the Lockheed Martin and Harris design contracts are for $9.5 million and $10.6 million, respectively. ERA is meeting these cost objectives; the contracts for this phase are firm fixed-priced and cost variations are expected to be at the contractors' expense. Review of Cost, Schedule, and Performance and Risks: ERA Program Schedule and Performance Objectives: ERA has defined six major milestones that are planned for completion in fiscal year 2005 (table 1). Table 1: ERA System Acquisition Schedule: Design Phase: [See PDF for image] [Footnote 7 contained within table information] Source: NARA. [End of figure] ERA has completed all major milestones on or ahead of schedule. To date, NARA has received three major deliverables: the system requirements specifications from Lockheed Martin, and system architecture and design documents from both Lockheed Martin and Harris. NARA assessed these deliverables using IEEE and other industry standards, quality assurance checklists, and reviews by subject matter experts. NARA has completed its review of these deliverables. According to the agency, these deliverables met the program's performance standards and were accepted. Review of Cost, Schedule, and Performance and Risks: Risks: Risk management is a process to identify potential problems and adjust the acquisition to mitigate problems and decrease the chance of their occurring. It is a critical tool for continuously determining the feasibility of project plans, for improving the search for and identification of potential problems that can affect project activities and the quality and performance of products, and for improving the active management of software projects. [NOTE 8] ERA has identified these risks to the acquisition: * Schedule-NARA lacks an integrated schedule that encompasses agency projects related to ERA. * Preservation-NARA has not yet determined the level of preservation and access [NOTE 9] required for its current and future electronic records. * Volume-If NARA is unable to forecast the expected volume of records to be processed by the system, with any reliability, it may build to the wrong specifications in terms of size and scalability. * Funds-If NARA does not award the development contract by September 30, 2005, it will lose more than $20 million in single year funds. According to NARA, this could have cascading effects that could result in program termination. By identifying project risks, NARA should be able to better achieve its cost, schedule, and performance goals. Implementation Status of GAO Recommendations: ERA Staffing: We reported in our September 2004 report that, while NARA had made progress in staffing ERA, two of the key government positions remained vacant-quality assurance specialist and the security officer. We noted that, until the agency filled these key positions, the program might not have the resources necessary to manage the acquisition. NARA has filled the two vacant key government positions. The quality assurance specialist was hired in July 2004 and the security officer in May 2005. These positions are important to the quality and completeness of program processes and practices. By hiring key staff, the program has improved its capability for managing the acquisition. Implementation Status of GAO Recommendations: Enterprise Architecture: We previously reported that, while NARA has taken action to develop an enterprise architecture, its efforts were incomplete. We recommended that the agency strengthen its IT management capabilities by developing an enterprise architecture. Although not fully complete, NARA has made progress in addressing our recommendation. An enterprise architecture provides a description-in useful models, diagrams, and narrative-of the mode of operation for an agency. It describes the agency in logical terms, such as interrelated business locations and users, and in IT operational terms, such as hardware, software, data, communications, and information security attributes and standards. It provides these perspectives both for the baseline and target environments and a plan for transitioning from the baseline to the target. NARA has added sections on information security and IT operations to its baseline enterprise architecture. However, the target architecture is only a framework, and therefore, is incomplete. The agency plans to complete high priority items, such as business process specifications, by September 2005. Until the target enterprise architecture is complete, NARA may have difficulty ensuring that the ERA system is defined according to the requirements of the target enterprise architecture. Implementation Status of GAO Recommendations: Information Security: We previously reported that NARA had improved its information security, having recognized that it had weaknesses, which included: * classified systems were not centrally controlled and the agency did not have the necessary assurance that these systems were adequately protected and: * systems compliance testing by a contractor revealed nine security weaknesses in the systems operating on NARA's network, and the agency did not develop plans of action to address those security weaknesses. Federal legislation and guidance for information security require organizations to, among other things, establish an information security program that includes the following activities: develop information security policy and procedures; develop system security plans for networks, facilities, and systems or groups of information systems; perform risk assessments; determine the sensitivity and criticality of systems; and establish certification and accreditation programs for information systems. Since our report last year, NARA has fully addressed one of the previously identified security weaknesses by bringing classified systems under the central control and protection of the chief information officer and has partially addressed the second by developing plans of actions and milestones for the nine weaknesses and completing corrective action on five of the nine. For example, in the past year, the agency has implemented and improved its security awareness program and reported that it had certified and accredited its information systems according to government standards. Implementation Status of GAO Recommendations: Information Security: However, the Office of Inspector General identified additional security weakness, including: * the lack of a formal, documented, and tested agency disaster recovery plan and: * inadequate physical and logical security in areas such as password and systems configuration management. The agency has developed plans of action and milestones to address these weaknesses, which it expects to complete by September 2005. As a result, NARA has considered information security to be a material weakness since 2000. [NOTE 10] Until information security is fully addressed, it remains a risk to ERA's cost, schedule, and performance objectives. Implementation Status of GAO Recommendations: Document Review Process: In our September 2004 report, we recommended that the Archivist direct the ERA program director to design and implement a process to ensure that recommendations from verification and validation reviews are addressed and incorporated into acquisition policies and plans to reduce the risk associated with efforts to acquire ERA. NARA has made progress in addressing our recommendation by designing a process to ensure that reviewers' recommendations are addressed in the final version. However, this document review process has not been finalized and implemented. Agency officials indicated that the recommendation will be fully addressed by June 2005. A process to ensure that verification and validation recommendations from internal assessments are addressed and incorporated reduces the risk that acquisition policies and plans do not meet industry standards. Without the process, NARA cannot ensure that reviewers' comments are integrated into final versions. Until the agency fully designs and implements a process to ensure recommendations are addressed and incorporated into the final versions of documents, the program may not have accurate acquisition policies and plans to guide the system development. Implementation Status of GAO Recommendations: Acquisition Policies and Plans: We previously reported that ERA had developed key acquisition policies and plans to guide its acquisition, but that the documents did not conform to the IEEE standards selected by the agency. These policies and plans are essential for managing the acquisition and providing critical guidance to the contractor who will be developing the system. As a result, we recommended that ERA revise these policies and plans to conform to industry standards. While the program has revised the seven policies and plans, none fully complies with IEEE standards. These six were significantly improved: * Acquisition Strategy, * Concept of Operations, * Life Cycle, * Configuration Management Plan, Risk Management Plan, and: Program Management Plan. According to program officials, these policies and plans will be updated to conform to IEEE standards during the next phase of the acquisition. The remaining plan-the Quality Management Plan-while it has been revised, has not undergone verification and validation. Officials indicated that this plan will undergo verification and validation for compliance to IEEE standards and will be revised in July 2005. [NOTE 11] Until these policies and plans are revised to meet IEEE standards, the program may not have the information needed to manage the acquisition and the contractor may lack the information needed to develop the system. Summary: ERA is meeting its cost, schedule, and performance objectives and has identified risks to the program's objectives. NARA continues to make progress in addressing our prior recommendations. It has implemented one recommendation by hiring two key ERA personnel, the quality management specialist and security officer, which should strengthen the program's capability to manage the acquisition. NARA has partially implemented other recommendations that are essential for the successful management of the acquisition. Specifically, ERA has: * improved baseline architecture but has not completed target architecture, * improved information security but it remains a material weakness despite five years of effort by NARA to strengthen it, * revised the policies and plans to more fully comply with IEEE standards, and * designed but has not finalized the document review process. Because the agency recognizes these weaknesses and has plans in place to address them, we are not making further recommendations at this time. However, it will be important for NARA to continue its efforts to resolve these weaknesses in a timely manner. Agency Comments and Our Evaluation: In written comments on a draft of our briefing slides, the Archivist of the United States indicated appreciation for the insight we provided into the progress remaining to be made toward addressing our recommendations. The Archivist also provided an update on steps the agency has taken and plans to take to address our recommendations, including strengthening the enterprise architecture and information security, and stated that NARA would complete all recommendations. In regard to our discussion of the agency's Risk Management Plan, the Archivist stated that the verification and validation assessment found the plan to be of high quality and 86 percent compliant with standards. We have revised our briefing slides to clarify our characterization of the plan's status. The Archivist also provided technical comments that were incorporated into the briefing slides as appropriate. The Archivist's written comments are reproduced in appendix II. NOTES: [1] According to the Federal Acquisition Regulation, a firm fixed-price contract provides for a price that is not subject to any adjustment on the basis of the contractor's cost experience in performing the contract. This type of contract places maximum risk and full responsibility for all costs and resulting profit or loss on the contractor(s). [2] GAO, Information Management. Challenges in Managing and Preserving Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and GAO, Records Management. National Archives and Records Administration's Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.: Aug. 22, 2003) and GAO, Records Management. Planning for the Electronic Records Archives Has Improved, GAO-04-927 (Washington, D.C.: Sept. 23, 2004). [3] An enterprise architecture provides a description-in useful models, diagrams, and narrative-of the mode of operation for an agency. It describes the agency in logical terms, such as interrelated business locations and users, and in IT operational terms, such as hardware, software, data, communications, and information security attributes and standards. It provides these perspectives both for the baseline and target environments and a plan for transitioning from the baseline to the target. [4] Verification and validation reviews are performed by internal contractors to ensure that ERA policies and plans conform to industry standards, such as those established by IEEE. [5] The Institute of Electrical and Electronics Engineers, 12207.0 Standard for Information Technology-Software Life Cycle Processes; 12207.1 Standard for Information Technology-Software Lifecycle Processes-Life Cycle Data; and 12207.2 Standard for Information Technology-Software Life Cycle Processes-Implementation Considerations. [6] On January 15, 2002, American Systems Corporation (ASC) announced the acquisition of ICE, Inc. According to the ERA project manager, this change does not affect the status of NARA's contract with ICE, Inc. [7] Harris Corporation's milestones for delivery and acceptance of system requirements specifications that were included in its contract were revised to accommodate delays to the project caused by a hurricane that struck company headquarters soon after the design contract was signed. The revision to Harris's schedule did not affect the planned date for selecting the development contractor. [8] The Institute of Electrical and Electronics Engineers, IEEE Standard for Software Life Cycle Processes-Risk Management. IEEE Standard 1540-2001 (Mar. 17, 2001). [9] For example, a basic level of preservation and access might entail saving the original electronic file in its original format. An enhanced level might be achieved by migrating records from their original format to a newer one for which better access software is available. [10] Fiscal Year 2000 Federal Managers' Financial Integrity Assurance (FMFIA) Report to the President. [11] In comments on a draft of these briefing slides, NARA reported that the Quality Management Plan underwent verification and validation on May 11, 2005, and is 85 percent compliant with IEEE standards. [End of section] Appendix II: Comments from the National Archives: National Archives at College Park: 8601 Adelphi Road: College Park, Maryland 20740-6001: Mr. Joel C. Willemssen: Managing Director of Information Technology Team: Government Accountability Office: 441 G Street, NW #4T31: Washington, DC 2054$: Dear Mr. Willemssen: Thank you for the opportunity to review and comment on the draft presentation entitled National Archives and Records Administration's Acquisition of the Electronic Records Archives is Progressing before it is briefed to the staff members of the Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development, and Related Agencies, of the Senate Appropriations Committee and the Subcommittee on Transportation, Treasury and Housing and Urban Development, the Judiciary and District of Columbia, and independent Agencies, of the House Appropriations Committee. We are pleased to note the recognition of the progress made toward implementing the recommendations provided in GAO's report of September 23, 2004, Records Management: Planning for the Electronic Records Archives Has Improved (GAO-04-927). We also appreciate the insight into the progress remaining to be made toward addressing GAO's recommendations. For NARA to carry out its mission into the future we have to be successful implementing the Electronic Records Archives (ERA) system. To ensure we are successful, we will complete those recommendations identified in your presentation as "partially implemented." We would like to take this opportunity to update you on the status of those efforts. Enterprise Architecture. GAD observed that "NARA has added sections on information security and IT operations to its baseline enterprise architecture. However, the target architecture is only a framework, and therefore, is incomplete." GAO also indicates that "Until the target enterprise architecture is complete, NARA may have difficulty ensuring that the ERA system is defined according to the requirements of the target enterprise architecture." By September 2005, NARA's Target Architecture will have progressed well beyond the addition of business process specifications. This version of the Enterprise Architecture will include: * Specifications of all business processes related to records lifecycle. This includes data inputs and outputs, security and privacy constraints, identification of business rules and policies, technology enablers and support from current systems for each lifecycle business prates. * A set of business information flows. These are developed using the business process, the data inputs and outputs, and the enterprise data model. * A set of conceptual business information systems. These are developed using the business information flows and applying technological and security constraints. * A revised sequencing plan that shows a high-level implementation strategy for the set of conceptual business information systems. The revised sequencing plan is an important input into specifying an updated business transformation plan. These additions to our Enterprise Architecture represent a major step forward in the definition and maturity of NARA's Target Architecture. The necessary specifications will be in place by September 2005, when development of ERA's increment one starts, to ensure that the ERA requirements will be defined according to NARA's Target Architecture. IT Security Program. GAO observed in the report that the agency has developed plans of action and milestones to address the Office of Inspector General weaknesses by September 2005. GAO also indicates that "As a result, NARA has considered information security to be a material weakness since 2000. Until information security is fully addressed, it remains a risk to ERA's cost, schedule and performance objectives." We are very pleased GAO noted the progress on the NARA security program, we want to address additional concerns GAO raised resulting from its review of NARA's Office of Inspector General audits. First, to address the lack of a formal, documented, and tested agency disaster recovery plan, we want to stress that ERA itself has a comprehensive information security plan, developed in collaboration with the National Security Agency, that has integrated contingency and disaster recovery plans as part of its requirements. Recent system design reviews with both competing contractors confirm that these requirements are being incorporated into the final ERA system design, Also, our Plan of Action and Milestones for completing an agency-wide disaster recovery plan addresses one of the material weaknesses identified in the 2004 Federal Manager's Financial Integrity Act report. That disaster recovery plan will incorporate the contingency plans that have been developed and tested for each NARA system, including ERA and NARAnet. The NARAnet disaster recovery plan also addresses the data recovery capabilities needed to support the ERA Program Management Office. Second, addressing the general concern related to physical and logical security weaknesses, we want to assure GAO that the completion of the specific audit action items comprising this deficiency will be resolved by September 30, 2005. We believe that completing these audit action items when development of ERA's increment one starts will mitigate the risks to ERA's cost, performance, and schedule objectives. Cost, Schedule, and Performance and Risks, GAO indicates in its report that "the contracts for this phase are firm-fixed-priced and cost variations are expected to be at the contractor's expense." We want to clarify that not only is ERA meeting its cost objectives for the Analysis and Design (A&D) phase, but both contractors expect to complete the A&D phase within budget. No variations from the planned budget are anticipated. If any averages occur, they would be at the contractor's expense. Document Review Process. GAO observed that "NARA has made progress in addressing our recommendation by designing a process to ensure that reviewer's recommendations are addressed in the final version. However, this document review process has not been finalized and implemented." We have a process in place which ensures that comments from all reviewers as well as the Independent Verification and Validation staff, when required, are addressed. Comments and responses to comments are tracked by the Quality Management (QM) staff. All documents submitted to the Program Manager for approval are required to be accompanied by a report from the QM staff on the resolution of all comments. Acquisition Policies and Plan, GAO states in the report that "the Quality Management Plan - while it has been revised, has not undergone verification and validation." The Quality Management Plan, Version 2.6, December 16, 2004, underwent verification and validation on May 11, 2005. It was found to be 85% compliant with the IEEE standards. It should be noted that the IEEE standard has been tailored for the Quality Management Plan to incorporate industry best practices derived from the Project Management Institute's Project Management Body of Knowledge (PMBOK). The items noted as non-compliant were primarily in the area of format; these recommendations will be taken into consideration during the next revision of the plan, which should be completed by July 2005. GAO also states that "the Risk Management Plan - has significant weaknesses." The Risk Management Plan, Version 3.0, August 25 2004 underwent verification and validation on August 26, 2004. It was found to be 86% compliant with the IEEE standard. The overall quality of the Risk Management Plan was rated as high. The remaining items will be addressed during the next revision of the Risk Management Plan scheduled for August 2005. The level of IEEE compliance for the documents reviewed is directly related to the system's life cycle. Most documents show a small number of partially compliant items that we will make fully compliant as information becomes available with the start of system development. Again, we thank you for this opportunity to comment and look forward to our future interactions as we continue the ERA acquisition process. If you have any questions, please contact Carmen Colon, Program Support Division at (301) 837-0445. Sincerely, Signed by: ALLEN WEINSTEIN: Archivist of the United States: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Linda Koontz, (202) 512-7487: Staff Acknowledgments: In addition to the contact named above, Timothy Case, Nancy Glover, and Teresa Neven made key contributions to this report. (310740): FOOTNOTES [1] According to the Federal Acquisition Regulation, a firm fixed-price contract provides for a price that is not subject to any adjustment on the basis of the contractor's cost experience in performing the contract. This type of contract places maximum risk and full responsibility for all costs and resulting profit or loss on the contractor(s). [2] GAO, Information Management: Challenges in Managing and Preserving Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and GAO, Records Management: National Archives and Records Administration's Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.: Sept. 23, 2004). [3] An enterprise architecture provides a description--in useful models, diagrams, and narrative--of the mode of operation for an agency. It describes the agency in logical terms, such as interrelated business locations and users, and in IT operational terms, such as hardware, software, data, communications, and information security attributes and standards. It provides these perspectives both for the baseline and target environments and a plan for transitioning from the baseline to the target. [4] Verification and validation reviews are performed by internal contractors to ensure that ERA policies and plans conform to industry standards, such as those established by IEEE. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: