This is the accessible text file for GAO report number GAO-11-20 entitled 'Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls' which was released on October 27, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Ranking Member, Committee on Finance, U.S. Senate: United States Government Accountability Office: GAO: October 2010: Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls: GAO-11-20: GAO Highlights: Highlights of GAO-11-20, a report to the Ranking Member, Committee on Finance, U.S. Senate. Why GAO Did This Study: The National Archives and Records Administration (NARA) is responsible for preserving access to government documents and other records of historical significance and overseeing records management throughout the federal government. NARA relies on the use of information systems to receive, process, store, and track government records. As such, NARA is tasked with preserving and maintaining access to increasing volumes of electronic records. GAO was asked to determine whether NARA has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over NARA’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at nine sites. What GAO Found: NARA has not effectively implemented information security controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems that support its mission. Although it has developed a policy for granting or denying access rights to its resources, employed mechanisms to prevent and respond to security breaches, and made use of encryption technologies to protect sensitive data, significant weaknesses pervade its systems. NARA did not fully implement access controls, which are designed to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Specifically, the agency did not always (1) protect the boundaries of its networks by, for example, ensuring that all incoming traffic was inspected by a firewall; (2) enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords; (3) limit users’ access to systems to what was required for them to perform their official duties; (4) ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by potentially malicious individuals; (5) keep logs of network activity or monitor all parts of its networks for possible security incidents; and (6) implement physical controls on access to its systems and information, such as securing perimeter and exterior doors and controlling visitor access to computing facilities. In addition to weaknesses in access controls, NARA had mixed results in implementing other security controls. For example: * NARA did not always ensure equipment used for sanitization (i.e., wiping clean of data) and disposal of media (e.g., hard drives) was tested to verify correct performance. * NARA conducted appropriate background investigations for employees and contractors to ensure sufficient clearance requirements have been met before permitting access to information and information systems. * NARA did not consistently segregate duties among various personnel to ensure that no one person or group can independently control all key aspects of a process or operation. The identified weaknesses can be attributed to NARA not fully implementing key elements of its information security program. Specifically, the agency did not adequately assess risks facing its systems, consistently prepare and document security plans for its information systems, effectively ensure that all personnel were given relevant security training, effectively test systems’ security controls, consistently track security incidents, and develop contingency plans for all its systems. Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss. What GAO Recommends: GAO is making 11 recommendations to the Archivist of the United States to implement elements of NARA’s information security program. In commenting on a draft of this report, the Archivist generally concurred with GAO’s recommendations but disagreed with some of the report’s findings. GAO continues to believe that the findings are valid. View [hyperlink, http://www.gao.gov/products/GAO-11-20] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov and Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov. [End of section] Contents: Letter: Background: Control Weaknesses Threaten Record Retention: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objective, Scope, and Methodology: Appendix II: NARA Organizational Chart: Appendix III: Comments from the National Archives and Records Administration: Appendix IV: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Major NARA Divisions: Table 2: Examples of Key NARA Systems: Table 3: Positions with Key Security Responsibilities in the Office of Information Services: Figures: Figure 1: Simplified NARA Network Diagram: Figure 2: User Completion of NARA Security Awareness Training: Abbreviations: CIO: Chief Information Officer: ERA: Electronic Records Archives: FIPS: Federal Information Processing Standard: FISMA: Federal Information Security Management Act: IT: information technology: NARA: National Archives and Records Administration: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: POA&M: plan of action and milestones: US-CERT: United States Computer Emergency Readiness Team: [End of section] United States Government Accountability Office: Washington, DC 20548: October 21, 2010: The Honorable Charles E. Grassley: Ranking Member: Committee on Finance: United States Senate: Dear Senator Grassley: The National Archives and Records Administration (NARA) is responsible for managing and archiving government records, which increasingly involves dealing with documents that are created and stored electronically. In 2001, NARA responded to the challenge of preserving, managing, and providing access to electronic records by initiating the development of the Electronic Records Archives (ERA). As the nation's record keeper, NARA is responsible for significant amounts of sensitive information. In 2009 NARA experienced a data breach wherein a hard drive containing data from the Clinton Administration was lost. The hard drive reportedly contained classified information and Social Security numbers of former White House staffers and visitors. In response to your request, we conducted an evaluation of NARA's information security program. Our objective was to determine whether NARA has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To accomplish this objective, we examined computer security controls over networks supporting nine sites to determine whether information was safeguarded and protected from unauthorized access. We also reviewed and analyzed NARA's security policies, plans, and reports and interviewed key agency officials. We performed this performance audit from December 2009 to October 2010, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. See appendix I for a complete description of our objective, scope, and methodology. Background: Information security is a critical consideration for any organization reliant on information technology (IT) and especially important for government agencies, such as NARA, where maintaining the public's trust is essential. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet have changed the way our government, the nation, and much of the world communicate and conduct business. Although this expansion has created many benefits for agencies in achieving their missions and providing information to the public, it also exposes federal networks and systems to various threats. Without proper safeguards, systems are unprotected from attempts by individuals and groups with malicious intent to intrude and use the access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. This concern is well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, the steady advance in the sophistication and effectiveness of attack technology, and the dire warnings of new and more destructive attacks to come. Over the past few years, federal agencies have reported an increasing number of security incidents, many of which involved sensitive information that has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to the loss of privacy, identity theft, and other financial crimes. NARA Is a Key Steward of Federal Records: NARA is the nation's record keeper. It was created by statute as an independent agency in 1934. On July 1, 1949, the Federal Property and Administrative Services Act transferred the National Archives to the General Services Administration, and its name was changed to National Archives and Records Services. It attained independence again as an agency in October 1984 (effective April 1, 1985) and became known as the National Archives and Records Administration. NARA's mission is to ensure continuing access to essential documentation of the rights of American citizens and the actions of their government. NARA also publishes the Federal Register, stores classified materials, and plays a role in the declassification of these classified records. The Archivist of the United States is NARA's chief administrator and has responsibilities that include providing federal agencies with guidance and assistance for records management and establishing standards for records retention. The Archivist also has overall responsibility for ensuring the confidentiality, integrity, and availability of the information and information systems that support the agency and its operations. The Assistant Archivist for Information Services has the responsibilities of NARA's Chief Information Officer. In fiscal year 2009, NARA's appropriation was about $459 million, while its fiscal year 2010 appropriation is about $470 million. NARA is composed of six major divisions (see table 1) that include 44 facilities such as the headquarters locations in Washington, D.C., and College Park, Maryland; presidential libraries; and regional archives nationwide. Table 1: Major NARA Divisions: Division: Office of Records Services, Washington, D.C.; Description of function: Accessions, preserves, describes, and provides access to the historically valuable records of the three branches of the federal government in the Washington, D.C., area. The office has agencywide responsibility for records appraisal. In addition, its conservation staff serves the entire agency and also operate the Washington National Records Center at Suitland, Maryland. Division: Office of Regional Records Services; Description of function: Accessions, preserves, describes, and provides access to the archival records of federal executive agencies that were created outside the Washington, D.C., area and the archival records of the U.S. District Courts within 13 regional archives centers nationwide, plus provides targeted assistance program to aid federal agencies with records management. The office serves as NARA liaison for the eight affiliated archives that hold NARA-owned records on behalf of NARA in their repositories around the country. Division: Office of Presidential Libraries; Description of function: Administers a nationwide network of presidential libraries documenting each administration beginning with the Herbert Hoover Administration. Currently, the system includes 13 Presidential Libraries, Nixon Presidential Materials Staff, and Presidential Materials Staff. These are not traditional libraries, but rather repositories for preserving and making accessible the papers, records, and other historical materials of U.S. presidents. A museum is an important component of each library. Division: Office of the Federal Register; Description of function: Publishes public laws, coordinates the functions of the Electoral College, administers the constitutional amendment process, and provides access to the official text of federal laws, presidential documents, administrative regulations, and notices. Division: Office of Information Services; Description of function: Provides information technology services agencywide. Also manages the development of the ERA system. Division: Office of Administration; Description of function: Operates and maintains physical security, including the transfer of classified information. Source: NARA. [End of table] NARA Relies on Information Systems to Accomplish Its Mission: NARA depends on a number of key information systems to conduct its daily business functions and support its mission. These systems include networks, telecommunications, and specific applications. As of fiscal year 2009, NARA reported having 39 IT systems and 4 externally hosted systems. According to NARA, as part of its key transformation initiative, in 2001 the agency responded to the challenge of preserving, managing, and assessing electronic records by beginning the development of the modern Electronic Records Archives (ERA) system. This major information system is intended to preserve and provide access to massive volumes of all types and formats of electronic records, independent of their original hardware or software. NARA plans for the system to manage the entire life cycle of electronic records, from their ingestion through preservation and dissemination to customers. We have previously made numerous recommendations to NARA to improve its acquisition and monitoring of the system.[Footnote 1] Table 2 lists examples of key NARA systems. Table 2: Examples of Key NARA Systems: System: Electronic Records Archives (ERA); System location: Allegany Ballistics Laboratory; Description: Plans to authentically preserve electronic records and provide discovery and delivery of archived records. A component of ERA, the Executive Office of the President system, receives, archives, and disseminates presidential holdings. System: NARANET; System location: NARA-wide; Description: Provides data transport and processing environment for NARA's IT and application support services. System: Archives Declassification Review and Redaction System (ADRRES); System location: Archives II; Description: Indexes classified documents that have been withdrawn from records transferred to NARA and processes Freedom of Information Act requests for nonclassified material. System: Archival Electronic Records Inspection and Control System (AERIC); System location: Archives II; Description: Verifies the adequacy of the accompanying documentation for the electronic data files transferred by federal agencies to NARA. System: Archival Preservation System (APS); System location: Archives II; Description: Copies files from one volume to another, supports the business process of providing reference services, and provides management support for a variety of electronic records. System: Archival Research Catalog (ARC); System location: Archives II; Description: Provides an online catalog of NARA's holdings. System: Archives and Records Centers Information System (ARCIS); System location: Archives II; Description: Processes core transactions such as records transfers, accessions, dispositions, reference requests, refiles, and interfiles. System: Badging and Access (B&A); System location: Archives II; Description: Provides a means of transferring user information to a badge and physically reading the badge allowing or denying access depending on user access rights. System: Case Management and Reporting System (CMRS); System location: Archives II; Description: Automates the processing of military personnel records. System: Presidential Electronic Records Library System (PERL); System location: Archives II; Description: Provides a repository for electronic records produced during presidential administrations. Source: NARA. [End of table] The Office of Information Services at the Archives II facility provides centralized management and control of NARA's IT resources and services, including NARANET, the primary general support system of NARA. As shown in figure 1, NARANET is centrally located at Archives II and connects to other government and academic entities. NARANET is extended to field sites via a private network, operated by a service provider. In addition, at locations where the public has research access, NARA provides access to the Internet through the use of public access computers. Figure 1: Simplified NARA Network Diagram: [Refer to PDF for image: illustration] Internet (network): Feeds: * Military Personnel Records Center, St. Louis, MO; * NARANET (Located at Archives II, College Park, MD); includes public access computers (network); * Defense Research Engineering Network. NARANET: Feeds: * University of Maryland (network); * General Services Administration (network); * Defense Research Engineering Network (network); * NARANET Private (Virtual) (network). NARANET Private (Virtual): Feeds: * Allegany Ballistics Laboratory Rocket Center, WV (includes ERA network) (also fed by Defense Research Engineering Network); * Military Personnel Records Center, St. Louis, MO; * Civilian Personnel Records Center, St. Louis, MO; * Nat’l Personnel Records Center Annex, Valmeyer, IL; * Archives I, Washington, DC; * Washington Nat’l Records Center, Suitland, MD; * Clinton Presidential Library, Little Rock, AR (includes public access computers). Allegany Ballistics Laboratory Rocket Center: Feeds: * Contractor, Greenbelt, MD. Source: GAO analysis of agency data as of July, 2010. [End of figure] NARA's Information System Security Program: The Federal Information Security Management Act of 2002 (FISMA) [Footnote 2] requires each federal agency to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by other agencies, contractors, or other sources. FISMA requires the Chief Information Officer or comparable official at federal agencies to be responsible for developing and maintaining an information security program. The Office of Information Services centrally administers NARA's IT security program at the Archives II facility. The Assistant Archivist for Information Services, who also serves as the Chief Information Officer (CIO), is the head of the Office of Information Services. As described in table 3, NARA has designated certain senior managers or divisions at headquarters to fill the key roles in IT security designated by FISMA and agency policy. Table 3: Positions with Key Security Responsibilities in the Office of Information Services: Position: Deputy CIO; Key responsibilities: Assists the CIO in leading the agencywide IT program and carrying out the provisions of enacted IT legislation. In coordination with the CIO, manages all day-to-day functions of the IT and information resources management program divisions and staffs. Position: Chief Information Security Officer; Key responsibilities: Reports to the CIO and has day-to-day oversight of NARA's information security program. Position: IT Security Staff; Key responsibilities: Develops and implements NARA's IT Security Program Plan and the Computer Security Response Program. Position: Chief Technology Officer; Key responsibilities: Directs the planning, architecture, design, and configuration management of all agencywide hardware, software, database management systems, telecommunications, data and local area and wide area networks, and related equipment and approves systems development methodologies and configuration changes to NARA's technology infrastructure. Position: Information Technology Services Division Director; Key responsibilities: Administers the operation of NARA's IT infrastructure, including voice and data communications systems, by NARA staff and contractors. Position: IT Services Branch Manager; Key responsibilities: Provides contracting officer's representative services for the Information Technology Support Systems contract, NARA's nationwide network operations contract. Position: IT Operations Branch Manager; Key responsibilities: Operates, maintains, and manages NARA's IT network infrastructure, voice and data communications systems, and IT security operations (in conjunction with IT security staff). Also monitors NARA network and desktop environments for performance. Source: NARA. [End of table] FISMA also requires the National Institute of Standards and Technology (NIST) to provide standards and guidance to agencies on information security. NARA has a directive in place to establish its policy and guidance for information security, delineate its security program structure, and assign security responsibilities. Control Weaknesses Threaten Record Retention: NARA has taken steps to safeguard the information and systems that support its mission. For example, it has developed a policy for granting or denying access rights to its resources, employs mechanisms to prevent and respond to security breaches, and makes use of encryption technologies to protect sensitive data. However, security control weaknesses pervaded NARA's systems and networks, thereby jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity, and availability of its information and systems. These deficiencies include those related to access controls, as well as other controls such as configuration management and segregation of duties. A key reason for these weaknesses is that NARA has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. These weaknesses could affect NARA's ability to collect, process, and store critical information and records, and protect that information from risk of unauthorized use, modification, and disclosure. NARA Did Not Fully Implement Access Controls: A basic management objective for any organization is to protect the resources that support its critical operations from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Inadequate access controls diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of sensitive information and of disruption of service. Access controls include those related to (1) protection of system boundaries, (2) user identification and authentication, (3) authorization, (4) cryptography, (5) audit and monitoring, and (6) physical security. NARA did not implement effective controls in these areas. NARA Did Not Always Protect Network Boundaries: Boundary protection controls logical connectivity into and out of networks and controls connectivity to and from network connected devices. Unnecessary connectivity to an organization's network increases not only the number of access paths that must be managed and the complexity of the task, but the risk of unauthorized access in a shared environment. NIST guidance states that boundary protection devices should monitor and control communications at the external boundary of the system and at key internal boundaries within the system. Organizations use boundary protection devices such as proxies, gateways, routers, and firewalls to monitor and control such communications and to separate network segments that require a higher level of control than other segments of the network. NARA has established network boundaries, but did not always adequately enforce those boundaries to secure connectivity into and out of its networks. For example, at one location, network boundaries were not adequately segregated or segmented since NARA's network was not separated from a contractor network. In addition, several internal network routers allowed direct network connections from outside the network. Similarly, firewalls at two locations were not adequately configured to control traffic into those networks, which could also allow traffic to bypass the firewalls and enter those networks. We also discovered several devices connected to a network that NARA network engineers were not aware of that could result in unidentified attacks on the network by using those devices. As a result, NARA's networks were vulnerable to unnecessary and potentially undetectable access at multiple points. Users Were Not Always Properly Identified and Authenticated: A computer system must be able to identify and authenticate different users so that activities on the system can be linked to specific individuals. Assigning unique user accounts enables a system to distinguish one user from another (identification), while requesting specific information, such as a password, known only by a specific user allows a system to establish the validity of a user's claimed identity (authentication). The combination of identification and authentication--such as user account-password combinations--provides the basis for maintaining individual accountability and controlling access to a system. NIST states that information systems uniquely identify and authenticate users by, among other things, establishing complex (i.e., not easily guessed) passwords to reduce the likelihood of unauthorized access. While NARA has developed a policy for identification and authentication that is based on NIST guidance, NARA has not always adequately implemented its policy. For example, multiple database systems at one location were not adequately configured to identify users and authenticate their identities when users logged in remotely. At one location, NARA also established shared, or "generic," accounts with administrator privileges on multiple systems. This practice diminishes NARA's ability to establish individual accountability and attribute system activity to a specific individual. In addition, NARA does not always enforce policies for establishing complex passwords on multiple systems and applications. As a result, increased risk exists that individuals may guess passwords and use them to gain unauthorized access to NARA's systems and networks. Authorizations Provided Users with More Access than Necessary for Their Jobs: Authorization is the process of granting or denying access rights and permissions to a protected resource, such as a network, a system, an application, a function, or a file. A key concept for granting or denying access rights is that of "least privilege," which means that users should be granted only those access rights and permissions that they need to perform their official duties. NIST states that federal agencies should grant users only the access rights and privileges to information and information systems that are necessary for them to perform their jobs. Although NARA has established an access control methodology based on least privilege and need-to-know principles, it has not always limited users' access rights and permissions to those necessary for them to perform their official duties. At one location, NARA provided all users on a system with read-only access to a file containing system passwords. NARA also allowed remote root[Footnote 3] (e.g., "super-user") logins to multiple servers. NARA did not disable source routing[Footnote 4] on network devices. In addition, at two locations in our review, NARA granted administrator-level roles and privileges to normal user accounts for databases, which could lead to compromise of database servers. The result of these weaknesses is an increased risk of unauthorized access to NARA systems and information. NARA Did Not Always Use Encryption to Effectively Protect Sensitive and Critical Information: Cryptography is a fundamental mechanism used to protect the confidentiality and integrity of critical and sensitive information. Encryption, a basic element of cryptology, involves the conversion of data into a form (cipher text) that cannot be easily understood by unauthorized individuals. This is done by transforming plain text into cipher text using a special value (a "key") and a mathematical process known as an algorithm. NIST states that federal organizations should use encryption to protect the confidentiality of remote access sessions and encrypt sessions between host systems. In addition, NIST states that organizations should encrypt passwords in storage and transmission. For encryption employed on stored information such as passwords as part of an access enforcement mechanism, the cryptography used should comply with the Federal Information Processing Standard (FIPS) 140-2, as amended, Security Requirements for Cryptographic Modules.[Footnote 5] NARA did not always use encryption when sensitive information was stored or transmitted. For example, at two locations, NARA used unencrypted protocols for remote management of its network, which exposed sensitive authenticating session data. In another example, unencrypted passwords for authenticating users were transmitted across NARA's network. For several systems, NARA used weak password encryption that could be easily compromised and was not compliant with FIPS 140-2 algorithms for password encryption. NARA also allowed keys (the values used to transform plain text into cipher text) to be stored unencrypted. These weaknesses unnecessarily expose critical and sensitive information to risk of unauthorized access, modification, or destruction. Network Monitoring Was Not Consistently Implemented: To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. To do this, organizations implement system or security software that provides an audit trail, or log, of system activity that can be used to determine the source of a transaction or attempted transaction and to monitor users' activities. Audit and monitoring technologies include network-and host-based intrusion detection systems, audit logging, security event correlation tools, and computer forensics. NIST guidance and NARA policy state that audit logs should be retained to allow monitoring of key activities, provide support for after-the-fact investigations of security incidents, and meet organizational information retention requirements. Although NARA has many useful mechanisms at its disposal to help prevent and respond to security breaches, such as firewalls and intrusion detection systems, it has not consistently implemented integrated and responsive auditing and monitoring. At one location, audit logs for network devices did not capture sufficient levels of information and were not in compliance with NARA's 1-year retention policy for system logs. For example, over 100 network devices were not configured for remote logging, and about 65 devices did not capture information such as logs of access control lists or successful and failed login attempts. At two locations, NARA had not adequately configured auditing on several systems supporting major applications, and database systems did not archive logs in conformity with NARA's retention policy. NARA also did not have an operational program in place for detecting "rogue" access points on its wireless networks, which could allow for undetected access. As a result, NARA is limited in its ability to establish accountability, ensure compliance with security policies, and investigate violations. Deficient Physical Security and Environmental Safety Controls Reduced Their Effectiveness: Physical security controls are a key component of limiting unauthorized access to sensitive information and information systems. These controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft. They involve restricting physical access to computer resources and sensitive information, usually by limiting access to the buildings and rooms in which the resources are housed and periodically reviewing access rights granted to ensure that access continues to be appropriate based on established criteria. NIST states that federal organizations should implement physical security and environmental safety controls to protect employees and contractors, information systems, and the facilities in which they are located. NARA policy also requires controls for deterring and restricting physical access to areas housing sensitive IT equipment and information. NARA effectively secured several of its sensitive areas and computer equipment and took other steps to provide physical security and environmental safety. For example, NARA issued electronic badges to help control access to many of its sensitive and restricted areas. The agency also drafted policies and procedures to guide staff in securing sensitive information and IT resources. In addition, the agency implemented several environmental and safety controls, such as temperature and humidity controls, as well as fire protection to protect its staff and sensitive IT resources. However, NARA has not effectively: * secured interior areas with IT equipment and sensitive information and enforced physical security safeguards; * secured perimeter and exterior doors and controlled keys to facility doors; * prevented and controlled unauthorized removal of sensitive information and IT components; * authorized, authenticated, and controlled visitors to its facilities and areas containing sensitive IT equipment; * secured locations that support computer operations; and: * environmentally protected areas containing sensitive IT equipment. * These weaknesses in NARA's physical security and environmental safety controls put sensitive information and IT resources at risk. As such, NARA facilities may be vulnerable to attack or access by unauthorized individuals, and sensitive information could be stolen, damaged, or otherwise compromised. Also, because areas containing sensitive IT and support equipment are not adequately protected, NARA has less assurance that computing resources are protected from inadvertent or deliberate misuse including sabotage, vandalism, theft, and destruction. Weaknesses in Other Controls Increase Risk: In addition to access controls, other important controls should be in place to ensure the confidentiality, integrity, and availability of an organization's information. These controls include policies, procedures, and techniques for securely configuring information systems, sufficiently disposing of media, implementing personnel security, and segregating incompatible duties. Weaknesses in these areas increase the risk of unauthorized use, disclosure, modification, or loss of sensitive information and information systems supporting NARA's mission. Configuration Management Controls Were Not Sufficient: One of the purposes of configuration management is to establish and maintain the integrity of an organization's work products. It involves identifying and managing security features for all hardware, software, and firmware components of an information system at a given point and systematically controlling changes to that configuration during the system's life cycle. By implementing configuration management and establishing and maintaining baseline configurations and monitoring changes to these configurations, organizations can better ensure that only authorized applications and programs are placed into operation. NARA policy requires the most restrictive mode possible of the security settings of information technology products. NIST standards state and NARA policy requires system changes to be controlled. Patch management is an additional component of configuration management, and is an important factor in mitigating software vulnerability risks. Up- to-date patch installation can help diminish vulnerabilities associated with flaws in software code. NIST states that organizations should promptly install newly released security relevant patches, service packs, and hot fixes and test them for effectiveness and potential side effects on the organization's information systems. NARA had not securely configured several of its systems. For example, network configurations were not always restricted in accordance with best practices; additionally, Web applications and operating systems were not always restricted in accordance with NIST guidance. While NARA has maintained and tracked configuration changes for its ERA system, it has not consistently documented the status of those changes. NARA documented, maintained, and tracked approvals for ERA's system change requests in its meeting minutes as well as in a system for managing those change requests, but the information in meeting minutes and the change repository were inconsistent. For example, change requests agreed to in meeting minutes from October 2009 to March 2010 did not always match those entered in the repository storing those changes. Specifically, some change requests were approved for implementation in the meeting, but were listed in the repository as closed. Others were reflected as being on hold, but were actually listed as canceled in the repository. According to ERA configuration management staff, these inconsistencies exist because the configuration control board status represents a single point in time of each change request. Subsequent changes to the system related to each change request are handled by release management staff. Therefore, the status in the repository will continue to change. Configuration management staff have the responsibility to document updates to changes in status at various points in the process. In addition, NARA had not implemented an effective patch management program for the systems we reviewed. For example, patches had not been consistently applied to critical systems or applications in a timely manner. Specifically, several critical systems had not been patched or were out of date, some of which had known vulnerabilities. Additionally, NARA used out-of-date or unsupported software and products in some instances. As a result of these control deficiencies, increased risk exists that the integrity of NARA systems could be compromised. NARA Did Not Consistently Test Equipment Used to Sanitize Media: Media destruction and disposal is key to ensuring confidentiality of information. Media can include magnetic tapes, optical disks (such as compact disks), and hard drives. Organizations safeguard used media to ensure that the information they contain is appropriately controlled. Media that is improperly disposed of can lead to the inappropriate or inadvertent disclosure of an agency's sensitive information or the personally identifiable information of its employees and customers. NARA uses degaussers[Footnote 6] to remove sensitive information from hard drives and tapes before reuse or destruction. This equipment should then be certified that it was tested and that it performed correctly. NIST recommends that organizations test sanitization[Footnote 7] equipment and procedures to verify correct performance. NARA's policy for protection of media requires that sanitization equipment be tested annually. However, NARA has not always ensured that equipment used for removing sensitive information was tested annually. For example, while the degausser located at one location was certified annually, one at another location was not. Specifically, one degausser was certified on January 2010, while the other had not been certified since July 2008, about 20 months prior to our on-site visit. By not testing and certifying its degausser, NARA has reduced assurance that the equipment is performing according to certified requirements. Personnel Security Controls Are in Place: The greatest harm or disruption to a system comes from the actions, both intentional and unintentional, of individuals. These intentional and unintentional actions can be reduced through the implementation of personnel security controls. According to NIST, personnel security controls help organizations ensure that individuals occupying positions of responsibility (including third-party service providers) are trustworthy and meet established security criteria for those positions. For employees and contractors assigned to work with confidential information, confidentiality, nondisclosure, or security access agreements specify required precautions, acts of unauthorized disclosure, contractual rights, and obligations during employment and after termination. NARA's security policy for personnel screening states that the type of investigation is based on the sensitivity of the position to be held. NARA conducted the appropriate background investigations for the employees and contractors we reviewed. These individuals also had appropriate nondisclosure agreements signed when applicable to their position. However, at one location contractors had not signed nondisclosure agreements for the ERA system. NARA staff acknowledged the issue and subsequently had the contractors sign the nondisclosure agreements. Incompatible Duties Were Not Always Effectively Segregated: Segregation of duties refers to the policies, procedures, and organizational structures that help ensure that no single individual can independently control all key aspects of a process or computer- related operation and thereby gain unauthorized access to assets or records. Often, organizations achieve segregation of duties by dividing responsibilities among two or more individuals or organizational groups. This diminishes the likelihood that errors and wrongful acts will go undetected, because the activities of one individual or group will serve as a check on the activities of the other. Effective segregation of duties includes segregating incompatible duties and maintaining formal operating procedures, supervision, and review. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, improper program changes implemented, and computer resources damaged or destroyed. For systems categorized as high or moderate impact, [Footnote 8] NIST states that incompatible duties should be segregated, such as, by not allowing security personnel who administer system access control functions to administer audit functions. NARA also has a policy requiring segregation of duties. NARA did not always implement effective segregation of duties controls. For example, two staff members were each assigned security and system administration roles and responsibilities, as either a primary or backup for the ERA system (a high impact system). In addition, those individuals had privileges that allowed them to delete logs generated by the system used for auditing and logging security events. According to NARA staff, periodic reviews of the administrators' access were performed using checklists that require administrators to review each other's access activities. However at the time of our review, NARA had not documented its oversight process to ensure controls for separation of duties were implemented appropriately. As a result, NARA may face an increased risk that improper program changes or activities could go unnoticed. NARA Has Not Fully Implemented All Elements of Its Information Security Program: A key reason for the weaknesses in information security controls intended to protect NARA's systems is that the agency has not yet fully implemented its agencywide information security program to ensure that controls are effectively established and maintained. FISMA requires each agency to develop, document, and implement an information security program that, among other things, includes: * periodic assessments of the risk and the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; * policies and procedures that (1) are based on risk assessments, (2) cost-effectively reduce risks, (3) ensure that information security is addressed throughout the life cycle of each system, and (4) ensure compliance with applicable requirements; * plans for providing adequate information security for networks, facilities, and systems; * security awareness training to inform personnel of information security risks and of their responsibilities for complying with agency policies and procedures, as well as training personnel with significant security responsibilities for information security; * periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, which is to be performed with a frequency depending on risk, but no less than annually, and which includes testing the management, operational, and technical controls for every system identified in the agency's required inventory of major information systems; * a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in its information security policies, procedures, or practices; * procedures for detecting, reporting, and responding to security incidents; and: * plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. Although NARA has developed and documented a framework for its information security program, key components of the program have not been fully or consistently implemented. NARA Developed Risk Assessments but Inconsistently Implemented Risk- Related Procedures: In order for agencies to determine what security controls are needed to protect their information resources, they must first identify and assess their information security risks. FIPS publication 199 provides risk-based criteria to identify and categorize information and information systems based on their impact to the organization's mission.[Footnote 9] In addition, the Office of Management and Budget (OMB) states that a risk-based approach is required to determine adequate security, and it encourages agencies to consider major risk factors, such as the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. By increasing awareness of risks, these assessments can generate support for policies and controls. NIST states that organizations should also assess physical security risks to their facilities when they perform required risk assessments of their information systems. Federal standards[Footnote 10] require that NARA conduct vulnerability risk assessments at least every 3 years for the buildings and facilities we visited. NARA has developed and conducted risk assessments, but has not consistently documented risk or assessed risk in a timely manner at its facilities. For example, NARA had developed risk assessments for all 10 of the systems in our review, but other system documentation for 4 of the 10 systems cited FIPS 199 impact levels that did not match those listed in NARA's systems inventory. Documents for 3 systems reflected impact ratings higher than those listed in the systems inventory and the fourth one reflected a lower rating. Similarly, while NARA had conducted physical security risk assessments for the sites we reviewed, several had not been conducted within the required 3-year time frame. As a result, NARA may not have assurance that adequate controls are in place to protect its information and information systems. NARA's Policies and Procedures Were Not Always Consistent with Federal Guidance: Another key element of an effective information security program is to develop, document, and implement risk-based policies, procedures, and technical standards that govern security over an agency's computing environment. FISMA requires agencies to develop and implement policies and procedures to support an effective information security program. If properly implemented, policies and procedures should help reduce the risk that could come from unauthorized access or disruption of services. Developing, documenting, and implementing security policies are the primary mechanisms by which management communicates its views and requirements; these policies also serve as the basis for adopting specific procedures and technical controls. NARA has developed information security policies and procedures that are based on NIST guidelines. For example, NARA has developed individual policy documents that address all of the families of controls listed in NIST Special Publication 800-53.[Footnote 11] To illustrate, NARA has developed information security methodologies that correspond to the controls required by NIST in the areas of access controls, configuration management, contingency planning, and security awareness training. However, NARA's policies and procedures were not always consistent with NIST guidance. For example, NARA has not always prescribed controls based on the system's impact. NIST requires organizations to determine their information systems' impact using the security objectives of confidentiality, integrity, and availability and states that this information system impact level must be determined prior to the consideration of minimum security requirements and the selection of security controls for those information systems. Instead, NARA prescribed controls based on individual security objectives without taking into consideration the predetermined impact level (based on the three security objectives) of an individual system. To illustrate, NARA's access control policy only specifies controls for systems with moderate or high confidentiality, rather than suggesting controls according to the impact of the system, as determined by all three security objectives. Similarly, NARA's certification and accreditation and contingency planning methodologies prescribed controls for systems with moderate or high integrity and availability, respectively, and not based on the impact level of the system. As a result, NARA's policy may not provide the information needed to ensure that appropriate systems controls are selected that protect its information systems. Security Plans Contained Varying Levels of Information and Did Not Always Address Required Controls: An objective of system security planning is to improve the protection of information technology resources. A system security plan provides an overview of the system's security requirements and describes the controls that are in place--or planned--to meet those requirements. OMB Circular No. A-130 requires that agencies develop system security plans for major applications and general support systems, and that these plans address policies and procedures for providing management, operational, and technical controls.[Footnote 12] NIST Special Publication 800-53 states that the security plan should be updated to address changes to the system, its environment of operation, or problems identified during plan implementation or security control assessments. One of the controls recommended by NIST Special Publication 800-53 is the development of an inventory of an information system's components. This inventory should, among other things, accurately reflect the current information system, be consistent with the authorized boundary of the system, and be available for review. NARA's Security Architecture Planning Methodology also outlines security responsibilities, including responsibilities for information system owners and information owners to carry out related to system security plans. This methodology in turn mandates the use of baseline controls identified by NIST in Special Publication 800-53.[Footnote 13] NARA prepared and documented security plans for the 10 systems and networks we reviewed. All system security plans that we reviewed, with the exception of NARANET's wireless plan, identified management, technical, and operational controls, in accordance with NIST guidance and NARA policy. However, NARA did not always include required controls in its system security plans. For example, 7 of the 13 system security plans [Footnote 14] reviewed did not include a system component inventory or address where that inventory could be found. In addition, NARA has not updated its badge and access system security plan since 2003, despite replacing the system in 2007. NARA had scheduled to correct this weakness by the end of 2009, but as of September 2010 it had not been corrected. Further, NARA system security plans varied in documenting security roles and responsibilities for key individuals. Some plans were missing one or more assignments for these roles. Specifically, 6 of the 13 plans did not have the required information system owner role identified, and none of the plans reviewed had the information owner role identified or assigned. By not addressing inventory control and assigning key security responsibilities in the system security plan, NARA increases the risk that critical information may not be available to those responsible for implementing system security plans, potentially causing a misapplication of controls to the system. Security Awareness Training and Specialized Security Training Were Not Effectively Tracked: According to FISMA, an agencywide information security program must include security awareness training for agency personnel, contractors, and other users of information systems that support the agency's operations and assets. This training must cover (1) information security risks associated with users' activities and (2) users' responsibilities in complying with agency policies and procedures designed to reduce these risks. FISMA also includes requirements for training personnel with significant responsibilities for information security. In addition, OMB requires that personnel be trained before they are granted access to systems or applications. The training is intended to ensure that personnel are aware of the system or application's rules, their responsibilities, and their expected behavior. Further, NARA policy requires that managers and users of NARA information systems be made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of NARA information systems. The policy also states that NARA must ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. NARA has a security awareness training program in place and maintains records of this training in its Learning Management System. Users are required to complete a Web-based course and, after completion, acknowledge they have reviewed and understand their security responsibilities. According to NARA's fiscal year 2009 FISMA report, the CIO reported that 100 percent of NARA's employees had received security awareness training. NARA's Inspector General concurred with this assessment. The CIO also reported that 50 employees had significant security responsibilities, and that all 50, had received specialized training. NARA's Inspector General reported a higher number stating that 114 employees had significant security responsibilities, and that 83 (73 percent) received specialized training. However, records from NARA's training system indicated that not all users had both completed the training and acknowledged that they reviewed and understood their security responsibilities in fiscal year 2009. According to NARA's records, as of August 20, 2009, 563 of 4,536 [Footnote 15] individuals had completed only the class portion (12 percent) and 369 individuals (8 percent) had completed only the acknowledgment portion (although in many cases had at least started the class portion). Seven hundred and forty-nine individuals (17 percent) had not completed either portion (see figure 2). Figure 2: User Completion of NARA Security Awareness Training: [Refer to PDF for image: pie-chart] Only acknowledgment portions: 8%; Only class portions: 12%; Both portions: 63%; None: 17%. Source: GAO analysis of NARA data. [End of figure] According to NARA's Chief Information Security Officer, limitations in the training tracking system led NARA to give credit for a user interacting with the system in some way, meaning that a user who had at least started the training course received credit for the security awareness training. In addition, records of specialized security training provided by NARA indicated that 115 individuals were required to take specialized security training; of these 115, 48 (42 percent) had no record of taking specialized training. NARA officials stated that these individuals were provided with an alternate form of training to ensure their compliance with FISMA, such as a one-on-one review or an opportunity to review briefing slides. Without an effective method for tracking that employees and contractors fully complete security awareness training, NARA has less assurance that staff are aware of the information security risks and responsibilities associated with their activities. In addition, without ensuring that all employees with specialized security responsibilities receive adequate specialized training, NARA's ability to implement security measures effectively could be limited. NARA Did Not Fully Test Controls: A key element of an information security program is to test and evaluate policies, procedures, and controls to determine whether they are effective and operating as intended. This type of oversight is fundamental because it demonstrates management's commitment to the security program, reminds employees of their roles and responsibilities, and identifies and mitigates areas of noncompliance and ineffectiveness. FISMA requires that the frequency of tests and evaluations of management, operational, and technical controls be based on risks and occur no less than annually. OMB requires that systems be authorized for processing at least every 3 years. NARA's policy for testing is consistent with FISMA and requires that certification testing be conducted in support of system authorizations or accreditations. NARA had conducted tests for each of the 10 systems we reviewed; however, it had not sufficiently tested controls for 2 systems. For example, the management and operational controls for 1 system were not tested at least annually. Although NARA tested technical controls and documented test results for that system, it did not test and document the results for the system's management and operational controls. Another system had not been tested to support its accreditation since 2003. While an annual assessment was conducted in 2009 for that system, NARA's 2007 security accreditation memorandum stated that certification testing had not been performed. As a result, NARA may have reduced assurance that controls over its information and information systems are adequately implemented and operating as intended. Remedial Action Plans Were Not Reliably Maintained: Remedial action plans, also known as plans of action and milestones (POA&M), help agencies identify and assess security weaknesses in information systems, set priorities, and monitor progress in correcting the weaknesses. NIST guidance states that each federal civilian agency must report all incidents and internally document remedial actions and their impact. POA&Ms should be updated to show progress made on current outstanding items and to incorporate the results of the continuous monitoring process. In addition, FISMA and NARA policy require the agency CIO to report annually to the agency head on the effectiveness of the agency information security program, including progress on remedial actions. NARA has implemented a remedial action process to assess and correct security weaknesses. The format for its system-level POA&Ms includes the types of information specified in NIST and OMB guidance, such as a description of the weakness, resources required to mitigate it, scheduled completion date, the review that identified the weakness, and the status of corrective actions (ongoing or completed). Although NARA has developed POA&Ms to address known weaknesses, the agency does not always update these plans or complete remedial actions in a timely manner. For example, a POA&M for a system designed to receive, preserve, and provide access to electronic records is dated December 2008. None of the remedial actions described in this plan were marked as completed as of April 2010. Additionally, 8 of 10 POA&Ms that we assessed contained blank entries or "to be determined" notations for some required information. These 8 did not provide all of the information for resources needed, scheduled completion dates, milestones, or the security review that identified the weakness. In addition, a POA&M maintained by the Office of Information Services did not include information about resources required to correct these weaknesses. This lack of information about resource requirements may inhibit the agency's efforts to correct the security weaknesses. Outdated and incomplete POA&Ms compromise the ability of the CIO and other NARA officials to track, assess, and report accurately the status of the agency's information security. Security Incident Tracking Was Inconsistent: Although strong controls may not block all intrusions and misuse, agencies can reduce the risks associated with such events if they take steps to detect and respond to them before significant damage occurs. Accounting for and analyzing security problems and incidents are also effective ways for an agency to improve its understanding of threats and the potential costs of security incidents, and doing so can pinpoint vulnerabilities that need to be addressed so that they are not exploited again. FISMA requires that each federal agency implement an information security program that includes procedures for detecting, reporting, and responding to security incidents. When incidents occur, agencies are to notify the federal information security incident center--the United States Computer Emergency Readiness Team (US-CERT). NARA has an incident response methodology and maintains an incident database with information about the categorization and analysis of incidents. However, NARA was not able to locate all of its weekly reports for incidents and did not consistently apply its criteria for incident categorization. According to the NARA incident response methodology, incidents involving the disclosures of personally identifiable information, even if the disclosure did not involve an IT system, should be categorized under "Investigation" (Category 6). While the records indicate that NARA reported these disclosures to US- CERT, NARA did not list them as Category 6. NARA also categorized many of its computer security incidents inconsistently. Of 640 total incidents, 139 were classified as "Explained Anomaly" (Category 7). According to the NARA incident response methodology, this category is usually reserved for false positives and other explained anomalies. However, NARA classified a number of incidents in this category, even when the incident was not a false positive or could have been placed into another category. For example, NARA experienced site-redirection events--where a user was unwittingly directed to a malicious Web site while trying to access a legitimate site. This is a form of social engineering, which is categorized in the NARA incident response methodology under a separate category (Category 5). In addition, incidents where encrypted laptops were stolen were included in the "Explained Anomaly" category, though the NARA incident response methodology indicates that they should have been placed in Category 1, which indicates that unauthorized access may have occurred. NARA policy requires that staff be assigned and trained for the incident response team. While NARA tracks information security incidents and their resolution, it has not formally tracked training held for incident response. NARA officials have stated that they are in the process of formalizing this training program. Without ensuring that incident response personnel have received appropriate training, NARA's ability to implement security measures effectively could be limited. Further, without categorizing incidents appropriately, NARA's ability to analyze incidents for follow-on actions could be diminished, and corrective actions for protecting agency resources may not be taken. Contingency Plans Were Developed for Most Systems: Contingency planning is a critical component of information protection. If normal operations are interrupted, network managers must be able to detect, mitigate, and recover from service disruptions while preserving access to vital information. Therefore, a contingency plan details emergency response, backup operations, and disaster recovery for information systems. It is important that these plans be clearly documented, communicated to potentially affected staff, updated to reflect current operations, and regularly tested. Moreover, if contingency planning controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which can lead to financial losses, expensive recovery efforts, and inaccurate or incomplete information. FISMA requires each agency to develop, document, and implement plans and procedures to ensure continuity of operations for information systems that support the agency's operations and assets. Both NIST and NARA require that contingency plans be developed and tested for information systems. NARA developed contingency plans for 9 of the 10 systems we reviewed. Further, NARA had tested each of the contingency plans. However, a contingency plan was not developed for a system key to tracking physical records. NARA identified this weakness, but had not corrected it during the time of our review. Although all the systems in our review were tested for contingencies, NARA has less assurance that it can appropriately recover a key system in a timely manner from certain service disruptions. Conclusions: NARA has taken important steps in implementing controls to protect the information and systems that support its mission. However, significant weaknesses in access controls and other information security controls exist that impair its ability to ensure the confidentiality, integrity, and availability of the information and systems supporting its mission. The key reason for many of the weaknesses is that NARA has not yet fully implemented elements of its information security program to ensure that effective controls are established and maintained. Effective implementation of such a program includes establishing appropriate policies and procedures, providing security awareness training, responding to incidents, and ensuring continuity of operations. Ensuring that NARA implements key information security practices and controls also requires effective management oversight and monitoring. However, until NARA implements these controls, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, disclosure, modification, or loss. Recommendations for Executive Action: To help establish an effective information security program for NARA's information and information systems, we recommend that the Archivist of the United States take the following 11 actions: * Update NARA's system documentation and inventory to reflect accurate FIPS 199 categorizations. * Conduct physical security risk assessments of NARA's buildings and facilities based on facility-level and federal requirements. * Revise NARA's IT security methodologies, including those for access controls, certification and accreditation, and contingency planning, to include NIST's minimum system control requirements. * Include inventory information and roles and responsibilities assignments in system security plans. * Improve NARA's training process to ensure that all required personnel meet security awareness training requirements. * Implement a process that ensures all required NARA personnel with significant security responsibilities meet specialized training requirements. * Test management, operational, and technical controls for all systems at least annually. * Conduct certification testing when authorizing systems to operate. * Update remedial action plans in a timely manner and include required resources necessary for mitigating weaknesses, scheduled completion dates, milestones, and how weaknesses were identified. * Improve the incident tracking process to ensure that incidents are appropriately categorized and that personnel responsible for tracking and reporting incidents are trained. * Develop a contingency plan for the system that tracks physical records. In a separate upcoming report with limited distribution, we plan to make 213 recommendations to enhance NARA's access controls to address the 142 weaknesses identified during this audit. Agency Comments and Our Evaluation: In providing written comments on a draft of this report (reprinted in app. III), the Archivist of the United States stated that he was pleased with the positive recognition of NARA's efforts and that he generally concurred with our recommendations. NARA also provided technical comments, which we have incorporated as appropriate. In addition, the Archivist in his comments disagreed with three of the report's findings. First, he disagreed that NARA's risk assessments in its systems inventory were incorrectly applied. However, our finding does not state that the risk assessments were incorrectly applied. Rather, as we discuss in the report, NARA system documentation and system inventories do not consistently reflect the FIPS 199 impact levels of its systems. These inconsistencies may reduce NARA's assurance that adequate controls are in place to protect its information and information systems. Thus, we continue to believe our finding is appropriate. Secondly, the Archivist disagreed that NARA policies and procedures were not always consistent with NIST guidance. As we discuss in our report, NIST states that an agency must first determine the security category of its information systems and then apply the appropriately tailored set of baseline security controls. However, NARA's policy prescribed controls based on the individual security objectives of confidentiality, integrity, and availability instead of applying controls based on a prior determination of the system's impact. We believe that without first identifying the impact of the system, NARA's policy may not provide the information needed to ensure that appropriate systems controls are selected that protect its information systems. Thus, we continue to believe our finding is valid. Lastly, the Archivist disagreed that the information owner role must be identified in each system security plan. However, NARA's policy as discussed in the report outlines key individual roles and responsibilities, including the information owner, which should be assigned for each system. By not clearly and consistently assigning these roles, NARA increases the risk that critical information may not be available to those responsible for implementing system security plans. Thus, we continue to believe our finding is valid. As we agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution of it until 30 days from the date of this letter. At that time, we will send copies of this report to interested congressional committees and to the Archivist of the United States. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions about this report, please contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512- 4499. We can also be reached by e-mail at wilshuseng@gao.gov or barkakatin@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IV. Sincerely yours, Signed by: Gregory C. Wilshusen: Director, Information Security Issues: Signed by: Dr. Nabajyoti Barkakati: Chief Technologist: [End of section] Appendix I: Objective, Scope, and Methodology: The objective of our review was to determine whether the National Archives and Records Administration (NARA) has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To determine the effectiveness of security controls, we gained an understanding of the overall network control environment, identified interconnectivity and control points, and examined controls for NARA's networks and facilities. Using our Federal Information System Controls Audit Manual[Footnote 16] which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information; National Security Agency guidance; National Institute of Standards and Technology (NIST) standards and guidance; and NARA's policies, procedures, practices, and standards, we evaluated these controls by: * reviewing network access paths to determine if boundaries were adequately protected; * reviewing the complexity and expiration of password settings to determine if password management was enforced; * analyzing users' system authorizations to determine whether they had more permission than necessary to perform their assigned functions; * observing methods for providing secure data transmissions across the network to determine whether sensitive data were being encrypted; * reviewing software security settings to determine if modifications of sensitive or critical system resources were monitored and logged; * observing physical access controls over unclassified and classified areas to determine if computer facilities and resources were being protected from espionage, sabotage, damage, and theft; * examining configuration settings and access controls for routers, network management servers, switches, and firewalls; * inspecting key servers and workstations to determine if critical patches had been installed and/or were up to date; * reviewing media handling policy, procedures, and equipment to determine if sensitive data were cleared from digital media before media were disposed of or reused; * reviewing nondisclosure agreements at select locations to determine if they are required for personnel with access to sensitive information; and: * examining access roles and responsibilities to determine whether incompatible functions were segregated among different individuals. Using the requirements identified by the Federal Information Security Management Act of 2002 (FISMA), which establishes key elements of an agencywide information security program, and associated NIST guidelines and NARA requirements, we evaluated the effectiveness of NARA's implementation of its security program by: * reviewing NARA's risk assessment process and risk assessments for 10 systems to determine whether risks and threats were documented consistent with federal guidance; * analyzing NARA policies, procedures, practices, and standards to determine their effectiveness in providing guidance to personnel responsible for securing information and information systems; * analyzing security plans for 10 out of 43 systems to determine if management, operational, and technical controls were in place or planned and whether security plans reflected the current environment; * examining the security awareness training process for employees and contractors to determine if they received training prior to system access; * examining training records for personnel with significant responsibilities to determine if they received training commensurate with those responsibilities; * analyzing NARA's procedures and results for testing and evaluating security controls to determine whether management, operational, and technical controls were sufficiently tested at least annually and based on risk; * evaluating NARA's process to correct weaknesses and determining whether remedial action plans complied with federal guidance; * reviewing incident detection and handling policies, procedures, and reports to determine the effectiveness of the incident handling program; * examining contingency plans for 10 systems to determine whether those plans were developed and tested; and: * reviewing three IT contracts to determine if security requirements were included. We also discussed with key security representatives and management officials whether information security controls were in place, adequately designed, and operating effectively. To establish the reliability of NARA's computer-processed data we performed an assessment. We evaluated the materiality of the data to our audit objectives and proceeded to assess the data by various means including: reviewing related documents, interviewing knowledgeable agency officials, and reviewing internal controls. Through a combination of methods we concluded that the data were sufficiently reliable for the purposes of our work. We conducted this performance audit from December 2009 to October 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. [End of section] Appendix II: NARA Organizational Chart: [Refer to PDF for image: organizational chart] Top level: Archivist of the United States: * Deputy Archivist of the United States; * Chief of Staff. Second level: Staff offices: * Congressional Affairs Staff; * General Counsel; * EEO and Diversity Programs; * Public Affairs and Communications Staff; * Policy and Planning Staff. Independent offices that report directly to the Archivist: * Information Security Oversight Office; * National Historical Publications and Records Commission; * Office of Government Information Services; * Office of the Inspector General. Major offices: * Office of Records Services, Washington, D.C. * Office of Regional Records Services; * Office of Presidential Libraries; * Office of the Federal Register; * Office of Information Services; * Office of Administration. Source: NARA. [End of section] Appendix III: Comments from the National Archives and Records Administration: National Archives: Archivist of the United States: David S. Ferriero: National Archives and Records Administration: 700 Pennsylvania Avenue, NW: Washington, DC 20408-0001: [hyperlink, http://www.archives.gov] Via messenger: October 5, 2010: Gregory C. Wilshusen: Director, Information Security Issues: United States Government Accountability Office: 44 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: Thank you for the opportunity to review and comment on the draft report entitled Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls. We are pleased to note the positive recognition of our efforts by the audit staff for this engagement. We also appreciate their willingness to work with us on fine tuning some of the language in the draft report, specifically regarding technical nuances. Finally, we agree that more action is needed. We disagree with certain findings in this report, specifically: * that our risk assessments in systems inventory are incorrectly applied (see page 26); * that our policies and procedures are not always consistent with NIST guidance (see page 27); and; * that the "owner role" must be identified in each system security plan (see page 31). In each case, we believe that we have demonstrated good faith efforts to keep these current, and acknowledge that sometimes things get missed. Nonetheless, we generally concur with each of the eleven recommendations. Many changes are underway at NARA, including a staff reorganization that will help us more effectively address these and other challenges we face. We will create an action plan for internal use and provide semi-annual updates on our progress. If you have questions regarding this information, please contact Mary Drak by email at mary.drak@nara.gov or by phone at 301-837-1668. Signed by: David S. Ferriero: Archivist of the United States: [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov. Dr. Nabajyoti Barkakati, (202) 512-4499, barkakatin@gao.gov. Staff Acknowledgments: In addition to the individuals named above, Edward Alexander, Lon Chin, West Coile, Anjalique Lawrence, and Chris Warweg (Assistant Directors); Gary Austin; Angela Bell; Larry Crosland; Saar Dagani; Kirk Daubenspeck; Denise Fitzpatrick; Fatima Jahan; Mary Marshall; Sean Mays; Lee McCracken; Jason Porter; Michael Redfern; Richard Solaski; and Jayne Wilson made key contributions to this report. [End of section] Footnotes: [1] GAO, Electronic Records Archives: Status Update on the National Archives and Records Administration's Fiscal Year 2010 Expenditure Plan, [hyperlink, http://www.gao.gov/products/GAO-10-657] (Washington, D.C.: June 11, 2010). [2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No.107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). [3] Root accounts have special privileges beyond normal accounts for access to files and programs. Allowing remote login to root accounts decreases individual accountability because the root account is not tied to a specific user. [4] Source routing is a feature that allows a packet to specify its own route, which can be helpful in several kinds of attack and should be disabled. [5] FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). [6] A degausser is a device that generates a magnetic field used to sanitize magnetic media. [7] The process of removing sensitive information from computer media is often referred to as sanitization. It includes removing all labels, markings, and activity logs. NIST Guidelines for Media Sanitization, Special Publication 800-88 (Gaithersburg, Md., September 2006), provides guidance on appropriate sanitization equipment, techniques, and procedures. [8] NIST Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, defines three impact levels where the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (low), a serious adverse effect (moderate), or a severe or catastrophic adverse effect (high) on organizational operations, organizational assets, or individuals. [9] NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199 (Gaithersburg, Md., February 2004). [10] According to the Federal Interagency Security Committee Standard "Facility Security Level Determinations for Federal Facilities," federal organizations are required to perform risk assessments at least every 3 to 5 years, depending on the level of the facility. Facilities visited at NARA were rated at a level requiring a frequency of at least 3 years. [11] NIST, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53, Revision 3 (Gaithersburg, Md., August 2009). [12] OMB, Management of Federal Information Resources, Circular No. A- 130 (Nov. 28, 2000). [13] NIST, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53, Revision 3 (Gaithersburg, Md., August 2009). [14] NARANET has system security plans for four subcomponents: (1) the General Support System (GSS) Application Servers; (2) desktops; (3) enterprise architecture wireless; and (4) GSS file, print, and e-mail. [15] 4,536 is the total number of employees and contractors who are required to complete the security awareness training. [16] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington D.C.: February 2009). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: