As has been widely reported, last month the Government Accountability Office released the long-awaited reports on two audits of the National Archives and Records Administration’s oversight and management and information security. The results are a mixed bag, but indicate that NARA is continuing to learn from its past mistakes.
Here are some of the highlights:
Oversight and Management
- The Good: NARA has resumed agency inspections, has begun regular self-assessments as well as surveys of agency information and records management (IRM) practices across the government, and is actively seeking out opportunities for interagency collaboration.
- The Bad: Despite being singled out by OMB as a high-priority project with potential for improvement, the Electronic Records Archive (ERA) is not only in danger of missing the target date for completion of the all-important preservation module, but is at risk of failure altogether. (See also “NARA’s new ‘ERA’: 40 years in the making” on the Active Voice blog)
- The Ugly: 80 percent of federal agencies are at “moderate to serious risk” of destroying electronic and paper records out of compliance with applicable schedules, partly as a result of insufficient oversight, enforcement, or guidance by NARA.
- The Good: Steps have been taken to implement rights access controls, response protocols for security breaches, and encryption of sensitive data.
- The Bad: NARA’s network is still not very secure from unauthorized access, and staff are generally ill-trained in information security policies and practices. Remedial actions to known issues haven’t been taken, and software patches have not been implemented consistently.
- The Ugly: Unencrypted transmissions of sensitive information and the use of unencrypted logins to access the network from remote sites are almost routine among NARA staff at Archives I and II and throughout the regional records facilities.
The NARA strategic plan through 2016 specifies six strategic goals:
- improving IRM leadership and services
- improving preservation and processing
- solving the electronic records crisis
- ensuring records are accessible and secure
- contribute to national literacy through educational programs, grants and outreach
- upgrade the agency’s infrastructure nationally
However, the GAO audits have found that the strategic plan continues to lack “clear lines of responsibility” for management and implementation of ERA, response to changing IRM needs of federal customers and the public, and agency-wide systems procurement and training. These, coupled with the weaknesses in access and information security controls, are crucial shortcomings.
Unless these shortcomings are addressed candidly and aggressively, NARA will continue to miss critically important oversight, management, and information security milestones — to the detriment of not only the smooth operation of the federal government, but also the history and heritage of the nation.