Open Recommendations

The CIO should conduct the consolidation/virtualization analysis to investigate the impact of consolidating or virtualizing two major application domains (NISP and ERA) and the General Support System (NARANET) as planned, or evaluate other alternatives to increase the average server utilization rate.

We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C) ensure all classified system authorization packages are updated in accordance with NARA policy.

We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C) establish a timeline for review and approval of authorization documents.

We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C) obtain authorizations to operate for each of the classified systems or disallow them in accordance with NARA and Federal policy.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

The Archivist of the United States should demonstrate a commitment to the development, implementation, and operation of NARA’s ICP by ensuring Risk management responsibilities are included in the performance plans for program and function owners.

The Chief Innovation Officer and Executives for Research Services and Legislative Archives, Presidential Libraries and Museum Services should ensure comprehensive preservation policies and procedures for each of their organizations are developed and/or updated.

We recommend the Executive for Research Services should ensure An analysis is performed to determine if additional risk assessments for the Washington Area Archives and Presidential Libraries, including older holdings, should be completed.  Identify the risks for not completing the assessments.

The Chief Operating Officer should ensure a plan is developed, including a timeline, for when the archival storage facility reviews will be completed.  As a part of the reviews, identify facilities with (1) areas of non­-compliance, associated costs, risk if the actions are not completed, and an action plan, (2) structural, environmental control, fire safety, preservation, and security deficiencies that could be severe enough to permanently damage records.

The Chief Operating Officer should ensure an accurate listing of facilities currently non-compliant with the Standards, along with the area of deficiencies is identified and communicated.

The Chief Operating Officer should ensure resources needed to make all archival storage facilities compliant by 2016 are identified.  If the facility cannot be brought into conformance with the Standards, determine and document what mitigating actions have been or will be taken to minimize threats to the holdings.

The Chief Operating Officer should ensure PMRS is updated to accurately reflect percentage of archival holdings in appropriate space.

The Executive for Legislative Archives, Presidential Libraries, and Museum Services should Work with the Performance and Accountability Office to develop a performance measure for tracking the processing of electronic presidential records.

The Executive for Legislative Archives, Presidential Libraries, and Museum Services should determine the true backlog of electronic presidential records and determine if additional resources are needed and can be obtained to handle the increased workload.

We recommend the Executive for Business Support Services establish formal assessment criteria and future savings analysis for use in determining whether to cancel Energy Savings Performance Contracts.

We recommend NARA’s Chief Operating Officer (COO) ensure NARA IT investments do not bypass NARA’s CPIC process.

To ensure NARA IT investments do not bypass NARA’s CPIC process we recommend NARA’s Chief Operating Officer ensure the training guide for purchase card holders is updated to include a discussion of the requirements of NARA’s CPIC process.

We recommend that NARA incorporate the wireless network into its RMF process by performing the following SA&A tasks: authorize network operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

The CIO develop a process for managing access to shared user accounts.

The CIO should implement the annual compliance check required by the User Account Management Standard Operating Procedure for Administrator accounts to the shared user accounts.

Direct all Presidential Libraries to assess their holdings to determine the correct percentage of basic processing work as stipulated in NARA’s Analog Records Processing Policy.

Enhancing instructions to approving officials to look for sales tax paid by a cardholder, recurring purchases, and split purchases.

Enhancing the monitoring of the approving officials timely verification of purchase card transactions.

Documenting the monitoring of purchase card transactions to ensure cardholders’ recover sales tax paid and/or make a good-faith attempt to recover sales tax paid.

Documenting the monitoring of purchase card transactions to ensure split purchases are not occurring.

Monitoring purchase card transactions to ensure separation of duties from authorizing the purchases and making purchases.

Ensure Accounting Policy and Operations and Acquisitions purchase card policies are updated to reflect current practices.

Ensure Accounting Policy and Operations and Acquisitions update the controls and the methods used to monitor controls associated with the purchase card program.

Enforce the current policy of rescinding cardholder and approving official privileges if they fail to complete refresher training.

Improve the alternate control by informing cardholders and approving officials months prior to the refresher training due date.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

Establish and document an acquisition workforce strategic plan to address achieving the objectives of key acquisition positions.

Review, update, and implement revised NARA Directive 273, Administrative Procedures for Security Clearances, NARA Directive 273 Supplement, Supplement Administrative Procedures Related to Security Clearances and Applicant and Employee Rights, NARA Directive 275, Background and Identity Verification Process for Access Privileges, and NARA Directive 276, Employment or Service Suitability Determinations.

Ensure all Security Management Personnel Security staff is familiar with updated policies.

The Chief of Management and Administration and the Chief Operating Officer ensure the Risk Executive, Chief of Management and Administration, Chief Operating Officer, and Senior Accountable Official for risk management roles and responsibilities are fully and accurately defined in NARA policies.

The Chief of Management and Administration develop, document, implement, and disseminate an organizational risk management strategy and policy, in accordance with NIST 800-39, and a process for coordination between cybersecurity and enterprise risk management.

We recommend that NARA Chief Financial Officer report the ADA violation in accordance with 31 U.S.C. Section 1351,1517(b) and OMB Circular A-11, Section 145.

Designate an office to take the ownership of NARA’s inappropriate use program, and formally document and communicate to all stakeholders their management and oversight responsibilities for detecting and reporting suspected inappropriate use.

Update Supplement 1 to NARA Directive 363, NARA Penalty Guide, to include penalties for misusing government IT equipment and resources.

Strengthen contract oversight controls to ensure all contract deliverables are completed in a complete, accurate, and timely manner, as it relates to the analyzing and monitoring of inappropriate Internet use on NARA IT resources.

Ensure a process is developed to select sample inappropriate use occurrences on a periodic basis for further investigation and analysis.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.

Establish review and monitoring standards for loans and report the results of those activities.

Review, update, and implement revised policies and procedures related to the loan program including, NARA 1572, Preventing Theft and Vandalism of NARA Holdings in NARA Facilities, NARA 1611, Loans of Archival Holdings to Federal Originators, NARA 1611 Supplement, Procedures for Loans to Originators, NARA 1612, Exhibition Loans and Traveling Exhibits, NARA 1612 Supplement 1, Procedures for Exhibition Loans, and NARA 1702, Transporting Holdings in NARA's Physical and Legal Custody, to ensure they are reflective of current practices and the organizational structure.

Ensure current Research Services and Legislative Archives, Presidential Libraries, and Museum Services employees are familiar with and properly trained on the updated loan program.

Ensure NARA coordinates with the Central Intelligence Agency (CIA), Central Imagery Office, and United States Geological Survey, to review, cancel, update, or create a new Memorandum of Understanding (MOU), Declassified Imagery Transition, or other appropriate instrument, which is equal with NARA’s current operations for fulfilling loan requests.

Develop a strategy to work with Federal agencies to reduce the eligible disposal backlog.

Review policies and procedures and determine which internal stakeholders, including the IG, should be notified and revise policies and procedures as necessary.

Prioritize creation of DEER and DCR Audit Reports under the ARCIS contract.

Develop a strategy to transition agencies to use the ARCIS Customer Portal Disposition Module.

Develop and implement an ARCIS internal user manual.

Review unreimbursed official travel conference expenses identified during the audit and reimburse those employees for eligible expenses.

Review, update, and implement revised NARA 601, NARA Travel Policy, and NARA Travel Card Management Plan to reflect current practices, and the current versions of Federal Travel Regulation and Appendix B to OMB A-123, A Risk Management Framework for Government Charge Card Programs.

We recommend that the Chief Acquisition Officer ensure internal control on approval and coordination with PRISM support required to appropriately bypass FPDS-NG when modifying a document via the double-dash process (a 90000 administrative action modification) is implemented. Moreover, clearly document in the Supplement to NARA 501, Procurement Guide, that the double-dash contract modification is a 90000 administrative action.

Incorporate interim guidance into final policy directives per established guidance.

Update NARA 1572, Preventing Theft and Vandalism of NARA Holdings in NARA Facilities, and its Supplement(s) to include documented procedures that include simplified reporting of internal incidents of loss, theft, or damage of NARA holdings.

Use a system-approach that complies with Public Law 116-92, EEO MD-715, and 29 CFR 1614.

Review and evaluate current processes, procedures, and practices, make revisions, and implement guidance to improve efficiencies associated with obtaining contract award for conducting investigations and drafting final agency decisions.

Develop and implement processes and procedures to ensure the contractors adhere to the Statement of Work for Equal Employment Opportunity services, to include, but not limited to (1) completing investigations timely, (2) submitting authorizations for extensions, if necessary, and (3) submitting weekly status reports; and where applicable enforce any associated penalties for delays.

Define and formalize the roles and responsibilities of the Office of General Counsel in the processing of discrimination complaints. Specifically, implement policies and procedures to demonstrate the agency has a fair and impartial Equal Employment Opportunity process, to include but not limited to, ensuring: a clear separation between the agency’s Equal Employment Opportunity complaint program and its defensive function, and the agency representative does not intrude or have the appearance of intruding upon Equal Employment Opportunity counseling, investigations, and final agency decisions.

Establish and implement procedures to ensure agency responses submitted to Equal Employment Opportunity Commission in its EEO MD-715 submissions are accurate, complete, and supported by documentation.

Develop and implement controls to ensure standard operating procedures are kept up to date to reflect subsequent organizational, policy, or procedural changes that can affect processing of discrimination complaints.

Establish an automated and comprehensive inventory for managing and tracking software licenses.

Develop and implement a comprehensive software licensing policy that includes a methodology for analyzing and maintaining software usage data to determine the software license needs of the agency.

Reconsider the National Personnel Records Center’s definition of medical emergency, make any necessary changes to internal policy, communicate the definition to veterans and stakeholders, and implement procedures for how medical emergency requests are made and how they are validated.

We noted that in OIG Audit Report No. 17-AUD-15, a suggestion was made to “modify NARA's SDLC methodology to align it better for agile projects” that has not been addressed. In addition to resolving this issue, we recommend NARA’s Information Services review and update the SDLC Methodology to ensure it reflects current NARA practices related to system development methodologies utilized at the agency. NARA should modify the description of their SDLC methodology processes to be more agile, by adopting the cyclical approach described in GAO’s Agile Assessment Guide – Best Practices for Agile Adoption and Implementation. The system development process should be focused on producing working software for users to test after each agile iteration, and for the software to be updated with user feedback after each cycle.

We recommend NARA’s Office of the Chief Financial Officer finalize Interim Guidance 400-5, Capitalization Policy for NARA Assets on capitalization of costs for Software Development Projects and enhance to address the scenario where programming and development for internal software is outsourced to external contractors. This should include the types of costs to be capitalized, materiality, and documentation requirements.

Enhance current procedures to ensure that new NARA users who do not complete theirinitial security awareness training, have their accounts automatically disabled inaccordance with timeframes promulgated within the Privacy and Awareness Handbook.(New Recommendation)

Continue and complete efforts to require PIV authentication for all privileged users, serversand applications, through NARA’s Privileged Access Management authentication projectand other efforts. (Recommendation #26 from the FY 2021 FISMA audit, report #22-AUD04)

Enforce mandatory PIV card authentication for all NARANet users, in accordance withOMB requirements. (Recommendation #27 from the FY 2021 FISMA audit, report #22-AUD-04)

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’sinformation technology policies and requirements. (Recommendation #29 from theFY 2021 FISMA audit, report #22-AUD-04)

Ensure that the SAOP complete PIAs for all systems which contain PII. (NewRecommendation)

The SAOP review and update the NARA 1609 Initial Privacy Reviews and Privacy ImpactAssessments privacy policies and procedures to reflect NARA’s current processes andcontrols. (Recommendation #33 from the FY 2021 FISMA audit, report #22-AUD-04)

The CIO and SAOP implement a process to ensure role-based privacy training iscompleted by all personnel having responsibility for PII or for activities that involve PII, andcontent includes, as appropriate: responsibilities under the Privacy Act of 1974 andE-Government Act of 2002, consequences for failing to carry out responsibilities,identifying privacy risks, mitigating privacy risks, and reporting privacy incidents, datacollections and use requirements. (Recommendation #34 from the FY 2021 FISMA audit,report #22-AUD-04)

Ensure the Information System Security Officers are reviewing system configurationcompliance scans monthly as required within NARA’s Configuration ComplianceManagement Standard Operating Procedure. (New Recommendation)

Implement improved processes to remediate security deficiencies on NARA’s networkinfrastructure, to include enhancing its patch and vulnerability management program toaddress security deficiencies identified during our assessments of NARA’s applicationsand network infrastructure. (Recommendation #13 from the FY 2022 FISMA audit, report#22-AUD-09)

Document and implement a process to track and remediate persistent configurationvulnerabilities or document acceptance of the associated risks. (Recommendation #15from the FY 2021 FISMA audit, report #22-AUD-04)

Ensure all information systems are migrated away from unsupported operating systemsto operating systems that are vendor-supported. (Recommendation #18 from the FY 2021FISMA audit, report #22-AUD-04)

Finalize and implement system configuration baseline management procedures, whichencompass at a minimum, the request, documentation, and approval of deviations frombaseline settings for all NARA systems. (Recommendation #22 from the FY 2021 FISMAaudit, report #22-AUD-04)

Implement an automated process, which notifies all relevant IT system owners of pending separations and reassignments.

Determine whether individuals who departed NARA since April 27, 2020 still have access to related IT systems. Ensure IT system access for these individuals has been terminated.

Evaluate the process and/or definition for reassignments as defined in NARA 215 to ensure it meets the business needs of National Personnel Records Center’s Core environment.

Revise NARA 215 requirements for outstanding debt obligations for separating individuals.

Update and implement NARA 215 requirements to establish clear reporting lines among those units with off-boarding and property management duties.

Ensure communication of revised NARA 215 with NARA Clearance Officials.

Formally define and document in writing ISOO’s monitoring methodology to address at a minimum program risk, staff responsibilities, and monitoring of program performance.

Develop and implement written internal policies and procedures that provide clear guidelines and timelines for CUI program management and oversight processes.

Formally document processes in writing that detail ISOO personnel responsible for the preparation and regular review of CUI internal control activities and relevant risks.

Develop and document a CUI performance management and oversightplan (i.e., performance measures and controls that ensure compliance with relevant CUIpolicies and regulations) to address at a minimum staff responsibilities and frequency ofactivities performed.

Develop a plan that includes a timeline within which a preservation review will be performed of all NARA owned or leased records storage facilities to mitigate potential risks and ensure the long-term preservation and accessibility of valuable records;

Update policies and procedures to include established frequency ofreviews

Develop contingency plans for assigning responsibilities if a key role inthe entity is vacated. In addition, contingency plans should include implementation ofalternative procedures for preservation reviews when on-site visit is not possible or curtailedin the future. As an alternative, consider performing part of the preservation reviews remotewhere possible (i.e. review of preservation plans, inquiries of facility personnel, etc.)

Develop and implement a comprehensive SOP that can help mitigatethe above effects by providing clear guidelines, promoting consistency, and ensuringpreservation activities are conducted effectively, uniformly, and systematically across theorganization

Develop a prioritization method for preservation actions. BudgetRequests should be submitted for any additional resources necessary to complete prioritizedpreservation actions

Review all NARA facilities’ Plans annually to ensure they include allrequired minimum elements and that the Plans are reviewed annually by their respectivefacility director/administrator and Records Emergency Management Team (REMT)

Implement consistent controls across all facilities to maintain evidenceof annual review of the Plans by the facility director/administrator and REMT

Finalize and implement any remaining risk matrices for vulnerableaudio and video formats

Reconcile departure reports received from Human Capital to the asset managementinventory system, on a regular basis (e.g., monthly, quarterly, etc.) to ensure updates arebeing made in a timely manner and are accurate to reflect separated or transferredemployees and contractors.

Ensure audit logging is enabled for each major information system.

Ensure periodic reviews of generated audit logs are performed for each major informationsystem.

12. Ensure password configuration settings for all major information systems are in accordancewith NARA IT Security Requirements.

Ensure the use of shared/group accounts is restricted to only those users with a validbusiness justification, by enhancing user account review procedures to incorporate reviewsof shared/group account membership and reasonableness.

Ensure a process is developed, documented, and implemented to change passwordswhenever users within shared/group accounts change.

Ensure a comprehensive ICAM policy or strategy, which includes the establishment ofrelated Standard Operating Procedures (SOPs), identification of stakeholders,communicating relevant goals, task assignments and measure and reporting progress isdeveloped and implemented.

Implement requirements across all EL maturity tiers to ensure events are logged andtracked in accordance with OMB M-21-31.

Perform a reconciliation of all NARA hardware asset inventories to ensure all data such asassignments and status are accurately and completely stated, investigating any unusual orpotentially duplicate entries, and making revisions as needed.

Ensure IT policies, procedures, methodologies, and supplements are reviewed andapproved in accordance with NARA Directive 111.

Implement a process to ensure accounts with access to the Domain Administrators groupare appropriately assigned based on job responsibilities. If determined that an account canbe configured with more restrictive access, then implement a process to revoke the DomainAdministrator group membership and apply the most restrictive access.

Develop and implement policies and procedures for network user accounts to:• Create unique passwords for each service account.• Maintain a list of commonly used, expected, or compromised passwords.• Update the list on an organization defined timeframe and when organizationalpasswords are suspected to have been compromised directly or indirectly.• Verify (such as through regular password audits or system configurations), when userscreate or update passwords, that the passwords are not found on the list of commonlyused, expected, or compromised passwords.

Assess applications residing on unsupported platforms to identify a list of applications, allservers associated to each application, and the grouping and schedule of applications to bemigrated, with the resulting migration of applications to vendor-supported platforms.

Ensure user system accounts for all systems are periodically reviewed and automaticallydisabled in accordance with NARA policy.

Develop a formal work planning process that incorporatesthe selection criteria from the Handbook and requires thatACO teams clearly document the criteria used to selecteach agency in the inspection plans and reports.

Revise Standard Operating Procedure 2.2, section 12, toexplicitly require the inspection teams to document theanalyses they conduct to support their findings andrecommendations.

Develop a standard documentation template that ACOstaff can use to clearly document the deficienciesidentified during an inspection.

Migrate the existing program data from CARS to asupported in-house tool to better manage the data whilethe team completes the market research for a newprogram management information system.

Develop relevant internal controls (policies, procedures,and/or guidance) to ensure data entry is integrated intoACO’s daily workflow.

Complete the enterprise-wide data inventory.

Document and implement a standard operating procedureto maintain the enterprise-wide data inventory as new datacollections are created and old data collections are retired.

Collaborate with NARA’s Chief Information Officer todocument and implement a standardized process tomonitor service level agreements with cloud-based serviceproviders. The process should include the monitoringresponsibilities of the Contracting Officer’sRepresentatives and actions NARA should take if acontractor does not meet the defined service levels.

Document and implement a process to incorporate theCloud Service Provider's Quality Assurance SurveillancePlan as part of future cloud service contracts. Whereincorporation of a Cloud Service Provider QualityAssurance Surveillance Plan is not anticipated, NARAshould incorporate its own Quality Assurance SurveillancePlan and service level agreements at the solicitationphase, these should align with commercial best practices.

Implement a documented process requiring the assignment of aQuality Assurance Evaluator for future relocation of records project(s).

Ensure a Quality Assurance Surveillance Plan is developed andimplemented requiring onsite supervision to provide proper oversight and compliancewith the PWS.

In collaboration with applicable parties, ensure PWS requirementsare developed to reflect the procedures necessary to protect and account for therelocation of archival records that should include:a. Implementing a documented process requiring the assignment of a QualityAssurance Evaluator for future relocation of records project(s).

In collaboration with applicable parties, ensure PWS requirementsare developed to reflect the procedures necessary to protect and account for therelocation of archival records that should include:Ensuring a Quality Assurance Surveillance Plan is developed, approved, andimplemented requiring onsite supervision to provide proper oversight andcompliance with the PWS.

Develop and implement standard operating procedures to ensurethat Research Services personnel comply with the PWS requirements.

Develop and implement standard operating procedures tocommunicate final PWS requirements to all responsible parties before the contract isawarded.

Implement a process to ensure accounts with access to the Domain Administrators group are appropriately assigned based on job responsibilities. If determined that an account can be configured with more restrictive access, then implement a process to revoke the Domain Administrator group membership and apply the most restrictive access.

Fully complete the migration of applications to vendor supported operating systems.

Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly as required within NARA’s Configuration Compliance Standard Operating Procedure.

Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training, have their accounts automatically disabled in accordance with timeframes promulgated within the Privacy and Awareness Handbook.

Implement requirements across all event logging maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

Develop and implement policies and procedures for network user accounts to:
a. Create unique passwords for each service account;
b. Maintain a list of commonly used, expected, or compromised passwords;
c. Update the list on an organization defined timeframe and when organizational passwords are suspected to have been compromised directly or indirectly;
d. Verify (such as through regular password audits or system configurations), when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords.

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.

Coordinate with other departments as necessary to implement an authoritative data source which provides the current status of NARA contractors and volunteers at the enterprise level.

Enforce mandatory Personal Identity Verification (PIV) card authentication for all NARANet users, in accordance with OMB requirements.

Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s identity and access management project and other efforts.

Ensure a comprehensive identity, credential, and access management (ICAM) policy or strategy, which includes the establishment of related standard operating procedures, identification of stakeholders, communicating relevant goals, task assignments, and measure and reporting progress is developed and implemented.

Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks.

Implement remediation efforts to address security deficiencies on affected systems identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks.

Update the travel policy and continue efforts to ensure that all written policies and
procedures are reviewed and revised in a timely manner.