U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Audit of NARA’s Fiscal Year 2023 Consolidated Financial Statements

Report Information

Date Issued
Report Number
Report Type
Joint Report
Agency Wide
Yes (agency-wide)
Questioned Costs
Funds for Better Use


Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.

Coordinate with other departments as necessary, to implement an authoritative data source which provides the current status of NARA contractors and volunteers at the enterprise level.

Enforce mandatory Personal Identity Verification (PIV) card authentication for all NARANet users, in accordance with OMB requirements.

Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s identity and access management project and other efforts.

Ensure a comprehensive identity, credential, and access management (ICAM) policy or strategy, which includes the establishment of related standard operating procedures, identification of stakeholders, communicating relevant goals, task assignments, and...

Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks.

Implement remediation efforts to address security deficiencies on affected systems identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks.

Fully complete the migration of applications to vendor supported operating systems.

Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly as required within NARA’s Configuration Compliance Standard Operating Procedure.

Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training, have their accounts automatically disabled in accordance with timeframes promulgated within the Privacy and Awareness Handbook.