Audit of NARA's Web Hosting Environment
Report Information
Recommendations
1. The Chief Operating Officer (COO) should coordinate with the Chief Innovation Officer (CINO) to clearly define a business owner for the public-facing website process.
2. The COO should coordinate with the CIO, the Office of Presidential Libraries, and the CINO to develop and document a centralized process to manage the public-facing websites.
3. The CIO and CINO should clearly define the roles and responsibilities throughout the process developed in recommendation #2.
4. The CIO and NGC should review and document the approval of all agreements for web hosting services.
5. The CIO should review all of the systems attached to the NARANet general support system to determine whether any others are not FISMA compliant.
6. The CIO should coordinate with the CINO to make the web hosting environment FISMA compliant.
7. The COO should coordinate with the CIO and CINO to evaluate whether all of the web hosting environments (internal and external) should be consolidated into one centralized system for FISMA purposes.
8. The CIO should provide Innovation with guidance that clearly delineates the management responsibilities for the web hosting environment between Information Services and Innovation.
9. The CIO, COO, and CINO should retroactively perform, or obtain from the contractor, vendor, or partner, IT security assessments of the vendors that currently host NARA websites.
10. The CIO should require that an IT security assessment be performed before NARA initiates a web hosting agreement.
11. The CIO should ensure that all IT service agreements with external contractors, vendors, or partners have a clause that requires NARA or an independent third-party contractor to annually perform an IT security assessment on that contractor's, vendor's, and...
12. The CIO should ensure that Information Services personnel document their review of the IT security assessments.
13. The CIO should ensure that Information Services includes an audit clause in the agreement that requires contractors, vendors, and partners to provide all documentation to the OIG without requiring a signed NDA.
14. The CIO should develop a process for managing access to shared user accounts.
15. The CIO should apply to the shared user accounts the annual compliance check that the User Account Management Standard Operating Procedure requires for Administrator accounts.
16. This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.