U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


NARA's Fiscal Year 2023 Federal Information Security Modernization Act of 2014 Audit

Report Information

Date Issued
Report Number
Report Type
Joint Report
Agency Wide
Yes (agency-wide)
Questioned Costs
Funds for Better Use


Reconcile departure reports received from Human Capital to the asset management
inventory system, on a regular basis (e.g., monthly, quarterly, etc.) to ensure updates are
being made in a timely manner and are accurate to reflect separated or...

. Ensure complete security authorization packages for each major application and general
support system is completed prior to deployment into production. (Recommendation #1
from FY 2022 FISMA audit, report #22-AUD-09)

Ensure the Information System Security Officers are reviewing system configuration
compliance scans monthly as required within NARA’s Configuration Compliance
Management Standard Operating Procedure. (New Recommendation)

Document Information Services review of Cross-site Request Forgery tokens for external
web applications and if an issue is identified, document the remediation efforts or other
existing mitigations in place to protect against cross site forgery...

Implement improved processes to remediate security deficiencies on NARA’s network
infrastructure, to include enhancing its patch and vulnerability management program to
address security deficiencies identified during our assessments of NARA’s...

Implement remediation efforts to address security deficiencies on affected systems
identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks. (Recommendation #16 from...

Document and implement a process to track and remediate persistent configuration
vulnerabilities or document acceptance of the associated risks. (Recommendation #15
from the FY 2021 FISMA audit, report #22-AUD-04)

Ensure all information systems are migrated away from unsupported operating systems
to operating systems that are vendor-supported. (Recommendation #18 from the FY 2021
FISMA audit, report #22-AUD-04)

Finalize and implement system configuration baseline management procedures, which
encompass at a minimum, the request, documentation, and approval of deviations from
baseline settings for all NARA systems. (Recommendation #22 from the FY 2021 FISMA...

Document, communicate and implement NARA’s configuration management processes
applicable to all NARA systems, not just those under Enterprise Change Advisory Board
(ECAB) control, within NARA’s Configuration Management (CM) program management
plan or...

Enhance current procedures to ensure that new NARA users who do not complete their
initial security awareness training, have their accounts automatically disabled in
accordance with timeframes promulgated within the Privacy and Awareness Handbook.

Continue and complete efforts to require PIV authentication for all privileged users, servers
and applications, through NARA’s Privileged Access Management authentication project
and other efforts. (Recommendation #26 from the FY 2021 FISMA audit,...

Enforce mandatory PIV card authentication for all NARANet users, in accordance with
OMB requirements. (Recommendation #27 from the FY 2021 FISMA audit, report #22-

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s
information technology policies and requirements. (Recommendation #29 from the
FY 2021 FISMA audit, report #22-AUD-04)

Ensure that the SAOP complete PIAs for all systems which contain PII. (New

The SAOP review and update the NARA 1609 Initial Privacy Reviews and Privacy Impact
Assessments privacy policies and procedures to reflect NARA’s current processes and
controls. (Recommendation #33 from the FY 2021 FISMA audit, report #22-AUD-04)

The CIO and SAOP implement a process to ensure role-based privacy training is
completed by all personnel having responsibility for PII or for activities that involve PII, and
content includes, as appropriate: responsibilities under the Privacy Act of...