U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


NARA's FY 2021 Federal Information Security Modernization Act of 2014 Audit

Report Information

Date Issued
Report Number
Report Type
Joint Report
Agency Wide
Yes (agency-wide)
Questioned Costs
Funds for Better Use


Ensure all systems have POA&Ms created
when weaknesses are identified, to include completion dates; are remediated timely; and are updated to include detailed information on the status of corrective actions. (Recommendation #6, FY 2018 FISMA Audit...

Ensure plans of actions and milestones are
created, updated, remediated, and closed, for each system (including for "failed" controls identified in Security Assessment Reports), in accordance with NARA policies, guidance and directives. (New...

Ensure plans of actions and milestones for the
NARANet and OFAS systems are created, updated and remediated, for each system, in accordance with NARA policies, guidance and directives, to include enhanced POA&M closure procedures. (Recommendation #6...

Ensure inconsistencies described regarding the
POA&M closure process stated within and between the CFM, NARA IT Security Methodology for Certification and Accreditation (CA) and Security Assessments, and the NARA ISSO Guide are identified and...

Identify all FISMA reportable systems in which
the Authorizing Official (AO) listed within the Authorization to Operate (ATO), has subsequently changed. (New Recommendation)

For those systems identified in which the AO
listed in the ATO has changed, NARA should follow the NARA Security Methodology for Certification and Accreditation and Security Assessment in regards to requirements upon changes in AO. This is a separate...

Update the CFM for ongoing authorizations, to
include examples of situations where a change in status could prompt the independent security control assessor to recommend re-certification of a system. (New Recommendation)

Identify all system security plans, which are missing attributes, then update so these values are populated. (New Recommendation)

Conduct a security control assessment of the AERIC Title 13 system, with results documented within a SAR. (New Recommendation)

Ensure individual system security plans are revised (as needed) to reflect the changes made to the standard data elements/taxonomy for hardware inventories, within the CFM. (New Recommendation)

Perform a reconciliation of all NARA hardware
asset inventories to ensure all data such as assignments and status are accurately and completely stated, investigating any unusual or potentially duplicate entries, and making revisions as needed. (New...

Upon completion of the FY 2021 annual laptop
asset inventory and the reconciliation of any discrepancies, update NARA asset management policies and procedures to reflect lessons learned to improve the accuracy, completeness, and timeliness of NARA’s...

Reconcile departure reports received from Human Capital to the asset management inventory system, on a regular basis (e.g., monthly, quarterly, etc.) to ensure updates are being made in a timely manner and are accurate to reflect separated or transferred...

Develop and communicate an organization wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks. (New Recommendation)

Document and implement a process to track and remediate persistent configuration vulnerabilities or document acceptance of the associated risks. (Recommendation #8, FY2020 Financial Audit Report #

Implement remediation efforts to address security deficiencies on affected systems identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance
of the associated risks. (Recommendation #9, FY2020...

Assess applications residing on unsupported platforms to identify a list of applications, all servers associated to each application, and the grouping and schedule of applications to be migrated, with the
resulting migration of applications to vendor-...

Fully complete the migration of applications to vendor supported operating systems. (Recommendation #10, FY2020 Financial Audit Report #21-AUD-03)

Implement improved processes to remediate security deficiencies on NARA’s network infrastructure, to include enhancing its patch and vulnerability management program to address security deficiencies
identified during our assessments of NARA’s...

Ensure all information systems are migrated away from unsupported operating systems to operating systems that are vendor-supported. (Recommendation #13, FY2018 FISMA Audit Report #19-AUD-02)

Document, communicate and implement NARA’s configuration management processes applicable to all NARA systems, not just those under ECAB control, within NARA’s CM program management plan or
other NARA methodology. (New Recommendation)

Finalize and implement system configuration baseline management procedures, which encompass at a minimum, the request, documentation, and approval of deviations from baseline settings for all NARA systems. (New Recommendation)

Develop and implement a configuration management plan for the WTC system in accordance with NARA’s
configuration management plan templates, policies, and procedures. (New Recommendation)

Ensure system owners and ISSOs have completed an E-Authentication Threshold Analysis (ETA) for all
information systems, with a signed E-Authentication Risk Assessment (if required). (New Recommendation)

Review and reduce the number of NARA users assigned to the PIV debarment group and move to the PIV Mandatory group, using a risk-based decision process. (New Recommendation)

Continue and complete efforts to require PIV authentication for all privileged users, servers and
applications, through NARA’s Privileged Access Management authentication project and other efforts. (New Recommendation)

Enforce mandatory PIV card authentication for all NARANet users, in accordance with OMB requirements.
(New Recommendation)

Ensure a comprehensive ICAM policy or strategy, which includes the establishment of related SOPs, identification of stakeholders, communicating relevant goals, task assignments and measure and reporting progress, is developed and implemented. (New...

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information
technology policies and requirements. (Recommendation #1, FY 2020 Financial Audit
Report #21-AUD-03)

Ensure account reviews are completed in accordance with Access Control IT Methodology requirements.
(Recommendation #5, FY 2020 Financial Audit Report #21-AUD-03)

Ensure user system accounts for all systems are periodically reviewed and automatically disabled in
accordance with NARA policy. (Recommendation #15, FY 2018 FISMA Audit Report #19-AUD-02)

Ensure upon termination of employment, all system access is disabled in accordance with the applicable system security plan defined period, as described under control PS-4 “Personnel Termination.” (Recommendation #16, FY 18 FISMA Audit #19-AUD-02)

The SAOP review and update the “NARA 1609 Initial
Privacy Reviews and Privacy Impact Assessments” privacy policies and procedures to reflect NARA’s current processes and controls. (New Recommendation)

The CIO and SAOP implement a process to ensure
role-based privacy training is completed by all personnel having responsibility for PII or for activities that involve PII, and content includes, as appropriate: responsibilities under the Privacy Act of...

Coordinate with system owners and ISSOs, identify and remediate inconsistencies in contingency plan testing requirements between the CFM and the NARA IT Security Methodology for Contingency Planning, to ensure requirements are more clearly defined and...