GAO: 'Significant' cybersecurity weaknesses at NARA


A whole slew of cybersecurity problems plague the National Archives and Records Administration, says the GAO in an Oct. 21 report.

An almost yearlong assessment of security controls by GAO auditors from December 2009 to October of this year found that "significant weaknesses" pervade NARA information technology systems.

Specifically, NARA hasn't always:

  • protected the boundaries of its networks by, for example, ensuring that all incoming traffic is inspected by a firewall;
  • enforced strong policies for identifying and authenticating users, meaning that some passwords weren't complex enough;
  • adhered to the principle of "least privilege" and limited user access within systems to just what is required to perform their jobs;
  • encrypted passwords and encryption keys;
  • kept logs of network activity and monitored all parts of its networks for possible security incidents; and
  • restricted physical access to IT equipment.

In addition, NARA hasn't segregated the duties of IT personnel and followed up on the plans of action and milestones to correct known security weaknesses.

Also, when making changes to its in-development Electronic Records Archives system, NARA hasn't consistently documented the status of change requests. Specifically, some change requests listed as "approved" for implementation in agency meeting notes were classed as "closed" in a configuration management repository, and some change requests classed as "canceled" in the repository were actually listed as "on hold" in meeting notes.

In the agency's official response to the report, National Archivist David Ferriero took exception to some GAO findings.

The GAO assertions that risk assessments in the systems inventory have been incorrectly applied, that NARA policies and procedures aren't always consistent with National Institute of Standards and Technology guidance, and that an owner should be identified for each system are incorrect, Ferriero said.

Nonetheless, NARA "generally" concurs with all of GAO's 11 recommendations, Ferriero added.

For more:
- download the report, GAO-11-20 (.pdf)
- read a statement from Ferriero regarding the GAO report
