
Open Recommendations


Audit of NARA's Purchase Card Program

  • Recommendation # 1a

    Enhancing instructions to approving officials to look for sales tax paid by a cardholder, recurring purchases, and split purchases.


  • Recommendation # 1b

    Enhancing the monitoring of approving officials' timely verification of purchase card transactions.


  • Recommendation # 1c

    Documenting the monitoring of purchase card transactions to ensure cardholders recover sales tax paid and/or make a good-faith attempt to recover sales tax paid.


  • Recommendation # 1d

    Documenting the monitoring of purchase card transactions to ensure split purchases are not occurring.


  • Recommendation # 1e

    Monitoring purchase card transactions to ensure separation of duties between authorizing purchases and making purchases.


  • Recommendation # 2

    Ensure Accounting Policy and Operations and Acquisitions purchase card policies are updated to reflect current practices.


  • Recommendation # 3

    Ensure Accounting Policy and Operations and Acquisitions update the controls and the methods used to monitor controls associated with the purchase card program.


  • Recommendation # 4

    Enforce the current policy of rescinding cardholder and approving official privileges if they fail to complete refresher training.


  • Recommendation # 5

    Improve the alternate control by informing cardholders and approving officials months prior to the refresher training due date.



Audit of NARA's Work at Home System

  • Recommendation # 7

    The CIO ensures that the WAHS meets OMB and NIST requirements prior to full implementation.



Audit of NARA's Oversight of Electronic Records Management in the Federal Government

  • Recommendation # 5

    The Assistant Archivist for Records Services, Washington D.C. should ensure development of controls to adequately monitor agency scheduling of electronic records, in an effort to reasonably ensure electronic records/systems are scheduled in a timely manner and therefore provide a reasonably accurate reflection of the universe of electronic records.



Network Vulnerability Assessment and Penetration Testing

  • Recommendation # 3c

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.



Audit of NARA's Data Center Consolidation Initiative

  • Recommendation # 3

    The CIO should conduct the consolidation/virtualization analysis to investigate the impact of consolidating or virtualizing two major application domains (NISP and ERA) and the General Support System (NARANET) as planned, or evaluate other alternatives to increase the average server utilization rate.



Audit of NARA's Classified Systems

  • Recommendation # 1

    We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C), ensure all classified system authorization packages are updated in accordance with NARA policy.


  • Recommendation # 2

    We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C), establish a timeline for review and approval of authorization documents.


  • Recommendation # 4

    We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C), obtain authorizations to operate for each of the classified systems or disallow them in accordance with NARA and Federal policy.



Network Discovery and Assessment

  • Recommendation # 14

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 48

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.



Audit of NARA's Internal Control Program

  • Recommendation # 1e

    The Archivist of the United States should demonstrate a commitment to the development, implementation, and operation of NARA’s ICP by ensuring risk management responsibilities are included in the performance plans for program and function owners.



Audit of NARA's Preservation Program

  • Recommendation # 2

    The Chief Innovation Officer and Executives for Research Services and Legislative Archives, Presidential Libraries and Museum Services should ensure comprehensive preservation policies and procedures for each of their organizations are developed and/or updated.


  • Recommendation # 5a

    We recommend the Executive for Research Services ensure an analysis is performed to determine if additional risk assessments for the Washington Area Archives and Presidential Libraries, including older holdings, should be completed, and identify the risks of not completing the assessments.



Audit of NARA's Preservation Program: NARA Archival Facilities

  • Recommendation # 1b

    The Chief Operating Officer should ensure a plan is developed, including a timeline, for when the archival storage facility reviews will be completed. As a part of the reviews, identify facilities with (1) areas of non-compliance, associated costs, risk if the actions are not completed, and an action plan, and (2) structural, environmental control, fire safety, preservation, and security deficiencies that could be severe enough to permanently damage records.


  • Recommendation # 1c

    The Chief Operating Officer should ensure an accurate listing of facilities currently non-compliant with the Standards, along with the areas of deficiency, is identified and communicated.


  • Recommendation # 1d

    The Chief Operating Officer should ensure resources needed to make all archival storage facilities compliant by 2016 are identified.  If the facility cannot be brought into conformance with the Standards, determine and document what mitigating actions have been or will be taken to minimize threats to the holdings.


  • Recommendation # 1e

    The Chief Operating Officer should ensure PMRS is updated to accurately reflect the percentage of archival holdings in appropriate space.



Audit of NARA's Processing of Textual Records

  • Recommendation # 5a

    The Executive for Legislative Archives, Presidential Libraries, and Museum Services should work with the Performance and Accountability Office to develop a performance measure for tracking the processing of electronic presidential records.


  • Recommendation # 5b

    The Executive for Legislative Archives, Presidential Libraries, and Museum Services should determine the true backlog of electronic presidential records and determine if additional resources are needed and can be obtained to handle the increased workload.



Audit of Select Aspects of NARA's Sustainability Program: Energy Savings Performance Contracts

  • Recommendation # 8

    We recommend the Executive for Business Support Services establish formal assessment criteria and future savings analysis for use in determining whether to cancel Energy Savings Performance Contracts.



Audit of NARA's CPIC Process

  • Recommendation # 1b

    We recommend NARA’s Chief Information Officer (CIO) ensure NARA’s documented CPIC policy is updated and formalized to reflect the current processes in use by NARA. This includes ensuring all required CPIC related documentation is completed for all NARA IT investments going through the CPIC process.


  • Recommendation # 1c

    We recommend NARA’s Chief Information Officer (CIO) ensure NARA’s documented CPIC policy is updated and formalized to reflect the current processes in use by NARA. This includes requiring the creation and use of a checklist outlining the IT governance related documentation required to be completed for all IT investments going through the CPIC process.


  • Recommendation # 3

    We recommend NARA’s Chief Operating Officer (COO) ensure NARA IT investments do not bypass NARA’s CPIC process.


  • Recommendation # 5

    To ensure NARA IT investments do not bypass NARA’s CPIC process, we recommend NARA’s Chief Operating Officer ensure that I-P maintains documentation of its approval of IT investments in PRISM, and that I-P’s PRISM approval of IT investments is tested on an annual basis, with all documentation of this testing sent to NARA’s internal controls group.


  • Recommendation # 6

    To ensure NARA IT investments do not bypass NARA’s CPIC process, we recommend NARA’s Chief Operating Officer ensure the training guide for purchase card holders is updated to include a discussion of the requirements of NARA’s CPIC process.


  • Recommendation # 8

    We recommend NARA’s Chief Information Officer ensure NARA’s IT governance process, which includes CPIC, incorporates the lessons learned when Directive 801 was followed to create a more user-friendly, streamlined and transparent policy where CPIC requirements align closely with the costs of IT investments.



Oversight of the Audit of Enterprise Wireless Access

  • Recommendation # 1e

    We recommend that NARA incorporate the wireless network into its RMF process by performing the following SA&A tasks: authorize network operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.



Audit of NARA's Mobile Device Management

  • Recommendation # 2

    We recommend NARA’s Chief Information Officer review and update NARA's current policy documents for use of NARA-issued mobile devices, including NARA 813-1 and NARA 802, to reflect more complete and accurate information on acceptable uses of the devices and when disciplinary action will be required.


  • Recommendation # 4

    We recommend NARA’s Chief Information Officer develop a formal policy for interaction of NARA-issued mobile devices with other systems and update NARA 813-1 to clearly reflect the policy.



Audit of NARA's Specially Protected Holdings

  • Recommendation # 5a

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure SPHs inventory listings are completed at the item level, and establish a timeframe for when the listings must be completed. Additionally, communicate with other offices to identify best practices used in documenting their inventories.


  • Recommendation # 5b

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure inventory listings are reviewed to determine their accuracy and updated as necessary.


  • Recommendation # 5c

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure a finding aid is created for the agency’s entire SPHs collection at the item level.


  • Recommendation # 5d

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure locked hard copies of the inventory listings are maintained.


  • Recommendation # 5e

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure SPHs inventory listings are maintained in HMS. Until HMS is implemented by all offices, all electronic versions of the listings should be password protected, with access limited to authorized employees.


  • Recommendation # 8a

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure initial inspections of SPHs inventory are completed.


  • Recommendation # 8b

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure custodial units are in compliance with NARA 1572, including randomly inspecting at least 3% of SPHs inventory annually on a rotating basis and using one individual who does not work for the individual responsible for the inspection.


  • Recommendation # 8c

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure annual inspection reports include, at a minimum, the date of inspection, the individuals who completed the inspection, and a listing of items inspected, including their location and physical condition.


  • Recommendation # 8d

    The Executive for Research Services and Executive for Legislative Archives, Presidential Libraries, and Museum Services should ensure annual inspection results are adequately documented and communicated to Security Management and office heads.



Audit of NARA's Digitization Storage and Transfer Capabilities

  • Recommendation # 6

    To support Digitization Lab infrastructure, we recommend the Chief Innovation Officer and Chief Information Officer develop a long-term strategy for increasing transfer capabilities between the various internal storage systems housing digitized records.



Audit of NARA's Human Resources Systems and Data Accuracy

  • Recommendation # 11

    We recommend NARA's Chief Information Officer, in collaboration with the Chief Human Capital Officer and Executive for Business Support Services, establish an authoritative data source that provides the latest data to role-based users on NARA's federal employees, contractors, and volunteers at the enterprise level.



Audit of NARA's Cable Infrastructure

  • Recommendation # 1

    We recommend that NARA incorporate all locations into the NARANet SA&A package by documenting location-specific security controls and ensuring that they are appropriately tested and monitored.


  • Recommendation # 2.1

    We recommend that, to the extent possible, NARA revisit all site locations and ensure that appropriate and consistent PE, infrastructure, and cabling controls are implemented. At a minimum, NARA should take the following step to remediate the issues identified in the audit report, which represent the present risks and flaws applicable to NARA: ensure that neat cable management and labeling mechanisms are employed for all sites.


  • Recommendation # 2.6

    We recommend that, to the extent possible, NARA revisit all site locations and ensure that appropriate and consistent PE, infrastructure, and cabling controls are implemented. At a minimum, NARA should take the following step to remediate the issues identified in the audit report, which represent the present risks and flaws applicable to NARA: ensure that all server racks, switches, and network equipment are adequately secured from unauthorized access via locked racks.



Audit of NARA's Web Hosting Environment

  • Recommendation # 10

    The CIO should provide Innovation with guidance that clearly delineates the management responsibilities of the web hosting environment between Information Services and Innovation.


  • Recommendation # 12

    The CIO, COO, and CINO should retroactively perform, or obtain from the contractor, vendor, or partner, IT security assessments of the vendors that currently host NARA websites.


  • Recommendation # 15

    The CIO should ensure Information Services personnel document their review of the IT security assessments.


  • Recommendation # 17

    The CIO should develop a process for managing access to shared user accounts.


  • Recommendation # 18

    The CIO should apply to the shared user accounts the annual compliance check that the User Account Management Standard Operating Procedure requires for Administrator accounts.


  • Recommendation # 5

    The CIO and NGC should review and document the approval of all agreements for web hosting services.


  • Recommendation # 6

    The CIO should review all of the systems attached to NARANet general support system to determine if there are any others that are not FISMA compliant.


  • Recommendation # 7

    The CIO should coordinate with the CINO to make the web hosting environment FISMA compliant.



Audit of NARA's Publicly-Accessible Websites

  • Recommendation # 1d

    We recommend the Chief Innovation Officer (CINO) coordinate with the CIO to improve NARA’s management and internal controls surrounding the security of NARA’s publicly-accessible websites. Specifically, we recommend the CIO document the process for conducting a web vulnerability scan on all publicly-accessible websites.


  • Recommendation # 5

    We recommend the CIO document a process to review all security assessments by a qualified official.


  • Recommendation # 6

    We recommend the CIO ensure Information Services personnel review all cloud hosting security assessments.


  • Recommendation # 7

    We recommend the CIO ensure Information Services personnel document their review of the IT security assessments.



NARA's Refile Processes at Selected Federal Records Centers

  • Recommendation # 11

    We recommend the Executive for Agency Services conduct training for all employees on the policies and procedures for quality control reviews, including notification of errors and penalties.


  • Recommendation # 12

    We recommend the Executive for Agency Services establish standardized policies and procedures for tracking and documenting IRS record problems, including problems with refiles, and identify timeframes for resolution and when the IRS should assist with resolution.


  • Recommendation # 13

    We recommend the Executive for Agency Services implement a mechanism (database, etc.) to facilitate the problem tracking and resolution process.



Enterprise-wide Risk Assessment Audit of NARA’s Internal Controls

  • Recommendation # 1a

    We recommend that the Chief Operating Officer\Chief Risk Officer fully implement all components of NARA 160, including developing, documenting, and fully implementing NARA 162, NARA’s Enterprise Risk Management Program. Within NARA 162, roles and responsibilities for ERM activities should be clearly identified.


  • Recommendation # 1b

    We recommend that the Chief Operating Officer\Chief Risk Officer fully implement all components of NARA 160, including developing, documenting, and fully implementing NARA 163, NARA’s Issues Management.


  • Recommendation # 2a

    We recommend that the Chief Operating Officer\Chief Risk Officer develop, document, and implement a formal process to identify and prioritize risks within the organization. Risks should be tied directly to NARA’s strategic plan and mission and prioritized based on their overall importance to the agency.


  • Recommendation # 2b

    We recommend that the Chief Operating Officer\Chief Risk Officer develop, document, and implement a formal process to prioritize risk management activities including the use of limited resources based on key risks within the organization. Management’s prioritization should be clearly documented and include formal steps to ensure risks are maintained at an appropriate level.


  • Recommendation # 3

    We recommend that the Chief Operating Officer\Chief Risk Officer provide additional resources to the Office of Accountability to ensure ICP activities are effectively carried out.


  • Recommendation # 4

    We recommend that the Chief Operating Officer\Chief Risk Officer develop and implement a formal process to review and evaluate the completeness and accuracy of ICP documentation submitted. Validation procedures should include a formal review (1) to ensure all required documentation has been submitted by the due date, with a formal process in place to follow up and obtain documentation that has not been provided; (2) of ICP documentation submitted, to ensure it is both complete and accurate, with a formal process in place to follow up with management so that identified discrepancies can be corrected; (3) of each office’s submission, to determine whether the risks identified and conclusions made are appropriately supported; (4) of test plans and test results for all high-risk or highly critical functions, to ensure they clearly demonstrate the office’s methodology for performing testing and reaching conclusions; and (5) of monitoring plans and monitoring results for all functions, clearly showing the extent of monitoring performed, the office’s methodology for performing the monitoring, and the rationale for its conclusions.


  • Recommendation # 5

    We recommend that the Chief Operating Officer\Chief Risk Officer develop and fully implement a formal ICP training program. NARA’s ICP training program should identify and require individuals who are involved with NARA’s ICP to complete initial training and refresher training periodically thereafter. Further, management should track completion of ICP training to ensure all individuals involved in the ICP process have received adequate training.



Audit of NARA's Compliance with the Federal Managers' Financial Integrity Act for FY15

  • Recommendation # 10

    The ICP Official should review the ICP reports and make and document any revisions to the format necessary to ensure all required information is obtained in the reports.


  • Recommendation # 2

    The Archivist should implement or upgrade current internal control software, or utilize other mechanisms, to enhance and improve the agency’s ability to track and report on internal controls.


  • Recommendation # 5b

    The Archivist should address outstanding recommendations from OIG Audit Report No. 13-01, including revisiting his decision on the placement and role in the organization of the Chief Risk Officer.


  • Recommendation # 6a

    NARA Executives should ensure monitoring and testing plans are sufficiently reported in the ICP Tool.


  • Recommendation # 6b

    NARA Executives should ensure results of monitoring and testing plans are achievable within the reporting timeframe.


  • Recommendation # 6c

    NARA Executives should ensure all information is up-to-date and reflects the current control environment.


  • Recommendation # 7

    NARA Executives should identify, develop, and include in ICP reports measurable indicators to evaluate functions.


  • Recommendation # 9

    The ICP Official should develop and implement a consistent risk assessment process and format for risk ranking, analysis of effect or impact, and risk reporting.



Audit of NARA's Procurement Program

  • Recommendation # 10

    CAO and SPE develop and implement test plans and procedures to assess internal control over acquisition activities and programs using OMB Memorandum, Conducting Acquisition Assessments.


  • Recommendation # 11

    CAO modify procedures to ensure all contracting activity, including Architecture/Engineering and construction services, is included in random selections for internal control reviews.


  • Recommendation # 13

    CAO include COs who are not GS-1102s, CORs, and P/PMs in the internal control program test plan.


  • Recommendation # 14

    CAO establish performance metrics, to be tracked and analyzed, on how long acquisitions take, where delays occur, and why delays occur.


  • Recommendation # 15

    CAO develop and implement meaningful and measurable performance metrics to continually assess the performance of the acquisition function in supporting NARA’s mission and achieving acquisition goals.


  • Recommendation # 16

    CAO ensure NARA 501, NARA Procurement Policy, includes guidance to program offices on their responsibilities in the procurement process.


  • Recommendation # 3

    CAO formally appoint an SPE and procurement officials who are authorized to approve warrants over $100,000,000 and to approve warrants for construction and architectural-engineering services contracting officers.


  • Recommendation # 5

    Competition Advocate, in collaboration with the CAO, develop and implement procedures to promote the acquisition of commercial items and report new initiatives annually to the CAO and SPE.


  • Recommendation # 7

    CAO ensure NARA 501, NARA Procurement Policy, and NARA’s General Acquisition Policy address procurements related to Architecture/Engineering and Construction.


  • Recommendation # 8

    CAO, in collaboration with CFO, Director of Acquisitions, and program managers, develop and implement procedures for proper planning of new contracts with NARA funds.



Audit of NARA's Management Control over Microsoft Access Applications and Databases

  • Recommendation # 2

    We recommend the Chief Information Officer, in conjunction with each program office, apply the security assessment process described in NARA’s Enterprise Architecture to those applications/databases determined, under Recommendation 1, to be critical to carrying out NARA’s or program offices’ missions.


  • Recommendation # 3

    We recommend the Chief Information Officer, in conjunction with each program office, develop and implement a comprehensive, systematic process to determine when a MS Access application or database should be recognized as an IT system.


  • Recommendation # 4

    We recommend the Chief Information Officer, in conjunction with each program office, identify all MS Access databases containing PII and ensure they are (a) encrypted in storage and transmission and (b) password-protected, in accordance with NARA Directive 1608 and the Privacy Act.


  • Recommendation # 5

    Develop and implement a process for future MS Access applications and databases created by program offices, including notification to and approval from the Office of Information Services for those that are mission-critical and/or contain PII or otherwise sensitive information.



NARA’s Compliance with Homeland Security Presidential Directive 12

  • Recommendation # 2

    Chief of Management and Administration or designee develops a detailed implementation plan with remaining work to be completed, critical tasks, roles and responsibilities of key personnel, milestones for critical tasks, costs, locations, and any other necessary documentation that would allow the agency to successfully implement HSPD-12.


  • Recommendation # 3

    Chief of Management and Administration or designee uses existing budgetary resources to fully implement HSPD-12.


  • Recommendation # 4

    Chief of Management and Administration or designee establishes a reasonable date to fully implement HSPD-12.



Audit of NARA’s Adoption and Management of Cloud Computing

  • Recommendation # 1

    The NARA CIO, acting as the centralized authority for NARA’s cloud computing program, should take the lead and collaborate with business areas such as Acquisitions and General Counsel, to develop, approve, and implement comprehensive policies and procedures which will coordinate activities and establish key control points for NARA’s cloud computing program.


  • Recommendation # 10

    The NARA CIO should coordinate with the Chief Acquisitions Officer and General Counsel to establish a working group to evaluate and monitor recommendations and best practices for cloud computing procurement, in order to improve the content and effectiveness of the CPIC Business Case Form.


  • Recommendation # 2

    The NARA CIO should complete and document a review of existing IT systems for cloud compatibility.


  • Recommendation # 3

    The NARA CIO should update the Enterprise Cloud Strategy with clearly defined roles and responsibilities, and develop and implement a written plan to execute the strategy.


  • Recommendation # 4

    The NARA CIO should conduct and document a risk assessment specific to NARA’s implementation of cloud computing in coordination with NARA's Chief Risk Officer.


  • Recommendation # 6

    The NARA CIO should establish and approve a centralized reporting point for cloud computing inventory and develop, implement and communicate a written mechanism to standardize tracking cloud computing inventory across NARA’s business area lines.


  • Recommendation # 7

    The NARA CIO should coordinate with necessary business areas including Acquisitions and General Counsel to develop, approve, and implement its written cloud provisioning guidelines.


  • Recommendation # 8

    The NARA CIO should coordinate with necessary business areas including Acquisitions and General Counsel to develop, approve, and implement its IT Security Contractual Requirements in addition to a method to monitor and enforce the use of the standards.


  • Recommendation # 9

    The NARA CIO, in conjunction with Acquisitions and General Counsel should develop, approve, and implement written standards for centralized maintenance and standardized monitoring of service level agreements and formally communicate the requirement to those who need it.



Audit of NARA's Freedom of Information Act Program

  • Recommendation # 9

    Utilize updated processing mechanisms or processes to increase the efficiency and effectiveness of the FOIA Program.



Audit of NARA's Legacy Systems

  • Recommendation # 10

    We recommend the CIO ensure risk assessments and risk assessment reports are completed and/or reviewed annually, and updated accordingly, for all NARA systems.



Audit of NARA's Human Capital Practices

  • Recommendation # 1

    We recommend the Chief of Management and Administration ensure all NARA Human Capital policies are reviewed, revised, finalized, and implemented.



Audit of NARA's Continuity of Operations (COOP) Readiness

  • Recommendation # 19

    We recommend the Chief Information Officer, in coordination with the Office of the Federal Register, develop and implement a process to maintain an up-to-date security authorization package for the EFR system, which includes a system security plan, security assessment report, risk assessment report, plan of action and milestones (POA&M), contingency plan, contingency plan test, and business impact analysis.


  • Recommendation # 2

    We recommend the Chief Information Officer: (a) determine the laptop computer needs for all current ERG, DERG, and RIT/RPT member employees, in consultation with the Executives responsible for executing the PMEFs, MEFs, and ESAs for NARA; (b) conduct a cost-benefit analysis for providing a government-furnished laptop computer to those employees identified in (a); and (c) provide a government-furnished laptop computer to the ERG, DERG, and RIT/RPT member employees, based on the analyses conducted in (a) and (b) above.


  • Recommendation # 20

    We recommend the Chief Information Officer develop and implement a process to update the contingency plan, contingency plan test results, and business impact analysis on an annual basis for all information systems with a FIPS PUB 199 security categorization of moderate or high.



Audit of Presidential Libraries' Analog Processing

  • Recommendation # 3

    Direct all Presidential Libraries to assess their holdings to determine the correct percentage of basic processing work as stipulated in NARA’s Analog Records Processing Policy.



Audit of NARA's Classified Information Systems

  • Recommendation # 1

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 10

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 11

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 12

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 2

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 5

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 6

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 7

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 8

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.



NARA’s Oversight and Management of Information Technology Contracts

  • Recommendation # 1

    Ensure the CAO's delegated responsibilities and authorities as outlined in NARA Directive 101, NARA Organization and Delegation of Authority, are reflected in the CAO's position description and performance plan.


  • Recommendation # 3

    Establish and document an acquisition workforce strategic plan to address achieving the objectives of key acquisition positions.



Audit of NARA's Personnel Security and Suitability Program

  • Recommendation # 1

    Review, update, and implement revised NARA Directive 273, Administrative Procedures for Security Clearances, NARA Directive 273 Supplement, Supplement Administrative Procedures Related to Security Clearances and Applicant and Employee Rights, NARA Directive 275, Background and Identity Verification Process for Access Privileges, and NARA Directive 276, Employment or Service Suitability Determinations.


  • Recommendation # 2

    Ensure all Security Management Personnel Security staff are familiar with the updated policies.



Audit of NARA's Cybersecurity Risk Management Process

  • Recommendation # 1

    The Chief of Management and Administration and the Chief Operating Officer ensure the Risk Executive, Chief of Management and Administration, Chief Operating Officer, and Senior Accountable Official for risk management roles and responsibilities are fully and accurately defined in NARA policies.


  • Recommendation # 2

    The Chief of Management and Administration develop, document, implement, and disseminate an organizational risk management strategy and policy, in accordance with NIST 800-39, and a process for coordination between cybersecurity and enterprise risk management.



Audit of National Archives and Records Administration's Fiscal Year 2020 Financial Statements 

  • Recommendation # 16

    We recommend that the NARA Chief Financial Officer report the ADA violation in accordance with 31 U.S.C. Sections 1351 and 1517(b) and OMB Circular A-11, Section 145.



Audit of NARA's Controls over the Use of Information Technology Equipment and Resources

  • Recommendation # 1

    Designate an office to take the ownership of NARA’s inappropriate use program, and formally document and communicate to all stakeholders their management and oversight responsibilities for detecting and reporting suspected inappropriate use.


  • Recommendation # 2

    Update Supplement 1 to NARA Directive 363, NARA Penalty Guide, to include penalties for misusing government IT equipment and resources.


  • Recommendation # 4

    Strengthen contract oversight controls to ensure all contract deliverables are completed in a complete, accurate, and timely manner, as it relates to the analyzing and monitoring of inappropriate Internet use on NARA IT resources.


  • Recommendation # 5

    Increase the Analytics log retention period in FortiAnalyzer to one year in accordance with NARA Enterprise Architecture.


  • Recommendation # 6

    Ensure a process is developed to retrieve IT devices and review user Internet activity on NARA-issued IT devices for periods when they were not connected to NARANet, when other indicators of inappropriate use are detected.


  • Recommendation # 7

    Ensure a process is developed to select sample inappropriate use occurrences on a periodic basis for further investigation and analysis.



Audit of NARA's High Value Assets

  • Recommendation # 1

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 2

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 3

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.


  • Recommendation # 8

    This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.



Audit of Controls over Loans of NARA Holdings

  • Recommendation # 2

    Establish review and monitoring standards for loans and report the results of those activities.


  • Recommendation # 4

    Identify all overdue loans. Determine the actions needed for recovery of the loaned holdings, including consulting with the OIG. If recovery is not pursued, document the decision and reasons.


  • Recommendation # 7

    Review, update, and implement revised policies and procedures related to the loan program including, NARA 1572, Preventing Theft and Vandalism of NARA Holdings in NARA Facilities, NARA 1611, Loans of Archival Holdings to Federal Originators, NARA 1611 Supplement, Procedures for Loans to Originators, NARA 1612, Exhibition Loans and Traveling Exhibits, NARA 1612 Supplement 1, Procedures for Exhibition Loans, and NARA 1702, Transporting Holdings in NARA's Physical and Legal Custody, to ensure they are reflective of current practices and the organizational structure.


  • Recommendation # 8

    Ensure current Research Services and Legislative Archives, Presidential Libraries, and Museum Services employees are familiar with and properly trained on the updated loan program.


  • Recommendation # 9

    Ensure NARA coordinates with the Central Intelligence Agency (CIA), Central Imagery Office, and United States Geological Survey to review, cancel, update, or create a new Memorandum of Understanding (MOU), Declassified Imagery Transition, or other appropriate instrument that is consistent with NARA’s current operations for fulfilling loan requests.



Audit of NARA's Records Disposal Processes

  • Recommendation # 10

    Revise procedures to strengthen controls over quarterly disposal audits.


  • Recommendation # 2

    Develop a strategy to work with Federal agencies to reduce the eligible disposal backlog.


  • Recommendation # 4

    Review policies and procedures and determine which internal stakeholders, including the IG, should be notified and revise policies and procedures as necessary.


  • Recommendation # 5

    Prioritize creation of DEER and DCR Audit Reports under the ARCIS contract.


  • Recommendation # 6

    Implement timeframes for completion of disposal documentation packages.


  • Recommendation # 7

    Develop a plan to transition disposal documentation to fully electronic recordkeeping.


  • Recommendation # 8

    Develop a strategy to transition agencies to use the ARCIS Customer Portal Disposition Module.


  • Recommendation # 9

    Develop and implement an ARCIS internal user manual.



Audit of NARA's Travel Card Program

  • Recommendation # 3

    Review unreimbursed official travel conference expenses identified during the audit and reimburse those employees for eligible expenses.


  • Recommendation # 5

    Review, update, and implement revised NARA 601, NARA Travel Policy, and NARA Travel Card Management Plan to reflect current practices, and the current versions of Federal Travel Regulation and Appendix B to OMB A-123, A Risk Management Framework for Government Charge Card Programs.



Audit of NARA's Compliance under the Digital Accountability and Transparency Act of 2014

  • Recommendation # 3

    We recommend that the Chief Acquisition Officer ensure the internal control on approval and coordination with PRISM support, required to appropriately bypass FPDS-NG when modifying a document via the double-dash process (a 90000 administrative action modification), is implemented. Moreover, clearly document in the Supplement to NARA 501, Procurement Guide, that the double-dash contract modification is a 90000 administrative action.



NARA's FY 2021 Federal Information Security Modernization Act of 2014 Audit

  • Recommendation # 14

    Develop and communicate an organization wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks. (New Recommendation)


  • Recommendation # 17

    Assess applications residing on unsupported platforms to identify a list of applications, all servers associated with each application, and the grouping and schedule of applications to be migrated, with the resulting migration of applications to vendor-supported platforms. (New Recommendation)


  • Recommendation # 28

    Ensure a comprehensive ICAM policy or strategy, which includes the establishment of related SOPs, identification of stakeholders, communication of relevant goals, task assignments, and measuring and reporting of progress, is developed and implemented. (New Recommendation)



Audit of NARA's Corporate Records Management Program

  • Recommendation # 16

    Incorporate interim guidance into final policy directives per established guidance.



Audit of NARA's Holdings Protection Program

  • Recommendation # 2

    Update standard operating procedures for the Holdings Protection and Recovery Staff walkthroughs (stack, research room, and processing area), outgoing mail inspections, and Holdings Management System verifications to include: (a) quality reviews of staff checklists and tracker spreadsheets for completeness and accuracy, (b) consistent definitions of similar issues, and (c) requirements to follow-up on repeated findings.


  • Recommendation # 3

    Update NARA 1572, Preventing Theft and Vandalism of NARA Holdings in NARA Facilities, and its Supplement(s) to include documented procedures that include simplified reporting of internal incidents of loss, theft, or damage of NARA holdings.



Audit of NARA's Processing of Discrimination Complaints

  • Recommendation # 1

    Use a system-approach that complies with Public Law 116-92, EEO MD-715, and 29 CFR 1614.


  • Recommendation # 3

    Review and evaluate current processes, procedures, and practices, make revisions, and implement guidance to improve efficiencies associated with obtaining contract award for conducting investigations and drafting final agency decisions.


  • Recommendation # 4

    Develop and implement processes and procedures to ensure the contractors adhere to the Statement of Work for Equal Employment Opportunity services, to include, but not limited to (1) completing investigations timely, (2) submitting authorizations for extensions, if necessary, and (3) submitting weekly status reports; and where applicable enforce any associated penalties for delays.


  • Recommendation # 5

    Define and formalize the roles and responsibilities of the Office of General Counsel in the processing of discrimination complaints. Specifically, implement policies and procedures to demonstrate the agency has a fair and impartial Equal Employment Opportunity process, to include but not limited to, ensuring: a clear separation between the agency’s Equal Employment Opportunity complaint program and its defensive function, and the agency representative does not intrude or have the appearance of intruding upon Equal Employment Opportunity counseling, investigations, and final agency decisions.


  • Recommendation # 6

    Establish and implement procedures to ensure agency responses submitted to Equal Employment Opportunity Commission in its EEO MD-715 submissions are accurate, complete, and supported by documentation.


  • Recommendation # 8

    Develop and implement controls to ensure standard operating procedures are kept up to date to reflect subsequent organizational, policy, or procedural changes that can affect processing of discrimination complaints.



NARA’s FY 2022 Federal Information Security Modernization Act of 2014 Audit

  • Recommendation # 11

    Ensure IT policies, procedures, methodologies, and supplements are reviewed and approved in accordance with NARA Directive 111.


  • Recommendation # 14

    Ensure all information systems are migrated away from unsupported operating systems to operating systems that are vendor-supported.


  • Recommendation # 16

    The CIO should implement the following corrective actions:
    ● Complete efforts to implement the NetIQ Sentinel product;
    ● Develop and implement processes and procedures to monitor, and at least weekly review, user activity and audit logs (in accordance with NARA IT Security Requirements) on systems that may indicate potential security violations; and
    ● Ensure the procurement of new IT system hardware and software that provides user authentication includes a minimum set of audit logging.


  • Recommendation # 17

    Ensure user system accounts for all systems are periodically reviewed and automatically disabled in accordance with NARA policy.


  • Recommendation # 18

    Ensure that, upon termination of employment, all system access is disabled within the period defined in the applicable system security plan, as described under control PS-4, “Personnel Termination.”


  • Recommendation # 19

    Ensure audit logging is enabled for each major information system.


  • Recommendation # 20

    Ensure periodic reviews of generated audit logs are performed for each major information system.


  • Recommendation # 21

    Ensure password configuration settings for all major information systems are in accordance with NARA IT Security Requirements.


  • Recommendation # 22

    Ensure the use of shared/group accounts is restricted to only those users with a valid business justification, by enhancing user account review procedures to incorporate reviews of shared/group account membership and reasonableness.


  • Recommendation # 23

    Ensure a process is developed, documented, and implemented to change passwords whenever the users within shared/group accounts change.


  • Recommendation # 6

    Perform a reconciliation of all NARA hardware asset inventories to ensure all data, such as assignments and status, are accurately and completely stated, investigating any unusual or potentially duplicate entries and making revisions as needed.



Management Letter: Control Deficiencies Identified During the Audit of National Archives and Records Administration’s Financial Statements for Fiscal Year 2022

  • Recommendation # 1

    Recommend the Chief Financial Officer update the travel policy and continue efforts to ensure that all written policies and procedures are reviewed and revised timely.



Audit of NARA's Software Asset Management Process

  • Recommendation # 1

    Establish an automated and comprehensive inventory for managing and tracking software licenses.


  • Recommendation # 2

    Develop and implement a comprehensive software licensing policy that includes a methodology for analyzing and maintaining software usage data to determine the software license needs of the agency.


  • Recommendation # 3

    Identify and formally appoint a software manager.



Evaluation of Records Request Backlog at the National Personnel Records Center

  • Recommendation # 3

    Assess the feasibility of implementing an automated system allowing veterans or their representatives to access their records online.


  • Recommendation # 4

    Implement controls to require digital delivery of responses on all requests where digital delivery is possible.


  • Recommendation # 5

    Update eVetRecs to: ensure the online request process requires requesters to provide all information and documentation needed for the request to be filled during initial processing; implement controls to better ensure acceptable entries for requesters’ names and provide automated address fields; and ensure eVetRecs has clear attestation language at key points in the record request process to better ensure the request is being made by the veteran or an authorized representative.


  • Recommendation # 7

    Reconsider the National Personnel Records Center’s definition of medical emergency, make any necessary changes to internal policy, communicate the definition to veterans and stakeholders, and implement procedures for how medical emergency requests are made and how they are validated.



Audit of NARA's Electronic Records Archives (ERA) 2.0 System

  • Recommendation # 1

    We noted that in OIG Audit Report No. 17-AUD-15, a suggestion was made to “modify NARA's SDLC methodology to align it better for agile projects” that has not been addressed.

    In addition to resolving this issue, we recommend NARA’s Information Services review and update the SDLC Methodology to ensure it reflects current NARA practices related to system development methodologies utilized at the agency. NARA should modify the description of their SDLC methodology processes to be more agile, by adopting the cyclical approach described in GAO’s Agile Assessment Guide – Best Practices for Agile Adoption and Implementation. The system development process should be focused on producing working software for users to test after each agile iteration, and for the software to be updated with user feedback after each cycle.


  • Recommendation # 2

    We recommend NARA’s Information Services institute a process to complete an annual review and update of the SDLC methodology.


  • Recommendation # 3

    We recommend NARA’s Information Services, for ERA 2.0 and future system development projects, require the development and maintenance of a program management plan which describes how these subprojects are expected to reach a targeted steady state for production and roll out for agency use. This plan should consider current and future risks which could threaten the achievement of planned milestones and deliverables on the overall project. This plan should also demonstrate how to validate participation and adoption of the system under development to reduce reliance on legacy systems or components and related decommissioning processes.


  • Recommendation # 4

    We recommend NARA’s Information Services enhance policy or procedures which outline documentation requirements and records retention for delivery and acceptance of contract deliverables by the COR and project team/stage gate reviewers within tailoring plans. Additionally, for projects with multiple releases, ensure that these policies or procedures provide clear guidance on how to document deliverable acceptance within the tailoring plans.


  • Recommendation # 5

    We recommend NARA’s Information Services, for ERA 2.0 and future system development projects, require the development of a program baseline budget that encompasses costs and schedule, and the measurement of performance against this budget. In addition, risks related to cost, schedule and scope should be identified, documented, and measured on an on-going basis. Assumptions and constraints should also be identified, documented, and analyzed for cost impact.


  • Recommendation # 6

    We recommend NARA’s Office of the Chief Financial Officer finalize Interim Guidance 400-5, Capitalization Policy for NARA Assets, on capitalization of costs for software development projects, and enhance it to address the scenario where programming and development of internal software is outsourced to external contractors. This should include the types of costs to be capitalized, materiality, and documentation requirements.



NARA's Fiscal Year 2023 Federal Information Security Modernization Act of 2014 Audit

  • Recommendation # 1

    Reconcile departure reports received from Human Capital to the asset management inventory system on a regular basis (e.g., monthly, quarterly, etc.) to ensure updates are being made in a timely manner and accurately reflect separated or transferred employees and contractors. (Recommendation #13 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 10

    Document, communicate, and implement NARA’s configuration management processes applicable to all NARA systems, not just those under Enterprise Change Advisory Board (ECAB) control, within NARA’s Configuration Management (CM) program management plan or other NARA methodology. (Recommendation #15 from the FY 2022 FISMA audit, report #22-AUD-09)


  • Recommendation # 11

    Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training have their accounts automatically disabled in accordance with the timeframes promulgated within the Privacy and Awareness Handbook. (New Recommendation)


  • Recommendation # 12

    Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s Privileged Access Management authentication project and other efforts. (Recommendation #26 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 13

    Enforce mandatory PIV card authentication for all NARANet users, in accordance with OMB requirements. (Recommendation #27 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 14

    Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements. (Recommendation #29 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 15

    Ensure that the SAOP completes PIAs for all systems which contain PII. (New Recommendation)


  • Recommendation # 16

    The SAOP review and update the NARA 1609, Initial Privacy Reviews and Privacy Impact Assessments, privacy policies and procedures to reflect NARA’s current processes and controls. (Recommendation #33 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 17

    The CIO and SAOP implement a process to ensure role-based privacy training is completed by all personnel having responsibility for PII or for activities that involve PII, and that its content includes, as appropriate: responsibilities under the Privacy Act of 1974 and the E-Government Act of 2002, consequences for failing to carry out those responsibilities, identifying privacy risks, mitigating privacy risks, reporting privacy incidents, and data collection and use requirements. (Recommendation #34 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 2

    Ensure a complete security authorization package for each major application and general support system is completed prior to deployment into production. (Recommendation #1 from the FY 2022 FISMA audit, report #22-AUD-09)


  • Recommendation # 3

    Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly, as required within NARA’s Configuration Compliance Management Standard Operating Procedure. (New Recommendation)


  • Recommendation # 4

    Document Information Services’ review of Cross-Site Request Forgery tokens for external web applications and, if an issue is identified, document the remediation efforts or other existing mitigations in place to protect against cross-site request forgery. (Recommendation #12 from the FY 2022 FISMA audit, report #22-AUD-09)
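    The recommendation above asks that the review of anti-CSRF tokens on external web applications be documented, which presupposes a reference for what a sound token check looks like. The following is an added example written for this page, not NARA code and not part of the OIG report: a session-bound HMAC token issued per request and verified with a constant-time comparison, enforced only on state-changing methods. The key source, session identifier format and the `check_request` helper are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: in a real deployment the key comes from a secret store, not os.urandom at import.
_KEY = os.urandom(32)

# Methods that change server state and therefore must carry a valid token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str, key: bytes = _KEY) -> str:
    """Return nonce.mac where mac = HMAC-SHA256(key, session_id:nonce).

    Binding the MAC to the session means a token lifted from one user's page
    cannot be replayed against another user's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str, key: bytes = _KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False  # malformed or non-string token
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_request(method: str, session_id: str, token, key: bytes = _KEY):
    """Return (allowed, reason) for one request (hypothetical middleware hook).

    Safe methods (GET, HEAD, OPTIONS) pass without a token; anything that
    changes state must present a token minted for the same session.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not token:
        return False, "missing CSRF token"
    if not token_is_valid(session_id, token, key):
        return False, "CSRF token not valid for this session"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(check_request("POST", "sess-A", tok))    # allowed
    print(check_request("POST", "sess-B", tok))    # rejected: wrong session
    print(check_request("POST", "sess-A", None))   # rejected: missing
```

The three rejection paths (missing token, token from another session, tampered or malformed token) are the cases a reviewer should exercise against each external application; a check that accepts any of them is the finding to document.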


  • Recommendation # 5

    Implement improved processes to remediate security deficiencies on NARA’s network infrastructure, to include enhancing its patch and vulnerability management program to address security deficiencies identified during our assessments of NARA’s applications and network infrastructure. (Recommendation #13 from the FY 2022 FISMA audit, report #22-AUD-09)


  • Recommendation # 6

    Implement remediation efforts to address security deficiencies on the affected systems identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks. (Recommendation #16 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 7

    Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks. (Recommendation #15 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 8

    Ensure all information systems are migrated away from unsupported operating systems to operating systems that are vendor-supported. (Recommendation #18 from the FY 2021 FISMA audit, report #22-AUD-04)


  • Recommendation # 9

    Finalize and implement system configuration baseline management procedures, which encompass at a minimum the request, documentation, and approval of deviations from baseline settings for all NARA systems. (Recommendation #22 from the FY 2021 FISMA audit, report #22-AUD-04)



Audit of NARA’s Fiscal Year 2023 Consolidated Financial Statements

  • Recommendation # 1

    Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.


  • Recommendation # 10

    Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training, have their accounts automatically disabled in accordance with timeframes promulgated within the Privacy and Awareness Handbook.


  • Recommendation # 2

    Coordinate with other departments as necessary, to implement an authoritative data source which provides the current status of NARA contractors and volunteers at the enterprise level.


  • Recommendation # 3

    Enforce mandatory Personal Identity Verification (PIV) card authentication for all NARANet users, in accordance with OMB requirements.


  • Recommendation # 4

    Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s identity and access management project and other efforts.


  • Recommendation # 5

    Ensure a comprehensive identity, credential, and access management (ICAM) policy or strategy, which includes the establishment of related standard operating procedures, identification of stakeholders, communication of relevant goals, task assignments, and measuring and reporting of progress, is developed and implemented.


  • Recommendation # 6

    Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks.


  • Recommendation # 7

    Implement remediation efforts to address security deficiencies on affected systems identified, to include enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks.


  • Recommendation # 8

    Fully complete the migration of applications to vendor supported operating systems.


  • Recommendation # 9

    Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly as required within NARA’s Configuration Compliance Standard Operating Procedure.



Management Letter: Control Deficiency Identified During the Audit of National Archives and Records Administration’s Financial Statements for Fiscal Year 2023

  • Recommendation # 1

    Recommend the Chief Financial Officer update the travel policy and continue efforts to ensure that all written policies and procedures are reviewed and revised timely.



Audit of NARA's Off-boarding Process

  • Recommendation # 1

    Implement an automated process, which notifies all relevant IT system owners of pending separations and reassignments.


  • Recommendation # 2

    Determine whether individuals who departed NARA since April 27, 2020 still have access to related IT systems. Ensure IT system access for these individuals has been terminated.
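    Several recommendations on this page turn on the same check: FY 2023 FISMA Recommendation #1 (reconcile Human Capital departure reports against an inventory), Recommendations #14 and #17 of the FY 2022 FISMA audit (periodic review and automatic disabling of accounts), and Off-boarding Recommendation #2 above (find departed individuals who still hold access). The script below is an added illustration written for this page, not NARA’s tooling and not part of any OIG report. It joins a constructed departure report to a constructed directory export and flags accounts that are still enabled after the separation deadline, were disabled late, logged on after separation, or are dormant. The column names, the one-day disable window and the 45-day dormancy threshold are assumptions; substitute the values from the applicable system security plan.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inputs (not NARA data). Column names are assumptions.
DEPARTURES_CSV = """\
user_id,name,separation_date
jdoe,Jane Doe,2024-03-01
bsmith,Bob Smith,2024-03-15
clee,Carol Lee,2024-04-02
"""

ACCOUNTS_CSV = """\
user_id,enabled,last_logon,disabled_date
jdoe,false,2024-02-28,2024-03-01
bsmith,true,2024-03-20,
clee,true,2024-03-30,
dkim,true,2024-01-10,
"""


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str   # not_disabled | late_disable | post_separation_logon | dormant
    detail: str


def _rows(text: str):
    return list(csv.DictReader(io.StringIO(text)))


def _day(s: str):
    return date.fromisoformat(s) if s else None


def reconcile(departures_csv: str, accounts_csv: str, as_of: date,
              disable_within_days: int = 1, dormant_days: int = 45):
    """Return findings where the account export contradicts the departure report.

    disable_within_days is the assumed PS-4 window; dormant_days is the assumed
    threshold for accounts with no recent logon that HR has not reported as departed.
    """
    departed = {r["user_id"]: _day(r["separation_date"]) for r in _rows(departures_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        uid = acct["user_id"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = _day(acct["last_logon"])
        disabled_on = _day(acct["disabled_date"])
        sep = departed.get(uid)
        if sep is not None:
            deadline = sep + timedelta(days=disable_within_days)
            if enabled and as_of > deadline:
                findings.append(Finding(uid, "not_disabled",
                                        f"separated {sep}, still enabled on {as_of}"))
            elif disabled_on is not None and disabled_on > deadline:
                findings.append(Finding(uid, "late_disable",
                                        f"separated {sep}, disabled {disabled_on}"))
            if last_logon is not None and last_logon > sep:
                findings.append(Finding(uid, "post_separation_logon",
                                        f"last logon {last_logon} after separation {sep}"))
        elif enabled and last_logon is not None and (as_of - last_logon).days > dormant_days:
            findings.append(Finding(uid, "dormant", f"no logon since {last_logon}"))
    return sorted(findings, key=lambda f: (f.user_id, f.issue))


def example_findings(as_of_iso: str = "2024-04-10"):
    """Run the reconciliation over the constructed sample data; returns (user, issue) pairs."""
    return [(f.user_id, f.issue)
            for f in reconcile(DEPARTURES_CSV, ACCOUNTS_CSV, date.fromisoformat(as_of_iso))]


if __name__ == "__main__":
    for f in reconcile(DEPARTURES_CSV, ACCOUNTS_CSV, date(2024, 4, 10)):
        print(f"{f.user_id:8} {f.issue:22} {f.detail}")
```

On the sample data, jdoe was disabled on the separation date and produces nothing; bsmith is both still enabled and shows a logon after separation, which is the case the off-boarding recommendation is aimed at; clee is past the disable window; dkim is not on the departure report but has not logged on in three months, the kind of account a periodic review should surface for HR to confirm. Run it against each system’s account export, not only the enterprise directory, since the recommendations cover access on all systems.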


  • Recommendation # 3

    Adopt a specific time-frame requirement for termination of Personal Identity Verification cards in accordance with the Federal Information Processing Standards.


  • Recommendation # 4

    Evaluate the process and/or definition for reassignments as defined in NARA 215 to ensure it meets the business needs of National Personnel Records Center’s Core environment.


  • Recommendation # 5

    Revise NARA 215 requirements for outstanding debt obligations for separating individuals.


  • Recommendation # 6

    Update and implement NARA 215 requirements to establish clear reporting lines among those units with off-boarding and property management duties.


  • Recommendation # 7

    Ensure communication of revised NARA 215 with NARA Clearance Officials.