
Audit of NARA’s Fiscal Year 2022 Consolidated Financial Statements

Report Information

Date Issued
Report Number
23-AUD-01
Report Type
Audit
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.

Coordinate with other departments as necessary to implement an authoritative data source that provides the current status of NARA contractors and volunteers at the enterprise level.

Ensure system access requests are completed and retained for the duration of a user's system access.

Ensure account reviews are completed in accordance with Access Control IT Methodology requirements.

Enforce mandatory Personal Identity Verification (PIV) card authentication for all
NARANet users, in accordance with OMB requirements.

Ensure system owners and Information System Security Officers (ISSO) have
completed an E-Authentication Threshold Analysis (ETA) for all information systems
with a signed E-Authentication Risk Assessment (if required).

Review and reduce the number of NARA users assigned to the PIV debarment group
and move to the PIV mandatory group, using a risk-based decision process.

Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA's CyberArk authentication project and other efforts.

Ensure a comprehensive identity, credential, and access management (ICAM) policy
or strategy, which includes the establishment of related standard operating
procedures, identification of stakeholders, communicating relevant goals, task
assignments,...

Ensure POA&Ms for the NARANet, RCPBS, and OFAS systems are created, updated,
and remediated, for each system in accordance with NARA policies, guidance, and
directives, to include enhanced POA&M closure procedures.

For those systems identified in which the Authorizing Official (AO) listed in the
Authorization to Operate (ATO) has changed, NARA should follow the NARA Security
Methodology for Certification and Accreditation (C&A) and Security Assessment in...

Update NARA’s Cyber Security Framework Methodology Processes & Procedures, for
ongoing authorizations, to include examples of situations where a change in status
could prompt the independent security control assessor to recommend re-certification...

Develop oversight mechanisms to ensure system security plans reflect current
operational environments, include an accurate status of the implementation of system
security controls, and all applicable security controls are properly evaluated prior to...

Document and implement a process to track and remediate persistent configuration
vulnerabilities, or document acceptance of the associated risks.

Implement remediation efforts to address security deficiencies on affected systems
identified, to include enhancing its patch and vulnerability management program as
appropriate, or document acceptance of the associated risks.

Fully complete the migration of applications to vendor supported operating systems.

Document, communicate, and implement NARA’s configuration management
processes applicable to all NARA systems, not just those under Information Services
Enterprise Change Advisory Board (ECAB) control within for example, NARA’s
Configuration...

Finalize and implement system configuration baseline management procedures, which encompass, at a minimum, the request, documentation, and approval of deviations from baseline settings for all NARA systems.

Ensure that records of configuration-controlled changes are retained within those systems (e.g., Remedy/ServiceNow) which retain those records, in accordance with the NARA records schedule.

In coordination with system owners and ISSOs, identify and remediate inconsistencies
in contingency plan testing requirements between the NARA Cyber Security
Framework Methodology: Processes and Procedures and the NARA IT Security
Methodology for...