
Audit of NARA’s Fiscal Year 2023 Consolidated Financial Statements

Report Information

Date Issued
Report Number
24-AUD-02
Report Type
Audit
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.

Coordinate with other departments as necessary to implement an authoritative data source that provides the current status of NARA contractors and volunteers at the enterprise level.

Enforce mandatory Personal Identity Verification (PIV) card authentication for all NARANet users, in accordance with OMB requirements.

Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s identity and access management project and other efforts.

Ensure a comprehensive identity, credential, and access management (ICAM) policy or strategy, which includes the establishment of related standard operating procedures, identification of stakeholders, communicating relevant goals, task assignments, and...

Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks.

Implement remediation efforts to address the security deficiencies identified on affected systems, including enhancing its patch and vulnerability management program as appropriate, or document acceptance of the associated risks.

Fully complete the migration of applications to vendor supported operating systems.

Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly as required within NARA’s Configuration Compliance Standard Operating Procedure.

Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training have their accounts automatically disabled within the timeframes promulgated in the Privacy and Awareness Handbook.
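The first and last recommendations above (periodic review and disabling of NARANet accounts, and automatic disabling of new users who miss their initial security awareness training) are both enforceable as a scheduled account review. The following is an added illustration, not NARA's own code or procedure: the inactivity and training-grace thresholds are hypothetical placeholders because the report does not state the actual timeframes, the account records are constructed inline, and in a real deployment they would be pulled from the directory service rather than embedded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical thresholds: the audit summary does not give NARA's actual
# timeframes, so these are placeholders a policy owner would replace.
INACTIVITY_DAYS = 30       # disable after this many days without a logon
TRAINING_GRACE_DAYS = 30   # new users must finish awareness training by then


@dataclass
class Account:
    username: str
    created: date
    last_logon: Optional[date]        # None = never logged on
    enabled: bool
    training_completed: Optional[date]  # None = not yet completed


def review_accounts(accounts: List[Account], today: date) -> Dict[str, str]:
    """Return {username: reason} for every enabled account that policy says to disable."""
    actions: Dict[str, str] = {}
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing further to do
        # An account that has never logged on is measured from its creation
        # date, so a provisioned-but-unused account cannot linger forever.
        last_activity = a.last_logon or a.created
        idle_days = (today - last_activity).days
        if idle_days > INACTIVITY_DAYS:
            actions[a.username] = f"inactive for {idle_days} days"
            continue
        if a.training_completed is None and (today - a.created).days > TRAINING_GRACE_DAYS:
            actions[a.username] = "initial security awareness training not completed"
    return actions


def apply_actions(accounts: List[Account], actions: Dict[str, str]) -> List[str]:
    """Disable the flagged accounts in place; returns the usernames disabled."""
    disabled = []
    for a in accounts:
        if a.username in actions and a.enabled:
            a.enabled = False
            disabled.append(a.username)
    return disabled


# Constructed sample records for the review date below (not real accounts).
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2023, 1, 1), date(2024, 2, 20), True, date(2023, 1, 10)),   # active, trained
    Account("bob", date(2023, 1, 1), date(2023, 12, 1), True, date(2023, 1, 5)),      # 91 days idle
    Account("carol", date(2024, 1, 15), date(2024, 2, 28), True, None),              # 46 days, no training
    Account("dave", date(2024, 2, 15), None, True, None),                            # new, still in grace
    Account("erin", date(2023, 1, 1), date(2023, 6, 1), False, date(2023, 1, 2)),    # already disabled
    Account("frank", date(2024, 1, 1), None, True, date(2024, 1, 5)),                # never logged on, 60 days
]


def run_review() -> Dict[str, str]:
    """Run the review against the sample data and disable what it flags."""
    accounts = [Account(**vars(a)) for a in SAMPLE_ACCOUNTS]  # work on copies
    actions = review_accounts(accounts, REVIEW_DATE)
    apply_actions(accounts, actions)
    return actions


if __name__ == "__main__":
    for user, reason in sorted(run_review().items()):
        print(f"disable {user}: {reason}")
```

The review deliberately treats a never-used account as idle since its creation date, and reports an inactive account under the inactivity rule before checking training, so each account gets a single, auditable reason. Logging that reason alongside the disable action is what gives an Information System Security Officer evidence that the review actually ran.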