Audit of NARA's Web Hosting Environment

Report Information

Date Issued
Report Number
16-01
Report Type
Audit
Description
This is a summary of the complete audit report. The Inspector General has determined that publicly releasing the complete audit report would unacceptably increase the risk to the agency’s information technology systems by disclosing too much information on persistent security deficiencies.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

The Chief Operating Officer (COO) should coordinate with the Chief Innovation Officer (CINO) to clearly define a business owner for the public-facing website process.

The COO should coordinate with the CIO, the Office of Presidential Libraries, and the CINO to develop and document a centralized process to manage the public-facing websites.

The CIO and CINO should clearly define the roles and responsibilities throughout the process developed in recommendation #2.

The CIO and NGC should review and document the approval of all agreements for web hosting services.

The CIO should review all of the systems attached to the NARANet general support system to determine whether there are any others that are not FISMA compliant.

The CIO should coordinate with the CINO to make the web hosting environment FISMA compliant.

The COO should coordinate with the CIO and CINO to evaluate whether all of the web hosting environments (internal and external) should be consolidated into one centralized system for FISMA purposes.

The CIO should provide Innovation with guidance that clearly delineates the management responsibilities of the web hosting environment between Information Services and Innovation.

The CIO, COO, and CINO should retroactively perform, or obtain from the contractor, vendor, or partner, IT security assessments on the vendors that currently host NARA websites.

The CIO should require that an IT security assessment be performed before NARA initiates a web hosting agreement.

The CIO should ensure that all IT service agreements with external contractors, vendors, or partners have a clause that requires NARA or an independent third-party contractor to annually perform an IT security assessment on that contractor’s, vendor’s, and...

The CIO should ensure Information Services personnel document their review of the IT security assessments.

The CIO should ensure Information Services includes an audit clause in the agreement that requires contractors, vendors, and partners to provide all documentation to the OIG without requiring a signed NDA.

The CIO should develop a process for managing access to shared user accounts.

The CIO should apply the annual compliance check that the User Account Management Standard Operating Procedure requires for Administrator accounts to the shared user accounts as well.

This recommendation contains information about IT deficiencies which, if made public, could endanger NARA systems. Please contact the OIG if you need further information.