National Archives rapped for weak document security

Two GAO reports say risk of sensitive data breaches in digitization effort affects all agencies.

The risk of loss or damage to archived federal documents remains unacceptably high despite the National Archives and Records Administration's progress in digitizing, securing and easing access to information across government, according to a pair of Government Accountability Office reports released on Wednesday.

Sen. Charles Grassley, R-Iowa, requested the studies in part because of the loss in 2009 of a computer hard drive containing Social Security numbers of Clinton White House staff. GAO praised the Archives' own investigations using self-assessment surveys to measure progress on its digital transformation effort. But even those revealed "almost 80 percent of agencies were at moderate to high risk of unlawful destruction of records," GAO said. (The day before the reports were released, Archives officials and U.S. Marshals raided the home of a retired NARA official in search of undisclosed materials.)

In a report on Archives management and oversight, GAO auditors faulted NARA's pace in whittling down a backlog of paper that grew some 200,000 cubic feet from 2008 to 2009 alone. Digital preservation of those documents has stalled at 65 percent of total holdings. Also criticized were the absence of risk management plans and the insufficient implementation of a strategic human capital initiative to collaborate with agencies on training staff in specialized electronic preservation.

For a separate report on the Archives' information security controls, auditors tested networks and interviewed staff and determined that "NARA has not effectively implemented information security controls to sufficiently protect the confidentiality, integrity and availability of the information and systems that support its mission." Collectively, the report continued, "these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification, or loss."

Noting delays in correcting security deficiencies, GAO said, "NARA has not updated its badge and access system security plan since 2003, despite replacing the system in 2007. NARA had scheduled to correct this weakness by the end of 2009, but as of September 2010, it had not been corrected."

In a set of recommendations, GAO advised the Archives to improve training, beef up physical inspections of document centers, update systems to reflect accurate Federal Information Processing Standard categories, set security processes that identify which office or individual is the "owner" of a set of documents, and align information controls with National Institute of Standards and Technology guidance.

In a response published with the reports, NARA said it accepted the general criticisms but disagreed with several technical points. Officials rejected the notions that risk assessments were incorrectly applied, that the agency's procedures are out of compliance with NIST guidance, and that the "owner role" of each system of documents always must be identified in security plans.

"The National Archives safeguards billions of records," Archivist of the United States David Ferriero said in a statement on Wednesday. "It is an enormous and complex undertaking made even more challenging by the proliferation of electronic records created and stored on multiple platforms and in an ever evolving variety of formats. ... I welcome these audits by GAO, and I appreciate that the reports made some helpful recommendations and acknowledged the strides of improvement this agency has been making over the last year. I also agree with GAO that more work needs to be done, both internally at the Archives and across the records management community in the federal government."

Patrice McDermott, director of the transparency advocacy group OpenTheGovernment.org, said both the bulging backlog and the risk of mishandling documents "are issues that NARA is aware of and is dealing with." NARA is in the process of hiring a new chief information officer, she added, and "solving these concerns awaits a new CIO."

Grassley's office said on Thursday in a written statement, "According to GAO, the agency's failure to fully implement its information security programs is impairing its ability to fulfill its mission. The agency needs to commit to fixing its problems and follow through."