Weak Infosec Places Historic Papers in Jeopardy
GAO: National Archives Hasn't Effectively Implemented Safeguards
According to the Government Accountability Office audit issued Wednesday, the National Archives failed to fully implement access controls, which are designed to prevent, limit, and detect unauthorized access to computing resources, programs, information and facilities.
Sen. Charles Grassley of Iowa, the ranking Republican on the Senate Finance Committee, requested the audit after the loss of the Wright Brothers' original patent and maps for atomic bomb missions in Hiroshima and Nagasaki, according to an Associated Press report. "This agency is the country's record keeper," Grassley said in a statement. "It's responsible for protecting classified materials and for preserving our most important historical documents. ... The agency needs to commit to fixing its problems and follow through."
Sen. Tom Carper, the Delaware Democrat who chairs the Senate subcommittee with oversight over the National Archives and cybersecurity, issued a statement Thursday saying he's deeply concerned by the GAO report.
"The fact that the National Archives' latest initiative, preserving records electronically, has faced serious challenges and been questioned by many experts as to whether or not it will be effective," Carper said. "Like all federal agencies, the National Archives must maintain vigorous oversight over the billions of dollars they spend on IT investments to ensure that they are spent effectively. Finally, the Government Accountability Office's report noting cracks in the National Archives' computer firewall highlights persistent weaknesses in our national cybersecurity system. This latest report reminds us that our national security and our national heritage are both threatened by a cyber attack due to faulty network protection."
GAO, the investigative arm of Congress, pointed out that the National Archives has developed a policy for granting or denying access rights to its resources, employed mechanisms to prevent and respond to security breaches and made use of encryption technologies to protect sensitive data, yet significant weaknesses pervade its systems. GAO reported that NARA didn't fully implement access controls aimed to prevent, limit and detect unauthorized access to computing resources, programs, information and facilities.
Specifically, GAO said, the agency did not always:
- Protect the boundaries of its networks by, for example, ensuring that all incoming traffic was inspected by a firewall;
- Enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex passwords;
- Limit users' access to systems to what was required for them to perform their official duties;
- Ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by potentially malicious individuals;
- Keep logs of network activity or monitor all parts of its networks for possible security incidents; and
- Implement physical controls on access to its systems and information, such as securing perimeter and exterior doors and controlling visitor access to computing facilities.
In addition to weaknesses in access controls, GAO said NARA had mixed results in implementing other security controls. For example, NARA didn't always ensure that equipment used for sanitization and disposal of media was tested to verify correct performance. It also didn't conduct appropriate background investigations for employees and contractors to ensure that clearance requirements had been met before permitting access to information and information systems. GAO also found that NARA didn't consistently segregate duties among personnel to ensure that no one person or group can independently control all key aspects of a process or operation.
The identified weaknesses can be attributed to NARA not fully implementing key elements of its information security program. "Collectively, these weaknesses could place sensitive information, such as records containing personally identifiable information, at increased and unnecessary risk of unauthorized access, disclosure, modification or loss," wrote GAO Information Security Issues Director Gregory C. Wilshusen and Chief Technologist Nabajyoti Barkakati.
GAO offered 11 recommendations to the archivist of the United States to implement elements of NARA's information security program. Archivist David Ferriero generally agreed with the GAO audit, but took exception to GAO's contentions that the archives' risk assessments in its system inventory were incorrectly applied, that its policies weren't always consistent with guidance from the National Institute of Standards and Technology, and that the "owner role" must be identified in each system security plan. "In each case," Ferriero wrote, "we believe that we have demonstrated good faith efforts to keep these current and acknowledge that sometimes things get missed."
GAO stood by its critiques.