Information Management
Planning for the Electronic Records Archives Has Improved
Gao ID: GAO-04-927 September 23, 2004
Since 2001, the National Archives and Records Administration (NARA) has been working to develop the policies and plans to build the Electronic Records Archives (ERA), a major information system that is intended to preserve and provide access to massive volumes of all types and formats of electronic records. Senate Report 108-146 directed GAO to provide a progress report on NARA's development of the ERA system. Specifically, GAO's objective was to determine the agency's progress in implementing recommendations from previous assessments.
NARA has made progress towards addressing GAO's prior recommendations: four of the eight recommendations have been fully addressed, and NARA is making progress in addressing the three recommendations on staffing, enterprise architecture, and information security. NARA is making less progress in addressing the recommendation to revise acquisition policies and plans to meet relevant industry standards. None of the eight key acquisition policies and plans fully complies with the standards selected by the agency. A contributing cause has been that although contractor staff assessed these policies and plans against standards, NARA had not established a process to ensure that the identified weaknesses were addressed and incorporated into subsequent versions. Making program policies and plans compliant before contract award is important to ensure that the agency has the information it needs to manage the acquisition and that the contractors have sufficient information on which to base the design of the system.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-04-927, Information Management: Planning for the Electronic Records Archives Has Improved
This is the accessible text file for GAO report number GAO-04-927
entitled 'Information Management: Planning for the Electronic Records
Archives Has Improved' which was released on September 23, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
September 2004:
RECORDS MANAGEMENT:
Planning for the Electronic Records Archives Has Improved:
GAO-04-927:
GAO Highlights:
Highlights of GAO-04-927, a report to congressional committees:
Why GAO Did This Study:
Since 2001, the National Archives and Records Administration (NARA) has
been working to develop the policies and plans to build the Electronic
Records Archives (ERA), a major information system that is intended to
preserve and provide access to massive volumes of all types and formats
of electronic records. Senate Report 108-146 directed GAO to provide a
progress report on NARA‘s development of the ERA system. Specifically,
GAO‘s objective was to determine the agency‘s progress in implementing
recommendations from previous assessments.
What GAO Found:
NARA has made progress towards addressing GAO‘s prior recommendations:
four of the eight recommendations have been fully addressed, and NARA
is making progress in addressing the three recommendations on staffing,
enterprise architecture, and information security (see table).
NARA is making less progress in addressing the recommendation to revise
acquisition policies and plans to meet relevant industry standards.
None of the eight key acquisition policies and plans fully complies
with the standards selected by the agency. A contributing cause has
been that although contractor staff assessed these policies and plans
against standards, NARA had not established a process to ensure that
the identified weaknesses were addressed and incorporated into
subsequent versions. Making program policies and plans compliant before
contract award is important to ensure that the agency has the
information it needs to manage the acquisition and that the contractors
have sufficient information on which to base the design of the system.
[See PDF for image]
Source: GAO, based on NARA data.
[End of figure]
What GAO Recommends:
To reduce the risks associated with NARA‘s efforts to acquire ERA, GAO
recommends that the Archivist direct the ERA Program Director to design
and implement a process to ensure that recommendations from contractor
reviews are addressed and incorporated into program policies and plans.
In commenting on a draft of this report, the Archivist of the United
States generally agreed with the overall findings and recommendation,
and provided an update on NARA‘s actions to implement the
recommendations in this and prior GAO reports.
www.gao.gov/cgi-bin/getrpt?GAO-04-927.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda D. Koontz at (202)
512-6240 or Koontzl@gao.gov.
Contents:
Letter:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Briefing Slides:
Appendix II: Comments from the National Archives and Records
Administration:
Abbreviations:
ASC: American Systems Corporation:
ERA: Electronic Records Archives:
ICE: Integrated Computer Engineering, Inc.:
IT: information technology:
NARA: National Archives and Records Administration:
Letter September 23, 2004:
The Honorable Richard C. Shelby:
Chairman:
The Honorable Patty Murray:
Ranking Minority Member:
Subcommittee on Transportation, Treasury and General Government:
Committee on Appropriations United States Senate:
The Honorable Ernest J. Istook, Jr.:
Chairman:
The Honorable John W. Olver:
Ranking Minority Member:
Subcommittee on Transportation, Treasury and Independent Agencies:
Committee on Appropriations:
House of Representatives:
The National Archives and Records Administration (NARA) is responsible
for the oversight of government records management and archiving, which
increasingly involves dealing with documents that are created and
stored electronically. Since 2001, the agency has been working to
develop the Electronic Records Archives (ERA) system. This major
information system is intended to preserve and provide access to
massive volumes of all types and formats of electronic records. NARA
plans to develop the system in five increments, with the first
increment expected to be completed in 2007 and the fifth in 2011.
We have issued two prior reports[Footnote 1] assessing NARA's
acquisition of the ERA system. Our assessments identified several
weaknesses in the acquisition process and made eight recommendations to
the agency that, if addressed, would reduce the risks in acquiring the
ERA system. These recommendations were to:
1. develop a schedule that is based on a comprehensive work breakdown
structure (including associated costs and other resources),
2. establish schedule dependencies among successor and predecessor
tasks,
3. use earned value management to capture and monitor progress for the
entire acquisition,
4. revise acquisition policies and plans to conform to Institute of
Electrical and Electronics Engineers, Inc. standards,
5. fill vacant key program positions,
6. develop an enterprise architecture,
7. improve information security, and:
8. implement an IT investment management process.
Senate Report 108-146 directed GAO to provide a progress report on
NARA's development of the ERA system. Our objective was to determine
the agency's progress in implementing our prior recommendations. To
achieve this objective, we assessed and reviewed related plans and
schedules to determine the level of progress since our last report and
we interviewed key NARA officials and contractor staff. We selected
eight key policies and plans for review; we assessed seven of these in
our 2003 review. We added an eighth--the Program Management Plan--that
had been completed since the 2003 review. We reviewed NARA's progress
in filling all government and contractor positions and conducted
interviews of senior NARA officials to determine the status of the
agency's efforts to establish a capability in IT investment management,
develop an enterprise architecture, and strengthen the agency's
information security program. We also reviewed the contractor's
verification and validation reports associated with the eight policies
and plans. We performed our work from February 2004 to May 2004 at
NARA's College Park, Maryland, location in accordance with generally
accepted government auditing standards.
In June 2004 we provided your staff with a briefing on the results of
our study, which included procurement-sensitive information. The slides
from that briefing--with procurement-sensitive information removed--
are included as appendix I. The purpose of this report is to provide
the published briefing slides to you and to officially transmit our
recommendation to the Archivist of the United States.
In summary, our briefing made the following points:
NARA has made progress toward addressing our prior recommendations;
four of the eight recommendations have been fully addressed.
Specifically, the ERA schedule is now based on a comprehensive work
breakdown structure, dependencies have been established among
predecessor and successor tasks, earned value management is being used
to capture and monitor progress for the entire acquisition, and an IT
investment management process has been implemented. In addition, NARA
is making progress in addressing the three recommendations on staffing,
enterprise architecture, and information security.
NARA is making less progress in addressing the recommendation to revise
acquisition policies and plans to meet relevant industry standards.
Such policies and plans are essential for managing the acquisition and
providing critical guidance to the contractors who will be designing
the system. However, none of the eight key acquisition policies and
plans fully complies with the standards. A contributing cause has been
that, although contractor staff performed verification and validation
reviews to assess these polices and plans against standards, NARA had
not established a process to ensure that the weaknesses identified in
these reviews were addressed and incorporated into the subsequent
versions. Making acquisition policies and plans compliant before
contract award is important to ensure that the agency has the
information it needs to manage the acquisition and the contractors have
adequate information on which to base the design of the system.
Recommendation for Executive Action:
To reduce the risks associated with NARA's efforts to acquire ERA, we
recommend that the Archivist direct the ERA program director to design
and implement a process to ensure that recommendations in verification
and validation reviews are addressed and incorporated into acquisition
policies and plans.
Agency Comments and Our Evaluation:
In providing written comments on a draft of this report (reprinted in
app. II), the Archivist of the United States stated that NARA was
pleased to note our recognition of the progress that it has made and
that actions were well under way to address all outstanding
recommendations. The Archivist also provided an update on the status of
the four recommendations in the report that had not been fully
addressed. In response to a technical comment concerning the status of
the requirements document, we have amended the briefing slides to
clarify that this document contains a complete set of high level system
requirements.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Subcommittee on Transportation, Treasury and
General Government, Senate Appropriations Committee, and the
Subcommittee on Transportation, Treasury and Independent Agencies,
House Appropriations Committee. We are also sending copies to the
Archivist of the United States. We will make copies available to others
on request. In addition, the report will be available at no charge on
the GAO Web site at [Hyperlink, http://www.gao.gov/.].
If you or your staff have any questions concerning this report, please
call me at 202-512-6240 or Mirko Dolak, Assistant Director, at (202)
512-6362. We can also be reached by e-mail at [Hyperlink,
koontzl@gao.gov] and [Hyperlink, dolakm@gao.gov], respectively. Key
contributors to this report were Timothy Case, Nancy Glover, and Kush
Malhotra.
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendixes:
[End of section]
Appendix I: Briefing Slides:
[See PDF for image]
[End of figure]
[End of section]
Appendix II: Comments from the National Archives and Records
Administration:
National Archives at college Park:
8601 Adelphi Road:
College Park, Maryland 20740-6001:
AUG 3 2004:
General Accounting Office:
Managing Director of Information Technology Team:
Mr. Joel C. Willemssen:
441 G Street, NW #4T31:
Washington, DC 20548:
Dear Mr. Willemssen:
We thank you for the opportunity to review and comment on the draft
report entitled Information Management: Planning for the Electronic
Records Archives Has Improved (GAO-04-927) before it is issued in final
form. We are pleased to note the recognition of the progress made
towards implementing the recommendations provided in GAO's report of
August 2003, Records Management: National Archives and Records
Administration's Acquisition of Major System Faces Risks (GAO-03-880).
Most of the steps NARA has taken to implement GAO's recommendations are
acknowledged in the report. However, some of our efforts were just
getting started at the time of the GAO review and therefore are not
reflected in the report. We would like to take this opportunity to
update you on the status of the four recommendations in the report with
a partially addressed or not addressed status. As you will see, we are
well underway to implementing all the recommendations in the report.
Following are our comments.
Enterprise Architecture: Although the specifications for NARA's target
architecture are not fully complete in the version 2.0 release
(September 2003), the framework for the target Enterprise Architecture
(EA) is in place for each major view of the EA to include Business,
Data, Applications, Systems, Operations, and Security. Significant
progress will be reflected in the 3.0 release of the EA which will be
completed on September 2, 2004. Specifically, the following areas are
being improved:
* The Business Architecture will provide "to be" business process
specifications for several of NARA's key business areas within the
Records Lifecycle Management function. Additionally, an updated
transition plan based on the gap analysis of the baseline and the
target architectures will be provided.
* The Enterprise Conceptual Data Model (CDM) will incorporate the ERA
domain model.
* The agency's security architecture and IT security program will be
aligned with FISMA and NIST guidance for IT security.
National Archives and Records Administration:
We would like to clarify that the ERA system design must conform to the
Enterprise Target Architecture and not the other way around. The
functional specifications for NARA's target systems, data, and
applications will be improved as the agency's business architecture
continues to develop.
Information Security: Eight of the nine weaknesses identified through
our contractor's compliance testing have been corrected. Enclosure (1)
outlines a description of the weaknesses and the corrective actions
taken. Creation of a control log to illustrate what ports are closed,
filtered, or open on each subnet is the only weakness that has not been
addressed. This log will be implemented by August 31, 2004.
In response to the issue regarding central control of classified
systems, it is important to note that the current classified systems
are physically secure, are not attached to a network, and have security
plans in place. We are taking the following steps to improve the
security posture of the classified systems:
* Revising NARA 101, NARA Organization and Delegation of Authority.
Responsibilities for NA and NH will be re-defined to ensure that NARA
classified computer systems are centrally managed by technically
qualified personnel by October 1, 2004.
* Developing and implementing information systems security education,
training, and awareness programs relating to national security systems
for NARA information security personnel by September 30, 2004. NARA
will provide additional training as needed for agency-wide security
information system security professionals, system administrators,
information systems security officers, and system certifiers, to ensure
their knowledge of communications security and computer security is up-
to-date.
* Updating the NARA Information Security Manual (INFO. SECURITY 202)
with NAS support to provide technical guidance for securing automated
classified information systems, including both classified systems
applications and their support networks by December 31, 2004.
* Revising NARA 804, Information Technology (IT) Systems Security to
include NARA classified IT systems. A draft will be prepared by August
31, 2004; the final to be issued by December 31, 2004.
* Completing an up-to-date inventory of all existing NARA classified
systems by October 1, 2004.
* Completing an initial Certification and Accreditation (C&A) for each
NARA classified system including a risk assessment, systems security
plan, security controls testing and vulnerability analysis, and
contingency by October 1, 2004.
Acquisition Program Policies and Plans: Although the scheduled date for
contract award was May 28, 2004, actions to mitigate risks related to
potential protests resulted in schedule changes during the acquisition
process. The Source Selection Team has taken a conservative approach to
the Source Selection activities to minimize any risks of protests. This
approach resulted in a longer timetable for Source Selection
activities. Currently, a decision was made by July 30, 2004 and the
contract will be awarded on August 3, 2004.
Five of the documents identified were updated and have undergone
Verification and Validation (V&V) to ensure IEEE compliance prior to
contract award. Enclosure (2) includes copies of the updated documents
and their respective V&V reports.
As indicated in previous correspondence, the Requirements Document will
not be updated. Reallocation of resources to finalize the ERA contract
source selection activities impeded completion of the update to the
Risk Management Plan and the Life Cycle Document. These two documents
are undergoing final editorial review and will be delivered for
government review by August 6, 2004.
More importantly, a temporary process was put in place that
incorporated verification and validation activities through out the
entire document development process. Enclosure (3) describes the
temporary process. The process will become permanent when we finalize
the Standard Operating Procedures (SOPS) document currently under
development.
ERA Staff. We have hired the replacement for the quality assurance
position. The security position remains unfilled. We have advertised
the position through regular government channels and in the Washington
Post. Hundreds of applications have been reviewed but no qualified
candidates have surfaced. As we continue to search for an ERA Security
Specialist we have the support of the National Security Agency (NSA)
and a staff member from NARA's Office of Human Resources and
Information Services.
Finally, we would like to clarify a point from the report. The ERA
Requirements Document section implies that the Requirements Document is
not complete. The final ERA Requirements Document released with the ERA
Request for Proposal (RFP) on December 5, 2003, outlines a complete set
of high level system requirements. These high level requirements will
be used by the ERA development contractor to generate a detailed System
Requirements Specification that will be delivered to the government six
months after contract award.
Again, we thank you for this opportunity and look forward to our future
interactions as we continue the ERA acquisition process.
Sincerely,
Signed by:
JOHN W. CARLIN:
Archivist of the United States:
Enclosures:
[End of section]
(310719):
FOOTNOTES
[1] GAO, Information Management: Challenges in Managing and Preserving
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and
Records Management, National Archives and Records Administration's
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.:
Aug. 22, 2003).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: