Information Management
Acquisition of the Electronics Records Archives Is Progressing Gao ID: GAO-05-802 July 15, 2005Since 2001, the National Archives and Records Administration (NARA) has been working to acquire the Electronic Records Archives (ERA) system. In August 2004, NARA awarded two contracts to design the ERA system. The agency plans to select one of the resulting designs for the development of the system in August 2005. Conference Report 108-792 directed GAO to report on ERA's costs, schedule, and performance. Our objectives were to determine (1) the extent to which NARA has achieved the ERA program's cost, schedule, and performance objectives and the extent to which the agency has identified risks to future objectives; and (2) the status of NARA's efforts to address prior GAO recommendations on the acquisition.
The ERA program is meeting its cost, schedule, and performance objectives and has identified risks to the program's objectives. For example, the program has achieved all major milestones to date on or ahead of schedule, accepted three major contractor deliverables that met the program's performance standards, and identified risks to the program including the lack of an integrated schedule that encompasses agency projects related to ERA. NARA continues to make progress in addressing recommendations from prior GAO reports: the agency has implemented one recommendation by hiring two key ERA personnel and has partially implemented the other recommendations. For example, NARA has addressed one of the two security weaknesses by bringing classified systems under the central control and protection of the chief information officer, and it has completed corrective action on five of nine security weaknesses in systems operating on its network. However, the Office of the Inspector General has identified additional security weaknesses, including the lack of a formal, documented, and tested agency disaster recovery plan; and inadequate physical and logical security in areas such as password and systems configuration management. Until NARA fully addresses all prior recommendations, risks remain to the successful implementation of the system.
GAO-05-802, Information Management: Acquisition of the Electronics Records Archives Is Progressing
This is the accessible text file for GAO report number GAO-05-802
entitled 'Information Management: Acquisition of the Electronic Records
Archives Is Progressing' which was released on July 15, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
July 2005:
Information Management:
Acquisition of the Electronic Records Archives Is Progressing:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-802]:
GAO Highlights:
Highlights of GAO-05-802, a report to congressional committees:
Why GAO Did This Study:
Since 2001, the National Archives and Records Administration (NARA) has
been working to acquire the Electronic Records Archives (ERA) system.
In August 2004, NARA awarded two contracts to design the ERA system.
The agency plans to select one of the resulting designs for the
development of the system in August 2005.
Conference Report 108-792 directed GAO to report on ERA‘s costs,
schedule, and performance. Our objectives were to determine
* the extent to which NARA has achieved the ERA program‘s cost,
schedule, and performance objectives and the extent to which the agency
has identified risks to future objectives and
* the status of NARA‘s efforts to address prior GAO recommendations on
the acquisition.
GAO is not making any recommendations at this time because NARA has
plans in place to address identified weaknesses.
What GAO Found:
The ERA program is meeting its cost, schedule, and performance
objectives and has identified risks to the program‘s objectives. For
example, the program has
* achieved all major milestones to date on or ahead of schedule,
* accepted three major contractor deliverables that met the program‘s
performance standards, and
* identified risks to the program including the lack of an integrated
schedule that encompasses agency projects related to ERA.
NARA continues to make progress in addressing recommendations from
prior GAO reports: the agency has implemented one recommendation by
hiring two key ERA personnel and has partially implemented the other
recommendations (see table). For example, NARA has addressed one of the
two security weaknesses by bringing classified systems under the
central control and protection of the chief information officer, and it
has completed corrective action on five of nine security weaknesses in
systems operating on its network. However, the Office of the Inspector
General has identified additional security weaknesses, including
* the lack of a formal, documented, and tested agency disaster recovery
plan and
* inadequate physical and logical security in areas such as password
and systems configuration management.
Until NARA fully addresses all prior recommendations, risks remain to
the successful implementation of the system.
Summary Status of NARA‘s Progress in Addressing GAO Recommendations:
[See PDF for image]
[End of table]
www.gao.gov/cgi-bin/getrpt?GAO-05-802.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda D. Koontz at (202)
512-6240 or koontzl@gao.gov.
[End of section]
Contents:
Letter:
Appendixes:
Appendix I: Briefing Slides:
Appendix II: Comments from the National Archives:
Appendix III: GAO Contact and Staff Acknowledgments:
Abbreviations:
ASC: American Systems Corporation:
ERA: Electronic Records Archives:
ICE: Integrated Computer Engineering, Inc.
IEEE: Institute of Electrical and Electronics Engineers, Inc.
NARA: National Archives and Records Administration:
Letter July 15, 2005:
The Honorable Christopher S. Bond:
Chairman:
The Honorable Patty Murray:
Ranking Minority Member:
Subcommittee on Transportation, Treasury, the Judiciary, Housing and
Urban Development, and Related Agencies:
Committee on Appropriations:
United States Senate:
The Honorable Joe Knollenberg:
Chairman:
The Honorable John W. Olver:
Ranking Minority Member:
Subcommittee on the Departments of Transportation, Treasury, and
Housing and Urban Development, the Judiciary, and District of Columbia,
and Independent Agencies:
Committee on Appropriations:
House of Representatives:
The National Archives and Records Administration (NARA) is responsible
for the oversight of government records management and archiving, which
increasingly involves dealing with documents that are created and
stored electronically. Since 2001, the agency has been working to
acquire the Electronic Records Archives (ERA) system. NARA selected the
standards of the Institute of Electrical and Electronics Engineers,
Inc. (IEEE) to guide the overall acquisition of the system.
In December 2003, the agency released a request for proposals for the
design of ERA, and in August 2004, NARA awarded two firm fixed-price
contracts[Footnote 1] for the design phase that totaled about $20
million--one to Harris Corporation and the other to Lockheed Martin
Corporation. The agency plans to select a winning design from Harris
and Lockheed Martin submissions by August 2005.
We previously issued three reports assessing NARA's efforts to
establish the capabilities to acquire major information systems and the
ERA system acquisition.[Footnote 2] In these reports, we made nine
recommendations. We previously reported that NARA had implemented four,
and these five remained to be addressed:
* fill vacant key positions,
* develop an enterprise architecture,[Footnote 3]
* improve information security,
* design and implement a process to ensure that recommendations from
verification and validation reviews[Footnote 4] are addressed and
incorporated into acquisition policies and plans, and:
* revise policies and plans to conform to IEEE standards.
Conference Report 108-792 directed GAO to report on ERA's program
costs, schedule, and performance by May 25, 2005. Our objectives were
to determine (1) the extent to which NARA has achieved the ERA
program's cost, schedule, and performance objectives and the extent to
which the agency has identified risks to future objectives and (2) the
status of NARA's efforts to address prior GAO recommendations on the
acquisition. We performed our work from January 2005 to May 2005 at
NARA's College Park, Maryland, location in accordance with generally
accepted government auditing standards. Details of our methodology are
in appendix I.
In May 2005 we provided your staff with a briefing on the results of
our study, which are included as appendix I. The purpose of this report
is to officially transmit the published briefing slides to you.
In summary, our briefing made the following points:
* ERA is meeting its cost, schedule, and performance objectives and has
identified risks to the program's objectives.
* NARA's cost objectives associated with the Lockheed Martin and Harris
design contracts are for $9.5 million and $10.6 million, respectively.
The program is meeting these cost objectives; the contracts for this
phase are firm fixed-price and cost variations are expected to be at
the contractors' expense.
* The program has also achieved all major milestones on or ahead of
schedule and the three major deliverables that NARA has received from
the contractors--the systems requirements specifications from Lockheed
Martin and system architecture and design documents from both Lockheed
Martin and Harris--were reviewed by NARA and, according to the agency,
met the program's performance standards and were accepted.
* ERA has identified four risks to the acquisition: (1) lack of an
integrated schedule that encompasses agency projects related to ERA;
(2) the level of preservation and access required for current and
future electronic records has not yet been determined; (3) NARA may
build to the wrong specifications in terms of size and scalability if
the agency is unable to forecast the expected volume of records to be
processed by the system with any reliability; and (4) NARA will lose
more than $20 million in single year funds if it does not award the
development contract by September 30, 2005.
NARA continues to make progress in addressing our prior
recommendations.
* The agency has fully implemented our recommendation to hire two key
personnel--the quality assurance specialist and security officer--
which should strengthen the program's capability to manage the
acquisition.
* The agency has partially implemented four other recommendations that
are essential for the successful management of the acquisition. It has
(1) improved the baseline architecture, but has not completed, the
target architecture; (2) improved information security, but has not
addressed, all weaknesses; (3) designed, but has not finalized, the
document review process; and (4) significantly revised the program's
policies and plans, but has not made them fully compliant with IEEE
standards. Until NARA fully addresses all prior recommendations, risks
remain to the successful implementation of the system. Because the
agency recognizes these weaknesses and has plans in place to address
them, we are not making further recommendations at this time. However,
it will be important for NARA to continue its efforts to resolve these
weaknesses in a timely manner.
The Archivist stated that the written comments on our briefing
submitted on May 20, 2005, represent NARA's response to the draft
report. In those comments, he indicated appreciation for the insight
provided into the progress remaining to be made toward addressing our
recommendations. In addition, he stated that NARA will complete the
recommendations identified in our report as "partially implemented."
The Archivist's written comments on the briefing are reproduced in
appendix II.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Subcommittee on Transportation, Treasury, the
Judiciary, Housing and Urban Development, and Related Agencies, Senate
Appropriations Committee, and the Subcommittee on the Departments of
Transportation, Treasury, and Housing and Urban Development, the
Judiciary, and District of Columbia, and Independent Agencies, House
Appropriations Committee. We are also sending copies to the Archivist
of the United States. We will make copies available to others on
request. In addition, the report will be available at no charge on the
GAO Web site at [Hyperlink, http://www.gao.gov].
If you or your staff have any questions concerning this report, please
call me at 202-512-6240; I can also be reached by e-mail at [Hyperlink,
koontzl@gao.gov]. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are
listed in appendix III.
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendixes:
Appendix I: Briefing Slides:
The National Archives and Records Administration's Acquisition of the
Electronic Records Archives Is Progressing:
Briefing for Staff Members of the Subcommittee on Transportation,
Treasury, the Judiciary, Housing and Urban Development, and Related
Agencies:
Committee on Appropriations:
United States Senate:
and the Subcommittee on the Departments of Transportation, Treasury,
and Housing and Urban Development, the Judiciary, and District of
Columbia, and Independent Agencies:
Committee on Appropriations:
House of Representatives:
May 25, 2005:
Introduction:
Objectives, Scope, and Methodology:
Results in Brief:
Background:
Review of Cost, Schedule, Performance, and Risks:
Implementation Status of GAO Recommendations:
* Staffing:
* Enterprise Architecture:
* Information Security:
* Document Review Process:
* Acquisition Policies and Plans:
Summary:
Agency Comments and Our Evaluation:
Appendix:
Introduction:
The National Archives and Records Administration (NARA) is responsible
for oversight of records management and archiving, which increasingly
involves dealing with documents that are electronically created and
stored. Accordingly, the Archivist established the Electronic Records
Archives (ERA) program to acquire a major information system to address
critical issues in receiving, preserving, and accessing electronic
records.
In 2001, the agency hired a contactor to develop policies and plans to
support and guide the acquisition of the ERA system. NARA selected the
standards of the Institute of Electrical and Electronics Engineers,
Inc. (IEEE) to guide the overall acquisition of the system.
In December 2003, the agency released a request for proposals for the
design of ERA, and in August 2004, NARA awarded two firm fixed-price
contracts [NOTE 1] for the design phase totaling about $20 million; one
to Harris Corporation and the other to Lockheed Martin Corporation. The
agency plans to select a winning design from Harris and Lockheed Martin
submissions by August 2005.
We have issued three reports assessing NARA's efforts to establish the
capabilities to acquire major information systems and the ERA system
acquisition. [NOTE 2] In these reports, we made nine recommendations.
We previously reported that NARA had implemented four, and these five
remained to be addressed:
* fill vacant key positions,
* develop an enterprise architecture, [NOTE 3]
* improve information security,
* design and implement a process to ensure that recommendations from
verification and validation reviews [NOTE 4] are addressed and
incorporated into acquisition policies and plans, and:
* revise policies and plans to conform to IEEE standards.
Objectives, Scope, and Methodology:
Conference Report 108-792 directed GAO to report on ERA's program
costs, schedule, and performance by May 25, 2005. As agreed with staff
of the Subcommittee on Transportation, Treasury, the Judiciary, Housing
and Urban Development, and Related Agencies, Senate Committee on
Appropriations, and the Subcommittee on the Departments of
Transportation, Treasury, and Housing and Urban Development, the
Judiciary, and District of Columbia, and Independent Agencies, House
Appropriations Committee, our objectives were to determine:
* the extent to which NARA has achieved the ERA program's cost,
schedule, and performance objectives and the extent to which NARA has
identified risks to future objectives and:
* the status of NARA's efforts to address prior GAO recommendations on
the ERA acquisition.
Scope and methodology:
To accomplish our objectives, we:
* reviewed reports on the cost status of the two design contractors to
determine to what extent ERA was achieving its cost goals,
* reviewed and assessed the project schedule to determine to what
extent the program was meeting its schedule goals,
* reviewed the program's plans and other documentation such as quality
assurance checklists to determine what process exists for assessing the
performance and quality of the design contractors' deliverables,
* reviewed assessments of the program's risk management processes and
practices, plans of action and milestones, and interviewed ERA and NARA
officials responsible for risk management to determine the status of
risk management,
* interviewed the senior managers responsible for hiring ERA staff and
reviewed the staffing plan to determine if efforts to hire key
government positions were complete,
* obtained and evaluated the agency's enterprise architecture plans and
products, an information security assessment and plan, and conducted
interviews of senior NARA officials to determine the status of the
agency's efforts to develop an enterprise architecture and strengthen
the agency's information security program,
* reviewed seven key policies and plans, the contractor's verification
and validation reports associated with the documents, and interviewed
ERA officials to determine what progress the program had made in
addressing our recommendation that policies and plans conform to
industry standards,
* assessed the program's process for reviewing and finalizing policies
and plans and interviewed ERA officials responsible for the review
process to determine the extent to which the review process was
developed and implemented, and:
* performed our work from January 2005 to May 2005 at NARA's College
Park, Maryland location in accordance with generally accepted
government auditing standards.
Results in Brief:
Cost, Schedule, and Performance and Risks:
The program is currently achieving its cost, schedule, and performance
objectives, and it recently provided us with a list of risks to these
objectives.
* ERA is meeting its cost objectives; the contracts for this phase are
firm fixed-price and cost variations are expected to be at the
contractors' expense.
* The design contractors have completed the initial major milestones
for the design phase on or ahead of schedule and, to date NARA has
reviewed three major deliverables: the system requirements
specifications from Lockheed Martin and system architecture and design
documents from both Lockheed Martin and Harris.
* According to NARA, these met the program's performance standards and
were accepted.
* ERA has identified risks to the program's cost and schedule
objectives. For example, NARA identified the lack of an integrated
schedule that encompasses agency projects related to ERA to be a risk
to the program.
Results in Brief:
Status of Recommendations:
NARA has made progress towards implementing our prior recommendations
(table 1).
Table 1: Summary Status of NARA's Progress in Implementing GAO
Recommendations:
[See PDF for image]
[End of table]
The Archivist of the United States provided written comments on a draft
of these briefing slides and planned to implement our prior
recommendations. We have reproduced the written comments in the
appendix.
Background:
Acquisition Strategy:
NARA envisions ERA to be a major information system with the ability to
authentically preserve and provide access to massive volumes of all
types and formats of electronic records that are free from dependency
on any specific type of hardware or software. The agency is seeking a
system that balances the use of commercial off-the-shelf with new
software development. However, as agency officials have indicated,
there is no single commercial solution available today that meets the
full end-to-end requirements for ERA. As a result, NARA decided to
develop an advanced architecture for the conversion and preservation of
electronic records.
To guide the acquisition of the system, NARA has adopted IEEE standards
for the software life cycle processes. [NOTE 5] The standards establish
a common framework for the acquisition of software products and
services and define processes and activities that are to be tailored
and applied during the acquisition, supply, development, and operation
and maintenance of a system.
Through fiscal year 2004, the ERA program had completed three major
acquisition milestones:
* defining the concept on January 3, 2003,
* releasing a request for proposal and completing high-level system
requirements on December 5, 2003, and:
* awarding design contracts on August 4, 2004.
The program entered the systems analysis and design phase at the end of
fiscal year 2004. This phase is expected to conclude in fiscal year
2005 with the selection of one of the two design contractors to develop
the system. The developer is to begin building the system in the first
of five increments at the end of fiscal year 2005. The first increment
is planned for completion in 2007 (figure 1) and the expected
completion date of the system is 2011.
Figure 1: ERA Acquisition Schedule:
[See PDF for image]
Source: GAO analysis of agency data.
[End of figure]
Background:
Program Management:
The ERA Program Management Office is responsible for the development of
policies and plans for the ERA acquisition.
* In 2001, NARA hired a contractor, Integrated Computer Engineering
(ICE), Inc., [NOTE 6] to assist in developing the capability to design,
acquire, and manage the ERA system.
* ICE is responsible for developing policies and plans and for
validating and verifying that they conform to IEEE standards for
content and structure. ICE has also performed independent verification
and validation of products delivered by the design contractors for
conformance to applicable industry standards.
* In fiscal year 2005, the agency also intends to hire an independent
verification and validation contractor to assess ERA policies and plans
and work performed by the development contractor.
Review of Cost, Schedule, and Performance and Risks:
Costs:
NARA's cost objectives associated with the Lockheed Martin and Harris
design contracts are for $9.5 million and $10.6 million, respectively.
ERA is meeting these cost objectives; the contracts for this phase are
firm fixed-priced and cost variations are expected to be at the
contractors' expense.
Review of Cost, Schedule, and Performance and Risks:
ERA Program Schedule and Performance Objectives:
ERA has defined six major milestones that are planned for completion in
fiscal year 2005 (table 1).
Table 1: ERA System Acquisition Schedule: Design Phase:
[See PDF for image]
[Footnote 7 contained within table information]
Source: NARA.
[End of figure]
ERA has completed all major milestones on or ahead of schedule.
To date, NARA has received three major deliverables: the system
requirements specifications from Lockheed Martin, and system
architecture and design documents from both Lockheed Martin and Harris.
NARA assessed these deliverables using IEEE and other industry
standards, quality assurance checklists, and reviews by subject matter
experts.
NARA has completed its review of these deliverables. According to the
agency, these deliverables met the program's performance standards and
were accepted.
Review of Cost, Schedule, and Performance and Risks:
Risks:
Risk management is a process to identify potential problems and adjust
the acquisition to mitigate problems and decrease the chance of their
occurring. It is a critical tool for continuously determining the
feasibility of project plans, for improving the search for and
identification of potential problems that can affect project activities
and the quality and performance of products, and for improving the
active management of software projects. [NOTE 8]
ERA has identified these risks to the acquisition:
* Schedule-NARA lacks an integrated schedule that encompasses agency
projects related to ERA.
* Preservation-NARA has not yet determined the level of preservation
and access [NOTE 9] required for its current and future electronic
records.
* Volume-If NARA is unable to forecast the expected volume of records
to be processed by the system, with any reliability, it may build to
the wrong specifications in terms of size and scalability.
* Funds-If NARA does not award the development contract by September
30, 2005, it will lose more than $20 million in single year funds.
According to NARA, this could have cascading effects that could result
in program termination.
By identifying project risks, NARA should be able to better achieve its
cost, schedule, and performance goals.
Implementation Status of GAO Recommendations:
ERA Staffing:
We reported in our September 2004 report that, while NARA had made
progress in staffing ERA, two of the key government positions remained
vacant-quality assurance specialist and the security officer. We noted
that, until the agency filled these key positions, the program might
not have the resources necessary to manage the acquisition.
NARA has filled the two vacant key government positions. The quality
assurance specialist was hired in July 2004 and the security officer in
May 2005.
These positions are important to the quality and completeness of
program processes and practices. By hiring key staff, the program has
improved its capability for managing the acquisition.
Implementation Status of GAO Recommendations:
Enterprise Architecture:
We previously reported that, while NARA has taken action to develop an
enterprise architecture, its efforts were incomplete. We recommended
that the agency strengthen its IT management capabilities by developing
an enterprise architecture.
Although not fully complete, NARA has made progress in addressing our
recommendation.
An enterprise architecture provides a description-in useful models,
diagrams, and narrative-of the mode of operation for an agency. It
describes the agency in logical terms, such as interrelated business
locations and users, and in IT operational terms, such as hardware,
software, data, communications, and information security attributes and
standards. It provides these perspectives both for the baseline and
target environments and a plan for transitioning from the baseline to
the target.
NARA has added sections on information security and IT operations to
its baseline enterprise architecture. However, the target architecture
is only a framework, and therefore, is incomplete. The agency plans to
complete high priority items, such as business process specifications,
by September 2005.
Until the target enterprise architecture is complete, NARA may have
difficulty ensuring that the ERA system is defined according to the
requirements of the target enterprise architecture.
Implementation Status of GAO Recommendations:
Information Security:
We previously reported that NARA had improved its information security,
having recognized that it had weaknesses, which included:
* classified systems were not centrally controlled and the agency did
not have the necessary assurance that these systems were adequately
protected and:
* systems compliance testing by a contractor revealed nine security
weaknesses in the systems operating on NARA's network, and the agency
did not develop plans of action to address those security weaknesses.
Federal legislation and guidance for information security require
organizations to, among other things, establish an information security
program that includes the following activities: develop information
security policy and procedures; develop system security plans for
networks, facilities, and systems or groups of information systems;
perform risk assessments; determine the sensitivity and criticality of
systems; and establish certification and accreditation programs for
information systems.
Since our report last year, NARA has fully addressed one of the
previously identified security weaknesses by bringing classified
systems under the central control and protection of the chief
information officer and has partially addressed the second by
developing plans of actions and milestones for the nine weaknesses and
completing corrective action on five of the nine. For example, in the
past year, the agency has implemented and improved its security
awareness program and reported that it had certified and accredited its
information systems according to government standards.
Implementation Status of GAO Recommendations:
Information Security:
However, the Office of Inspector General identified additional security
weakness, including:
* the lack of a formal, documented, and tested agency disaster recovery
plan and:
* inadequate physical and logical security in areas such as password
and systems configuration management.
The agency has developed plans of action and milestones to address
these weaknesses, which it expects to complete by September 2005. As a
result, NARA has considered information security to be a material
weakness since 2000. [NOTE 10]
Until information security is fully addressed, it remains a risk to
ERA's cost, schedule, and performance objectives.
Implementation Status of GAO Recommendations:
Document Review Process:
In our September 2004 report, we recommended that the Archivist direct
the ERA program director to design and implement a process to ensure
that recommendations from verification and validation reviews are
addressed and incorporated into acquisition policies and plans to
reduce the risk associated with efforts to acquire ERA.
NARA has made progress in addressing our recommendation by designing a
process to ensure that reviewers' recommendations are addressed in the
final version. However, this document review process has not been
finalized and implemented. Agency officials indicated that the
recommendation will be fully addressed by June 2005.
A process to ensure that verification and validation recommendations
from internal assessments are addressed and incorporated reduces the
risk that acquisition policies and plans do not meet industry
standards. Without the process, NARA cannot ensure that reviewers'
comments are integrated into final versions.
Until the agency fully designs and implements a process to ensure
recommendations are addressed and incorporated into the final versions
of documents, the program may not have accurate acquisition policies
and plans to guide the system development.
Implementation Status of GAO Recommendations:
Acquisition Policies and Plans:
We previously reported that ERA had developed key acquisition policies
and plans to guide its acquisition, but that the documents did not
conform to the IEEE standards selected by the agency. These policies
and plans are essential for managing the acquisition and providing
critical guidance to the contractor who will be developing the system.
As a result, we recommended that ERA revise these policies and plans to
conform to industry standards.
While the program has revised the seven policies and plans, none fully
complies with IEEE standards. These six were significantly improved:
* Acquisition Strategy,
* Concept of Operations,
* Life Cycle,
* Configuration Management Plan,
Risk Management Plan, and:
Program Management Plan.
According to program officials, these policies and plans will be
updated to conform to IEEE standards during the next phase of the
acquisition.
The remaining plan-the Quality Management Plan-while it has been
revised, has not undergone verification and validation. Officials
indicated that this plan will undergo verification and validation for
compliance to IEEE standards and will be revised in July 2005. [NOTE
11]
Until these policies and plans are revised to meet IEEE standards, the
program may not have the information needed to manage the acquisition
and the contractor may lack the information needed to develop the
system.
Summary:
ERA is meeting its cost, schedule, and performance objectives and has
identified risks to the program's objectives.
NARA continues to make progress in addressing our prior
recommendations. It has implemented one recommendation by hiring two
key ERA personnel, the quality management specialist and security
officer, which should strengthen the program's capability to manage the
acquisition.
NARA has partially implemented other recommendations that are essential
for the successful management of the acquisition. Specifically, ERA
has:
* improved baseline architecture but has not completed target
architecture,
* improved information security but it remains a material weakness
despite five years of effort by NARA to strengthen it,
* revised the policies and plans to more fully comply with IEEE
standards, and
* designed but has not finalized the document review process.
Because the agency recognizes these weaknesses and has plans in place
to address them, we are not making further recommendations at this
time. However, it will be important for NARA to continue its efforts to
resolve these weaknesses in a timely manner.
Agency Comments and Our Evaluation:
In written comments on a draft of our briefing slides, the Archivist of
the United States indicated appreciation for the insight we provided
into the progress remaining to be made toward addressing our
recommendations. The Archivist also provided an update on steps the
agency has taken and plans to take to address our recommendations,
including strengthening the enterprise architecture and information
security, and stated that NARA would complete all recommendations.
In regard to our discussion of the agency's Risk Management Plan, the
Archivist stated that the verification and validation assessment found
the plan to be of high quality and 86 percent compliant with standards.
We have revised our briefing slides to clarify our characterization of
the plan's status.
The Archivist also provided technical comments that were incorporated
into the briefing slides as appropriate.
The Archivist's written comments are reproduced in appendix II.
NOTES:
[1] According to the Federal Acquisition Regulation, a firm fixed-price
contract provides for a price that is not subject to any adjustment on
the basis of the contractor's cost experience in performing the
contract. This type of contract places maximum risk and full
responsibility for all costs and resulting profit or loss on the
contractor(s).
[2] GAO, Information Management. Challenges in Managing and Preserving
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and
GAO, Records Management. National Archives and Records Administration's
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.:
Aug. 22, 2003) and GAO, Records Management. Planning for the Electronic
Records Archives Has Improved, GAO-04-927 (Washington, D.C.: Sept. 23,
2004).
[3] An enterprise architecture provides a description-in useful models,
diagrams, and narrative-of the mode of operation for an agency. It
describes the agency in logical terms, such as interrelated business
locations and users, and in IT operational terms, such as hardware,
software, data, communications, and information security attributes and
standards. It provides these perspectives both for the baseline and
target environments and a plan for transitioning from the baseline to
the target.
[4] Verification and validation reviews are performed by internal
contractors to ensure that ERA policies and plans conform to industry
standards, such as those established by IEEE.
[5] The Institute of Electrical and Electronics Engineers, 12207.0
Standard for Information Technology-Software Life Cycle Processes;
12207.1 Standard for Information Technology-Software Lifecycle
Processes-Life Cycle Data; and 12207.2 Standard for Information
Technology-Software Life Cycle Processes-Implementation Considerations.
[6] On January 15, 2002, American Systems Corporation (ASC) announced
the acquisition of ICE, Inc. According to the ERA project manager, this
change does not affect the status of NARA's contract with ICE, Inc.
[7] Harris Corporation's milestones for delivery and acceptance of
system requirements specifications that were included in its contract
were revised to accommodate delays to the project caused by a hurricane
that struck company headquarters soon after the design contract was
signed. The revision to Harris's schedule did not affect the planned
date for selecting the development contractor.
[8] The Institute of Electrical and Electronics Engineers, IEEE
Standard for Software Life Cycle Processes-Risk Management. IEEE
Standard 1540-2001 (Mar. 17, 2001).
[9] For example, a basic level of preservation and access might entail
saving the original electronic file in its original format. An enhanced
level might be achieved by migrating records from their original format
to a newer one for which better access software is available.
[10] Fiscal Year 2000 Federal Managers' Financial Integrity Assurance
(FMFIA) Report to the President.
[11] In comments on a draft of these briefing slides, NARA reported
that the Quality Management Plan underwent verification and validation
on May 11, 2005, and is 85 percent compliant with IEEE standards.
[End of section]
Appendix II: Comments from the National Archives:
National Archives at College Park:
8601 Adelphi Road:
College Park, Maryland 20740-6001:
Mr. Joel C. Willemssen:
Managing Director of Information Technology Team:
Government Accountability Office:
441 G Street, NW #4T31:
Washington, DC 2054$:
Dear Mr. Willemssen:
Thank you for the opportunity to review and comment on the draft
presentation entitled National Archives and Records Administration's
Acquisition of the Electronic Records Archives is Progressing before it
is briefed to the staff members of the Subcommittee on Transportation,
Treasury, the Judiciary, Housing and Urban Development, and Related
Agencies, of the Senate Appropriations Committee and the Subcommittee
on Transportation, Treasury and Housing and Urban Development, the
Judiciary and District of Columbia, and independent Agencies, of the
House Appropriations Committee. We are pleased to note the recognition
of the progress made toward implementing the recommendations provided
in GAO's report of September 23, 2004, Records Management: Planning for
the Electronic Records Archives Has Improved (GAO-04-927).
We also appreciate the insight into the progress remaining to be made
toward addressing GAO's recommendations. For NARA to carry out its
mission into the future we have to be successful implementing the
Electronic Records Archives (ERA) system. To ensure we are successful,
we will complete those recommendations identified in your presentation
as "partially implemented." We would like to take this opportunity to
update you on the status of those efforts.
Enterprise Architecture. GAD observed that "NARA has added sections on
information security and IT operations to its baseline enterprise
architecture. However, the target architecture is only a framework, and
therefore, is incomplete." GAO also indicates that "Until the target
enterprise architecture is complete, NARA may have difficulty ensuring
that the ERA system is defined according to the requirements of the
target enterprise architecture."
By September 2005, NARA's Target Architecture will have progressed well
beyond the addition of business process specifications. This version of
the Enterprise Architecture will include:
* Specifications of all business processes related to records
lifecycle. This includes data inputs and outputs, security and privacy
constraints, identification of business rules and policies, technology
enablers and support from current systems for each lifecycle business
prates.
* A set of business information flows. These are developed using the
business process, the data inputs and outputs, and the enterprise data
model.
* A set of conceptual business information systems. These are developed
using the business information flows and applying technological and
security constraints.
* A revised sequencing plan that shows a high-level implementation
strategy for the set of conceptual business information systems. The
revised sequencing plan is an important input into specifying an
updated business transformation plan.
These additions to our Enterprise Architecture represent a major step
forward in the definition and maturity of NARA's Target Architecture.
The necessary specifications will be in place by September 2005, when
development of ERA's increment one starts, to ensure that the ERA
requirements will be defined according to NARA's Target Architecture.
IT Security Program. GAO observed in the report that the agency has
developed plans of action and milestones to address the Office of
Inspector General weaknesses by September 2005. GAO also indicates that
"As a result, NARA has considered information security to be a material
weakness since 2000. Until information security is fully addressed, it
remains a risk to ERA's cost, schedule and performance objectives." We
are very pleased GAO noted the progress on the NARA security program,
we want to address additional concerns GAO raised resulting from its
review of NARA's Office of Inspector General audits.
First, to address the lack of a formal, documented, and tested agency
disaster recovery plan, we want to stress that ERA itself has a
comprehensive information security plan, developed in collaboration
with the National Security Agency, that has integrated contingency and
disaster recovery plans as part of its requirements. Recent system
design reviews with both competing contractors confirm that these
requirements are being incorporated into the final ERA system design,
Also, our Plan of Action and Milestones for completing an agency-wide
disaster recovery plan addresses one of the material weaknesses
identified in the 2004 Federal Manager's Financial Integrity Act
report. That disaster recovery plan will incorporate the contingency
plans that have been developed and tested for each NARA system,
including ERA and NARAnet. The NARAnet disaster recovery plan also
addresses the data recovery capabilities needed to support the ERA
Program Management Office.
Second, addressing the general concern related to physical and logical
security weaknesses, we want to assure GAO that the completion of the
specific audit action items comprising this deficiency will be resolved
by September 30, 2005. We believe that completing these audit action
items when development of ERA's increment one starts will mitigate the
risks to ERA's cost, performance, and schedule objectives.
Cost, Schedule, and Performance and Risks, GAO indicates in its report
that "the contracts for this phase are firm-fixed-priced and cost
variations are expected to be at the contractor's expense." We want to
clarify that not only is ERA meeting its cost objectives for the
Analysis and Design (A&D) phase, but both contractors expect to
complete the A&D phase within budget. No variations from the planned
budget are anticipated. If any averages occur, they would be at the
contractor's expense.
Document Review Process. GAO observed that "NARA has made progress in
addressing our recommendation by designing a process to ensure that
reviewer's recommendations are addressed in the final version. However,
this document review process has not been finalized and implemented."
We have a process in place which ensures that comments from all
reviewers as well as the Independent Verification and Validation staff,
when required, are addressed. Comments and responses to comments are
tracked by the Quality Management (QM) staff. All documents submitted
to the Program Manager for approval are required to be accompanied by a
report from the QM staff on the resolution of all comments.
Acquisition Policies and Plan, GAO states in the report that "the
Quality Management Plan - while it has been revised, has not undergone
verification and validation." The Quality Management Plan, Version 2.6,
December 16, 2004, underwent verification and validation on May 11,
2005. It was found to be 85% compliant with the IEEE standards. It
should be noted that the IEEE standard has been tailored for the
Quality Management Plan to incorporate industry best practices derived
from the Project Management Institute's Project Management Body of
Knowledge (PMBOK). The items noted as non-compliant were primarily in
the area of format; these recommendations will be taken into
consideration during the next revision of the plan, which should be
completed by July 2005.
GAO also states that "the Risk Management Plan - has significant
weaknesses." The Risk Management Plan, Version 3.0, August 25 2004
underwent verification and validation on August 26, 2004. It was found
to be 86% compliant with the IEEE standard. The overall quality of the
Risk Management Plan was rated as high. The remaining items will be
addressed during the next revision of the Risk Management Plan
scheduled for August 2005.
The level of IEEE compliance for the documents reviewed is directly
related to the system's life cycle. Most documents show a small number
of partially compliant items that we will make fully compliant as
information becomes available with the start of system development.
Again, we thank you for this opportunity to comment and look forward to
our future interactions as we continue the ERA acquisition process. If
you have any questions, please contact Carmen Colon, Program Support
Division at (301) 837-0445.
Sincerely,
Signed by:
ALLEN WEINSTEIN:
Archivist of the United States:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Linda Koontz, (202) 512-7487:
Staff Acknowledgments:
In addition to the contact named above, Timothy Case, Nancy Glover, and
Teresa Neven made key contributions to this report.
(310740):
FOOTNOTES
[1] According to the Federal Acquisition Regulation, a firm fixed-price
contract provides for a price that is not subject to any adjustment on
the basis of the contractor's cost experience in performing the
contract. This type of contract places maximum risk and full
responsibility for all costs and resulting profit or loss on the
contractor(s).
[2] GAO, Information Management: Challenges in Managing and Preserving
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and
GAO, Records Management: National Archives and Records Administration's
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.:
Sept. 23, 2004).
[3] An enterprise architecture provides a description--in useful
models, diagrams, and narrative--of the mode of operation for an
agency. It describes the agency in logical terms, such as interrelated
business locations and users, and in IT operational terms, such as
hardware, software, data, communications, and information security
attributes and standards. It provides these perspectives both for the
baseline and target environments and a plan for transitioning from the
baseline to the target.
[4] Verification and validation reviews are performed by internal
contractors to ensure that ERA policies and plans conform to industry
standards, such as those established by IEEE.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
