Audit of NARA's Cybersecurity Risk Management Process

Date Issued

Thursday, August 27, 2020

Submitting OIG

National Archives and Records Administration OIG

Other Participating OIGs

National Archives and Records Administration OIG

Agencies Reviewed/Investigated

National Archives and Records Administration

Report Number

20-AUD-15

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
The Chief of Management and Administration and the Chief Operating Officer ensure the Risk Executive, Chief of Management and Administration, Chief Operating Officer, and Senior Accountable Official for risk management roles and responsibilities are fully and accurately defined in NARA policies.
2	Yes	$0	$0
The Chief of Management and Administration develop, document, implement, and disseminate an organizational risk management strategy and policy, in accordance with NIST 800-39, and a process for coordination between cybersecurity and enterprise risk management.