Date Issued
Submitting OIG
National Archives and Records Administration OIG
Agencies Reviewed/Investigated
National Archives and Records Administration
Report Number
25-AUD-01
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
13
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 13 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1 No $0 $0

Implement a process to ensure accounts with membership in the Domain Administrators group are assigned that membership based on job responsibilities. If it is determined that an account can be configured with more restrictive access, implement a process to revoke its Domain Administrators group membership and apply the most restrictive access that still supports the role.

2 No $0 $0

Develop and implement policies and procedures for network user accounts to:
a. Create unique passwords for each service account;
b. Maintain a list of commonly used, expected, or compromised passwords;
c. Update the list on an organization defined timeframe and when organizational passwords are suspected to have been compromised directly or indirectly;
d. Verify (such as through regular password audits or system configurations), when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords.
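Recommendation 2 describes a password-screening control: every service account gets a unique password (2a), the organization maintains a list of commonly used, expected, or compromised passwords (2b, 2c), and new or changed passwords are verified against it (2d). The Python below is an added example of how such a check can be implemented; it is not code from NARA, the OIG, or the report. The blocklist entries, organization terms, service-account names, credential hashes and the minimum-length floor are all constructed assumptions for illustration.

```python
"""Password screening checks of the kind Recommendation 2 calls for.

Added example; not code from NARA, the OIG, or the report. Every list,
account name, and threshold below is constructed for illustration.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for the organization's maintained list of commonly
# used, expected, or compromised passwords (rec. 2b/2c). It is held as
# SHA-1 digests of the lowercased entries so the screening data is not
# itself a plaintext password list.
SAMPLE_BLOCKLIST_TEXT = """\
password
password1!
welcome2024
summer2024!
letmein
"""

# Constructed organization-specific terms; "expected" passwords typically
# embed the agency or network name.
CONTEXT_TERMS = ("nara", "naranet", "archives")


def _digest(value: str) -> str:
    """Case-folded SHA-1 hex digest; matching is case-insensitive by design."""
    return hashlib.sha1(value.lower().encode("utf-8")).hexdigest().upper()


def load_blocklist(text: str) -> set[str]:
    """Parse one password per line into a set of digests (blank lines ignored)."""
    return {_digest(line.strip()) for line in text.splitlines() if line.strip()}


def screen_password(password: str, username: str, blocklist: set[str],
                    min_len: int = 8) -> list[str]:
    """Return the reasons a candidate password fails screening (rec. 2d).

    An empty list means the password is acceptable. min_len is an assumed
    floor; substitute the value the applicable policy requires.
    """
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if _digest(password) in blocklist:
        reasons.append("found on compromised/common password list")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for term in CONTEXT_TERMS:
        if term in lowered:
            reasons.append(f"contains organization term '{term}'")
            break
    return reasons


def shared_service_passwords(credential_hashes: dict[str, str]) -> dict[str, list[str]]:
    """Group service accounts whose credential hashes collide (rec. 2a).

    Identical hashes mean identical passwords, so any group of two or more
    accounts is a reuse finding. The input is whatever hash form the audit
    obtains; the demo data below uses SHA-256 of constructed secrets.
    """
    by_hash: dict[str, list[str]] = defaultdict(list)
    for account, digest in credential_hashes.items():
        by_hash[digest].append(account)
    return {d: sorted(accts) for d, accts in by_hash.items() if len(accts) > 1}


def _demo_digest(secret: str) -> str:
    """Hash used only to build the constructed sample data."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed service-account credential hashes; two accounts share a secret.
SERVICE_ACCOUNT_HASHES = {
    "svc_backup": _demo_digest("Winter2024!Shared"),
    "svc_sql": _demo_digest("Winter2024!Shared"),
    "svc_web": _demo_digest("q7Vx!2mL#pZ9-unique"),
}

if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_BLOCKLIST_TEXT)
    for candidate in ("Password1!", "NARANet-Access-2024", "correct-horse-battery-staple-9"):
        print(candidate, "->", screen_password(candidate, "jdoe", blocklist) or "accepted")
    print("shared service passwords:", shared_service_passwords(SERVICE_ACCOUNT_HASHES))
```

In practice the blocklist would be refreshed on the schedule 2c requires (and immediately after a suspected compromise), and the reuse check would be run against credential hashes exported from the directory rather than the constructed values shown here.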

3 No $0 $0

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements.

4 No $0 $0

Coordinate with other departments as necessary to implement an authoritative data source which provides the current status of NARA contractors and volunteers at the enterprise level.

5 No $0 $0

Enforce mandatory Personal Identity Verification (PIV) card authentication for all NARANet users, in accordance with OMB requirements.

6 No $0 $0

Continue and complete efforts to require PIV authentication for all privileged users, servers, and applications, through NARA’s identity and access management project and other efforts.

7 No $0 $0

Ensure a comprehensive identity, credential, and access management (ICAM) policy or strategy is developed and implemented, including the establishment of related standard operating procedures, identification of stakeholders, communication of relevant goals, assignment of tasks, and measurement and reporting of progress.

8 No $0 $0

Document and implement a process to track and remediate persistent configuration vulnerabilities, or document acceptance of the associated risks.

9 No $0 $0

Implement remediation efforts to address the security deficiencies identified on affected systems, including enhancing the patch and vulnerability management program as appropriate, or document acceptance of the associated risks.

10 No $0 $0

Fully complete the migration of applications to vendor supported operating systems.

11 No $0 $0

Ensure the Information System Security Officers review system configuration compliance scans monthly, as required by NARA's Configuration Compliance Standard Operating Procedure.

12 No $0 $0

Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training have their accounts automatically disabled within the timeframes promulgated in the Privacy and Awareness Handbook.

13 No $0 $0

Implement requirements across all event logging maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.
