Information Management: Acquisition of the Electronic Records
Archives Is Progressing (15-JUL-05, GAO-05-802).
                                                                 
Since 2001, the National Archives and Records Administration	 
(NARA) has been working to acquire the Electronic Records	 
Archives (ERA) system. In August 2004, NARA awarded two contracts
to design the ERA system. The agency plans to select one of the  
resulting designs for the development of the system in August	 
2005. Conference Report 108-792 directed GAO to report on ERA's  
costs, schedule, and performance. Our objectives were to	 
determine (1) the extent to which NARA has achieved the ERA	 
program's cost, schedule, and performance objectives and the	 
extent to which the agency has identified risks to future	 
objectives; and (2) the status of NARA's efforts to address prior
GAO recommendations on the acquisition. 			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-05-802 					        
    ACCNO:   A30117						        
  TITLE:     Information Management: Acquisition of the Electronic
Records Archives Is Progressing
     DATE:   07/15/2005 
  SUBJECT:   Archives						 
	     Information management				 
	     Information security				 
	     Performance measures				 
	     Procurement planning				 
	     Program management 				 
	     Records						 
	     Systems design					 
	     Standards						 
	     Procurement policy 				 
	     Strategic information systems planning		 
	     NARA Electronic Records Archives			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-05-802

     

     * Report to Congressional Committees
          * July 2005
     * INFORMATION MANAGEMENT
          * Acquisition of the Electronic Records Archives Is Progressing

                 United States Government Accountability Office

GAO

                                   July 2005

                             INFORMATION MANAGEMENT

         Acquisition of the Electronic Records Archives Is Progressing


  What GAO Found

The ERA program is meeting its cost, schedule, and performance objectives
and has identified risks to the program's objectives. For example, the
program has

     o achieved all major milestones to date on or ahead of schedule,
     o accepted three major contractor deliverables that met the program's
       performance standards, and
     o identified risks to the program including the lack of an integrated
       schedule that encompasses agency projects related to ERA.

NARA continues to make progress in addressing recommendations from prior
GAO reports: the agency has implemented one recommendation by hiring two
key ERA personnel and has partially implemented the other recommendations
(see table). For example, NARA has addressed one of the two security
weaknesses by bringing classified systems under the central control and
protection of the chief information officer, and it has completed
corrective action on five of nine security weaknesses in systems operating
on its network. However, the Office of the Inspector General has
identified additional security weaknesses, including

     o the lack of a formal, documented, and tested agency disaster recovery
       plan and
     o inadequate physical and logical security in areas such as password and
       systems configuration management.

Until NARA fully addresses all prior recommendations, risks remain to the
successful implementation of the system.

      Summary Status of NARA's Progress in Addressing GAO Recommendations

Prior recommendation          Status                  Progress
1. Staffing                   implemented             NARA filled the vacant key positions; the
                                                      quality assurance specialist was hired in
                                                      July 2004 and the security officer in May
                                                      2005.
2. Enterprise architecture    partially implemented   While NARA has improved the enterprise
                                                      architecture, several elements are
                                                      incomplete, including the target
                                                      architecture.
3. Information security       partially implemented   Information security has been improved;
                                                      however, weaknesses remain.
4. Document review process    partially implemented   While a documented review process has been
                                                      designed, it has not been finalized and
                                                      implemented.
5. Acquisition program        partially implemented   Even though most policies and plans have
   policies and plans                                 been significantly revised, none are fully
                                                      compliant with IEEE standards.

Source: GAO.


Contents

  Letter

  Appendixes

     Appendix I:    Briefing Slides
     Appendix II:   Comments from the National Archives
     Appendix III:  GAO Contact and Staff Acknowledgments

                                 Abbreviations

      ASC        American Systems Corporation                              
      ERA        Electronic Records Archives                               
      ICE        Integrated Computer Engineering, Inc.                     
      IEEE       Institute of Electrical and Electronics Engineers, Inc.   
      NARA       National Archives and Records Administration              

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.


United States Government Accountability Office Washington, D.C. 20548

July 15, 2005

The Honorable Christopher S. Bond
Chairman
The Honorable Patty Murray
Ranking Minority Member
Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban
Development, and Related Agencies
Committee on Appropriations
United States Senate

The Honorable Joe Knollenberg
Chairman
The Honorable John W. Olver
Ranking Minority Member
Subcommittee on the Departments of Transportation, Treasury, and Housing
and Urban Development, the Judiciary, and District of Columbia, and
Independent Agencies
Committee on Appropriations
House of Representatives

The National Archives and Records Administration (NARA) is responsible for
the oversight of government records management and archiving, which
increasingly involves dealing with documents that are created and stored
electronically. Since 2001, the agency has been working to acquire the
Electronic Records Archives (ERA) system. NARA selected the standards of
the Institute of Electrical and Electronics Engineers, Inc. (IEEE) to
guide the overall acquisition of the system.

In December 2003, the agency released a request for proposals for the
design of ERA, and in August 2004, NARA awarded two firm fixed-price
contracts[1] for the design phase that totaled about $20 million, one to
Harris Corporation and the other to Lockheed Martin Corporation. The
agency plans to select a winning design from Harris and Lockheed Martin
submissions by August 2005.

[1] According to the Federal Acquisition Regulation, a firm fixed-price
contract provides for a price that is not subject to any adjustment on the
basis of the contractor's cost experience in performing the contract. This
type of contract places maximum risk and full responsibility for all costs
and resulting profit or loss on the contractor(s).

We previously issued three reports assessing NARA's efforts to establish
the capabilities to acquire major information systems and the ERA system
acquisition.[2] In these reports, we made nine recommendations. We
previously reported that NARA had implemented four, and these five
remained to be addressed:

     o fill vacant key positions,
     o develop an enterprise architecture,[3]
     o improve information security,
     o design and implement a process to ensure that recommendations from
       verification and validation reviews[4] are addressed and incorporated
       into acquisition policies and plans, and
     o revise policies and plans to conform to IEEE standards.

Conference Report 108-792 directed GAO to report on ERA's program costs,
schedule, and performance by May 25, 2005. Our objectives were to
determine (1) the extent to which NARA has achieved the ERA program's
cost, schedule, and performance objectives and the extent to which the
agency has identified risks to future objectives and (2) the status of
NARA's efforts to address prior GAO recommendations on the acquisition. We
performed our work from January 2005 to May 2005 at NARA's College Park,
Maryland, location in accordance with generally accepted government
auditing standards. Details of our methodology are in appendix I.

[2] GAO, Information Management: Challenges in Managing and Preserving
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002); GAO,
Records Management: National Archives and Records Administration's
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.:
Aug. 22, 2003); and GAO, Records Management: Planning for the Electronic
Records Archives Has Improved, GAO-04-927 (Washington, D.C.: Sept. 23,
2004).

[3] An enterprise architecture provides a description (in useful models,
diagrams, and narrative) of the mode of operation for an agency. It
describes the agency in logical terms, such as interrelated business
locations and users, and in IT operational terms, such as hardware,
software, data, communications, and information security attributes and
standards. It provides these perspectives both for the baseline and target
environments and a plan for transitioning from the baseline to the target.

[4] Verification and validation reviews are performed by internal
contractors to ensure that ERA policies and plans conform to industry
standards, such as those established by IEEE.

In May 2005 we provided your staff with a briefing on the results of our
study, which are included as appendix I. The purpose of this report is to
officially transmit the published briefing slides to you.

In summary, our briefing made the following points:

     o ERA is meeting its cost, schedule, and performance objectives and has
       identified risks to the program's objectives.
          * NARA's cost objectives associated with the Lockheed Martin and
            Harris design contracts are for $9.5 million and $10.6 million,
            respectively. The program is meeting these cost objectives; the
            contracts for this phase are firm fixed-price and cost
            variations are expected to be at the contractors' expense.
          * The program has also achieved all major milestones on or ahead
            of schedule, and the three major deliverables that NARA has
            received from the contractors (the systems requirements
            specifications from Lockheed Martin and system architecture and
            design documents from both Lockheed Martin and Harris) were
            reviewed by NARA and, according to the agency, met the
            program's performance standards and were accepted.
          * ERA has identified four risks to the acquisition: (1) lack of an
            integrated schedule that encompasses agency projects related to
            ERA; (2) the level of preservation and access required for
            current and future electronic records has not yet been
            determined; (3) NARA may build to the wrong specifications in
            terms of size and scalability if the agency is unable to forecast
            the expected volume of records to be processed by the system with
            any reliability; and (4) NARA will lose more than $20 million in
            single year funds if it does not award the development contract
            by September 30, 2005.
     o NARA continues to make progress in addressing our prior
       recommendations.
          * The agency has fully implemented our recommendation to hire two
            key personnel (the quality assurance specialist and security
            officer), which should strengthen the program's capability to
            manage the acquisition.
          * The agency has partially implemented four other recommendations
            that are essential for the successful management of the
            acquisition. It has (1) improved the baseline architecture but
            has not completed the target architecture; (2) improved
            information security but has not addressed all weaknesses;
            (3) designed, but has not finalized, the document review
            process; and (4) significantly revised the program's policies
            and plans but has not made them fully compliant with IEEE
            standards.

Until NARA fully addresses all prior recommendations, risks remain to the
successful implementation of the system. Because the agency recognizes
these weaknesses and has plans in place to address them, we are not making
further recommendations at this time. However, it will be important for
NARA to continue its efforts to resolve these weaknesses in a timely
manner.

The Archivist stated that the written comments on our briefing submitted
on May 20, 2005, represent NARA's response to the draft report. In those
comments, he indicated appreciation for the insight provided into the
progress remaining to be made toward addressing our recommendations. In
addition, he stated that NARA will complete the recommendations identified
in our report as "partially implemented." The Archivist's written comments
on the briefing are reproduced in appendix II.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Subcommittee on Transportation, Treasury, the Judiciary,
Housing and Urban Development, and Related Agencies, Senate Appropriations
Committee, and the Subcommittee on the Departments of Transportation,
Treasury, and Housing and Urban Development, the Judiciary, and District
of Columbia, and Independent Agencies, House Appropriations Committee. We
are also sending copies to the Archivist of the United States. We will
make copies available to others on request. In addition, the report will
be available at no charge on the GAO Web site at http://www.gao.gov.

If you or your staff have any questions concerning this report, please
call me at 202-512-6240; I can also be reached by e-mail at
[email protected]. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report. GAO staff
who made major contributions to this report are listed in appendix III.

Linda D. Koontz
Director, Information Management Issues

Appendix I

Briefing Slides

  The National Archives and Records Administration's Acquisition of the
  Electronic Records Archives Is Progressing

Briefing for Staff Members of the

Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban
Development, and Related Agencies
Committee on Appropriations
United States Senate

and the

Subcommittee on the Departments of Transportation, Treasury, and Housing
and Urban Development, the Judiciary, and District of Columbia, and
Independent Agencies
Committee on Appropriations
House of Representatives

May 25, 2005

Introduction
Objectives, Scope, and Methodology
Results in Brief
Background
Review of Cost, Schedule, Performance, and Risks
Implementation Status of GAO Recommendations

     o Staffing
     o Enterprise Architecture
     o Information Security
     o Document Review Process
     o Acquisition Policies and Plans

Summary
Agency Comments and Our Evaluation
Appendix

The National Archives and Records Administration (NARA) is responsible for
oversight of records management and archiving, which increasingly involves
dealing with documents that are electronically created and stored.
Accordingly, the Archivist established the Electronic Records Archives
(ERA) program to acquire a major information system to address critical
issues in receiving, preserving, and accessing electronic records.

In 2001, the agency hired a contractor to develop policies and plans to
support and guide the acquisition of the ERA system. NARA selected the
standards of the Institute of Electrical and Electronics Engineers, Inc.
(IEEE) to guide the overall acquisition of the system.

In December 2003, the agency released a request for proposals for the
design of ERA, and in August 2004, NARA awarded two firm fixed-price
contracts[1] for the design phase totaling about $20 million, one to Harris
Corporation and the other to Lockheed Martin Corporation. The agency plans
to select a winning design from Harris and Lockheed Martin submissions by
August 2005.

[1] According to the Federal Acquisition Regulation, a firm fixed-price
contract provides for a price that is not subject to any adjustment on the
basis of the contractor's cost experience in performing the contract. This
type of contract places maximum risk and full responsibility for all costs
and resulting profit or loss on the contractor(s).

                                  Introduction

We have issued three reports assessing NARA's efforts to establish the
capabilities to acquire major information systems and the ERA system
acquisition.[2] In these reports, we made nine recommendations. We
previously reported that NARA had implemented four, and these five
remained to be addressed:

     o fill vacant key positions,
     o develop an enterprise architecture,[3]
     o improve information security,
     o design and implement a process to ensure that recommendations from
       verification and validation reviews[4] are addressed and incorporated
       into acquisition policies and plans, and
     o revise policies and plans to conform to IEEE standards.

[2] GAO, Information Management: Challenges in Managing and Preserving
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002); GAO,
Records Management: National Archives and Records Administration's
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.:
Aug. 22, 2003); and GAO, Records Management: Planning for the Electronic
Records Archives Has Improved, GAO-04-927 (Washington, D.C.: Sept. 23,
2004).

[3] An enterprise architecture provides a description (in useful models,
diagrams, and narrative) of the mode of operation for an agency. It
describes the agency in logical terms, such as interrelated business
locations and users, and in IT operational terms, such as hardware,
software, data, communications, and information security attributes and
standards. It provides these perspectives both for the baseline and target
environments and a plan for transitioning from the baseline to the target.

[4] Verification and validation reviews are performed by internal
contractors to ensure that ERA policies and plans conform to industry
standards, such as those established by IEEE.

Conference Report 108-792 directed GAO to report on ERA's program costs,
schedule, and performance by May 25, 2005. As agreed with staff of the
Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban
Development, and Related Agencies, Senate Committee on Appropriations, and
the Subcommittee on the Departments of Transportation, Treasury, and
Housing and Urban Development, the Judiciary, and District of Columbia,
and Independent Agencies, House Appropriations Committee, our objectives
were to determine

x the extent to which NARA has achieved the ERA program's cost, schedule,
and performance objectives and the extent to which NARA has identified
risks to future objectives and

x the status of NARA's efforts to address prior GAO recommendations on
the ERA acquisition.

Scope and Methodology

To accomplish our objectives, we

     o reviewed reports on the cost status of the two design contractors to
       determine to what extent ERA was achieving its cost goals,
     o reviewed and assessed the project schedule to determine to what extent
       the program was meeting its schedule goals,
     o reviewed the program's plans and other documentation such as quality
       assurance checklists to determine what process exists for assessing
       the performance and quality of the design contractors' deliverables,
     o reviewed assessments of the program's risk management processes and
       practices, plans of action and milestones, and interviewed ERA and
       NARA officials responsible for risk management to determine the status
       of risk management,
     o interviewed the senior managers responsible for hiring ERA staff and
       reviewed the staffing plan to determine if efforts to hire key
       government positions were complete,
     o obtained and evaluated the agency's enterprise architecture plans and
       products, an information security assessment and plan, and conducted
       interviews of senior NARA officials to determine the status of the
       agency's efforts to develop an enterprise architecture and strengthen
       the agency's information security program,
     o reviewed seven key policies and plans, the contractor's verification
       and validation reports associated with the documents, and interviewed
       ERA officials to determine what progress the program had made in
       addressing our recommendation that policies and plans conform to
       industry standards,
     o assessed the program's process for reviewing and finalizing policies
       and plans and interviewed ERA officials responsible for the review
       process to determine the extent to which the review process was
       developed and implemented, and
     o performed our work from January 2005 to May 2005 at NARA's College
       Park, Maryland location in accordance with generally accepted
       government auditing standards.

The program is currently achieving its cost, schedule, and performance
objectives, and it recently provided us with a list of risks to these
objectives.

     o ERA is meeting its cost objectives; the contracts for this phase are
       firm fixed-price and cost variations are expected to be at the
       contractors' expense.
     o The design contractors have completed the initial major milestones for
       the design phase on or ahead of schedule and, to date, NARA has
       reviewed three major deliverables: the system requirements
       specifications from Lockheed Martin and system architecture and design
       documents from both Lockheed Martin and Harris.
     o According to NARA, these met the program's performance standards and
       were accepted.
     o ERA has identified risks to the program's cost and schedule
       objectives. For example, NARA identified the lack of an integrated
       schedule that encompasses agency projects related to ERA to be a risk
       to the program.

    Results in Brief

                           Status of Recommendations

NARA has made progress towards implementing our prior recommendations
(table 1).

Table 1: Summary Status of NARA's Progress in Implementing GAO
Recommendations

Prior Recommendation          Status                  Progress
1. Staffing                   implemented             NARA filled the vacant key positions; the
                                                      quality assurance specialist was hired in
                                                      July 2004 and the security officer in May
                                                      2005.
2. Enterprise architecture    partially implemented   While NARA has improved the enterprise
                                                      architecture, several elements are
                                                      incomplete, including the target
                                                      architecture.
3. Information security       partially implemented   Information security has been improved;
                                                      however, weaknesses remain.
4. Document review process    partially implemented   While a documented review process has been
                                                      designed, it has not been finalized and
                                                      implemented.
5. Acquisition program        partially implemented   Even though most policies and plans have
   policies and plans                                 been significantly revised, none are fully
                                                      compliant with IEEE standards.

The Archivist of the United States provided written comments on a draft of
these briefing slides and planned to implement our prior recommendations.
We have reproduced the written comments in the appendix.

NARA envisions ERA to be a major information system with the ability to
authentically preserve and provide access to massive volumes of all types
and formats of electronic records that are free from dependency on any
specific type of hardware or software. The agency is seeking a system that
balances the use of commercial off-the-shelf with new software
development. However, as agency officials have indicated, there is no
single commercial solution available today that meets the full end-to-end
requirements for ERA. As a result, NARA decided to develop an advanced
architecture for the conversion and preservation of electronic records.

To guide the acquisition of the system, NARA has adopted IEEE standards
for the software life cycle processes.[5] The standards establish a common
framework for the acquisition of software products and services and define
processes and activities that are to be tailored and applied during the
acquisition, supply, development, and operation and maintenance of a
system.

[5] The Institute of Electrical and Electronics Engineers, 12207.0 Standard
for Information Technology-Software Life Cycle Processes; 12207.1 Standard
for Information Technology-Software Lifecycle Processes-Life Cycle Data;
and 12207.2 Standard for Information Technology-Software Life Cycle
Processes-Implementation Considerations.

Through fiscal year 2004, the ERA program had completed three major
acquisition milestones:

x defining the concept on January 3, 2003,

x releasing a request for proposal and completing high-level system
requirements on December 5, 2003, and

x awarding design contracts on August 4, 2004.

The program entered the systems analysis and design phase at the end of
fiscal year 2004. This phase is expected to conclude in fiscal year 2005
with the selection of one of the two design contractors to develop the
system. The developer is to begin building the system in the first of five
increments at the end of fiscal year 2005. The first increment is planned
for completion in 2007 (figure 1) and the expected completion date of the
system is 2011.

The ERA Program Management Office is responsible for the development of
policies and plans for the ERA acquisition.

     o In 2001, NARA hired a contractor, Integrated Computer Engineering
       (ICE), Inc.,[6] to assist in developing the capability to design,
       acquire, and manage the ERA system.
     o ICE is responsible for developing policies and plans and for
       validating and verifying that they conform to IEEE standards for
       content and structure. ICE has also performed independent verification
       and validation of products delivered by the design contractors for
       conformance to applicable industry standards.
     o In fiscal year 2005, the agency also intends to hire an independent
       verification and validation contractor to assess ERA policies and
       plans and work performed by the development contractor.

[6] On January 15, 2002, American Systems Corporation (ASC) announced the
acquisition of ICE, Inc. According to the ERA project manager, this change
does not affect the status of NARA's contract with ICE, Inc.

NARA's cost objectives associated with the Lockheed Martin and Harris
design contracts are for $9.5 million and $10.6 million, respectively.

ERA is meeting these cost objectives; the contracts for this phase are
firm fixed-price and cost variations are expected to be at the
contractors' expense.

              Review of Cost, Schedule, and Performance and Risks

ERA Program Schedule and Performance Objectives

ERA has defined six major milestones that are planned for completion in
fiscal year 2005 (table 1).

Table 1: ERA System Acquisition Schedule: Design Phase

                                            Harris              Lockheed Martin
Major milestone                             Planned   Actual    Planned   Actual
System architecture and design document:
  delivered to ERA                          4/18/05   4/8/05    4/21/05   4/11/05
System architecture and design document:
  ERA review completed                      5/10/05   5/10/05   5/11/05   5/11/05
System requirements specifications:
  delivered to ERA[7]                       6/9/05              4/13/05   4/13/05
System requirements specifications:
  ERA review completed                      6/21/05             5/13/05   4/18/05
Prototype demonstration                     6/15/05             6/10/05
Select development contractor               8/3/05              8/3/05

Source: NARA.

ERA has completed all major milestones on or ahead of schedule.

To date, NARA has received three major deliverables: the system
requirements specifications from Lockheed Martin, and system architecture
and design documents from both Lockheed Martin and Harris.

[7] Harris Corporation's milestones for delivery and acceptance of system
requirements specifications that were included in its contract were
revised to accommodate delays to the project caused by a hurricane that
struck company headquarters soon after the design contract was signed. The
revision to Harris's schedule did not affect the planned date for
selecting the development contractor.

NARA assessed these deliverables using IEEE and other industry standards,
quality assurance checklists, and reviews by subject matter experts. NARA
has completed its review of these deliverables. According to the agency,
these deliverables met the program's performance standards and were
accepted.

Risk management is a process to identify potential problems and adjust the
acquisition to mitigate problems and decrease the chance of their
occurring. It is a critical tool for continuously determining the
feasibility of project plans, for improving the search for and
identification of potential problems that can affect project activities
and the quality and performance of products, and for improving the active
management of software projects.8

ERA has identified these risks to the acquisition:

* Schedule-NARA lacks an integrated schedule that encompasses agency
  projects related to ERA.

* Preservation-NARA has not yet determined the level of preservation and
  access9 required for its current and future electronic records.

* Volume-If NARA is unable to forecast the expected volume of records to
  be processed by the system, with any reliability, it may build to the
  wrong specifications in terms of size and scalability.

* Funds-If NARA does not award the development contract by September 30,
  2005, it will lose more than $20 million in single year funds. According
  to NARA, this could have cascading effects that could result in program
  termination.

8 The Institute of Electrical and Electronics Engineers, IEEE Standard for
Software Life Cycle Processes-Risk Management. IEEE Standard 1540-2001
(Mar. 17, 2001).

9 For example, a basic level of preservation and access might entail saving
the original electronic file in its original format. An enhanced level
might be achieved by migrating records from their original format to a
newer one for which better access software is available.

By identifying project risks, NARA should be able to better achieve its
cost, schedule, and performance goals.

We reported in our September 2004 report that, while NARA had made
progress in staffing ERA, two of the key government positions remained
vacant-quality assurance specialist and the security officer. We noted
that, until the agency filled these key positions, the program might not
have the resources necessary to manage the acquisition.

NARA has filled the two vacant key government positions. The quality
assurance specialist was hired in July 2004 and the security officer in
May 2005. These positions are important to the quality and completeness of
program processes and practices. By hiring key staff, the program has
improved its capability for managing the acquisition.

We previously reported that, while NARA has taken action to develop an
enterprise architecture, its efforts were incomplete. We recommended that
the agency strengthen its IT management capabilities by developing an
enterprise architecture.

Although not fully complete, NARA has made progress in addressing our
recommendation. An enterprise architecture provides a description-in
useful models, diagrams, and narrative-of the mode of operation for an
agency. It describes the agency in logical terms, such as interrelated
business locations and users, and in IT operational terms, such as
hardware, software, data, communications, and information security
attributes and standards. It provides these perspectives both for the
baseline and target environments and a plan for transitioning from the
baseline to the target. NARA has added sections on information security
and IT operations to its baseline enterprise architecture. However, the
target architecture is only a framework, and therefore, is incomplete. The
agency plans to complete high priority items, such as business process
specifications, by September 2005.

Until the target enterprise architecture is complete, NARA may have
difficulty ensuring that the ERA system is defined according to the
requirements of the target enterprise architecture.

We previously reported that NARA had improved its information security,
having recognized that it had weaknesses, which included:

* classified systems were not centrally controlled and the agency did not
  have the necessary assurance that these systems were adequately
  protected and

* systems compliance testing by a contractor revealed nine security
  weaknesses in the systems operating on NARA's network, and the agency
  did not develop plans of action to address those security weaknesses.

Federal legislation and guidance for information security require
organizations to, among other things, establish an information security
program that includes the following activities: develop information
security policy and procedures; develop system security plans for
networks, facilities, and systems or groups of information systems;
perform risk assessments; determine the sensitivity and criticality of
systems; and establish certification and accreditation programs for
information systems.

Since our report last year, NARA has fully addressed one of the previously
identified security weaknesses by bringing classified systems under the
central control and protection of the chief information officer and has
partially addressed the second by developing plans of actions and
milestones for the nine weaknesses and completing corrective action on
five of the nine. For example, in the past year, the agency has
implemented and improved its security awareness program and reported that
it had certified and accredited its information systems according to
government standards.

However, the Office of Inspector General identified additional security
weaknesses, including

* the lack of a formal, documented, and tested agency disaster recovery
  plan and

* inadequate physical and logical security in areas such as password and
  systems configuration management.

The agency has developed plans of action and milestones to address these
weaknesses, which it expects to complete by September 2005. As a result,
NARA has considered information security to be a material weakness since
2000.10

Until information security is fully addressed, it remains a risk to ERA's
cost, schedule, and performance objectives.

10 Fiscal Year 2000 Federal Managers' Financial Integrity Assurance (FMFIA)
Report to the President.

In our September 2004 report, we recommended that the Archivist direct the
ERA program director to design and implement a process to ensure that
recommendations from verification and validation reviews are addressed and
incorporated into acquisition policies and plans to reduce the risk
associated with efforts to acquire ERA.

NARA has made progress in addressing our recommendation by designing a
process to ensure that reviewers' recommendations are addressed in the
final version. However, this document review process has not been
finalized and implemented. Agency officials indicated that the
recommendation will be fully addressed by June 2005.

A process to ensure that verification and validation recommendations from
internal assessments are addressed and incorporated reduces the risk that
acquisition policies and plans do not meet industry standards. Without the
process, NARA cannot ensure that reviewers' comments are integrated into
final versions.

Until the agency fully designs and implements a process to ensure
recommendations are addressed and incorporated into the final versions of
documents, the program may not have accurate acquisition policies and
plans to guide the system development.

We previously reported that ERA had developed key acquisition policies and
plans to guide its acquisition, but that the documents did not conform to
the IEEE standards selected by the agency. These policies and plans are
essential for managing the acquisition and providing critical guidance to
the contractor who will be developing the system. As a result, we
recommended that ERA revise these policies and plans to conform to
industry standards.

While the program has revised the seven policies and plans, none fully
complies with IEEE standards. These six were significantly improved:

x Acquisition Strategy,

x Concept of Operations,

x Life Cycle,

x Configuration Management Plan,

x Risk Management Plan, and

x Program Management Plan. According to program officials, these policies
and plans will be updated to conform to IEEE standards during the next
phase of the acquisition.

The remaining plan-the Quality Management Plan-while it has been revised,
has not undergone verification and validation. Officials indicated that
this plan will undergo verification and validation for compliance to IEEE
standards and will be revised in July 2005.11

Until these policies and plans are revised to meet IEEE standards, the
program may not have the information needed to manage the acquisition and
the contractor may lack the information needed to develop the system.

11 In comments on a draft of these briefing slides, NARA reported that the
Quality Management Plan underwent verification and validation on May 11,
2005, and is 85 percent compliant with IEEE standards.

ERA is meeting its cost, schedule, and performance objectives and has
identified risks to the program's objectives. NARA continues to make
progress in addressing our prior recommendations. It has implemented one
recommendation by hiring two key ERA personnel, the quality management
specialist and security officer, which should strengthen the program's
capability to manage the acquisition.

NARA has partially implemented other recommendations that are essential
for the successful management of the acquisition. Specifically, ERA has:

* improved baseline architecture but has not completed target
  architecture,

* improved information security but it remains a material weakness despite
  five years of effort by NARA to strengthen it,

* revised the policies and plans to more fully comply with IEEE standards,
  and

* designed but has not finalized the document review process.

Because the agency recognizes these weaknesses and has plans in place to
address them, we are not making further recommendations at this time.
However, it will be important for NARA to continue its efforts to resolve
these weaknesses in a timely manner.

In written comments on a draft of our briefing slides, the Archivist of
the United States indicated appreciation for the insight we provided into
the progress remaining to be made toward addressing our recommendations.
The Archivist also provided an update on steps the agency has taken and
plans to take to address our recommendations, including strengthening the
enterprise architecture and information security, and stated that NARA
would complete all recommendations.

In regard to our discussion of the agency's Risk Management Plan, the
Archivist stated that the verification and validation assessment found the
plan to be of high quality and 86 percent compliant with standards. We
have revised our briefing slides to clarify our characterization of the
plan's status.

The Archivist also provided technical comments that were incorporated into
the briefing slides as appropriate. The Archivist's written comments are
reproduced in appendix II.

                                  Appendix II

                      Comments from the National Archives

Appendix III

                     GAO Contact and Staff Acknowledgments

  GAO Contact

Linda Koontz (202) 512-7487

  Staff Acknowledgments

In addition to the contact named above, Timothy Case, Nancy Glover, and
Teresa Neven made key contributions to this report.

  GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

*** End of document. ***