This is the accessible text file for GAO report number GAO-05-802 
entitled 'Information Management: Acquisition of the Electronic Records 
Archives Is Progressing' which was released on July 15, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

July 2005: 

Information Management: 

Acquisition of the Electronic Records Archives Is Progressing: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-802]: 

GAO Highlights: 

Highlights of GAO-05-802, a report to congressional committees: 

Why GAO Did This Study: 

Since 2001, the National Archives and Records Administration (NARA) has 
been working to acquire the Electronic Records Archives (ERA) system. 
In August 2004, NARA awarded two contracts to design the ERA system. 
The agency plans to select one of the resulting designs for the 
development of the system in August 2005. 

Conference Report 108-792 directed GAO to report on ERAís costs, 
schedule, and performance. Our objectives were to determine

* the extent to which NARA has achieved the ERA programís cost, 
schedule, and performance objectives and the extent to which the agency 
has identified risks to future objectives and 
* the status of NARAís efforts to address prior GAO recommendations on 
the acquisition. 

GAO is not making any recommendations at this time because NARA has 
plans in place to address identified weaknesses. 

What GAO Found: 

The ERA program is meeting its cost, schedule, and performance 
objectives and has identified risks to the programís objectives. For 
example, the program has

* achieved all major milestones to date on or ahead of schedule, 
* accepted three major contractor deliverables that met the programís 
performance standards, and 
* identified risks to the program including the lack of an integrated 
schedule that encompasses agency projects related to ERA. 

NARA continues to make progress in addressing recommendations from 
prior GAO reports: the agency has implemented one recommendation by 
hiring two key ERA personnel and has partially implemented the other 
recommendations (see table). For example, NARA has addressed one of the 
two security weaknesses by bringing classified systems under the 
central control and protection of the chief information officer, and it 
has completed corrective action on five of nine security weaknesses in 
systems operating on its network. However, the Office of the Inspector 
General has identified additional security weaknesses, including

* the lack of a formal, documented, and tested agency disaster recovery 
plan and
* inadequate physical and logical security in areas such as password 
and systems configuration management. 

Until NARA fully addresses all prior recommendations, risks remain to 
the successful implementation of the system. 

Summary Status of NARAís Progress in Addressing GAO Recommendations: 

[See PDF for image]

[End of table] 

www.gao.gov/cgi-bin/getrpt?GAO-05-802. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda D. Koontz at (202) 
512-6240 or koontzl@gao.gov. 

[End of section] 

Contents: 

Letter: 

Appendixes: 

Appendix I: Briefing Slides: 

Appendix II: Comments from the National Archives: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

ASC: American Systems Corporation: 

ERA: Electronic Records Archives: 

ICE: Integrated Computer Engineering, Inc. 

IEEE: Institute of Electrical and Electronics Engineers, Inc. 

NARA: National Archives and Records Administration: 

Letter July 15, 2005: 

The Honorable Christopher S. Bond: 
Chairman: 
The Honorable Patty Murray: 
Ranking Minority Member: 
Subcommittee on Transportation, Treasury, the Judiciary, Housing and 
Urban Development, and Related Agencies: 
Committee on Appropriations: 
United States Senate: 

The Honorable Joe Knollenberg: 
Chairman: 
The Honorable John W. Olver: 
Ranking Minority Member: 
Subcommittee on the Departments of Transportation, Treasury, and 
Housing and Urban Development, the Judiciary, and District of Columbia, 
and Independent Agencies: 
Committee on Appropriations: 
House of Representatives: 

The National Archives and Records Administration (NARA) is responsible 
for the oversight of government records management and archiving, which 
increasingly involves dealing with documents that are created and 
stored electronically. Since 2001, the agency has been working to 
acquire the Electronic Records Archives (ERA) system. NARA selected the 
standards of the Institute of Electrical and Electronics Engineers, 
Inc. (IEEE) to guide the overall acquisition of the system. 

In December 2003, the agency released a request for proposals for the 
design of ERA, and in August 2004, NARA awarded two firm fixed-price 
contracts[Footnote 1] for the design phase that totaled about $20 
million--one to Harris Corporation and the other to Lockheed Martin 
Corporation. The agency plans to select a winning design from Harris 
and Lockheed Martin submissions by August 2005. 

We previously issued three reports assessing NARA's efforts to 
establish the capabilities to acquire major information systems and the 
ERA system acquisition.[Footnote 2] In these reports, we made nine 
recommendations. We previously reported that NARA had implemented four, 
and these five remained to be addressed: 

* fill vacant key positions,

* develop an enterprise architecture,[Footnote 3]

* improve information security,

* design and implement a process to ensure that recommendations from 
verification and validation reviews[Footnote 4] are addressed and 
incorporated into acquisition policies and plans, and: 

* revise policies and plans to conform to IEEE standards. 

Conference Report 108-792 directed GAO to report on ERA's program 
costs, schedule, and performance by May 25, 2005. Our objectives were 
to determine (1) the extent to which NARA has achieved the ERA 
program's cost, schedule, and performance objectives and the extent to 
which the agency has identified risks to future objectives and (2) the 
status of NARA's efforts to address prior GAO recommendations on the 
acquisition. We performed our work from January 2005 to May 2005 at 
NARA's College Park, Maryland, location in accordance with generally 
accepted government auditing standards. Details of our methodology are 
in appendix I. 

In May 2005 we provided your staff with a briefing on the results of 
our study, which are included as appendix I. The purpose of this report 
is to officially transmit the published briefing slides to you. 

In summary, our briefing made the following points: 

* ERA is meeting its cost, schedule, and performance objectives and has 
identified risks to the program's objectives. 

* NARA's cost objectives associated with the Lockheed Martin and Harris 
design contracts are for $9.5 million and $10.6 million, respectively. 
The program is meeting these cost objectives; the contracts for this 
phase are firm fixed-price and cost variations are expected to be at 
the contractors' expense. 

* The program has also achieved all major milestones on or ahead of 
schedule and the three major deliverables that NARA has received from 
the contractors--the systems requirements specifications from Lockheed 
Martin and system architecture and design documents from both Lockheed 
Martin and Harris--were reviewed by NARA and, according to the agency, 
met the program's performance standards and were accepted. 

* ERA has identified four risks to the acquisition: (1) lack of an 
integrated schedule that encompasses agency projects related to ERA; 
(2) the level of preservation and access required for current and 
future electronic records has not yet been determined; (3) NARA may 
build to the wrong specifications in terms of size and scalability if 
the agency is unable to forecast the expected volume of records to be 
processed by the system with any reliability; and (4) NARA will lose 
more than $20 million in single year funds if it does not award the 
development contract by September 30, 2005. 

NARA continues to make progress in addressing our prior 
recommendations. 

* The agency has fully implemented our recommendation to hire two key 
personnel--the quality assurance specialist and security officer-- 
which should strengthen the program's capability to manage the 
acquisition. 

* The agency has partially implemented four other recommendations that 
are essential for the successful management of the acquisition. It has 
(1) improved the baseline architecture, but has not completed, the 
target architecture; (2) improved information security, but has not 
addressed, all weaknesses; (3) designed, but has not finalized, the 
document review process; and (4) significantly revised the program's 
policies and plans, but has not made them fully compliant with IEEE 
standards. Until NARA fully addresses all prior recommendations, risks 
remain to the successful implementation of the system. Because the 
agency recognizes these weaknesses and has plans in place to address 
them, we are not making further recommendations at this time. However, 
it will be important for NARA to continue its efforts to resolve these 
weaknesses in a timely manner. 

The Archivist stated that the written comments on our briefing 
submitted on May 20, 2005, represent NARA's response to the draft 
report. In those comments, he indicated appreciation for the insight 
provided into the progress remaining to be made toward addressing our 
recommendations. In addition, he stated that NARA will complete the 
recommendations identified in our report as "partially implemented." 
The Archivist's written comments on the briefing are reproduced in 
appendix II. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Subcommittee on Transportation, Treasury, the 
Judiciary, Housing and Urban Development, and Related Agencies, Senate 
Appropriations Committee, and the Subcommittee on the Departments of 
Transportation, Treasury, and Housing and Urban Development, the 
Judiciary, and District of Columbia, and Independent Agencies, House 
Appropriations Committee. We are also sending copies to the Archivist 
of the United States. We will make copies available to others on 
request. In addition, the report will be available at no charge on the 
GAO Web site at [Hyperlink, http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
call me at 202-512-6240; I can also be reached by e-mail at [Hyperlink, 
koontzl@gao.gov]. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made major contributions to this report are 
listed in appendix III. 

Signed by: 

Linda D. Koontz: 
Director, Information Management Issues: 

[End of section]

Appendixes: 

Appendix I: Briefing Slides: 

The National Archives and Records Administration's Acquisition of the 
Electronic Records Archives Is Progressing: 

Briefing for Staff Members of the Subcommittee on Transportation, 
Treasury, the Judiciary, Housing and Urban Development, and Related 
Agencies: 

Committee on Appropriations: 

United States Senate: 

and the Subcommittee on the Departments of Transportation, Treasury, 
and Housing and Urban Development, the Judiciary, and District of 
Columbia, and Independent Agencies: 

Committee on Appropriations: 

House of Representatives: 
May 25, 2005: 

Introduction: 

Objectives, Scope, and Methodology: 

Results in Brief: 

Background: 

Review of Cost, Schedule, Performance, and Risks: 

Implementation Status of GAO Recommendations: 

* Staffing: 

* Enterprise Architecture: 

* Information Security: 

* Document Review Process: 

* Acquisition Policies and Plans: 

Summary: 

Agency Comments and Our Evaluation: 

Appendix: 

Introduction: 

The National Archives and Records Administration (NARA) is responsible 
for oversight of records management and archiving, which increasingly 
involves dealing with documents that are electronically created and 
stored. Accordingly, the Archivist established the Electronic Records 
Archives (ERA) program to acquire a major information system to address 
critical issues in receiving, preserving, and accessing electronic 
records. 

In 2001, the agency hired a contactor to develop policies and plans to 
support and guide the acquisition of the ERA system. NARA selected the 
standards of the Institute of Electrical and Electronics Engineers, 
Inc. (IEEE) to guide the overall acquisition of the system. 

In December 2003, the agency released a request for proposals for the 
design of ERA, and in August 2004, NARA awarded two firm fixed-price 
contracts [NOTE 1] for the design phase totaling about $20 million; one 
to Harris Corporation and the other to Lockheed Martin Corporation. The 
agency plans to select a winning design from Harris and Lockheed Martin 
submissions by August 2005. 

We have issued three reports assessing NARA's efforts to establish the 
capabilities to acquire major information systems and the ERA system 
acquisition. [NOTE 2] In these reports, we made nine recommendations. 
We previously reported that NARA had implemented four, and these five 
remained to be addressed: 

* fill vacant key positions,

* develop an enterprise architecture, [NOTE 3]

* improve information security,

* design and implement a process to ensure that recommendations from 
verification and validation reviews [NOTE 4] are addressed and 
incorporated into acquisition policies and plans, and: 

* revise policies and plans to conform to IEEE standards. 

Objectives, Scope, and Methodology: 

Conference Report 108-792 directed GAO to report on ERA's program 
costs, schedule, and performance by May 25, 2005. As agreed with staff 
of the Subcommittee on Transportation, Treasury, the Judiciary, Housing 
and Urban Development, and Related Agencies, Senate Committee on 
Appropriations, and the Subcommittee on the Departments of 
Transportation, Treasury, and Housing and Urban Development, the 
Judiciary, and District of Columbia, and Independent Agencies, House 
Appropriations Committee, our objectives were to determine: 

* the extent to which NARA has achieved the ERA program's cost, 
schedule, and performance objectives and the extent to which NARA has 
identified risks to future objectives and: 

* the status of NARA's efforts to address prior GAO recommendations on 
the ERA acquisition. 

Scope and methodology: 

To accomplish our objectives, we: 

* reviewed reports on the cost status of the two design contractors to 
determine to what extent ERA was achieving its cost goals,

* reviewed and assessed the project schedule to determine to what 
extent the program was meeting its schedule goals,

* reviewed the program's plans and other documentation such as quality 
assurance checklists to determine what process exists for assessing the 
performance and quality of the design contractors' deliverables,

* reviewed assessments of the program's risk management processes and 
practices, plans of action and milestones, and interviewed ERA and NARA 
officials responsible for risk management to determine the status of 
risk management,

* interviewed the senior managers responsible for hiring ERA staff and 
reviewed the staffing plan to determine if efforts to hire key 
government positions were complete,

* obtained and evaluated the agency's enterprise architecture plans and 
products, an information security assessment and plan, and conducted 
interviews of senior NARA officials to determine the status of the 
agency's efforts to develop an enterprise architecture and strengthen 
the agency's information security program,

* reviewed seven key policies and plans, the contractor's verification 
and validation reports associated with the documents, and interviewed 
ERA officials to determine what progress the program had made in 
addressing our recommendation that policies and plans conform to 
industry standards,

* assessed the program's process for reviewing and finalizing policies 
and plans and interviewed ERA officials responsible for the review 
process to determine the extent to which the review process was 
developed and implemented, and: 

* performed our work from January 2005 to May 2005 at NARA's College 
Park, Maryland location in accordance with generally accepted 
government auditing standards. 

Results in Brief: 

Cost, Schedule, and Performance and Risks: 

The program is currently achieving its cost, schedule, and performance 
objectives, and it recently provided us with a list of risks to these 
objectives. 

* ERA is meeting its cost objectives; the contracts for this phase are 
firm fixed-price and cost variations are expected to be at the 
contractors' expense. 

* The design contractors have completed the initial major milestones 
for the design phase on or ahead of schedule and, to date NARA has 
reviewed three major deliverables: the system requirements 
specifications from Lockheed Martin and system architecture and design 
documents from both Lockheed Martin and Harris. 

* According to NARA, these met the program's performance standards and 
were accepted. 

* ERA has identified risks to the program's cost and schedule 
objectives. For example, NARA identified the lack of an integrated 
schedule that encompasses agency projects related to ERA to be a risk 
to the program. 

Results in Brief: 

Status of Recommendations: 

NARA has made progress towards implementing our prior recommendations 
(table 1). 

Table 1: Summary Status of NARA's Progress in Implementing GAO 
Recommendations: 

[See PDF for image]

[End of table]

The Archivist of the United States provided written comments on a draft 
of these briefing slides and planned to implement our prior 
recommendations. We have reproduced the written comments in the 
appendix. 

Background: 

Acquisition Strategy: 

NARA envisions ERA to be a major information system with the ability to 
authentically preserve and provide access to massive volumes of all 
types and formats of electronic records that are free from dependency 
on any specific type of hardware or software. The agency is seeking a 
system that balances the use of commercial off-the-shelf with new 
software development. However, as agency officials have indicated, 
there is no single commercial solution available today that meets the 
full end-to-end requirements for ERA. As a result, NARA decided to 
develop an advanced architecture for the conversion and preservation of 
electronic records. 

To guide the acquisition of the system, NARA has adopted IEEE standards 
for the software life cycle processes. [NOTE 5] The standards establish 
a common framework for the acquisition of software products and 
services and define processes and activities that are to be tailored 
and applied during the acquisition, supply, development, and operation 
and maintenance of a system. 

Through fiscal year 2004, the ERA program had completed three major 
acquisition milestones: 

* defining the concept on January 3, 2003,

* releasing a request for proposal and completing high-level system 
requirements on December 5, 2003, and: 

* awarding design contracts on August 4, 2004. 

The program entered the systems analysis and design phase at the end of 
fiscal year 2004. This phase is expected to conclude in fiscal year 
2005 with the selection of one of the two design contractors to develop 
the system. The developer is to begin building the system in the first 
of five increments at the end of fiscal year 2005. The first increment 
is planned for completion in 2007 (figure 1) and the expected 
completion date of the system is 2011. 

Figure 1: ERA Acquisition Schedule: 

[See PDF for image]

Source: GAO analysis of agency data. 

[End of figure]

Background: 

Program Management: 

The ERA Program Management Office is responsible for the development of 
policies and plans for the ERA acquisition. 

* In 2001, NARA hired a contractor, Integrated Computer Engineering 
(ICE), Inc., [NOTE 6] to assist in developing the capability to design, 
acquire, and manage the ERA system. 

* ICE is responsible for developing policies and plans and for 
validating and verifying that they conform to IEEE standards for 
content and structure. ICE has also performed independent verification 
and validation of products delivered by the design contractors for 
conformance to applicable industry standards. 

* In fiscal year 2005, the agency also intends to hire an independent 
verification and validation contractor to assess ERA policies and plans 
and work performed by the development contractor. 

Review of Cost, Schedule, and Performance and Risks: 

Costs: 

NARA's cost objectives associated with the Lockheed Martin and Harris 
design contracts are for $9.5 million and $10.6 million, respectively. 

ERA is meeting these cost objectives; the contracts for this phase are 
firm fixed-priced and cost variations are expected to be at the 
contractors' expense. 

Review of Cost, Schedule, and Performance and Risks: 

ERA Program Schedule and Performance Objectives: 

ERA has defined six major milestones that are planned for completion in 
fiscal year 2005 (table 1). 

Table 1: ERA System Acquisition Schedule: Design Phase: 

[See PDF for image] 

[Footnote 7 contained within table information]

Source: NARA. 

[End of figure]

ERA has completed all major milestones on or ahead of schedule. 

To date, NARA has received three major deliverables: the system 
requirements specifications from Lockheed Martin, and system 
architecture and design documents from both Lockheed Martin and Harris. 

NARA assessed these deliverables using IEEE and other industry 
standards, quality assurance checklists, and reviews by subject matter 
experts. 

NARA has completed its review of these deliverables. According to the 
agency, these deliverables met the program's performance standards and 
were accepted. 

Review of Cost, Schedule, and Performance and Risks: 

Risks: 

Risk management is a process to identify potential problems and adjust 
the acquisition to mitigate problems and decrease the chance of their 
occurring. It is a critical tool for continuously determining the 
feasibility of project plans, for improving the search for and 
identification of potential problems that can affect project activities 
and the quality and performance of products, and for improving the 
active management of software projects. [NOTE 8] 

ERA has identified these risks to the acquisition: 

* Schedule-NARA lacks an integrated schedule that encompasses agency 
projects related to ERA. 

* Preservation-NARA has not yet determined the level of preservation 
and access [NOTE 9] required for its current and future electronic 
records. 

* Volume-If NARA is unable to forecast the expected volume of records 
to be processed by the system, with any reliability, it may build to 
the wrong specifications in terms of size and scalability. 

* Funds-If NARA does not award the development contract by September 
30, 2005, it will lose more than $20 million in single year funds. 
According to NARA, this could have cascading effects that could result 
in program termination. 

By identifying project risks, NARA should be able to better achieve its 
cost, schedule, and performance goals. 

Implementation Status of GAO Recommendations: 

ERA Staffing: 

We reported in our September 2004 report that, while NARA had made 
progress in staffing ERA, two of the key government positions remained 
vacant-quality assurance specialist and the security officer. We noted 
that, until the agency filled these key positions, the program might 
not have the resources necessary to manage the acquisition. 

NARA has filled the two vacant key government positions. The quality 
assurance specialist was hired in July 2004 and the security officer in 
May 2005. 

These positions are important to the quality and completeness of 
program processes and practices. By hiring key staff, the program has 
improved its capability for managing the acquisition. 

Implementation Status of GAO Recommendations: 

Enterprise Architecture: 

We previously reported that, while NARA has taken action to develop an 
enterprise architecture, its efforts were incomplete. We recommended 
that the agency strengthen its IT management capabilities by developing 
an enterprise architecture. 

Although not fully complete, NARA has made progress in addressing our 
recommendation. 

An enterprise architecture provides a description-in useful models, 
diagrams, and narrative-of the mode of operation for an agency. It 
describes the agency in logical terms, such as interrelated business 
locations and users, and in IT operational terms, such as hardware, 
software, data, communications, and information security attributes and 
standards. It provides these perspectives both for the baseline and 
target environments and a plan for transitioning from the baseline to 
the target. 

NARA has added sections on information security and IT operations to 
its baseline enterprise architecture. However, the target architecture 
is only a framework, and therefore, is incomplete. The agency plans to 
complete high priority items, such as business process specifications, 
by September 2005. 

Until the target enterprise architecture is complete, NARA may have 
difficulty ensuring that the ERA system is defined according to the 
requirements of the target enterprise architecture. 

Implementation Status of GAO Recommendations: 

Information Security: 

We previously reported that NARA had improved its information security, 
having recognized that it had weaknesses, which included: 

* classified systems were not centrally controlled and the agency did 
not have the necessary assurance that these systems were adequately 
protected and: 

* systems compliance testing by a contractor revealed nine security 
weaknesses in the systems operating on NARA's network, and the agency 
did not develop plans of action to address those security weaknesses. 

Federal legislation and guidance for information security require 
organizations to, among other things, establish an information security 
program that includes the following activities: develop information 
security policy and procedures; develop system security plans for 
networks, facilities, and systems or groups of information systems; 
perform risk assessments; determine the sensitivity and criticality of 
systems; and establish certification and accreditation programs for 
information systems. 

Since our report last year, NARA has fully addressed one of the 
previously identified security weaknesses by bringing classified 
systems under the central control and protection of the chief 
information officer and has partially addressed the second by 
developing plans of actions and milestones for the nine weaknesses and 
completing corrective action on five of the nine. For example, in the 
past year, the agency has implemented and improved its security 
awareness program and reported that it had certified and accredited its 
information systems according to government standards. 

Implementation Status of GAO Recommendations: 

Information Security: 

However, the Office of Inspector General identified additional security 
weakness, including: 

* the lack of a formal, documented, and tested agency disaster recovery 
plan and: 

* inadequate physical and logical security in areas such as password 
and systems configuration management. 

The agency has developed plans of action and milestones to address 
these weaknesses, which it expects to complete by September 2005. As a 
result, NARA has considered information security to be a material 
weakness since 2000. [NOTE 10] 

Until information security is fully addressed, it remains a risk to 
ERA's cost, schedule, and performance objectives. 

Implementation Status of GAO Recommendations: 

Document Review Process: 

In our September 2004 report, we recommended that the Archivist direct 
the ERA program director to design and implement a process to ensure 
that recommendations from verification and validation reviews are 
addressed and incorporated into acquisition policies and plans to 
reduce the risk associated with efforts to acquire ERA. 

NARA has made progress in addressing our recommendation by designing a 
process to ensure that reviewers' recommendations are addressed in the 
final version. However, this document review process has not been 
finalized and implemented. Agency officials indicated that the 
recommendation will be fully addressed by June 2005. 

A process to ensure that verification and validation recommendations 
from internal assessments are addressed and incorporated reduces the 
risk that acquisition policies and plans do not meet industry 
standards. Without the process, NARA cannot ensure that reviewers' 
comments are integrated into final versions. 

Until the agency fully designs and implements a process to ensure 
recommendations are addressed and incorporated into the final versions 
of documents, the program may not have accurate acquisition policies 
and plans to guide the system development. 

Implementation Status of GAO Recommendations: 

Acquisition Policies and Plans: 

We previously reported that ERA had developed key acquisition policies 
and plans to guide its acquisition, but that the documents did not 
conform to the IEEE standards selected by the agency. These policies 
and plans are essential for managing the acquisition and providing 
critical guidance to the contractor who will be developing the system. 
As a result, we recommended that ERA revise these policies and plans to 
conform to industry standards. 

While the program has revised the seven policies and plans, none fully 
complies with IEEE standards. These six were significantly improved: 

* Acquisition Strategy,

* Concept of Operations,

* Life Cycle,

* Configuration Management Plan,

Risk Management Plan, and: 

Program Management Plan. 

According to program officials, these policies and plans will be 
updated to conform to IEEE standards during the next phase of the 
acquisition. 

The remaining plan-the Quality Management Plan-while it has been 
revised, has not undergone verification and validation. Officials 
indicated that this plan will undergo verification and validation for 
compliance to IEEE standards and will be revised in July 2005. [NOTE 
11] 

Until these policies and plans are revised to meet IEEE standards, the 
program may not have the information needed to manage the acquisition 
and the contractor may lack the information needed to develop the 
system. 

Summary: 

ERA is meeting its cost, schedule, and performance objectives and has 
identified risks to the program's objectives. 

NARA continues to make progress in addressing our prior 
recommendations. It has implemented one recommendation by hiring two 
key ERA personnel, the quality management specialist and security 
officer, which should strengthen the program's capability to manage the 
acquisition. 

NARA has partially implemented other recommendations that are essential 
for the successful management of the acquisition. Specifically, ERA 
has: 

* improved baseline architecture but has not completed target 
architecture,

* improved information security but it remains a material weakness 
despite five years of effort by NARA to strengthen it,

* revised the policies and plans to more fully comply with IEEE 
standards, and 

* designed but has not finalized the document review process. 

Because the agency recognizes these weaknesses and has plans in place 
to address them, we are not making further recommendations at this 
time. However, it will be important for NARA to continue its efforts to 
resolve these weaknesses in a timely manner. 

Agency Comments and Our Evaluation: 

In written comments on a draft of our briefing slides, the Archivist of 
the United States indicated appreciation for the insight we provided 
into the progress remaining to be made toward addressing our 
recommendations. The Archivist also provided an update on steps the 
agency has taken and plans to take to address our recommendations, 
including strengthening the enterprise architecture and information 
security, and stated that NARA would complete all recommendations. 

In regard to our discussion of the agency's Risk Management Plan, the 
Archivist stated that the verification and validation assessment found 
the plan to be of high quality and 86 percent compliant with standards. 
We have revised our briefing slides to clarify our characterization of 
the plan's status. 

The Archivist also provided technical comments that were incorporated 
into the briefing slides as appropriate. 

The Archivist's written comments are reproduced in appendix II. 

NOTES: 

[1] According to the Federal Acquisition Regulation, a firm fixed-price 
contract provides for a price that is not subject to any adjustment on 
the basis of the contractor's cost experience in performing the 
contract. This type of contract places maximum risk and full 
responsibility for all costs and resulting profit or loss on the 
contractor(s). 

[2] GAO, Information Management. Challenges in Managing and Preserving 
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and 
GAO, Records Management. National Archives and Records Administration's 
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.: 
Aug. 22, 2003) and GAO, Records Management. Planning for the Electronic 
Records Archives Has Improved, GAO-04-927 (Washington, D.C.: Sept. 23, 
2004). 

[3] An enterprise architecture provides a description-in useful models, 
diagrams, and narrative-of the mode of operation for an agency. It 
describes the agency in logical terms, such as interrelated business 
locations and users, and in IT operational terms, such as hardware, 
software, data, communications, and information security attributes and 
standards. It provides these perspectives both for the baseline and 
target environments and a plan for transitioning from the baseline to 
the target. 

[4] Verification and validation reviews are performed by internal 
contractors to ensure that ERA policies and plans conform to industry 
standards, such as those established by IEEE. 

[5] The Institute of Electrical and Electronics Engineers, 12207.0 
Standard for Information Technology-Software Life Cycle Processes; 
12207.1 Standard for Information Technology-Software Lifecycle 
Processes-Life Cycle Data; and 12207.2 Standard for Information 
Technology-Software Life Cycle Processes-Implementation Considerations. 

[6] On January 15, 2002, American Systems Corporation (ASC) announced 
the acquisition of ICE, Inc. According to the ERA project manager, this 
change does not affect the status of NARA's contract with ICE, Inc. 

[7] Harris Corporation's milestones for delivery and acceptance of 
system requirements specifications that were included in its contract 
were revised to accommodate delays to the project caused by a hurricane 
that struck company headquarters soon after the design contract was 
signed. The revision to Harris's schedule did not affect the planned 
date for selecting the development contractor. 

[8] The Institute of Electrical and Electronics Engineers, IEEE 
Standard for Software Life Cycle Processes-Risk Management. IEEE 
Standard 1540-2001 (Mar. 17, 2001). 

[9] For example, a basic level of preservation and access might entail 
saving the original electronic file in its original format. An enhanced 
level might be achieved by migrating records from their original format 
to a newer one for which better access software is available. 

[10] Fiscal Year 2000 Federal Managers' Financial Integrity Assurance 
(FMFIA) Report to the President. 

[11] In comments on a draft of these briefing slides, NARA reported 
that the Quality Management Plan underwent verification and validation 
on May 11, 2005, and is 85 percent compliant with IEEE standards. 

[End of section]

Appendix II: Comments from the National Archives: 

National Archives at College Park:
8601 Adelphi Road: 
College Park, Maryland 20740-6001: 

Mr. Joel C. Willemssen:
Managing Director of Information Technology Team: 
Government Accountability Office:
441 G Street, NW #4T31: 
Washington, DC 2054$: 

Dear Mr. Willemssen: 

Thank you for the opportunity to review and comment on the draft 
presentation entitled National Archives and Records Administration's 
Acquisition of the Electronic Records Archives is Progressing before it 
is briefed to the staff members of the Subcommittee on Transportation, 
Treasury, the Judiciary, Housing and Urban Development, and Related 
Agencies, of the Senate Appropriations Committee and the Subcommittee 
on Transportation, Treasury and Housing and Urban Development, the 
Judiciary and District of Columbia, and independent Agencies, of the 
House Appropriations Committee. We are pleased to note the recognition 
of the progress made toward implementing the recommendations provided 
in GAO's report of September 23, 2004, Records Management: Planning for 
the Electronic Records Archives Has Improved (GAO-04-927). 

We also appreciate the insight into the progress remaining to be made 
toward addressing GAO's recommendations. For NARA to carry out its 
mission into the future we have to be successful implementing the 
Electronic Records Archives (ERA) system. To ensure we are successful, 
we will complete those recommendations identified in your presentation 
as "partially implemented." We would like to take this opportunity to 
update you on the status of those efforts. 

Enterprise Architecture. GAD observed that "NARA has added sections on 
information security and IT operations to its baseline enterprise 
architecture. However, the target architecture is only a framework, and 
therefore, is incomplete." GAO also indicates that "Until the target 
enterprise architecture is complete, NARA may have difficulty ensuring 
that the ERA system is defined according to the requirements of the 
target enterprise architecture."

By September 2005, NARA's Target Architecture will have progressed well 
beyond the addition of business process specifications. This version of 
the Enterprise Architecture will include: 

* Specifications of all business processes related to records 
lifecycle. This includes data inputs and outputs, security and privacy 
constraints, identification of business rules and policies, technology 
enablers and support from current systems for each lifecycle business 
prates. 

* A set of business information flows. These are developed using the 
business process, the data inputs and outputs, and the enterprise data 
model. 

* A set of conceptual business information systems. These are developed 
using the business information flows and applying technological and 
security constraints. 

* A revised sequencing plan that shows a high-level implementation 
strategy for the set of conceptual business information systems. The 
revised sequencing plan is an important input into specifying an 
updated business transformation plan. 

These additions to our Enterprise Architecture represent a major step 
forward in the definition and maturity of NARA's Target Architecture. 
The necessary specifications will be in place by September 2005, when 
development of ERA's increment one starts, to ensure that the ERA 
requirements will be defined according to NARA's Target Architecture. 

IT Security Program. GAO observed in the report that the agency has 
developed plans of action and milestones to address the Office of 
Inspector General weaknesses by September 2005. GAO also indicates that 
"As a result, NARA has considered information security to be a material 
weakness since 2000. Until information security is fully addressed, it 
remains a risk to ERA's cost, schedule and performance objectives." We 
are very pleased GAO noted the progress on the NARA security program, 
we want to address additional concerns GAO raised resulting from its 
review of NARA's Office of Inspector General audits. 

First, to address the lack of a formal, documented, and tested agency 
disaster recovery plan, we want to stress that ERA itself has a 
comprehensive information security plan, developed in collaboration 
with the National Security Agency, that has integrated contingency and 
disaster recovery plans as part of its requirements. Recent system 
design reviews with both competing contractors confirm that these 
requirements are being incorporated into the final ERA system design, 
Also, our Plan of Action and Milestones for completing an agency-wide 
disaster recovery plan addresses one of the material weaknesses 
identified in the 2004 Federal Manager's Financial Integrity Act 
report. That disaster recovery plan will incorporate the contingency 
plans that have been developed and tested for each NARA system, 
including ERA and NARAnet. The NARAnet disaster recovery plan also 
addresses the data recovery capabilities needed to support the ERA 
Program Management Office. 

Second, addressing the general concern related to physical and logical 
security weaknesses, we want to assure GAO that the completion of the 
specific audit action items comprising this deficiency will be resolved 
by September 30, 2005. We believe that completing these audit action 
items when development of ERA's increment one starts will mitigate the 
risks to ERA's cost, performance, and schedule objectives. 

Cost, Schedule, and Performance and Risks, GAO indicates in its report 
that "the contracts for this phase are firm-fixed-priced and cost 
variations are expected to be at the contractor's expense." We want to 
clarify that not only is ERA meeting its cost objectives for the 
Analysis and Design (A&D) phase, but both contractors expect to 
complete the A&D phase within budget. No variations from the planned 
budget are anticipated. If any averages occur, they would be at the 
contractor's expense. 

Document Review Process. GAO observed that "NARA has made progress in 
addressing our recommendation by designing a process to ensure that 
reviewer's recommendations are addressed in the final version. However, 
this document review process has not been finalized and implemented." 
We have a process in place which ensures that comments from all 
reviewers as well as the Independent Verification and Validation staff, 
when required, are addressed. Comments and responses to comments are 
tracked by the Quality Management (QM) staff. All documents submitted 
to the Program Manager for approval are required to be accompanied by a 
report from the QM staff on the resolution of all comments. 

Acquisition Policies and Plan, GAO states in the report that "the 
Quality Management Plan - while it has been revised, has not undergone 
verification and validation." The Quality Management Plan, Version 2.6, 
December 16, 2004, underwent verification and validation on May 11, 
2005. It was found to be 85% compliant with the IEEE standards. It 
should be noted that the IEEE standard has been tailored for the 
Quality Management Plan to incorporate industry best practices derived 
from the Project Management Institute's Project Management Body of 
Knowledge (PMBOK). The items noted as non-compliant were primarily in 
the area of format; these recommendations will be taken into 
consideration during the next revision of the plan, which should be 
completed by July 2005. 

GAO also states that "the Risk Management Plan - has significant 
weaknesses." The Risk Management Plan, Version 3.0, August 25 2004 
underwent verification and validation on August 26, 2004. It was found 
to be 86% compliant with the IEEE standard. The overall quality of the 
Risk Management Plan was rated as high. The remaining items will be 
addressed during the next revision of the Risk Management Plan 
scheduled for August 2005. 

The level of IEEE compliance for the documents reviewed is directly 
related to the system's life cycle. Most documents show a small number 
of partially compliant items that we will make fully compliant as 
information becomes available with the start of system development. 

Again, we thank you for this opportunity to comment and look forward to 
our future interactions as we continue the ERA acquisition process. If 
you have any questions, please contact Carmen Colon, Program Support 
Division at (301) 837-0445. 

Sincerely,

Signed by: 

ALLEN WEINSTEIN:
Archivist of the United States: 

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Linda Koontz, (202) 512-7487: 

Staff Acknowledgments: 

In addition to the contact named above, Timothy Case, Nancy Glover, and 
Teresa Neven made key contributions to this report. 

(310740): 

FOOTNOTES

[1] According to the Federal Acquisition Regulation, a firm fixed-price 
contract provides for a price that is not subject to any adjustment on 
the basis of the contractor's cost experience in performing the 
contract. This type of contract places maximum risk and full 
responsibility for all costs and resulting profit or loss on the 
contractor(s). 

[2] GAO, Information Management: Challenges in Managing and Preserving 
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and 
GAO, Records Management: National Archives and Records Administration's 
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.: 
Sept. 23, 2004). 

[3] An enterprise architecture provides a description--in useful 
models, diagrams, and narrative--of the mode of operation for an 
agency. It describes the agency in logical terms, such as interrelated 
business locations and users, and in IT operational terms, such as 
hardware, software, data, communications, and information security 
attributes and standards. It provides these perspectives both for the 
baseline and target environments and a plan for transitioning from the 
baseline to the target. 

[4] Verification and validation reviews are performed by internal 
contractors to ensure that ERA policies and plans conform to industry 
standards, such as those established by IEEE. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: