This is the accessible text file for GAO report number GAO-04-927 
entitled 'Information Management: Planning for the Electronic Records 
Archives Has Improved' which was released on September 23, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Committees:

September 2004:

RECORDS MANAGEMENT:

Planning for the Electronic Records Archives Has Improved:

GAO-04-927:

GAO Highlights:

Highlights of GAO-04-927, a report to congressional committees:

Why GAO Did This Study:

Since 2001, the National Archives and Records Administration (NARA) has 
been working to develop the policies and plans to build the Electronic 
Records Archives (ERA), a major information system that is intended to 
preserve and provide access to massive volumes of all types and formats 
of electronic records. Senate Report 108-146 directed GAO to provide a 
progress report on NARA’s development of the ERA system. Specifically, 
GAO’s objective was to determine the agency’s progress in implementing 
recommendations from previous assessments.

What GAO Found:

NARA has made progress towards addressing GAO’s prior recommendations: 
four of the eight recommendations have been fully addressed, and NARA 
is making progress in addressing the three recommendations on staffing, 
enterprise architecture, and information security (see table).

NARA is making less progress in addressing the recommendation to revise 
acquisition policies and plans to meet relevant industry standards. 
None of the eight key acquisition policies and plans fully complies 
with the standards selected by the agency. A contributing cause has 
been that although contractor staff assessed these policies and plans 
against standards, NARA had not established a process to ensure that 
the identified weaknesses were addressed and incorporated into 
subsequent versions. Making program policies and plans compliant before 
contract award is important to ensure that the agency has the 
information it needs to manage the acquisition and that the contractors 
have sufficient information on which to base the design of the system.

[See PDF for image]

Source: GAO, based on NARA data.

[End of figure]

What GAO Recommends:

To reduce the risks associated with NARA’s efforts to acquire ERA, GAO 
recommends that the Archivist direct the ERA Program Director to design 
and implement a process to ensure that recommendations from contractor 
reviews are addressed and incorporated into program policies and plans. 
In commenting on a draft of this report, the Archivist of the United 
States generally agreed with the overall findings and recommendation, 
and provided an update on NARA’s actions to implement the 
recommendations in this and prior GAO reports.

www.gao.gov/cgi-bin/getrpt?GAO-04-927.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda D. Koontz at (202) 
512-6240 or Koontzl@gao.gov.

Contents:

Letter:

Recommendation for Executive Action:

Agency Comments and Our Evaluation:

Appendixes:

Appendix I: Briefing Slides:

Appendix II: Comments from the National Archives and Records 
Administration:

Abbreviations:

ASC: American Systems Corporation:

ERA: Electronic Records Archives:

ICE: Integrated Computer Engineering, Inc.:

IT: information technology:

NARA: National Archives and Records Administration:

Letter September 23, 2004:

The Honorable Richard C. Shelby: 
Chairman: 
The Honorable Patty Murray: 
Ranking Minority Member: 
Subcommittee on Transportation, Treasury and General Government: 
Committee on Appropriations United States Senate:

The Honorable Ernest J. Istook, Jr.: 
Chairman: 
The Honorable John W. Olver: 
Ranking Minority Member: 
Subcommittee on Transportation, Treasury and Independent Agencies: 
Committee on Appropriations: 
House of Representatives:

The National Archives and Records Administration (NARA) is responsible 
for the oversight of government records management and archiving, which 
increasingly involves dealing with documents that are created and 
stored electronically. Since 2001, the agency has been working to 
develop the Electronic Records Archives (ERA) system. This major 
information system is intended to preserve and provide access to 
massive volumes of all types and formats of electronic records. NARA 
plans to develop the system in five increments, with the first 
increment expected to be completed in 2007 and the fifth in 2011.

We have issued two prior reports[Footnote 1] assessing NARA's 
acquisition of the ERA system. Our assessments identified several 
weaknesses in the acquisition process and made eight recommendations to 
the agency that, if addressed, would reduce the risks in acquiring the 
ERA system. These recommendations were to:

1. develop a schedule that is based on a comprehensive work breakdown 
structure (including associated costs and other resources),

2. establish schedule dependencies among successor and predecessor 
tasks,

3. use earned value management to capture and monitor progress for the 
entire acquisition,

4. revise acquisition policies and plans to conform to Institute of 
Electrical and Electronics Engineers, Inc. standards,

5. fill vacant key program positions,

6. develop an enterprise architecture,

7. improve information security, and:

8. implement an IT investment management process.

Senate Report 108-146 directed GAO to provide a progress report on 
NARA's development of the ERA system. Our objective was to determine 
the agency's progress in implementing our prior recommendations. To 
achieve this objective, we assessed and reviewed related plans and 
schedules to determine the level of progress since our last report and 
we interviewed key NARA officials and contractor staff. We selected 
eight key policies and plans for review; we assessed seven of these in 
our 2003 review. We added an eighth--the Program Management Plan--that 
had been completed since the 2003 review. We reviewed NARA's progress 
in filling all government and contractor positions and conducted 
interviews of senior NARA officials to determine the status of the 
agency's efforts to establish a capability in IT investment management, 
develop an enterprise architecture, and strengthen the agency's 
information security program. We also reviewed the contractor's 
verification and validation reports associated with the eight policies 
and plans. We performed our work from February 2004 to May 2004 at 
NARA's College Park, Maryland, location in accordance with generally 
accepted government auditing standards.

In June 2004 we provided your staff with a briefing on the results of 
our study, which included procurement-sensitive information. The slides 
from that briefing--with procurement-sensitive information removed--
are included as appendix I. The purpose of this report is to provide 
the published briefing slides to you and to officially transmit our 
recommendation to the Archivist of the United States.

In summary, our briefing made the following points:

NARA has made progress toward addressing our prior recommendations; 
four of the eight recommendations have been fully addressed. 
Specifically, the ERA schedule is now based on a comprehensive work 
breakdown structure, dependencies have been established among 
predecessor and successor tasks, earned value management is being used 
to capture and monitor progress for the entire acquisition, and an IT 
investment management process has been implemented. In addition, NARA 
is making progress in addressing the three recommendations on staffing, 
enterprise architecture, and information security.

NARA is making less progress in addressing the recommendation to revise 
acquisition policies and plans to meet relevant industry standards. 
Such policies and plans are essential for managing the acquisition and 
providing critical guidance to the contractors who will be designing 
the system. However, none of the eight key acquisition policies and 
plans fully complies with the standards. A contributing cause has been 
that, although contractor staff performed verification and validation 
reviews to assess these polices and plans against standards, NARA had 
not established a process to ensure that the weaknesses identified in 
these reviews were addressed and incorporated into the subsequent 
versions. Making acquisition policies and plans compliant before 
contract award is important to ensure that the agency has the 
information it needs to manage the acquisition and the contractors have 
adequate information on which to base the design of the system.

Recommendation for Executive Action:

To reduce the risks associated with NARA's efforts to acquire ERA, we 
recommend that the Archivist direct the ERA program director to design 
and implement a process to ensure that recommendations in verification 
and validation reviews are addressed and incorporated into acquisition 
policies and plans.

Agency Comments and Our Evaluation:

In providing written comments on a draft of this report (reprinted in 
app. II), the Archivist of the United States stated that NARA was 
pleased to note our recognition of the progress that it has made and 
that actions were well under way to address all outstanding 
recommendations. The Archivist also provided an update on the status of 
the four recommendations in the report that had not been fully 
addressed. In response to a technical comment concerning the status of 
the requirements document, we have amended the briefing slides to 
clarify that this document contains a complete set of high level system 
requirements.

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Subcommittee on Transportation, Treasury and 
General Government, Senate Appropriations Committee, and the 
Subcommittee on Transportation, Treasury and Independent Agencies, 
House Appropriations Committee. We are also sending copies to the 
Archivist of the United States. We will make copies available to others 
on request. In addition, the report will be available at no charge on 
the GAO Web site at [Hyperlink, http://www.gao.gov/.].

If you or your staff have any questions concerning this report, please 
call me at 202-512-6240 or Mirko Dolak, Assistant Director, at (202) 
512-6362. We can also be reached by e-mail at [Hyperlink, 
koontzl@gao.gov] and [Hyperlink, dolakm@gao.gov], respectively. Key 
contributors to this report were Timothy Case, Nancy Glover, and Kush 
Malhotra.

Signed by: 

Linda D. Koontz: 
Director, Information Management Issues:

[End of section]

Appendixes:

[End of section]

Appendix I: Briefing Slides:

[See PDF for image]

[End of figure]

[End of section]

Appendix II: Comments from the National Archives and Records 
Administration:

National Archives at college Park:
8601 Adelphi Road: 
College Park, Maryland 20740-6001:

AUG 3 2004:

General Accounting Office:
Managing Director of Information Technology Team: 
Mr. Joel C. Willemssen:
441 G Street, NW #4T31: 
Washington, DC 20548:

Dear Mr. Willemssen:

We thank you for the opportunity to review and comment on the draft 
report entitled Information Management: Planning for the Electronic 
Records Archives Has Improved (GAO-04-927) before it is issued in final 
form. We are pleased to note the recognition of the progress made 
towards implementing the recommendations provided in GAO's report of 
August 2003, Records Management: National Archives and Records 
Administration's Acquisition of Major System Faces Risks (GAO-03-880).

Most of the steps NARA has taken to implement GAO's recommendations are 
acknowledged in the report. However, some of our efforts were just 
getting started at the time of the GAO review and therefore are not 
reflected in the report. We would like to take this opportunity to 
update you on the status of the four recommendations in the report with 
a partially addressed or not addressed status. As you will see, we are 
well underway to implementing all the recommendations in the report. 
Following are our comments.

Enterprise Architecture: Although the specifications for NARA's target 
architecture are not fully complete in the version 2.0 release 
(September 2003), the framework for the target Enterprise Architecture 
(EA) is in place for each major view of the EA to include Business, 
Data, Applications, Systems, Operations, and Security. Significant 
progress will be reflected in the 3.0 release of the EA which will be 
completed on September 2, 2004. Specifically, the following areas are 
being improved:

* The Business Architecture will provide "to be" business process 
specifications for several of NARA's key business areas within the 
Records Lifecycle Management function. Additionally, an updated 
transition plan based on the gap analysis of the baseline and the 
target architectures will be provided.

* The Enterprise Conceptual Data Model (CDM) will incorporate the ERA 
domain model.

* The agency's security architecture and IT security program will be 
aligned with FISMA and NIST guidance for IT security.

National Archives and Records Administration:

We would like to clarify that the ERA system design must conform to the 
Enterprise Target Architecture and not the other way around. The 
functional specifications for NARA's target systems, data, and 
applications will be improved as the agency's business architecture 
continues to develop.

Information Security: Eight of the nine weaknesses identified through 
our contractor's compliance testing have been corrected. Enclosure (1) 
outlines a description of the weaknesses and the corrective actions 
taken. Creation of a control log to illustrate what ports are closed, 
filtered, or open on each subnet is the only weakness that has not been 
addressed. This log will be implemented by August 31, 2004.

In response to the issue regarding central control of classified 
systems, it is important to note that the current classified systems 
are physically secure, are not attached to a network, and have security 
plans in place.	We are taking the following steps to improve the 
security posture of the classified systems:

* Revising NARA 101, NARA Organization and Delegation of Authority. 
Responsibilities for NA and NH will be re-defined to ensure that NARA 
classified computer systems are centrally managed by technically 
qualified personnel by October 1, 2004.

* Developing and implementing information systems security education, 
training, and awareness programs relating to national security systems 
for NARA information security personnel by September 30, 2004. NARA 
will provide additional training as needed for agency-wide security 
information system security professionals, system administrators, 
information systems security officers, and system certifiers, to ensure 
their knowledge of communications security and computer security is up-
to-date.

* Updating the NARA Information Security Manual (INFO. SECURITY 202) 
with NAS support to provide technical guidance for securing automated 
classified information systems, including both classified systems 
applications and their support networks by December 31, 2004.

* Revising NARA 804, Information Technology (IT) Systems Security to 
include NARA classified IT systems. A draft will be prepared by August 
31, 2004; the final to be issued by December 31, 2004.

* Completing an up-to-date inventory of all existing NARA classified 
systems by October 1, 2004.

* Completing an initial Certification and Accreditation (C&A) for each 
NARA classified system including a risk assessment, systems security 
plan, security controls testing and vulnerability analysis, and 
contingency by October 1, 2004.

Acquisition Program Policies and Plans: Although the scheduled date for 
contract award was May 28, 2004, actions to mitigate risks related to 
potential protests resulted in schedule changes during the acquisition 
process. The Source Selection Team has taken a conservative approach to 
the Source Selection activities to minimize any risks of protests. This 
approach resulted in a longer timetable for Source Selection 
activities. Currently, a decision was made by July 30, 2004 and the 
contract will be awarded on August 3, 2004.

Five of the documents identified were updated and have undergone 
Verification and Validation (V&V) to ensure IEEE compliance prior to 
contract award. Enclosure (2) includes copies of the updated documents 
and their respective V&V reports.

As indicated in previous correspondence, the Requirements Document will 
not be updated. Reallocation of resources to finalize the ERA contract 
source selection activities impeded completion of the update to the 
Risk Management Plan and the Life Cycle Document. These two documents 
are undergoing final editorial review and will be delivered for 
government review by August 6, 2004.

More importantly, a temporary process was put in place that 
incorporated verification and validation activities through out the 
entire document development process. Enclosure (3) describes the 
temporary process. The process will become permanent when we finalize 
the Standard Operating Procedures (SOPS) document currently under 
development.

ERA Staff. We have hired the replacement for the quality assurance 
position. The security position remains unfilled. We have advertised 
the position through regular government channels and in the Washington 
Post. Hundreds of applications have been reviewed but no qualified 
candidates have surfaced. As we continue to search for an ERA Security 
Specialist we have the support of the National Security Agency (NSA) 
and a staff member from NARA's Office of Human Resources and 
Information Services.

Finally, we would like to clarify a point from the report. The ERA 
Requirements Document section implies that the Requirements Document is 
not complete. The final ERA Requirements Document released with the ERA 
Request for Proposal (RFP) on December 5, 2003, outlines a complete set 
of high level system requirements. These high level requirements will 
be used by the ERA development contractor to generate a detailed System 
Requirements Specification that will be delivered to the government six 
months after contract award.

Again, we thank you for this opportunity and look forward to our future 
interactions as we continue the ERA acquisition process.

Sincerely,

Signed by: 

JOHN W. CARLIN: 
Archivist of the United States:

Enclosures:

[End of section]

(310719):

FOOTNOTES

[1] GAO, Information Management: Challenges in Managing and Preserving 
Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002) and 
Records Management, National Archives and Records Administration's 
Acquisition of Major System Faces Risks, GAO-03-880 (Washington, D.C.: 
Aug. 22, 2003). 

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

	

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: