Tuesday, July 1, 2008

U.S. government agencies’ cyber-security and record-keeping worse than previously thought

SPECIAL REPORT

By David Gewirtz

The United States Government Accountability Office (GAO) is the audit, evaluation, and investigation arm of the United States Congress. This month, the GAO released a 74-page report entitled "National Archives and Selected Agencies Need to Strengthen E-Mail Management".


"The entire apocalypse-in-a-box that is the Internet is allowed to tunnel through all of Homeland Security's security."

After reading the report, I made three key observations:

  • The National Archives and Records Administration (NARA) has completely abdicated responsibility for investigating records management in the U.S. government, putting all U.S. government record-keeping at risk.
  • Record-keeping at the four agencies investigated by the GAO isn't all that bad by government standards, but they'd never survive the standards imposed on corporate CIOs by the government.
  • I've discovered two new cyber-security risks, this time at the Department of Homeland Security and another at the Federal Trade Commission, the government's lead agency for identity-theft protection.

The report was provided to the United States House Committee on Oversight and Government Reform. Unfortunately, while the GAO described certain record-keeping and computer management practices at these various agencies, they may not have fully understood how the practices they documented would lead to troubling security flaws at the DHS and FTC, and they certainly didn't point them out explicitly for the Committee to investigate.

The National Archives and Records Administration

The National Archives and Records Administration is the U.S. government agency charged with preserving and documenting government and historical records. According to the report:

Under the Federal Records Act, NARA is given general oversight responsibilities for records management as well as general responsibilities for archiving. This includes the preservation in the National Archives of the United States of permanent records documenting the activities of the government. NARA thus oversees agency management of temporary and permanent records used in everyday operations and ultimately takes control of permanent agency records judged to be of historic value.