Office of the Inspector General (OIG)

OIG Semi-Annual Report to Congress:
April 1, 2004 - September 30, 2004


Foreword

The core mission of the National Archives and Records Administration (NARA) is to provide our customers with ready access to essential evidence. In an age of digitized pictures and electronic records we cannot forget that much of our national history and experiences are preserved and defined in the traditional mediums of photographs, paper, parchment, and film. Early in my tenure as Inspector General (IG), the Archivist concurred with our conclusion that a material weakness existed in records holdings security.

In the interceding years, NARA has taken positive and much needed strides to increase physical security over our holdings. However, the sheer volume of records on which the public places a high monetary value, when paired with inherent internal control deficiencies, results in a significant and continuing risk of pilferage. This reporting period saw the Archivist endorse a major initiative that assigned the Office of Inspector General (OIG) the lead role in serving as the contact point in what we call "Operation Historic Protector (OHP)." Upon implementation, OHP will be a multi-faceted program designed to:

  • Protect NARA's holdings
  • Identify alienated Federal records for recovery through replevin or other appropriate legal remedy
  • Educate the collectors, traders, auctioneers, archivists, and the general public to enable them to support NARA in the identification and recovery of alienated Federal records
  • Prosecute under criminal statutes those who remove Federal records from NARA

In effect, we view OHP as an extension of our existing hotline program. In this, the Internet age, the capacity exists for anyone to be a dealer of stolen historical records for personal gain in a virtual and expansive market. Thus, there is an immediate need to act through traditional and creative means to staunch the flow and protect our holdings. With top-down NARA support, and that of our congressional oversight committees and appropriators, we hope to have the resources to stem the tide and, in so doing, preserve the records that define our democracy for this and future generations of Americans.

Paul Brachfeld
Inspector General



Executive Summary

This is the 32nd Semiannual Report to the Congress summarizing the activities and accomplishments of the National Archives and Records Administration (NARA) Office of Inspector General (OIG). A summary of NARA's top challenges is provided under the section titled "Top Ten Management Challenges." The highlights of our major functions are summarized below.

Audits

In this reporting period, the Audit Division focused resources on examining the integrity of NARA's financial information and security of NARA's Information Technology (IT) programs. This work had significant positive impact upon agency operations and related controls in these critical areas. We also directed significant audit resources toward the evaluation of such NARA programs and functions as the Transit Benefit Program and Interagency Agreements function and contract issues. Recommendations directed to NARA officials will, upon adoption, translate into increased levels of security and control over our financial assets and programs and operations.
We issued the following audit reports during the reporting period:

  • Evaluation of NARA's Computer Security Incident Response Capability. Our review disclosed that NARA's guidance for handling computer security incidents has not been fully implemented; NARA Information Technology (IT) Security Services personnel were not consistently reporting computer security-related incidents to the Federal Computer Incident Response Center (FedCIRC); NARA guidance did not require that the OIG always be notified when a significant computer security-related incident occurs; the Intrusion Detection System (IDS) alert system was not linked with NARA's Computer Security Incident Response Capability (CSIRC) and therefore, NARA officials were not tracking and reporting incidents identified by the IDS, nor were they notifying and/or obtaining the assistance of the NARA Computer Incident Response Team; IDS alerts were not being investigated and resolved in a timely manner; and contractor performance could not be adequately monitored by the Contracting Officer's Representative because the Technical Direction Letter related to providing a CSIRC capability did not include specific details of the work to be performed, hours associated with each labor category, costs associated with each of the efforts (deliverables) to be performed, and delivery dates of deliverables. (Audit Report #04-16, dated June 22, 2004.)
  • Evaluation of NARA's Password Controls. Our review revealed that many server passwords reviewed were not in compliance with NARA policies, procedures, and guidance. We also observed a simple, yet easily identifiable pattern for the passwords that, although technically compliant with NARA guidance, could increase risks of compromise. Additionally, physical controls over copies of the Master Password File (MPF) were not adequate. Thus, we recommended that NARA address security weaknesses by taking action to ensure that passwords meet the NARA policy and procedure requirements; are changed every 90 days; are unique to each server while not evidencing a pattern easily identifiable; and are stored on properly secured and protected media. (Audit Report #04-23, dated September 15, 2004.)
  • Review of NARA's Water and Sewer Billing Adjustment Charge from Washington Suburban Sanitary Commission (WSSC). We questioned $118,594 in charges levied against NARA by the WSSC for the period January 2003 through February 2004. These additional charges were questioned because they were determined to be unreasonable according to the Federal Acquisition Regulation (FAR) and represent a fine, penalty, or tax that, according to appropriations law, NARA is not authorized to pay. Likewise, we identified a potential annual cost avoidance of approximately $9,700 related to the boilers at the National Archives building in College Park, Maryland, for which we believe sewer charges can be eliminated. (Audit Report #04-15, dated May 11, 2004.)
  • Review of a Contractor's Invoice for Utility Costs for the Lyndon B. Johnson (LBJ) Library. Our audit found that the costs submitted by the contractor were allowable; therefore, we did not question any costs. Further, as a result of our review of the initial invoice for $94,448, we found that the contractor had underbilled NARA in the amount of $27,048. The invoice should have been for $121,496, but the contractor made mathematical errors. (Audit Report #04-17, dated June 4, 2004.)
  • Assessment of NARA's Efforts to Comply with New Facility Standards. Subpart K, Facility Standards for Records Storage Facilities, 36 CFR Part 1228.228, requires that new records storage facilities meet the requirements as of January 3, 2000, while existing facilities must meet the requirements no later than October 1, 2009. Our review of NARA's efforts to meet these requirements found that NARA is at risk of not having compliant records storage facilities by the mandated deadline. This condition resulted from a lack of demonstrated planning, fiscal uncertainties, and resulting concerns as to the identification of related costs for facility upgrades. (Audit Report #04-13, dated May 14, 2004.)
  • Evaluation of the First Performance Period Award Fee Determination Process for the Fixed-Price-Award-Fee (FPAF) Contract with a NARA Contractor. At the request of NARA management, we reviewed and evaluated documentation supporting the award fee determination for the first performance period of a NARA contract. In our opinion, the evaluation effort performed by NARA officials and the Contractor's self-evaluation provided an insufficient basis on which to make a determination of the reasonable amount of award fee to be paid to the contractor. Because of the difficulty, and considerable amount of time associated with reviewing and evaluating six months of past performance, we recommended that negotiations be held to determine the amount of award fee to be paid to the contractor for the first performance period. (Audit Memorandum #04-18, dated June 8, 2004.)
  • Audit of NARA's Administration of the Information Technology Support Services Contract Award Fee. NARA personnel responsible for evaluating contractor performance were ineffective in administering the award fee provisions of the contract task order for managing and operating NARA's computer network. Specifically, we found that NARA officials did not comply with all Federal Acquisition Regulation (FAR) requirements for solicitations involving fixed-price-award-fee contracts; an excessive administrative burden was placed on the Performance Monitors because the Fee Determination Official did not limit the monitors' assignments to evaluations of specific areas of contractor performance; performance monitors did not receive training related to their award fee responsibilities; the monitors were unable to provide any documentation of the work they performed or of the results of their monitoring efforts; and contractor evaluation criteria for the award fee were vague. (Audit Report #04-22, dated September 21, 2004.)
  • Review of NARA's Contract for the Telephone System. We reviewed NARA's procurement of a new telephone system upgrade to determine if NARA and FAR requirements were followed. We found that the new telephone system was procured in compliance with the FAR and NARA requirements. (Audit Memorandum #04-21, dated August 2, 2004.)
  • Follow-Up Review of OIG Report #00-02, Review of NARA's Process for Investing in Information Technology. Management has established general criteria for identifying systems based on levels of effort and detail in the planning and development process but has not developed specifics for defining those designations. Additionally, NARA had not adopted the training plan they defined in their action plan. Specifically, while "informal" risk management and cost-benefit analysis training was being provided by some Office of Human Resources and Information Services (NH) staff members to other NH staff members and product owners, formal classroom training had not been scheduled. (Audit Report #04-14, dated June 23, 2004.)

Management Letters

  • Hacker Exploits NARA IT Vulnerability. We issued a management letter to the Archivist's attention that served as an interim report on a computer incident that occurred during the period. Specifically, an infected host on NARA's network was used as a platform to attack the computer network of an outside organization. Three days prior to this instance, a hacker cracked an administrative password on an affected network component server and successfully logged on. This activity went undetected for 43 hours due to the lack of a viable Network Intrusion Detection System. Preliminary facts point to human error on the part of a contract employee that exposed failure in the NARA architecture, security protocol, and operations which culminated in adverse events, the extent of which have yet to be fully ascertained. (Management Letter #04-20, dated June 24, 2004.)
  • Information on NARA's Public Web site Puts NARA at Risk. During the period the OIG notified the Archivist that information residing on NARA's public web site, specifically credit card information and employee e-mail addresses, puts the agency and employees at risk for "phishing." "Phishing" attacks seek to trick account holders into divulging sensitive personal or financial information such as bank account numbers, personal identification numbers, and social security numbers, through the use of e-mails that appear to come from trusted financial institutions or retailers. Employee e-mail addresses, when paired with the name of credit card holders, work addresses, phone numbers, approving officials, and credit limits, are useful elements for supporting a successful "phishing" attack. (Management Letter #04-19, dated June 21, 2004.)

Investigations

In this reporting period the OIG Investigative Division dedicated significant time and resources to the investigation and recovery of NARA holdings. These records primarily predate the Civil War and have significant monetary value imputed to them by dealers and collectors. For example, one item, as seen below, was being auctioned on an online site for $10,000 when identified and recovered by NARA OIG investigators. The extent of the risk to our nation's holdings was communicated to representatives of the Office of Management and Budget (OMB) who toured the National Archives Building, Washington, DC, on June 7, 2004. They were shown the record group from which numerous records had been pilfered by a suspected researcher.


The NARA OIG has taken measures to define the extent of the problem, and has worked with dedicated NARA employees to craft a comprehensive program to address this material weakness. This reporting period saw the Archivist support the NARA OIG as the lead entity on NARA's web site link entitled Help NARA Recover Lost and Stolen Documents. We view this as just one step in a larger program for which we have assigned the working title Operation Historic Protector (OHP). The NARA OIG views OHP as a comprehensive program to focus attention, resources, and energy on stemming the flow of Federal records from the custody of the Archives to the open market. OHP will represent an extension of our existing hotline program and one which we hope the public will come to know through education and targeted marketing.


The workload has already far exceeded our investigative capacity. As we do our job of better educating dealers, collectors, and archivists about OHP, we expect the caseload to increase before the crest is reached and it becomes risky and unwieldy to those who would seek to profit from theft of NARA holdings. We will continue to report upon the status of this initiative in future reporting periods.


Additionally, during the reporting period, the Investigative Staff received 45 allegations, initiated 17 investigations, referred 7 allegations, and closed 30 investigations. We received 244 hotline contacts, which resulted in 1 investigation, the referral of 167 contacts outside the OIG, and the closing of the remaining 62 contacts. Fourteen matters remained open for further inquiry.


The investigative staff completed the following investigations:

  • Theft of NARA holdings
  • Missing presidential portrait
  • NARA employees viewing child pornography
  • Contractor fraud
  • Hacker attack
  • Credit card fraud
  • Time and attendance fraud



Management Assistance

In our management assistance activities this reporting period, we

  • assisted management in acquiring, reviewing, and analyzing documents pertaining to a legal dispute between NARA and the WSSC.
  • commented that the NARA Notice titled "Draft Directive, Communicating with the Media" needed to exclude the OIG because of independence issues.
  • commented that the NARA Notice titled "Reorganization - Office of Human Resources and Information Services" needed to (1) remove the Human Resources function to allow the Chief Information Officer (CIO) to better focus on agency IT issues, and (2) ensure that the IT Security Staff reports directly to the CIO to more adequately and efficiently address IT security throughout the agency.
  • commented that the NARA Notice titled "Draft Directive, Request and Approval Procedures for Training of Employees" should include language specifying that there must be sufficient documented justification on the part of the employee or supervisor to allow a review official or entity, such as the OIG, to determine whether the training was clearly mission-related, especially with college or graduate school training.



Introduction

About the National Archives and Records Administration

Mission
The National Archives and Records Administration ensures, for the Citizen and the Public Servant, for the President and the Congress and the Courts, ready access to essential evidence.

Background
NARA, by preserving the nation's documented history, serves as a public trust on which our democracy depends. It enables citizens to inspect for themselves the record of what the Government has done. It enables officials and agencies to review their actions and helps citizens hold them accountable. It ensures continuing access to essential evidence that documents the rights of American citizens, the actions of Federal officials, and the national experience.
Federal records reflect and document America's development over more than 200 years and are great in number, diverse in character, and rich in information. NARA's archival holdings amount to 2.9 million cubic feet of records, while its nontextual archival holdings amount to 168,859 cubic feet. These holdings include more than 49,000 cubic feet of architectural/engineering drawings, maps, and charts; 54,000 cubic feet of moving images and sound recordings; 68,000 cubic feet of photographic images; 527,632 artifact items; and 4.7 billion logical data records.
NARA involves millions of people in its public programs, which include exhibitions, tours, educational programs, film series, and genealogical workshops. In FY 2003, NARA hosted 1.2 million museum visitors and 236,149 public program attendees, while responding to a million written requests from the public. In addition, NARA responded to 11.3 million Federal agency reference requests, over 33,000 Federal agency requests for appointments to review records, and provided records management training to 3,392 individuals. NARA publishes the Federal Register and other legal and reference documents that form a vital link between the Federal Government and those affected by its regulations and actions. Through the National Historical Publications and Records Commission, NARA helps to preserve and publish non-Federal historical documents that also constitute an important part of our national heritage. NARA also administers the Nixon Presidential Materials Project, Clinton Presidential Materials Project, and 10 Presidential libraries that preserve the papers and other historical materials of all past Presidents since Herbert Hoover.

Resources
In 2004, NARA was appropriated an annual budget of approximately $316 million and 2,855 Full-time Equivalents (FTEs). The $316 million included appropriations for operations, the Electronic Records Archive (ERA) program, repairs and restoration of facilities, and grants. NARA operations are spread throughout 35 facilities nationwide.

About the Office of Inspector General (OIG)

The OIG Mission
The OIG's mission is to ensure that NARA provides the American people with ready access to essential evidence by providing high-quality, objective audits and investigations and serving as an independent, internal advocate for economy, efficiency, and effectiveness.

Background
The Inspector General Act of 1978, as amended, established the OIG's independent role and general responsibilities. The Inspector General reports to both the Archivist of the United States and the Congress. The OIG evaluates NARA's performance, makes recommendations for improvements, and follows up to ensure economical, efficient, and effective operations and compliance with laws, policies, and regulations. In particular, the OIG:

  • assesses the effectiveness, efficiency, and economy of NARA programs and operations
  • recommends improvements in policies and procedures to enhance operations and correct deficiencies
  • recommends cost savings through greater efficiency and economy of operations, alternative use of resources, and collection actions
  • investigates and recommends legal and management actions to correct fraud, waste, abuse, or mismanagement

Resources
The FY 2004 OIG budget is approximately $1.6 million for operations. The OIG now has 14 FTEs. During the period, the Assistant Inspector General for Investigations (AIGI) took a position at the United States Postal Service. Additionally, the OIG filled an attorney-advisor position and an IT auditor position. At full staffing, in addition to the Inspector General and support staff, 7 FTEs are devoted to audits, 3 to investigations, and 1 as counsel to the Inspector General. Currently, the AIGI position is vacant. The OIG is seeking additional audit and investigative resources to support the work of this office as defined in the current and Fiscal Year 2006 budget submissions to the Archivist.


Office of Inspector General Activities

Involvement in the Inspector General Community


President's Council on Integrity and Efficiency (PCIE) and Executive Council on Integrity and Efficiency (ECIE) Legislation Committee
The IG served as one of two ECIE representatives to the Legislation Committee. The Legislation Committee assists the PCIE to effectively carry out its duties as specified in Executive Order 12085. In particular, these ECIE responsibilities are to identify, review, and discuss areas of weakness and vulnerability in Federal programs; conduct operations to uncover fraud, waste, and abuse; and develop plans for coordinated, Government-wide activities that address these problems and promote economy and efficiency in Federal programs and operations. The focus of the Committee in this reporting period was presenting suggested language for the modification of what is known as the "Model Bill." The content of this bill is to support Congress and the Executive Branch in strengthening the OIGs.

PCIE Government Performance Results Act (GPRA) Round Table
The Assistant Inspector General for Audits (AIGA) and various OIG personnel attended several roundtable meetings to discuss issues such as proposed amendments to the Government Performance and Results Act, progress and challenges in human capital, and harvesting the dividends, as results, of OIG work.

Federal Audit Executive Council (FAEC)
The AIGA continued to serve as an ECIE representative to the FAEC. During the period, the AIGA attended FAEC's meeting to discuss issues such as financial statement audit issues, revisions to the PCIE External Peer Review Guide, opinion reports on internal controls, and information security.

FAEC Contract Language and Audit Program Workgroups
The OIG's financial statement auditor participated as a member of the FAEC's Financial Statement Audit Network (FSAN) working on the Contract Language and Audit Program workgroups. These workgroups were established to ensure consistency throughout the Federal Government. The objective of the Contract Language workgroup is to develop a statement of work that can be used by any OIG when contracting for audit services. The objective of the audit program workgroup is to develop audit programs based on guidance in the GAO Financial Audit Manual (Section 650) that can be used by all OIG offices.

Review of Proposed Legislation and Regulations

We reviewed the following regulation during the period:

  • A final rule on Federal Records and Donated Historical Materials Containing Restricted Information, access restrictions - NARA revised its regulations on access to Federal records and donated historical materials containing restricted information. This rule entirely rewrites and reorganizes this portion of NARA's regulation to incorporate several changes, and also to clarify it using plain language. The regulation has been updated to bring language on access restrictions into better conformance with the exemptions to the Freedom of Information Act (FOIA). In addition the regulation was modified to outline controlled procedures for access to privacy-restricted information for purposes of biomedical research to allow access for social science research. The OIG concurred with the final rule.
  • A final rule on Records and Donated Historical Materials Use; Research Room Procedures - NARA revised its regulations on research room procedures to incorporate several changes, and also to clarify it using plain language. Additionally, information about the loan of archival materials for exhibits was moved to 35 CFR Part 1284. The OIG concurred with the final rule.
  • A draft proposed rule on Records Management, Electronic Mail, Electronic Records; Disposition of Records - NARA is seeking comments from Federal agencies and the public on a proposed revision to its regulation to provide for the appropriate management and disposition of very short-term temporary e-mail records and to allow unscheduled records to be transferred to records storage facilities. These changes would allow agencies to manage very short-term temporary e-mail records within the e-mail system and to transfer unscheduled records in a timely manner. The OIG generally concurred with this proposed rule.
  • A draft proposed rule on the Presidential Records Act - NARA proposed to amend Part 1270 to lengthen the time from 10 working days to 35 calendar days to appeal denial of access to Presidential records. This change arose out of a petition that NARA received. The petitioners stated that the current timeframe was not long enough to allow requesters to respond and that this limited timeframe served to discourage people from appealing denial decisions. The petitioners requested that the timeframe be extended to 35 calendar days to match the timeframe NARA allows to appeal denials for access to records made under the provisions of FOIA and the Privacy Act. The OIG generally concurred with the proposed rule.
  • A draft proposed rule on Media Neutral Records Schedules - NARA proposed to amend its regulation relating to scheduling Federal records to make existing approved records schedules and future records schedules applicable to bodies of records regardless of the medium by which the records are created and maintained. The OIG generally concurred with this proposed rule.

Response to Congressional Items

Federal Information Security Management Act (FISMA) of 2004

Together with the NARA CIO, the OIG provided the Office of Management and Budget (OMB) the 2004 Annual Security Review report pursuant to the Federal Information Security Management Act (FISMA). FISMA requires Federal agencies to take a risk-based, cost-effective approach to secure their information and systems, identify and resolve current IT security weaknesses and risks, as well as protect against future vulnerabilities and threats. The act lays out a framework for annual IT security reviews, reporting, and remediation planning. Under this framework, the Federal Government is able to quantitatively determine both IT security progress and problems. This information is essential to ensuring that remediation efforts and IT resources are prioritized, resulting in the timely resolution of IT security weaknesses.

We believe, as reflected in our report, that NARA, an agency whose information technology security program only started to take shape in 2000, continues to make significant progress toward the development and implementation of a program that will ensure the security of NARA information systems and comply with Federal regulations. However, despite these efforts, the agency's security program still contains weaknesses that must be addressed in order for NARA to have a comprehensive and integrated security program.

Inventory of Commercial Activities

We submitted to OMB our FY 2004 inventory of commercial activities performed by OIG employees. The Federal Activities Inventory Reform Act of 1998, Pub. L. 105-270 (the FAIR Act), requires Federal agencies to prepare and submit to OMB, by June 30 of each year, inventories of their commercial activities performed by Federal employees. OMB is required to review each agency's inventory and consult with the agency regarding its content. Upon completion of the review and consultation, OMB is required to list the available inventories in the Federal Register, and the agency head must transmit a copy of the inventory to the Congress and make it available to the public.



Audits

Overview

This period, we issued

  • 7 final audit reports
  • 2 audit memorandums
  • 2 management letters

We completed fieldwork on the following assignment:

  • an evaluation of NARA's process for handling personal information collected from the public to determine whether the agency is properly safeguarding and securing personal public information

We also continued work on the following assignments:

  • an evaluation of NARA's network to determine if its operation and management effectively and efficiently satisfies the agency's communication needs
  • an evaluation of NARA's Preservation program to determine whether items needing preservation are identified and treated in a timely manner
  • an assessment of NARA's Intrusion Detection System to determine if the current configuration of the IDS results in adequate protection of NARA-sensitive and highly visible information

Audit Summaries

Evaluation of NARA's Computer Security Incident Response Capability

The overall objective of our evaluation was to determine if NARA is capable of responding to computer security-related incidents, such as computer viruses, unauthorized user activity, and serious software vulnerabilities, in an efficient and timely manner. Specifically, we assessed whether (a) the agency has established and tested a formal computer incident response capability; (b) the agency has established a process for prompt, centralized reporting of computer incidents, and is monitoring and tracking them until resolved; (c) NARA personnel are trained to recognize and handle incidents; and (d) computer incident-related information is shared with appropriate organizations (e.g., FedCIRC and local law enforcement).

We found that NARA had not yet established a Computer Security Incident Response Capability (CSIRC), but actions were underway to remedy this condition. Therefore, we delayed our review until sufficient time had passed to enable the agency to establish such a capability. Since March 2002, NARA has made significant progress. Our review disclosed that (a) the agency issued regulations and guidance for reporting, tracking, and resolving computer security-related incidents; (b) NARA has been working on establishing an adequate formal process for responding to computer security incidents; (c) NARA has established a formal Computer Incident Response Team (CIRT) to provide help to users when a security incident occurs in the system; (d) to protect its IT resources, NARA has a multilayered defensive approach in place that includes firewalls and IDSs; and (e) NARA employees have received training related to the handling of computer security and security-related incidents (i.e., how to recognize and report them).

However, while NARA promulgated detailed guidance establishing a methodology for addressing security incidents, officials did not provide sufficient evidence to support that this guidance has been implemented. Such guidance is both necessary and warranted, but provides little practical value if not tested and formally implemented. Specifically, (a) required documentation, including an Initial Incident Report, Incident Logbook, and Final Incident Report, was not always prepared when a computer security incident was responded to; (b) an IT Information Repository has been established, but does not contain all the information required by the NARA CSIRC guidance; (c) regularly scheduled CSIRC meetings were not being held; (d) no CSIRC testing has been performed; and (e) a required CSIRC Operations Handbook was not prepared.

We also found that (a) NARA IT Security Services personnel were not consistently reporting computer security-related incidents to the FedCIRC; (b) NARA guidance did not require that the OIG always be notified when a significant computer security-related incident occurred; (c) the IDS alert system was not linked with NARA's CSIRC; (d) IDS alerts were not being investigated and resolved in a timely manner; and (e) IT support contractor performance could not be adequately monitored.

We recommended that management take action to fully implement all requirements of the NARA CSIRC, March 24, 2003, guidance; revise the NARA CSIRC guidance to require that computer security-related incidents be reported to the FedCIRC; revise the NARA CSIRC guidance to require that IT Security Services personnel contact the OIG whenever a significant computer security-related incident occurs; request that an OIG representative serve on NARA's CIRT; request that the Information Resources Policy and Projects Division (NHP) require the contractor responsible for monitoring and operating the IDS to update policies and procedures for the IDS and CSIRC, linking them and requiring that IDS incidents be handled in the same manner as other computer security-related incidents; assign responsibility to a NARA employee for monitoring IDS contractor performance, ensuring that security-related incidents identified through the IDS are resolved in a timely manner and taking appropriate action when the contractor fails to resolve an IDS alert in a timely manner; and issue guidance concerning the preparation of Technical Direction Letters (TDLs), and request the contracting officer to amend the IT support services contract, requiring the contractor to provide adequate supporting documentation with its invoices. Management agreed with our findings and recommendations and started corrective actions. (Audit Report #04-16, dated June 22, 2004)

Evaluation of NARA Password Controls

This audit sought to validate whether selected passwords were in compliance with the directives established and promulgated by the NARA Information Technology (IT) Security Handbook - Technical Controls, and NARA 804-02. To accomplish the objective, we performed the following limited procedures: interviewed selected IT management; obtained and reviewed the master password file and made comparisons to the previous master file to ensure that the sample complied with the above-referenced requirements; and reviewed administrator passwords on a sample basis to ensure that the sample complied with the above-referenced requirements.

Many of the passwords reviewed during the audit were not in compliance with NARA guidance, specifically, the NARA IT Security Handbook - Technical Controls, and NARA 804-02. This condition existed as a direct result of users' failure to follow the established standards and management's failure to ensure that users complied with the above-referenced guidance. As a result, the weak access controls governing administrator accounts and other user accounts could lead to additional incidents of successful penetration of NARANet, resulting in potential loss of data and a compromised network infrastructure. For example, during our review of the Master Password File (MPF), we noted that:

  • 4 passwords (out of 76) were only 7 characters long
  • 29 servers had the same password in the January 30, 2004, MPF and the June 10, 2004, MPF
  • In 11 instances, the password for a particular server was identical to the password for at least one other server
  • 15 servers had passwords that did not contain special characters

We also observed a simple, yet easily identifiable, pattern for the passwords that were technically compliant with NARA IT Security Handbook–Technical Controls. However, in the event the network is successfully penetrated, as happened in the case of an internet response incident, this pattern would provide a perpetrator with the means to readily and easily decrypt other passwords for administrator accounts.

Additionally, our review noted that physical security controls over copies of the MPF were inadequate. Passwords were stored in an unencrypted (or clear text) format on compact disks/diskettes that were maintained in unlocked desk drawers. NARA lacked policies and procedures for maintaining and storing this sensitive information as defined by both NARA's IT Security Handbook–Technical Controls and NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. As a result, the security of NARA's IT infrastructure was at risk.

We recommended that management take action to ensure that passwords: (a) meet the requirements of NARA's IT Security Handbook-Technical Controls, and NARA 804-02; (b) are changed every 90 days; (c) are unique to each server while not evidencing an easily identifiable pattern; and (d) are stored on properly secured and protected media. Management agreed with our findings and recommendations, and initiated corrective action. (Audit Report #04-23, dated September 05, 2004)
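The MPF checks and the recommendation above (length, special characters, 90-day rotation, per-server uniqueness, no shared pattern) can be run against two snapshots of a password inventory, as in this added example, which is not code from the OIG audit. The 8-character minimum, the digit-stripping pattern heuristic, and every server name and password are assumptions constructed for illustration; only the 90-day interval and the two snapshot dates come from the report.

```python
import string
from collections import defaultdict
from datetime import date

MIN_LENGTH = 8     # assumption: the report only says 7-character passwords were flagged
MAX_AGE_DAYS = 90  # rotation interval from the recommendation
MIN_STEM = 4       # assumption: ignore stems too short to indicate a template


def stem(password):
    """Drop digits so passwords that differ only by a counter share one stem."""
    return "".join(ch for ch in password if not ch.isdigit())


def audit_mpf(old, new, old_date, new_date):
    """Compare two {server: password} snapshots.

    Returns {finding: sorted server names}. Passwords never appear in the
    output, so the result can be filed without becoming a second copy of
    the sensitive inventory.
    """
    findings = {name: set() for name in
                ("too_short", "no_special", "unchanged", "shared", "patterned")}
    overdue = (new_date - old_date).days > MAX_AGE_DAYS
    by_password = defaultdict(set)   # password -> servers using it
    by_stem = defaultdict(dict)      # stem -> {password: servers}

    for server, pw in new.items():
        if len(pw) < MIN_LENGTH:
            findings["too_short"].add(server)
        if not any(ch in string.punctuation for ch in pw):
            findings["no_special"].add(server)
        # Same value in both snapshots, taken more than 90 days apart.
        if overdue and old.get(server) == pw:
            findings["unchanged"].add(server)
        by_password[pw].add(server)
        by_stem[stem(pw)].setdefault(pw, set()).add(server)

    # One password protecting more than one server.
    for servers in by_password.values():
        if len(servers) > 1:
            findings["shared"] |= servers

    # Different passwords built from one template (heuristic, see lead-in).
    for key, variants in by_stem.items():
        if len(key) >= MIN_STEM and len(variants) > 1:
            for servers in variants.values():
                findings["patterned"] |= servers

    return {name: sorted(servers) for name, servers in findings.items()}


# Constructed sample data; the dates are the two snapshot dates in the report.
OLD_DATE, NEW_DATE = date(2004, 1, 30), date(2004, 6, 10)
OLD_MPF = {
    "srv-a": "Spring#2004x",
    "srv-b": "Winter7!",
    "srv-c": "abc1234",
    "srv-d": "Tr0ub4dor&3",
}
NEW_MPF = {
    "srv-a": "Spring#2004x",    # unchanged since the old snapshot
    "srv-b": "Kx9!srv01",       # template shared with srv-d
    "srv-c": "abc1234",         # 7 characters, no special character, unchanged
    "srv-d": "Kx9!srv02",
    "srv-e": "Spring#2004x",    # identical to srv-a
    "srv-f": "LongPassword12",  # no special character
}

if __name__ == "__main__":
    for finding, servers in audit_mpf(OLD_MPF, NEW_MPF, OLD_DATE, NEW_DATE).items():
        print(f"{finding:10} {len(servers)}  {', '.join(servers)}")
```

A script like this still has to read the cleartext inventory, so it belongs on the same protected media and under the same access restrictions recommended for the MPF itself.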

Review of NARA's Water and Sewer Billing Adjustment Charge from WSSC

The OIG issued an advisory report questioning $118,594 in charges levied against NARA by the Washington Suburban Sanitary Commission (WSSC) from January 2003 through February 2004. We questioned these additional charges because they were determined to be unreasonable according to the FAR and represented a fine, penalty, or tax that according to appropriations law NARA is not authorized to pay. Likewise, we have identified a potential annual cost avoidance of approximately $9,700 relating to the boilers at the National Archives building in College Park, Maryland, for which we believe sewer charges can be eliminated.

On October 16, 2003, NARA received a letter from the WSSC stating that water from the cooling tower was being discharged into the sewer system in violation of the Maryland Annotated Code and WSSC's policies. WSSC billed NARA an adjusted invoice of $128,112 for the period January 7, 2003, to January 9, 2004, because of these alleged violations. In the letter, WSSC claimed to have recently discovered that NARA was discharging water into the sewer system and back-billed NARA 12 months for all of the water going to the cooling tower. When the cooling tower was built a water meter was installed on the water going to the cooling tower, and the associated sewer usage was not billed to NARA, as the water was not supposed to run into the sewer system. In November 2003, NARA became aware of the problem and installed a meter on the water discharging from the cooling tower into the sewer in order to measure the amount of discharge into the sewer system. According to the meter, only 13 percent of the water that goes into the cooling tower is discharged into the sewer system. WSSC assumes that 100 percent of the water that enters the cooling tower is discharged into the sewer system.

We determined that NARA had been overbilled by WSSC in the amount of $112,121 from January 2003 to December 2003. For January and February 2004, we determined that WSSC overbilled NARA $3,309 and $3,164, respectively. The total overbilled to NARA was $118,594. According to our calculations, the remaining amount due to WSSC for sewer usage for January 2003 to February 2004 is $9,518.

Additionally, we noted that the boilers used water that was not discharged into the sewer, but NARA is paying a sewer charge for all of the water that goes into the boilers. A log of the meter readings on the boilers indicates that they consumed approximately 1,875,000 gallons of water during the past year. However, no water from the boilers runs in the sewer system. Therefore, we suggested that NARA require WSSC to begin taking readings on the boilers and subtract that water usage from the sewer portion of the water bill. By obtaining a credit for the water that goes to the boilers, NARA could save approximately $9,700 per year. (Audit Report #04-15, dated May 11, 2004)

Review of a Contractor's Invoice for Utility Costs for the Lyndon B. Johnson (LBJ) Library

NARA management requested that the OIG perform an examination of a Lyndon B. Johnson (LBJ) Library invoice for $94,448 submitted by a contractor, to determine whether these costs were allowable. This invoice, dated September 18, 2003, contained utility costs for the period September 2002 to February 2003.

Our review revealed that the $94,448 invoice contained mathematical errors; upon correction the total should have been $121,496. Our review of the contract provisions disclosed no special terms or conditions with regard to billing of utility costs. Our review of previous invoices revealed that the costs in the adjusted invoice were reasonable when compared to these invoices.

The contractor installed a new water meter at the LBJ Library in August 2002. When readings were taken on the meter, a zero was omitted from the meter reading. As a result, the Contractor's original invoices to NARA for steam costs represented only 10 percent of actual usage. This error was not detected for six months. On September 18, 2003, the contractor submitted an invoice for $94,448 to correct the meter readings. Additional information provided by the contractor, as part of our review, showed that the contractor had underbilled NARA by $27,048 due to mathematical errors. Realizing their error, the contractor submitted a revision to the invoice for the amounts not billed. However, the revised invoice was billed to NARA under the FY#2004 contract, using the current accounting code for FY#2004. We recommended that this invoice be reissued using the accounting code associated with the FY#2003 contract, to match the period in which the costs were incurred. By requiring the contractor to re-bill, NARA can utilize residual FY#2003 funds, thereby allowing NARA to expend current FY#2004 funds to support ongoing programs and operations. We found that the costs contained in the revised invoice for $121,496 are allowable and appropriate for payment. (Audit Report #04-17, dated June 4, 2004)

Assessment of NARA's Efforts to Comply with New Facility Standards

This review assessed whether NARA is taking measures necessary to address the records storage facility requirements effective October 1, 2009. Likewise, the auditors reviewed NARA's efforts to ensure that other entities that store or will store Federal records will be able to comply with these legal requirements.

The auditors sought detailed documentation on NARA's methodology and funding stream for its full compliance with its own implementation deadline of October 1, 2009. NARA could not provide sufficient information for evaluation of its efforts. At the conclusion of fieldwork, the breakdown of NARA facilities and their status related to compliance with the 2009 standards was as follows: (1) 3 facilities are considered compliant but have not received certification; (2) 4 facilities are designated as new construction and designed to be in compliance with the standards (only 2 are under construction); (3) 10 facilities have cost estimates to bring them up to 2009 compliance, but dates to commence work have not been established; and (4) 2 facilities lack determination of status.

NARA funding estimates for 14 of these projects currently rest at approximately $34 million, with $14 million for new construction and $20 million for rehabilitation and repair work. NARA officials could not provide the auditors with a defined methodology to address this estimated funding requirement. The funding stream is not likely to come from one source but rather from a "tool box" or blend of sources ranging from appropriated funds, General Services Administration (GSA) loans, revenue receipts, and other potential sources. Thus, at this time, the auditors did not have a basis to validate that all costs had been identified and funds secured to ensure NARA's ability to fully comply with NARA's FY 2009 records storage requirements.

Certain government agencies have opted to either house their own records or contract with parties other than NARA to store their Federal records. In those cases, NARA regulations state that agencies are to obtain prior written approval from NARA before establishing, relocating, or contracting for a records center if the facility is over 25,000 cubic feet. NARA is to review submitted documentation to ensure that the facility demonstrates full compliance with the standards, determine whether a visit to the facility is necessary to determine compliance, inform the agency of its decision within 45 calendar days, provide a current report of approved records storage facilities to senior management each quarter, and maintain the central registry of records storage facilities approved to store Federal records.

To date, NARA has not addressed these requirements. NARA has not maintained the central registry of approved storage facilities. NARA officials point to a number of factors for this condition. For example, only one facility has been approved to store Federal records, and agencies holding their own records have not made formal requests to NARA for certification. The effect of this condition is that NARA is not providing sufficient guidance and direction to other Federal agencies. As a result, Federal records could be at undue risk of damage and destruction.

We made six recommendations that, upon implementation, should assist NARA managers in reaching the mandated deadline, improving the monitoring of facilities storing Federal records, and identifying and documenting facilities that are approved to hold records. Management concurred with our recommendations and initiated corrective action. (Audit Report #04-13, dated May 14, 2004).

Evaluation of the First Performance Period Award Fee Determination Process for the Fixed-Price-Award-Fee (FPAF) Contract with a NARA Contractor

At the request of management, we reviewed and evaluated documentation supporting a fee determination in the Office of Human Resources and Information Services (NH's) Award Fee Determination Report, and the Contractor's self-evaluation, for the first performance period of a NARA contractor.

Based on our review, the evaluation effort performed by NARA officials and the Contractor's self-evaluation provided an insufficient basis on which to make a determination of the reasonable amount of award fee to be paid to the contractor. Our conclusion was based on the following: (1) instead of being responsible for monitoring a specific area of contractor performance for which they may have had some expertise or involvement, the Fee Determination Official (FDO) required the three Performance Monitors (PMs) to evaluate every Technical Criteria Area included in the award fee determination process; (2) PMs did not receive documented orientation and guidance, or documented specific instructions applicable to monitoring their assigned areas; (3) PMs did not prepare monthly Performance Monitor Reports detailing their evaluations of contractor performance and submit them to the FDO, as required by the Award Fee Plan; (4) PMs did not provide us with any documentation they prepared that supported the monitoring effort performed or the results of their monitoring efforts, nor did they identify any contractor-supplied documentation, other than weekly and monthly Program Status Reports, that they used to evaluate performance; and (5) the PMs and the FDO could not provide us with even one page of documentation produced (meeting minutes, notes, discussion papers, etc.) for any meetings held during the six-month evaluation period to discuss contractor performance. In addition, we were unable to conclude that the Contractor's ITSS 6-Month Self-Evaluation prepared for NHT provided accurate quantitative information for consideration by the FDO.

Because of the difficulty, and considerable amount of time, associated with reviewing and evaluating six months of past performance, we recommended that negotiations be held to determine the amount of award fee to be paid to the contractor for the first performance period. Additionally, we issued audit report #04-22 to NH detailing the results of our review of the process and procedures used to administer the award fee provision of the contract we reviewed. (Audit Memorandum #04-18, dated June 8, 2004)

Audit of NARA's Administration of the Information Technology Support Services Contract Award Fee

The purpose of this review was to determine whether NARA personnel effectively administered the award fee provisions of the network management task order, ensuring that the award fee payments made to the contractor were fair and reasonable. Our review disclosed that responsible NARA officials did not comply with FAR requirements in the selection and award of the Information Technology Support Services (ITSS) award fee contract. In addition, NARA personnel were unable to demonstrate that they exercised adequate oversight of contractor performance as a basis for formulating the award fee for the initial performance period. As a result, the agency cannot be assured that the award fee paid to the contractor for the first evaluation period accurately and fairly represented performance that exceeded contract requirements. Establishing an effective process for administering the contract's award fee provision is necessary to protect the financial assets of the Government.

Specifically, we found that

  1. NARA officials did not comply with all FAR requirements for solicitations involving fixed-price-award-fee (FPAF) contracts. Specifically, (1) no benefit-cost analysis was conducted; (2) there were no documented procedures describing how Performance Monitors would evaluate the Contractor's performance; and (3) no award fee board was established to assist with the administration of the ITSS task order award fee.
  2. NARA has not established an effective process for administering the award fee on the ITSS contract. Specifically, we found that (1) NARA did not have documented policies and procedures for structuring and administering award fee contracts; (2) an excessive administrative burden was placed on Performance Monitors because the Fee Determination Official (FDO) did not limit their assignments to evaluation of specific areas of contractor performance; (3) Performance Monitors did not receive training related to their award fee responsibilities; (4) the monitors were unable to provide any documentation they prepared that supported the monitoring effort performed or the results of their monitoring efforts; and (5) contractor evaluation criteria for the award fee were vague.

We recommended that management take action to (1) issue documented policies and procedures for structuring and administering award fee contracts, and for developing award fee payment structures that will encourage contractor excellence; (2) assign Performance Monitors specific areas of contractor performance to evaluate, instead of requiring them to evaluate all the evaluation areas included in the Award Fee Plan; (3) provide training to all personnel involved in the award fee process; (4) require Performance Monitors and the FDO to document evaluation effort performed and conclusions, including the rationale for ratings and award fee amounts; document meetings held to discuss contractor performance; and prepare monthly Performance Monitor Reports; and (5) implement more effective, clearly defined award fee evaluation criteria for the ITSS contract, and require Performance Monitors to provide specific examples of good and/or bad contractor performance in their summary evaluations. Management concurred with our findings and recommendations, and initiated corrective actions. (Audit Report #04-22, dated September 21, 2004)

Review of NARA's Contract for the Telephone System

We performed a review of NARA's telephone system upgrade to determine if the system acquired complied with the FAR and NARA Directive 801, Review of Information Technology Investments, requirements. According to NARA officials, the telephone system forms the bedrock of core functionality through which the Federal Government services its citizens. Based upon results of several studies, the agency decided to upgrade the system as it constituted one of the weakest areas related to customer satisfaction, and to enhance the NARA system nationwide. Our review disclosed that the new telephone system was procured in compliance with the FAR and NARA Directive 801 requirements. Because there were no findings, we issued an Audit Memorandum commending management on following pertinent guidelines in acquiring the telephone system upgrade. (Audit Memorandum #04-21, dated August 2, 2004)

Follow-Up Review of OIG Report #00-02, Review of NARA's Process for Investing in Information Technology

The objective of this review was to determine if the revised NARA 801 guidance incorporated the recommendations made in OIG Report No. 00-02, Review of NARA's Process for Investing in IT Projects (April 17, 2000) and adequately and appropriately addressed the findings contained in that report. Our review identified that, while management reported all recommendations closed, two, in fact, should have continued to be classified as "open."

Specifically, our review revealed that while management established four criteria for designating systems with differing levels of effort and detail in the planning and development process, it failed to incorporate specifics about the level of rigor or detail required based upon designations. The failure to adequately document the level of rigor and types of analyses required based on systems designation as low, medium, or high level of effort results in a process that is ambiguous and hinders efforts to effect a uniform and systematic process on system development. Clarifying this process would strengthen risk-analysis and benefit-cost analysis, strengthening product and project planning overall.

Additionally, our review disclosed that NARA has not adopted the training plan it defined in its action plan in response to OIG Report No. 00-02. Our review revealed that while "informal" risk management and cost-benefit analysis training was being provided by some NH staff members to other NH staff and product owners, formal classroom training had not been scheduled. Management has not yet established competencies for project managers, nor developed a training program and/or guidance for all members of the Investment Analysis Team and NARA project managers, product owners, and others who require a better understanding of costs assessment, benefits definition and quantification, and risk assessments. We made two recommendations with which management concurred, and it initiated corrective action. (Audit Report #04-14, dated June 23, 2004)

Management Letters

Hacker Exploits NARA IT Vulnerability

During the period, we alerted the Archivist and management to an incident that exposed a significant weakness in the NARA IT infrastructure. Specifically, on May 27, 2004, NARA was notified by an outside organization that an infected host on the NARA network was used as a platform for attack on its computer network. This incident coincided with what has been categorized by NARA IT managers as an internal NARA "slow internet response incident." Three days prior to these incidents, on May 24, 2004, a hacker cracked the administrative password on an affected network component server and successfully logged on. This activity went undetected for 43 hours due to the lack of a viable Network Intrusion Detection System. Preliminary facts point to human error on the part of a contract employee that exposed failure in the NARA architecture, security protocol, and operations, which culminated in adverse events, the extent of which have yet to be fully ascertained.

After notification from the outside organization, the infected NARA server and related desktop machines were physically removed from the network and remitted to the OIG for custody and subsequent forensic analysis. At this time, the NARA OIG is working with the assistance of computer forensic investigators assigned to the NASA OIG to analyze the data that resides on the units and preserve and protect evidence of any criminal act. Post "mirroring" of the hard drives, the equipment will be returned to NH for appropriate scrubbing and subsequent restoration to service. (Management Letter #04-20, dated June 24, 2004)

Information on NARA's Public Website Puts NARA at Risk

During the period, we alerted the Archivist and management to an existing condition that put NARA at risk. Specifically, the OIG identified that NARA Visa purchase card information including name of the approving official, name of the cardholder, and purchase limit resides on NARA's public website. This information, coupled with other available information on the NARA public website such as employees' e-mail addresses, puts NARA at risk for exploitation by individuals engaging in "phishing." "Phishing" attacks seek to trick account holders into divulging sensitive personal or financial information such as bank account numbers, personal identification numbers, and social security numbers through the use of e-mails that appear to come from trusted financial institutions or retailers. This vulnerability has already been exploited in NARA and is the subject of an ongoing OIG investigation.

Employee e-mail addresses, when paired with the name of credit card holders, work addresses, telephone numbers, approving officials, and credit limits, are useful elements for supporting a successful phishing attack. To minimize the risk of "phishing" and protect the agency and its employees, we suggested that the Archivist take the following actions: revise the Visa purchase card information list to reflect the same information that the Department of Justice reports in its list, and remove employee e-mail addresses from the NARA public website or coordinate with the Information Technology Security Office (NHI) security to come up with a solution that minimizes risks to NARA. (Management Letter #04-19, dated June 21, 2004)



Investigations

Investigative Case Summaries

Theft of NARA Historical Documents

The OIG received information that a NARA historical document was listed for auction on the Internet. OIG recovered this document and is currently pursuing recovery of other documents in an ongoing investigation. We are working with the United States Attorney's Office towards criminal prosecution. To date, 38 NARA documents have been located and are being recovered, including a clipped signature. These documents are being sold for significant sums of money.

Recovery of a Presidential Pardon

On April 15, 2004, the NARA IG discovered a Presidential pardon on eBay, scheduled to be auctioned on April 25, 2004. This Presidential pardon granted to Nathaniel Derby by President Zachary Taylor in 1849 had been identified as stolen from NARA's Mid-Atlantic Regional Archives facility in Philadelphia, PA. This information was provided to NARA's General Counsel. On April 21, 2004, NARA's General Counsel sent a letter to the current owner of the document requesting return of the pardon to NARA. The pardon was subsequently returned to NARA.

This pardon was listed on an inventory of valuable materials stolen from the Mid-Atlantic Regional Archives and was used by the United States Attorney's Office in the criminal conviction of a former NARA employee. He was convicted of theft of Government records and served his sentence in Federal prison.

Missing Presidential Portrait

The OIG was notified that one of two official Presidential portraits of Franklin D. Roosevelt (FDR) was missing from the FDR library in Hyde Park, NY. Subsequent investigative analysis identified that the portrait was stored in a shipping crate with dimensions of 6 feet by 5 feet by 1 foot and weighed approximately 250 pounds. The portrait had not been viewed nor accounted for since receipt from the National Archives Building, Washington, DC, in August 2001. The lack of sound internal controls paired with the window of opportunity for theft resulted in a lack of a productive investigative trail. Likewise, the area in which the shipping crate had been housed was the subject of significant renovations. The missing portrait and housing may have been inadvertently discarded during the renovation, but it is more likely it was the subject of theft. The OIG registered the FDR portrait into the FBI's Stolen Art database and with INTERPOL. The OIG issued an investigative report defining the need for the review and update of the inventory management system at the FDR Library.

Child Pornography

In December 2002, a routine audit revealed that several NARA employees were accessing pornographic websites from their NARA-owned computers. Some of the website addresses accessed indicated the potential presence of child pornography. A subsequent investigation showed that a NARA employee was viewing child pornography from his NARA workstation. The employee was terminated and the investigation was worked with the FBI. The subject was indicted and pled guilty to one count of possession of child pornography on his personal computer. Sentencing is scheduled for October 2004.

Another investigation revealed that on multiple occasions an employee used a NARA computer to access a website containing child pornography content. The employee admitted to the OIG that he used his computer to visit pornographic websites between 2001 and early 2003, some of which included child pornography content. This case was declined for criminal prosecution. The employee was suspended from work for one week.

Alleged Contractor Fraud

The OIG received information from the Office of Regional Records Services (NR) that a train carrying IRS records from NARA's records center in Laguna Niguel, CA, to NARA's Records Center in Ft. Worth, TX, derailed. NR was concerned that the contractor violated the terms of the contract. Specifically, under the contract, records were to be shipped by truck, and not by rail. Our investigation revealed that the contractor did in fact ship the records by rail. NARA disputed payment for the derailed shipment. This resulted in a cost avoidance for NARA of $1,273.70.

Hacker Attack

The OIG received information that a NARA computer system had been compromised by an outside entity. Upon investigation, we learned that the security protocols on the affected system had not been properly configured. This deficiency allowed an unknown individual to anonymously send remote commands to the targeted computer and instruct it to upload an executable file from a known hacker website. Although the OIG did not successfully identify the perpetrator, we did make constructive recommendations to NARA management that will prevent such occurrences in the future.

Government Purchase Card Abuse

Our investigation revealed that a NARA employee, on one occasion, used her Government Purchase Card to make personal purchases. The employee resigned her position in lieu of termination.

Time and Attendance Errors

OIG Investigations received a complaint alleging fraudulent time and attendance (T/A) record keeping by a NARA timekeeper. Our investigation revealed there were errors in the T/A record keeping. These were minor, the most significant being a credit to an employee of 20.5 hours. No one routinely inspected the timekeeper's procedures. The supervisor relied on the timekeeper's leave calculations when approving leave. At the time of this investigation, the timekeeper left employment with NARA. The affected division conducted a review of related policies and procedures and initiated a T/A review.

Investigative Case Updates

NARA Employee Splits Purchases with Government Credit Card to Exceed Purchase Authority

The OIG received information that a NARA employee routinely "split" single purchases on their Government Purchase Card (GPC) into multiple transactions in order to pay invoices without exceeding their monetary purchase authority. Our investigation revealed that a NARA contractor independently created invoices with billable amounts below the purchase authority threshold of the employee's GPC, after being informed of the threshold amount by the employee. The contractor said it took this action without the knowledge or consent of the employee. Additionally, we found that, on at least one occasion, a NARA director instructed and authorized the employee to split purchases on their GPC without approval from the NARA Acquisitions Services Division and with the knowledge that this action was in violation of both the FAR and NARA policy directives. Update: NARA management advised that the director who had authorized the split purchase retired, so no action was taken against him. However, the employee who signed for the purchase was counseled.

NARA Employees Fail to Report Money Found at Presidential Library

An employee at a Presidential library inquired into a $100 bill that was reportedly turned over to Security. Security verified that no one turned in a $100 bill. Our investigation revealed that another employee found a $100 bill at the admissions counter. The employee sealed the $100 bill in an envelope and waited a couple weeks to see if anyone reported the money missing. When no one did, the employee split the money with a co-worker. This case was declined for criminal prosecution. Update: One employee was suspended, and the other received a reprimand.

Alleged Misuse of Government Vehicles

The OIG received information alleging that NARA motor vehicle operators were using government-owned vehicles (GOVs) for personal business. We investigated this matter but were unable to establish any specific violation of law or regulation. Our investigation did, however, identify weaknesses in management controls regarding GOV accountability. We recommended that NARA install Global Positioning Systems (GPS) on all motor pool GOVs at NARA, College Park. Update: The Facilities and Materiel Management Services Division (NAF) purchased GPS for the GOVs at NARA, College Park. NAF is also purchasing an events scheduler website to assist with vehicle scheduling.

Misuse of Government Credit Card

We received an allegation that an employee had misused her supervisor's Government Purchase Card to pay for her son's tuition at a local community college. To conceal the charges, the employee obtained authorization to attend courses herself, and later made false entries in the NARA financial management system to make the charges appear legitimate. The employee was provided the opportunity to resign prior to issuance of a termination letter. The subject provided a written statement admitting to the misuse. The case was presented to the United States Attorney's Office in Maryland and was accepted for prosecution. The subject resigned from her position with NARA and was criminally charged with three counts of theft (misdemeanor). Update: In September 2004, the subject was sentenced to one year's probation, 50 hours of community service, and a $25 special assessment fee. The subject independently made full restitution to the college, and the amount was credited back to the Government Purchase Card.

Employee Disciplined for Time and Attendance Abuse

The OIG received an allegation that a NARA employee had been forging a timecard. After we investigated this matter, it was referred to the Employee Relations & Benefits Branch (NHHR) for administrative handling. The employee was administratively suspended for one day without pay for failing to adhere to NARA policy regarding timekeeping. Update: In May 2004, the OIG received another allegation on this employee concerning similar administrative issues. The matter was referred to NHHR. The employee became the subject of a proposed removal action by NHHR, and resigned in lieu of termination.

Significant External Investigative Referrals

A newspaper article reported that the president of the Clinton Presidential Foundation had given a tour to media personnel that included the intended area of the vault for the Clinton Library's classified material. The media was able to photograph the area, possibly compromising the security measures being implemented. Since the project does not fall under the purview of the NARA OIG, the matter was referred to the CIA OIG for investigation. NARA's Security Management Branch warned the individual not to conduct such tours in the future and to reschedule certain events.

We received a report that there was spillage of classified material onto unclassified networks. Information labeled as unclassified was sent from the Department of State (DOS). Upon review, NARA discovered that the computer contained classified information. NARA computers were sanitized. This matter was referred to DOS OIG.

Press reports indicated that material that potentially would have become Archives material was destroyed by Federal Aviation Administration (FAA) personnel following the events of September 11, 2001. This matter was brought to the attention of the FAA OIG (Department of Homeland Security OIG), which is investigating the matter and will keep NARA informed.

NARA received a mailing with white powder that mentioned the President but did not contain threats. The Federal Protective Service (FPS) and local law enforcement responded. FPS said that due to the absence of threats it did not merit criminal prosecution. FPS referred the matter to the Federal Bureau of Investigation and United States Secret Service as it also mentioned Senators John Kerry and John Edwards.

Significant Internal Investigative Referrals

Three referrals were made to NARA Security Management Branch. One was a complaint that people were cheating on the lunchroom prepaid food cards and on the photocopying machines in the research room. Another was that NARA employees were receiving mail from correctional institutes. The third involved an employee threatening a security guard.

The OIG received 22 requests for military records. All 22 requests were referred to NARA's National Personnel Records Center.



OIG HOTLINE

The OIG Hotline provides a prompt, effective, and confidential channel for reporting fraud, waste, abuse, and mismanagement to the OIG. In addition to receiving telephone calls at a toll-free Hotline number and letters to the Hotline post office box, we also accept email communication from NARA's internal network or the Internet through the Hotline email system.

Operational controls protect the identity of Hotline sources. OIG special agents promptly and carefully review calls, letters, and email to the Hotline. We investigate allegations of suspected criminal activity or civil fraud and conduct preliminary inquiries on non-criminal matters to determine the proper disposition. Where appropriate, referrals are made to the OIG Audit Staff or to NARA management.

The following table summarizes Hotline activity for this reporting period:

Cases Opened* 1
Further Inquiry 14
Cases Referred Outside the OIG 167
No Action Necessary 62
Total Hotline Contacts 244

*Cases included in investigative workload statistics.



Management Assistance

On May 11, 2004, the OIG issued Advisory Report #04-15, Review of NARA's Water and Sewer Billing Adjustment Charge from the WSSC (See page 16). WSSC back-billed NARA $128,112 for discharge of water from NARA's cooling tower into the sewer system in 2003. NARA disagrees with WSSC's billing scheme and continues to pursue an administrative remedy. Since the issuance of the audit report, the OIG has assisted the General Counsel's Office (NGC) with NARA's dispute over the water bill. NARA sent a letter to the Maryland Public Service Commission (PSC) asking them to determine whether the charges in question are reasonable. The PSC reviewed the agency's request and granted NARA a hearing on this matter.

On July 22, 2004, NGC and OIG officials attended a pre-hearing conference in Baltimore, MD, to discuss scheduling and procedural matters before the PSC. On July 28, 2004, NARA officials from NGC and OIG attended a hearing at WSSC with the Disputes Resolution Board (DRB). The OIG assisted NGC with the discovery process, including requests for documents and interrogatories. The OIG continues to assist NGC by providing research and reviewing documents obtained during the ongoing discovery process. Additionally, the OIG continues to provide assistance in calculating the financial implications of this dispute. A hearing will be held in FY 2005 at the PSC, which NGC and OIG officials will attend.

Top Ten Management Challenges

Under the authority of the Inspector General Act, the NARA OIG conducts and supervises independent audits, investigations, and other reviews to promote economy, efficiency, and effectiveness and prevent and detect fraud, waste, and mismanagement. To fulfill that mission and help NARA achieve its strategic goals, we have aligned our programs to focus on areas that we believe represent the agency's most significant challenges. We have identified those areas as NARA's top ten management challenges. These challenges are listed below.

1. Electronic Records Archives (ERA)

NARA, in research and development collaboration with national and international partners, is building an Electronic Records Archives (ERA) with the goal of ensuring the preservation of, and access to, Government electronic records. The pace of technological progress makes formats in which the records are stored obsolete within a few years, threatening to make them inaccessible even if they are preserved intact.

ERA is to be a comprehensive, systematic, and dynamic means of preserving virtually any kind of electronic record, free from dependence on any specific hardware or software. The ERA system is targeted to make it possible for Federal agencies to transfer any type or format of electronic record to the National Archives so that citizens can locate records of interest and the National Archives can deliver these materials in a usable format.

NARA's challenge is to build a system that will accommodate historical, current, and future formats of electronic records. To mitigate the risks associated with development and acquisition of an advanced electronic archival system, Congress directed NARA to reassess the ERA project schedule based on estimates of the amount of work and resources required to complete each task. Beginning on October 1, 2002, NARA was required to submit to Congress a quarterly report on the status of the project's schedule, budget, and expenditures as measured against a reported baseline; a prioritization of project risks and their mitigation efforts; and corrective actions taken to manage identified schedule slippage, cost overruns, or quality problems that might occur. By 2007, NARA plans to have initial operating capability for ERA with incremental improvements that will eventually result in full system capability. The challenge will be to deliver and maintain a functional ERA system that will preserve electronic records for as long as needed.

2. Electronic Records Management (ERM)

NARA directs one of 24 Government-wide initiatives, the Electronic Records Management (ERM) initiative. The ERM initiative will provide guidance to agencies in managing and transferring to NARA, in an increasing variety of data types and formats, their permanent electronic records. For many years, Federal records were created on paper and stored in files and boxes with NARA. Now, electronic records are created by Government agencies at an astounding rate, challenging NARA to find ways to manage and preserve them. In 2002, NARA became a key player in E-Government and managing partner for the E-Government ERM initiative. E-Government is part of President Bush's management agenda aimed at making it easier for citizens to obtain high-quality service from the Federal Government while reducing the cost of delivering those services. During 2002, NARA enlisted partner agencies, developed a detailed plan for accomplishing its objectives, and issued the first guidance on transferring email records to NARA.

NARA and its Government partners are challenged with trying to figure out how to manage electronic records in an electronic manner in order to make ERM and E-government work more effectively.

3. Improving Records Management

NARA's mission is to ensure that Federal officials and the American public have ready access to essential evidence. One way NARA addresses its mission is by assisting agencies with the management of their records from the time that those records are created. Without effective records management, records needed to document citizens' rights, actions for which Federal officials are responsible, and the historical experience of our nation will be at risk of loss, deterioration, or destruction. According to the NARA Strategic Plan, to minimize these risks, NARA will work in active partnership with the Administration, Federal officials, the Congress, and Federal courts to help them create, identify, appropriately schedule, and manage record material. This will enable the Government to preserve records as long as they are needed to protect rights, ensure accountability, document the national experience, and to destroy records as soon as it is practical to do so when they are no longer needed.

NARA must work with Federal agencies to make scheduling, appraisal, and accessioning processes more effective and timely. The challenge is how best to accomplish this component of our overall mission and identify and react to agencies with critical records management needs.

4. Information Technology Security

Since FY 2000, the Archivist has identified computer security as a material weakness in his assurance statements to the President. While corrective steps have been taken, some actions have not been completed, and the agency continues to work on additional measures to strengthen NARA's overall information technology (IT) security posture. The authenticity and reliability of our electronic records and information technology systems are only as good as our IT security infrastructure. Each year, the risks and challenges to IT security continue to evolve. NARA must ensure the security of its data and systems or risk undermining the agency's credibility and ability to carry out its mission.

IT security becomes even more critical as NARA increases its visibility through the implementation of E-government initiatives that expand online services to the public. The more NARA increases electronic access to its services and records, the more vulnerable the agency is to intrusions, viruses, privacy violations, fraud, and other abuses of its systems. The risk related to IT security is endemic to all Federal agencies and has been identified by the GAO as one of its top ten high-risk challenges.

5. Expanding Public Access to Records

In a democracy, the records of its archives belong to its citizens. NARA's challenge is to more aggressively inform and educate our customers about the services we offer and the essential evidence to which we can provide access. NARA envisions expanding opportunities for individual citizens, educational institutions, and Federal agencies to make use of those records. New technologies are making it easier to reach all users in their homes, schools, and workplaces. NARA must increase partnerships with government agencies at all levels and with universities and corporate communities to take advantage of new means to bring the holdings of the National Archives to people no matter where they are located.

Mastering this challenge requires that NARA listen to its customers, and improve access to records in ways that meet customer needs and customer service standards. This will require NARA to enhance activities such as creating comprehensive catalogs and indexes for our holdings so that users can find the records they need; make documentary material available through the Internet; improve reference service; and help Presidents at the beginning of their administrations plan for public access to their records in Presidential libraries.

6. Meeting Storage Needs of Growing Quantities of Records

NARA-promulgated regulation, 33CFR, Part 1228, "Disposition of Federal Records," Subpart K, "Facility Standards for Records Storage Facilities," requires all facilities that house Federal records to meet defined physical and environmental requirements by fiscal year 2009.

Specifically, in January 2000, NARA revised the regulations for public and private facilities that store Federal records to (1) improve the environment and safeguards for Federal records by incorporating stricter facility standards and advances in sprinkler technology; (2) reflect building design measures that may prevent or minimize fire and water damage to records; and (3) ensure uniform facility standards for all records centers, both public and private, that store and protect Federal records. NARA's challenge is to ensure compliance with these regulations internally as well as by other agencies that house Federal records.

7. Preservation Needs of Records

NARA cannot provide public access to records, to support researchers' needs, unless it can preserve them for as long as needed. Providing public access to records for future generations requires that NARA assess the preservation needs of the records, provide storage that retards deterioration, and treat or duplicate and reformat records at high risk for deterioration. NARA must preserve paper records and motion pictures, audio recordings, videotapes, still photography, aerial photography, microfilm and other microforms, and maps and charts in a variety of formats in our holdings. NARA must ensure that its risk management program adequately identifies and addresses all records needing preservation in a timely manner.

As in the case of our national infrastructure (bridges, sewer systems, etc.), NARA holdings grow older daily and are degrading. NARA is challenged to address the following questions: Are we effectively identifying those holdings that are both most at risk and most important in terms of priority? Who makes this determination, upon what criteria is it based, and is it being soundly and properly applied? Are resources and the technology available and sufficient to meet the preservation needs of these records?

8. Improving Financial Management

By inclusion under the Accountability of Tax Dollars Act of 2002, NARA is required to prepare audited financial statements in compliance with prescribed standards subject to independent audit. This will present a challenge to NARA, especially as the Office of Management and Budget accelerates the due date for submitting consolidated audited financial statements and other performance reports into a combined Performance and Accountability Report.

The Federal Government has a stewardship obligation to prevent fraud, waste, and abuse; to use tax dollars appropriately; and to ensure financial accountability to the President, the Congress, and the American people. Timely, accurate, and useful financial information is essential for making day-to-day operating decisions; managing the Government's operations more efficiently, effectively, and economically; meeting the goals of the Federal financial management reform legislation (Chief Financial Officers Act); supporting results-oriented management approaches; and ensuring accountability on an ongoing basis.

In identifying improved financial performance as one of its five Government-wide initiatives, the President's Management Agenda (PMA) stated that a clean financial audit is a basic prescription for any well-managed organization, and recognized that "Most federal agencies that obtain clean audits only do so after making extraordinary, labor-intensive assaults on financial records." Further, the PMA stated that without sound internal controls and accurate and timely financial information, it is not possible to accomplish the President's agenda, to secure the best performance and highest measure of accountability for the American people.

The agency will be challenged in its ability to comply with the newly issued Accountability of Tax Dollars Act of 2002 much as Chief Financial Officer (CFO) agencies were challenged in the initial year following the passage of the CFO Act.

9. Physical Security

NARA must maintain adequate levels of physical security over our facilities and holdings to ensure the safety and integrity of persons and holdings within our facilities. This is especially critical in light of the new realities that face this nation post-September 11, and the risk that our holdings may be pilfered by persons for a variety of motivations, defaced, or destroyed by fire or other natural disasters.

The Archivist has identified security of collections as a material weakness under the Financial Manager's Financial Integrity Act (FMFIA) reporting process. Our facilities hold records that serve to document the rights of citizens, the actions of Government officials, and the national experience. They also hold a new class of records identified as Records of Concern (ROC). These are records that could be useful to individuals or entities in the planning and conduct of hostile acts against this nation.

Three primary challenges facing NARA are to (1) provide quality service to our customers while instituting reasonable internal controls to prevent theft and to maintain documentation to support recovery of disenfranchised holdings and subsequent prosecution of those who would steal from NARA, (2) take every reasonable appropriate measure possible to limit access to ROC and act expeditiously in coordinating efforts with appropriate law enforcement entities as warranted and appropriate, and (3) protect and safeguard our facilities themselves and the employees who work in our facilities and to mitigate the potential for damage and destruction through both natural and deliberately precipitated acts.

10. Strengthening Human Capital

The General Accounting Office (GAO) has identified human capital as a Government-wide high risk. Strategic human capital management should be the centerpiece of any serious change management initiative or any effort to transform the cultures of Government agencies. Serious human capital shortfalls, however, continue to erode the ability of many agencies, and threaten the ability of others, to economically, efficiently, and effectively perform their missions. According to GAO, the major problem is the lack of a consistent strategic approach to marshaling, managing, and maintaining the human capital needed to maximize Government performance and ensure its accountability. People are an agency's most important organizational asset. An organization's people define its character, affect its capacity to perform, and represent the knowledge base of the organization. Agencies can improve their performance by the way that they treat and manage their people, and building commitment and accountability through involving and empowering employees.

NARA's challenge is to adequately assess its human capital needs in order to effectively recruit, retain, and train people with the technological understanding and content knowledge that NARA needs for future success. According to the NARA Strategic Plan, NARA must include preparation for training leaders for tomorrow in its plans. Further, NARA must help current staff members with traditional archival training to add skills necessary for working with new technologies. In addition, NARA must replace valuable staff members lost to retirement with staff able to deal with records in the electronic information age. Moreover, NARA must partner with universities and professional associations to determine educational requirements for the 21st century.



Reporting Requirements

MANDATED BY THE INSPECTOR GENERAL ACT OF 1978, AS AMENDED

REQUIREMENT SUBJECT PAGE
Section 4(a)(2) Review of legislation and regulations 11
Section 5(a)(1) Significant problems, abuses, and deficiencies 13-29
Section 5(a)(2) Significant recommendations for corrective action 13-29
Section 5(a)(3) Prior significant recommendations unimplemented 43
Section 5(a)(4) Summary of prosecutorial referrals 43
Section 5(a)(5) Information or assistance refused 43
Section 5(a)(6) List of reports issued 40
Section 5(a)(7) Summaries of significant reports 13-29
Section 5(a)(8) Audit Reports Questioned Costs 41
Section 5(a)(9) Audits Reports Funds put to better use 42
Section 5(a)(10) Prior audit reports unresolved 43
Section 5(a)(11) Significant revised management decisions 43
Section 5(a)(12) Significant revised management decisions with which the OIG disagreed 43

STATISTICAL SUMMARY OF INVESTIGATIONS

Investigative Workload
Cases Pending 47
Allegations received this reporting period (2 proactive cases) 45

Cases opened this reporting period 17
Cases closed this reporting period 30
Cases carried forward this reporting period 17

Categories of Investigations
Fraud 1
Conflict of Interest 1
Contracting Irregularities 0
Misconduct 5
Larceny (theft) 7
Torts 0
Other 3

Investigative Results
Cases pending prosecutive action (from the previous reporting period) 1
Cases referred for prosecutive action 1
Cases where prosecutive action was declined 0
Indictments and Warrants (from the previous reporting period) 0
Convictions 2

Administrative Remedies
Employee(s) terminated 0
Employee(s) resigned in lieu of termination 2
Employee(s) suspended 2
Employee(s) given letter of reprimand or warnings 1
Employee(s) Counseled 1

Value of Funds or Property Recovered
Cash Recoveries $2,970.70
Property Recoveries (Historical Documents) 38

LIST OF REPORTS ISSUED - Requirement 5(a)(6)

Report No. Title Date Questioned Costs Unsupported Costs Funds Put to Better Use
04-13 Assessment of NARA's Efforts to Comply with New Facility Standards 05/14/2004 0 0 0
04-14 Follow-Up Review of OIG Report #00-02, Review of NARA's Process for Investing in IT Projects 06/23/2004 0 0 0
04-15 Review of NARA's Water and Sewer Billing Adjustment Charge from WSSC 05/11/2004 118,594 0 9,700
04-16 Evaluation of NARA's Computer Security Incident Response Capability 06/22/2004 0 0 0
04-17 Review of a Contractor's Invoice for Utility Costs for the Lyndon B. Johnson Library 06/04/2004 0 0 0
04-18 Evaluation of the First Performance Period Award Fee Determination Process for the ITSS Fixed-Price-Award-Fee Contract 06/08/2004 0 0 0
04-21 Review of NARA's Contract for the Telephone System 08/02/2004 0 0 0
04-22 Review of NARA's Administration of the Information Technology Support Services (ITSS) Contract Award Fee 09/21/2004 0 0 0
04-23 Evaluation of NARA's Password Controls 09/15/2004 0 0 0

AUDIT REPORT(S) WITH QUESTIONED COSTS

Category Number of Reports Questioned Costs (Dollar Value) Unsupported Costs (Dollar Value)
A. For which no management decision has been made by the commencement of the reporting period 2 $2,236,578 $1,117,622
B. Which were issued during the reporting period 1 $118,594 0
Subtotals (A + B) 3 $2,355,172 $1,117,622
C. For which a management decision has been made during the reporting period 0 0 0
(i) dollar value of disallowed cost 0 0 0
(ii) dollar value of costs not disallowed 0 0 0
D. For which no management decision has been made by the end of the reporting period 3 $2,355,172 $1,117,622
E. For which no management decision was made within 6 months 3 $2,355,172 $1,117,622

AUDITS REPORTS WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE - Requirement 5(a)(9)

CATEGORY NUMBER DOLLAR VALUE

A. For which no management decision has been made by the commencement of the reporting period 1 $16,801
B. Which were issued during the reporting period 1 $9,700
Subtotals (A + B) 1 $26,501
C. For which a management decision has been made during the reporting period 0 0
(i) dollar value of recommendations that were agreed to by management 0 0
Based on proposed management action 0 0
Based on proposed legislative action 0 0
(ii) dollar value of recommendations that were not agreed to by management 0 0
D. For which no management decision has been made by the end of the reporting period 1 $26,501
E. For which no management decision was made within 6 months of issuance 1 $26,501

REQUIREMENT CATEGORY SUMMARY
5(a)(3) Prior significant recommendations unimplemented None
5(a)(4) Summary of prosecutorial referrals None
5(a)(5) Information or assistance refused None
5(a)(10) Prior audit reports unresolved None
5(a)(11) Significant revised management decisions None
5(a)(12) Significant revised management decisions with which the OIG disagreed None
