NARA gives guidance on managing Web records

The National Archives and Records Administration is advising webmasters and records managers to reuse their IT system risk assessments to establish records management controls. NARA also recommends performing a risk mitigation to ensure the authenticity, integrity and usefulness of agency information on their Web sites.

The importance of risk assessments and mitigation were a major part of a new guidance NARA released late last week. The document, which was almost seven years in the making, is a high-level guidance to improve and standardize the management of agency Web sites and online records, said Howard Lowell, director of NARA's modern records program.

'Managing Web records properly is essential to effective Web site operations, especially the mitigation of the risks an agency faces by using the Web to carry out agency business,' NARA noted in the guidance.

The guidance is broken into three sections'general background, responsibilities and requirements; managing Web records; and scheduling Web records'and each part tries to answer common questions agency webmasters and records officers may have.

'Agencies have been waiting for us to come out with this guidance,' said Nancy Allard, a senior policy specialist at NARA. 'They have been waiting for us to tell them how to put their hands around the Web and then they can ask more specific questions.'

Agencies should conduct a risk assessment of their Web sites by evaluating certain factors such as records management threats, visibility, consequences of compromised records and sensitivity of the records.

Once an agency has determined its Web site vulnerabilities, NARA recommends mitigating those risks by:

  • Documenting the systems used to create and maintain Web records


  • Ensuring that the Web records are created and maintained in a secure environment

  • Implementing standard operating procedures for the creation, use, and management of Web records and maintaining adequate written documentation of those procedures

  • Creating and maintaining Web records according to these documented standard operating procedures

  • Training agency staff in the standard operating procedures

  • Developing a retention schedule for Web records and obtaining official NARA approval of that retention schedule.


'We are asking agencies to incorporate the IT systems risk analysis they already did into how they are managing the Web,' Allard said. 'Over the last few years, agencies have developed a bigger appreciation on the need to manage Web information.'
NARA also suggests taking frequent snapshots of the Web site as historical documentation, and tracking changes to the site between snapshots. Additionally, the agency addresses ways to preserve links to other sites and scheduling Web record transfer to NARA.
Allard said NARA will present the information to the CIO Council and agency records managers. The agency also may develop specific documents based on agencies' need to further explore one or more areas of the guidance.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group