One moment, processing...

Message Image  

I Support DOD 5015.2; and Encourage ALL Federal Agencies to Adopt It

By Mark Mandel posted Jun 04, 2013 3:58 PM

  

Here's the longer version of my title: Why I Not Only Support the DoD 5015.02-STD Standard, I Encourage all Federal Agencies to Adopt it.  A Counterpoint to Don Lueder’s Post.

[Editor's Note:: Read Don Lueders' original post: On Why I No Longer Support the DoD 5015.2 Standard. You can also read another voice in the debate, Ron Layel: To Support or Not Support the DoD 5015.2 Standard (Some pet peeves and views on the debate from a RIM practioner's perspective)]

Don, your analysis is very detailed and on the mark.  5015.02-STD is in need of an update to reflect how RM is done these days.  However, I disagree with your assessment that somehow the standard should not be supported as is.

Here are some of the reasons I not only support the standard for the U.S. federal government, I encourage all agencies to adopt it as a baseline for selected products.

First of all, let’s examine what is in the DoD 5015.02-STD specification:

·       Base certification (Baseline)

o   Chapter 2, Mandatory Requirements

o   Chapter 5, Transfers

o   Chapter 6, Non-Mandatory Features

·       Chapter 3 is Management of Classified Records (Classified)

·       Chapter 4 is Managing Records for the Privacy Act and the Freedom of Information Act (FOIA & PA)

The Joint Interoperability Test Command (JITC) provides a list of certified products: http://jitc.fhu.disa.mil/cgi/rma/reg.aspx. DoD organizations may only purchase records management products that are on this list.

The key point in understanding how to take advantage of the standard is that the certification does not reflect how an agency will actually use Records Management.  It is based on an outdated paradigm of user based records declaration that does not include inheritance of records classification, role or process based classification, or auto classification.  Nevertheless, the standard provides some key guidance that is of significant benefit to federal agencies.

There are a number of key market drivers in the federal market at this time.  A key driver is the NARA/OMB Managing Government Records Directive, OMB 12-18 http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-18.pdf.   This directive mandates that all permanent records be managed in digital format by 2019.  The directive additionally calls for management of email in electronic format in a Records Management system by 2016.

Therefore all agencies are making plans to implement enterprise wide solutions to meet these requirements.

At the same time several other market drivers support this new paradigm:

·       “Cloud First” – an initiative from Vivek Kundra, the former federal CIO, that requires all agencies to move new IT systems to the cloud if possible, to lower operating costs and to consolidate applications.  Many agencies have already moved their email solutions to the cloud and are looking at other applications as well.

·       PortfolioStat – an initiative supported by Steven Van Roekel, the current federal CIO, that requires all agencies to reduce duplicative solutions and modernize business processes to improve the way government works. “We must use IT as a strategic asset and drive cost savings to pay for new and emerging technologies that can fundamentally improve the way government does business.”

·       Audit Readiness – an effort from the Department of Defense that mandates that all DoD organizations be “audit ready” by 2016, meaning they have to be able to pass financial audits for financial transactions and asset management.  The key to this initiative is to retain all elements of a business transaction throughout its lifecycle – in electronic form - so that it can be easily located for audits.

·       Cyber Security – the increasing threat of malware and hacking focuses support of solutions that wrap content with layers of security and access controls.

·       Increasing visibility of privacy and compliance requirements such as FOIA, Privacy Act, HIPPA and more.

The solution to all of the requirements, in part, is the implementation of an Enterprise Content Management (ECM) (as part of an Enterprise Information Management strategy) solution that is integrated with most key business applications.  This solution provides Information Governance throughout the lifecycle of all content, providing standardized metadata, security and access controls, version control, workflow and Business Process Management, federated and advanced search, eDiscovery, email archiving, auto-classification, FOIA and much more, using a unified repository for unstructured records.  Records Management is a key component of this infrastructure, providing the basis for records retention, legal holds, disposition, and intelligent storage management. The RM component must provide management of both electronic and physical records.

The Records Management component of this approach is based on a streamlined, simplified “Big Bucket” Records Retention Schedule.  Most, if not all, agencies are in the process of reviewing and modernizing their schedules, and NARA is doing this for their General Records Schedule.

Some agencies, such as the U.S. Department of Interior, have already implemented this approach, in the cloud. DOI is currently ingesting 30 million (Google) emails per month into their ECM solution, using auto-classification and Records Management, and are rolling out the full set of ECM features across the enterprise:  http://www.prnewswire.com/news-releases/us-department-of-the-interior-deploys-opentext-cloud-based-enterprise-content-management-solution-162897386.html.

So, given this macro set of trends driving the modernization of records management throughout the federal government, how does the 5015.02-STD standard fit in?

As part of the Managing Government Records program, all agencies are in the process of defining the taxonomy for their records, how to transfer records to NARA, and more.  Currently the danger is that agencies will each do their own thing, resulting in a chaotic, disparate approach that is inconsistent at best.  There are Communities of Interest that are working towards defining metadata and transfer standards for electronic records and email.

The danger here is that these groups may come up with approaches that do not reflect best practices or that compound issues to make it harder rather than easier to meet the objectives of the directive consistently across the government.

Therefore I recommend to all agencies that they adopt the 5015.02-STD standard and make it a requirement in their enterprise architecture.

Why?

  • It sets mandatory metadata standards for all records, including for different kinds of files such as email, photos, and office documents
  • It defines the best methodology for destruction of electronic records at the end of their lifecycle
  • It provides a standard approach for transfer of records from one agency to another, and for transfer from an agency to NARA
  • It defines metadata requirements for classified records
  • It defines requirements for FOIA and Privacy Act solutions

If all agencies purchase solutions that are 5015.02-STD certified, it promotes a level of consistency across the government.  Working groups and Communities of Interest should work with JITC to improve and modernize the standard rather than to adopt new, and perhaps contradictory, standards.  All new approaches should look at 5015.02-STD as the baseline and build on it.

For example, Baseline certification includes mandatory metadata standards for all records.  As Don points out, many of these metadata fields can be onerous in the real world if a user has to enter the data.  However, in actual practice most, if not all, of these fields can be automatically populated by the system if it is properly implemented. Records classification inheritance, role and process based classification and auto classification are the tools today that make meeting these requirements largely transparent to the end user.  While these approaches are not included in the specification,it is the consistency of what is collected, based on mandatory metadata requirements, that is most important.

NARA has implemented an ambitious electronic content management and accessioning application called ERA – Electronic Records Archive.  All agencies must ultimately transfer their permanent records in digital form to NARA by 2019.  The JITC specification includes Chapter 5, Transfers, that provides a standardized metadata schema to support this requirement.  Again, it is not complete or perfect, but it provides a starting point for all agencies that supports consistency – rather than reinventing the wheel, so to speak, agencies should start with the standard and build upon it.

So, in summary, I heartily agree with Don that the standard is in dire need of modernization.  It is my understanding that changes are being made to the certification process as we speak, moving to “Perpetual” certification for products and to allow certification of “Component” products that are targeted at a subset of RM or ECM requirements, as long as they partner with a broader solution provider.  It is a start. 

The key takeaway is that while the standard is not perfect, agency adoption provides a baseline of consistency that is very valuable to the government as a whole, especially in these times of rapid solution consolidation and modernization.  Agencies and vendors should work collaboratively with JITC to promote modernization and evolution of the standard to meet the new market realities.  Modernization of the standard must consider that many agencies have been using it for a number of years and that the best approach is to add requirements or augment existing ones, to minimize impact on existing record collections.

The reality is that virtually all ECM vendors provide Records Management as a key component of their solution, and they are all certified to at least the Baseline 5015.02-STD standard.  These products range from open source to very inexpensive to large enterprise class ECM suites, so agencies can pick from a large range of solutions that are readily available, in all price ranges.  All of these vendors have invested years of work in compliance and many of the issues Don points out are really moot for most organizations, given that meeting the standard does not imply - in any way - how you actually implement your ECM solution and RM processes.

While I encourage all federal agencies to adopt the standard, especially given the Managing Government Records directive, commercial organizations should consider it as well – consistency being the key.

5 comments
221 views

Tag

Comments

Jun 10, 2013 11:01 AM

A related topic is how agencies should design their RM enterprise strategy.
The trend today is for agencies (I am talking US Federal and DoD) to adopt an enterprise strategy that is in the Cloud. This is the most comprehensive approach and it meets many complementary requirements, such as:
eDiscovery/FOIA
Reduced Storage Requirements
Information Governance for all content
Audit Readiness
Email management
RM and other compliance
Using this approach, agencies can purchase these services in the cloud, integrated with their office apps, email, SharePoint, ERP and other apps. RM is managed behinds the scenes, tranparent to the end user.
The key items that need to be addressed in the RM community is what metadata should be required (recognizing that all permanent records will be transferred to NARA and it would be great if there was consistency across all agencies), how to transfer electronic content (including email) in a format that can be archived and actually retrieved within NARA's ERA.
Agencies should not be concerned with the programatic interfaces of RM services or other details like this - any agency that focuses on those kinds of details will fail - there is no budget, IT projects cannot possibly address all the components of an enterprise implementation, and IT seldom knows all the permutations of RM and related domains such as eDiscovery, email archiving, auto classification and the like, which all need to be available for an entperprise approach to be successful.
To sum it up - RM should be a set of services available to an agency as part of a larger, enterprise infrastructure that includes FOIA, eDiscovery, Information Governance, legal holds, advanced search, BPM and much much more.

Jun 10, 2013 10:44 AM

Ron, very interesting comments about MoReq 2010, ISO 16175, and the Object Management Group’s Records Management Services, etc.
Vendors such as OpenText who are global in nature support the standards of each country - the U.K and EU, Australia, Canada, South Africa and so on each have their own standards for RM, FOIA, Privacy and so on. In many cases they overlap, however we vendors must support whatever each country requires. The result is products that are very flexible and full featured, which can be configured in many different ways.
For the US, coming up with something new to replace what we already have is a daunting task - lots of intertia and politics.
Building on what we have is simply more pragmatic.
As to the Managing Gov Records directive ignoring 5015.02, I am told that NARA does not believe all agencies "can afford" solutions that are compliant. This is untrue. There are compliant products in all price ranges.

Jun 09, 2013 3:06 PM

Mark, see below a longer version of one good debate brings to mind --
1. Why are the discussions and serious work on standards for managing Government electronic records in the US always limited to DoD 5015.2, as though it is the only existing standard? As you very convincingly point out, this standard is so outdated and inadequate in many ways as compared to others such as MoReq 2010, ISO 16175 and the Object Management Group’s Records Management Services (RMS) specification. For MoReq 2010 I can only assume that it is the “NIH” factor (not the federal health institute); because in my view it addresses many of the problems you “cite with 5015. I don’t get why this is dismissed here as being just “the European standard”. And, the OMG RMS directly responds to one of your major problems with 5015 – i.e. that it is essentially a standard for “stand-alone Records Management applications (which) haven’t existed for almost a decade”. As I understand it, the whole purpose of the DMS that a consortium of NARA, federal agency Records & IT reps., and industry partners undertook was to create a set of requirements and specifications for RM functionality that can be “baked in” to any system/application to run in the background as a service. For any standard/specification to be useful in today’s government IT/RIM environment, it must allow for a “manage in place” strategy that does not assume a centralized RMA repository for all electronic Official Records or valued information assets.

Jun 09, 2013 2:57 PM

Actually from my RIM practitioner perspective, the NARA/OMB failure to address this is worse than giving tacit approval to ingnore 5015.2. For reasoning on this, see below a portion of longer set of "pet peeve" comments I posted to Don Luedders' piece --
3. Why is the work and debate on systems standards for Record Information Management (RIM) in Federal Govt. dominated by systems vendors and industry analysts who also make their livings advising technology companies on how to position their products to maximize sales to government and private sector customers? Don, I’m not directing this concern to you and your industry colleagues, as your experience and insight is very much valued and needed. However, isn’t it about time that NARA and my colleagues (those of us who actually practice RIM & IG in government) step up and take the lead? I for one am very concerned that whatever standard emerges to replace 5015.2 (or even worse if 5015.2 should be mandated), must not be driven by what is in the best business interests of vendors, but rather by what is really required and what is workable for the government RIM/IG practitioners who will have to live with it and attempt to make it work. To this point, I fully agree with those who have earlier posted responses to your blog, that there was a huge opportunity missed when NARA and OMB did not take a more thoughtful and direct stance on these standards (including rescission of NARA’s prior “endorsement” of 5015.2 for use by civilian federal agencies) in the Managing Federal Records Directive (MFRD) issued August 2012. If they are not yet ready to adopt an existing standard (e.g. MoReq 2010, ISO 16175, or OMG-DMS), which I’m pretty sure they are not; then they should at least lay out a clear direction with milestone and deadline to get it done. Of course, I believe this new direction should require active participation by agency Records Officers/RIM/IG practitioners, while also continuing to involve industry/technology/consultant experts. By not addressing this in the MFRD NARA/OMB have perpetuated a huge dilemma for federal agencies – requiring effective management of electronic records residing in all IT systems, without clear and effective guidance on how to achieve it.

Jun 07, 2013 7:08 PM

Mark - Thanks for your analysis which I agree with. The DoD 5015.2 standard is in need of an update in the areas that Don Lueders points out, and many others, but it is a difficult leap of faith to argue as Don did in his subsequent comments that the OMB Managing Government Records Directive gave agencies tacit approval to ignore the standard. Mike Alsup