Records Modernization Checklist

1. Regular records management (RM) program audits, evaluations and frequent updating and validation of vital records inventory.
2. Clear metrics and performance measures to validate RM effectiveness.
3. Quick response and clear accountability for Freedom of Information Act (FOIA) requests.
4. Integrated internal controls to ensure the reliability, authenticity, integrity, usability and preservation of electronic records throughout its lifecycle.
5. A clearly identified digitization strategy to convert permanent records created in hard copy or other analog formats to digital format.
6. Integrated management of electronic records regardless of storage location (both on-prem and cloud).
7. Automated systems for capturing, assigning necessary metadata and classifying electronic information as it is created or enters the organization.
8. Incorporation of automated records management functionality into all electronic information systems.
9. Documented and approved procedures to enable the migration of records and associated metadata to new storage media or formats as technology changes.
10. Documented and approved policies and systems for eventual transfer of all electronic records to the National Archives and Records Administration (NARA).

Source: Compiled by John Mancini (Content Results) from the NARA Federal Agency Records Management 2021 Annual Report

Source Data: NARA, N=260, Federal Electronic Records and Email Maturity Model Report 2021.

Per NARA, “A successful records management program has a governance framework, articulated policy and clear standards. For electronic records management this is particularly important due to fragility, security vulnerabilities and other unique characteristics of electronic records.”

NARA notes that only 47% of agencies have policies about the management of permanent electronic records that address all the following key requirements:

• The identification of RM roles and responsibilities.
• Scheduling, managing and transferring permanent electronic records to NARA.
• The use of tools for digital signatures.
• Notification and reporting procedures for unauthorized access, use, alteration, alienation or deletion of electronic records.
• The inclusion of RM into agency information resources management strategic plans.
• The inclusion of RM into the agency’s Capital Planning and Investment Control process.
• The inclusion of RM into the agency’s Systems Development Life Cycle process.

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Three Tips for Improving Agency RM Accountability

1. Improve Senior Agency Official for Records Management (SAORM) understanding of the strategic implications of effective information governance.
   • In a recent Association for Intelligent Information Management (AIIM) survey of both government and business records and information technology (IT) professionals, 45% of organizations said their senior executives are “not engaged at all” or only “somewhat engaged” when it comes to information governance. This needs to change.
   • Given rapid changes in underlying information technologies, SAORM engagement is key to RM modernization.
2. Align RM goals with broader information management goals.
   • RM is nothing new for agencies. What is new is the move away from paper-based RM and the need to embrace true digital government. Something bigger is now in play—an increasing connection between information governance and agency strategy.
3. Link agency RM goals with departmental and individual goals.
   • Are RM responsibilities assigned to a network of records liaison officers (RLOs) in program and field offices, and are RM responsibilities included in their job descriptions and responsibilities?
   • Have RM responsibilities been clearly outlined to all employees?
   • Only 51% of agencies report that, “Relevant stakeholders, including agency senior leadership, are consistently and actively involved in creating and approving all records management policies.”

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Three Ways M-19-21 Impacts FOIA Readiness

1. Records management maturity is directly tied to FOIA Readiness.
   • The NARA 2016-18 FOIA Advisory Committee recommended considering features that will help facilitate FOIA readiness when acquiring electronic records management software, electronic mail software and other records-related IT. “As the federal government increases its reliance on electronic data systems, it is important to ensure that agencies have the means to effectively and efficiently pull information out of these systems in response to FOIA requests.”
2. Automated FOIA search and export functionality is key to constituent responsiveness.
   • The technology capabilities required to automate FOIA searches and exports are the same digital records and metadata capabilities required for effective records management modernization.
   • Governance capabilities that bridge paper, as well as on-prem and cloud records, are key to seamless FOIA responsiveness.
3. Updated retention schedules and an automated disposition process need to keep pace with information inflows.
   • The quality of FOIA responsiveness is a direct function of how well retention schedules are updated and the ability to automatically classify incoming information into those retention schedules.

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Six Signs That Core Information Governance Controls are Lacking

(Source: AIIM Certified Information Professional Study Guide)

1. Organizations keep information beyond its usefulness to the organization. This increases costs and potential legal liabilities and can significantly increase the risks associated with a data breach or other information loss or disclosure.
2. Responses to inquiries take too long: from a customer service perspective, from an internal operational perspective, and even in terms of responses to legal or regulatory requests.
3. The organization stores too much redundant, obsolete and trivial information. This could include things like personal files, a folder called “1999 Forecasts,” a folder called “Bill’s Files,” and so forth.
4. There is significant uncertainty as to whether a particular document is the correct version, the most up-to-date version or just a copy.
5. There is information or information-related systems that seem to have no specific owner –or in some cases multiple owners such that nobody takes responsibility for it.
6. The use of personal devices—flash drives, smart phones, personal email—to access corporate systems is uncontrolled or ungoverned.

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Five Tips for Creating an Effective Digitization Strategy

1. Understand that digitization at scale is more complicated than scanning.
   Accurately converting paper records to digital records on an enterprise level requires specialized project management experience, state of the art equipment, hands-on techniques and secure world-class conversion facilities. Given the complexity, many agencies choose to outsource this function.
2. Calculate ALL the costs of digitization.
   Organizations must consider its needs for accessing internal resources, including for staff and space, as well as for the potential cost to outsource.
3. Understand what you are digitizing.
   Digitization goes beyond scanning standard-size documents and can also include photos, oversized documents, bound books, microfilm, microfiche and aperture cards.
4. Comply with quality requirements.
   As a result of the pending NARA regulations requiring (Federal Agencies Digital Guidelines Initiative) FADGI-3 image and scanning process quality levels for permanent records, FADGI-3 quality levels will likely become the defacto standard for all scanned records.
5. Avoid manual processes.
   Use automated recognition technologies to assign required metadata at the time of conversion.

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Four Issues to Consider in Thinking About the Cloud

(Source: AIIM Certified Information Professional Study Guide)

1. Security: There is perhaps no greater concern for organizations contemplating the cloud than security. No organization wants to join the ever-growing list of data breaches. However, with very few exceptions, one can make an argument that cloud-based solutions are more secure than most organizations’ on-prem solutions.
2. Data Sovereignty: The idea of data sovereignty is that different jurisdictions, especially countries, have different laws around data storage, privacy and data protection. A related topic is that of data residency—that is, the requirement, typically for government data, to reside exclusively within its country of origin.
3. Uptime and Availability: Many organizations have concerns that their cloud-based systems could go down, rendering the information they contain inaccessible for some period. At the same time, it is possible that the vendor might go out of business, or change business models, such that access to data is permanently removed.
4. Vendor Lock-in: Even if the vendor does not go out of business, at some point the organization may wish to move its data to another application or provider for any number of reasons.

Source Data: NARA, N=260, Federal Electronic Records and Email Maturity Model Report 2021

Per NARA, “Agencies must have control over permanent electronic records to ensure adequate capture, management, preservation and transfer to NARA in acceptable electronic formats along with the appropriate metadata. Organizations can automate such control in dedicated records management systems or implemented manually in shared drives, data repositories or other types of storage. Additionally, IT systems must support the implementation of RM regulations and local policies and provide access to permanent electronic records throughout their lifecycles, which can span decades.”

Systems for permanent records must:

• Comply with approved records schedules;
• Allow permanent electronic records to be located, retrieved, accessed, presented; interpreted and updated wherever they reside throughout their full lifecycles;
• Automate security and management of permanent electronic records over time in accordance with NARA requirements; and
• Generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing permanent electronic records, including the ability to:
  • Audit/track use of the records, including all events and actions related to the record by person entities and non-person entities;
  • Audit/track actions changing the level of record access;
  • Audit/track changes in the location of permanent records; and
  • Generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing permanent electronic records.

Source Data: NARA, N=260, Federal Electronic Records and Email Maturity Model Report 2021

Six Records Management Questions to Ask About Your Current Systems

(Source: AIIM Certified Information Professional Study Guide)

According to a recent AIIM survey, the biggest issues in creating an effective information governance policy are the usual suspects: 1) Having the right people at the table (37%); 2)Enforcing the policy once it is completed (34%); and 3) Translating the policy into system rules (31%). As you think about each of your current information systems and these issues, here are six questions to ask that will help highlight where RM modernization gaps exist:

1. How old is the system and where is it in its lifecycle? That is, is the system a current version and/or still supported by the vendor?
2. Is the system customized or integrated with any other systems?
3. Where is the system physically located? This is often a significant issue for multinational organizations, and governmental entities, because of privacy and data protection concerns.
4. Who owns the system (and therefore the data on it)? The IT group is often a custodian, but ultimately the business is the steward and owner of the information on those systems.
5. How will you find out where rogue or shadow IT systems, likely unsupported by IT, are being used? Common examples include file sharing systems, personal email and communications applications.
6. How will you find where “one-off” tools like Access databases, Lotus Notes applications, authoring tools, business-deployed SaaS applications and single-seat applications are being used?

Source Data: NARA, 2021 Records Management Self-Assessment, N=264, totals may not add to 100% due to rounding.

Five Tips for Creating a Future-Proof Migration Strategy

The over-arching rule in future-proofing critical agency information is to understand exactly what information you have, where you have it, and how it is used. Specifically,

1. What file formats are used for your records? Format obsolescence arises because, like storage media, many file formats quickly fall out of fashion; and worse yet, those that do not are superseded by new versions. Standardized archival formats like PDF/A should be considered for files that need to be retained for significant periods of time.
2. To the best of your knowledge, how will the mix of file formats change in the future? Format obsolescence arises because, like storage media, many file formats quickly fall out of fashion; and worse yet, those that do not are superseded by new versions. And the more proprietary or complex the file formats, the more challenges they present to long-term access. Wherever possible, organizations should use standardized file formats; if those do not meet their needs, they should look at formats with significant market share as they are more likely to be supported over time.
3. What is the condition of the storage media upon which an organization stores all the records and their backups? Understand ALL the variable factors involved in long-term information preservation that extend beyond the formal electronic RM system, including servers, disk drives, networks, PCs, viewing/screen hardware and operating systems.
4. Avoid “big-bang” migrations; manage information in place whenever possible. When undertaking a migration, clearly understand why you are migrating, from where, and to where. Many migrations involve movement of office documents from unmanaged media (individual hard drives and departmental and organizational shared drives) to more structured management environments.
5. As agencies standardize on M365, it becomes increasingly critical to understand the native governance and compliance capabilities of the M365 platform. Particularly, because of COVID-driven remote worker needs, most organizations are adopting the M365 platform for knowledge work; very few, though, understand how to automate the governance of this content.

Source Data: NARA, N=260, Federal Electronic Records and Email Maturity Model Report 2021

Digitization requirements for permanent records are about to become more challenging and confusing.

• NARA and the Office of Management and Budget (OMB) have proposed regulations (still pending) on digitization standards for permanent records.
  • “Permanent records are approved by the Archivist of the United States as having sufficient historical or other value that warrants continuing to preserve them beyond the time agencies need the records for administrative, legal or fiscal purposes. Agencies retain permanent records for administrative, legal or fiscal purposes for a specific period. At the end of the scheduled retention period, they then transfer permanent records to the legal custody of the National Archives… The standards in this proposed rulemaking apply retroactively to digitized permanent records that have not been transferred to the National Archives. If agencies determine their previously digitized records are not in compliance with these standards, re-digitizing may be necessary.”
• The reason for the regulations is that there is no consistent definition for image quality, particularly when it comes to levels of image quality necessary to assure long-term document preservation. The pending regulation outlines a set of image scanning performance parameters that agencies must meet for permanent records and notes, “these parameters equate to FADGI three-star aimpoints and tolerance ranges.”
• FADGI provides a quantitative alternative to definitions of image quality that rely on dots per inch (DPI) or the “appearance” of a document. In addition, the proposed image quality standards are focused on the consistency, integrity and auditability of the scanning and capture process itself (vs. the quality of an individual document), a key factor when operating at scale.
• Anticipating final passage of the regulation, many solution providers and federal agency end users have begun to speculate on the practical implications of what meeting “FADGI three-star aimpoints and tolerance ranges” means in an operational environment. This has led to a confusing array of “FADGI-compliant” and “FADGI-capable” claims by solution providers, a confusion that will get much worse once the regulation becomes final and FADGI-3 requirements begin to be included into request for proposals (RFPs). There are also unanswered questions related to how and who will determine whether past records comply, and if not, who will fund the efforts required to rescan them.