"Must Have" 1 – Regular records management program audits, evaluations and frequent updating and validation of vital records inventory

  • When was your agency’s directive(s) last reviewed and/or revised to ensure it includes all new records management policy issuances and guidance?
    39% of agencies need to update their records directive(s).
    Three percentage points higher year over year from last year.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Three Issues to Consider as You Examine How RM Controls Need to Change with M-19-21

    1. Recognize that many agencies are falling behind –
      • The rapid pace of technology change means that organizations can no longer rely on old paper-based records management assumptions.
      • Per the NARA Inspector General report, “Federal Agencies are still using old schedules approved in the 1980s and 1990s that do not reflect current business practices.”
    2. RM needs to be an agency-wide priority –
      • According to AIIM, the biggest challenges associated with an effective records management program are: 1) Having the right people at the table; 2) Enforcing the policy once it is completed; and 3) Translating the policy into system rules. All of these require actions and commitment beyond that of records officials; they require senior management commitment.
    3. Ask the right questions about internal RM controls (per NARA) –
      • Does your agency have a program of evaluations/inspections/audits, conducted on an annual cycle or similar timetable, to ensure the records management program is efficient, effective and compliant?
      • Following evaluations/inspections/audits, is a written report prepared on the findings and recommendations and presented to senior management?
      • Are recommendations following evaluations/inspections/audits acted upon, and are after-action plans put into effect and evaluated to ensure compliance?

"Must Have" 2 – Clear metrics and performance measures to validate records management effectiveness

  • Has your agency established performance goals for its records management program?
    72% of agencies have established broad records management performance goals.
    Five percentage points lower year over year from last year.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Four Tips for Improving Agency Records Management Accountability

    1. Senior Agency Official for Records Management (SAORM) understanding of the strategic implications of M-19-21 –
      • In a recent AIIM survey of both government and business records and IT professionals, 45% of organizations said their senior executives are “not engaged at all” or only “somewhat engaged” when it comes to Information Governance. This needs to change.
      • M-19-21 is not just a “box-checking” exercise; it represents a key inflection point in the transition to digital government.
      • Given rapid changes in underlying information technologies, SAORM engagement is key to the change management implications of M-19-21.
    2. Alignment of record management goals and broader information management goals –
      • Records management is nothing new for agencies. What is new is the action to move away from paper-based record management and embrace true digital government. Something bigger is now in play – an increasing connection between information governance and agency strategy.
    3. Linkage of records management goals with the agency’s strategic goals (per NARA, some examples) –
      • Identifying and scheduling all paper and non-electronic records by the end of FY 2018
      • Developing computer-based records management training modules by the end of FY 2018
      • Planning and piloting an electronic records management solution for email by the end of FY 2019
      • Updating records management policies by the end of the year
      • Conducting records management evaluations of at least one program area each quarter
    4. “Flow down” of agency records management goals to departmental and individual goals –
      • Are RM responsibilities assigned to a network of records liaison officers (RLOs) in program and field offices, and are RM responsibilities included in their job descriptions and responsibilities?
      • Have RM responsibilities be clearly outlined to all employees?

"Must Have" 3 – Quick response and clear accountability for FOIA requests

  • How does your agency handle duplicate records when processing FOIA requests?
    Only 29% of agencies have an automated approach to FOIA duplicates.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Three Ways M-19-21 Impacts FOIA Readiness

    1. M-19-21 Compliance is directly tied to FOIA Readiness –
      • The NARA 2016-18 FOIA Advisory Committee recommended considering features that will help facilitate FOIA readiness when acquiring electronic records management software, electronic mail software and other records-related information technology (IT). “As the federal government increases its reliance on electronic data systems, it is important to ensure that agencies have the means to effectively and efficiently pull information out of these systems in response to FOIA requests.”
    2. Automated FOIA search and export functionality –
      • The technology capability required to automate FOIA searches and exports is the same digital records and metadata capability required for M-19-21 compliance.
      • Governance capabilities that bridge paper, on-prem and cloud records are key to seamless FOIA responsiveness.
    3. Updated retention schedules and automated disposition processes –
      • The quality of FOIA responsiveness is a direct function of retention schedules that are kept up to date and the ability to automatically classify incoming information into those retention schedules.

"Must Have" 4 – Integrated internal controls to ensure the reliability, authenticity, integrity, usability and preservation of electronic records throughout the lifecycle

  • Are records and information in your agency managed throughout their lifecycle [creation/capture, classification, maintenance, retention and disposition]?
    39% of agencies lack the ability to manage information throughout its lifecycle.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Six Signs That Core Information Governance Controls are Lacking

    (Source: AIIM Certified Information Professional Study Guide)

    1. Information is kept beyond its usefulness to the organization. This increases costs and potential legal liabilities and can significantly increase the risks associated with a data breach or other information loss or disclosure.
    2. Responses to inquiries take too long: from a customer service perspective, from an internal operational perspective, and even in terms of responses to legal or regulatory requests.
    3. The organization stores too much redundant, obsolete and trivial information. This could include things such as personal files, a folder called “1999 Forecasts,” a folder called “Bill’s Files,” and so forth.
    4. There is significant uncertainty as to whether a particular document is the correct version, the most up-to-date version or just a copy.
    5. There is information or information-related systems that seem to have no specific owner – or in some cases multiple owners such that nobody takes responsibility for it.
    6. The use of personal devices – flash drives, smart phones, personal email – to access corporate systems is uncontrolled or ungoverned.

"Must Have" 5 – A clearly identified digitization strategy to convert permanent records created in hard copy or other analog formats to digital format

  • Does your agency have a digitization strategy to reformat permanent records created in hard copy or other analog formats (e.g., microfiche, microfilm, analog video, and analog audio)?
    61% of agencies lack a clearly articulated digitization strategy.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Five Tips for Creating an Effective Digitization Strategy

    1. Digitization at scale is more complicated than scanning
      Accurately converting paper records to digital records on an enterprise level requires specialized project management experience, state-of-the-art equipment, hands-on techniques and secure world-class conversion facilities. Given the complexity, many agencies choose to outsource this function.
    2. Calculate ALL the costs
      Access to internal resources, including staff and space, needs to be considered, as does the potential cost to outsource.
    3. Understand what you are digitizing
      Digitization goes beyond scanning standard-size documents and can also include photos, oversized documents, bound books, microfilm, microfiche and aperture cards.
    4. Comply with quality requirements
      Scanning should be done in a consistent manner with FADGI (Federal Agencies Digital Guidelines Initiative) guidelines.
    5. Avoid manual processes
      Use automated recognition technologies to assign required metadata at the time of conversion.

"Must Have" 6 – Integrated management of electronic records regardless of storage location (both on-prem and cloud)

  • Does your agency have documented and approved policies for cloud service use that includes recordkeeping requirements and handling of federal records?
    Less than 60% have cloud records under control.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Four Issues to Consider in Thinking About the Cloud

    (Source: AIIM Certified Information Professional Study Guide)

    1. Security – There is perhaps no greater concern for organizations contemplating the cloud than security. No organization wants to join the ever-growing list of data breaches. However, with very few exceptions, an argument can be made that cloud-based solutions are more secure than most organizations’ on-prem solutions.
    2. Data Sovereignty – The idea of data sovereignty is that different jurisdictions, especially countries, have different laws around data storage, privacy and data protection. A related topic is that of data residency – that is, the requirement, typically for government data, to reside exclusively within its country of origin.
    3. Uptime and Availability – Many organizations have concerns that their cloud-based systems could go down, rendering the information they contain inaccessible for some period of time. At the same time, it’s possible that the vendor might go out of business, or change business models, such that access to data is permanently removed.
    4. Vendor Lock-in – Even if the vendor doesn’t go out of business, at some point the organization may wish to move its data to another application or provider for any number of reasons.

"Must Have" 7 – Automated systems for capturing, assigning necessary metadata and classifying electronic information as it is created or enters the organization

  • How often does your agency evaluate, monitor or audit staff compliance with the agency’s policies for email preservation and the management of electronic messages including text messages, chat/instant messages, voice messages, and messages created.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    12 Tips to Get Your Information Capture Basics in Order

    (Source: AIIM Certified Information Professional Study Guide)

    A new generation of information capture technologies are uniquely positioned to help organizations address the problem set created by information chaos – the explosion in the formats, speeds and volumes of information entering the agency. Here are 12 steps to an effective information capture program:

    1. Identify sources of content to be captured (e.g., paper, microfilm, email, born‐digital, legacy sources such as file shares).
    2. Explain the challenges associated with managing digital information (e.g., determining what to capture and how, the dynamic nature of some digital information, how formats impact capture and management).
    3. Select the appropriate file format for creating and capturing content based on business requirements (e.g., target audiences, access to content over time, regulatory requirements).
    4. Determine the impact of using proprietary file formats on information creation, capture and access.
    5. Identify specific types of content to capture that provide unique challenges (e.g., email, social media, forms, rich media) and determine how to capture them (e.g., using a digital asset management system).
    6. Distinguish between structured and unstructured information and the differences in how they are managed.
    7. Determine methods for extracting and capturing data from structured applications.
    8. Determine methods for capturing structured data using electronic forms.
    9. Develop a process for capturing content (e.g., what to capture, approvals, audits).
    10. Determine strategy for capture (e.g., day-forward, backfile conversion, on‐demand, and factors that contribute to each).
    11. Select the appropriate file format(s) for captured images based on business requirements (e.g., number of pages, compression, need for Web‐based access, need for public access, bandwidth).
    12. Identify issues associated with file conversion (e.g., between formats, from digital to analog).

"Must Have" 8 – Incorporation of automated records management functionality into all electronic information systems

  • Does your agency ensure that records management functionality—including the capture, retrieval and retention of records according to agency business needs and NARA-approved records schedules—is incorporated into the design, development and implementation?

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Six Records Management Questions to Ask About Your Current Systems

    (Source: AIIM Certified Information Professional Study Guide)

    According to a recent AIIM survey, the biggest issues in creating an effective information governance policy are the usual suspects: 1) Having the right people at the table (37%); Enforcing the policy once it is completed (34%); and 3) Translating the policy into system rules (31%). As you think about each of your current information systems and these issues, here are six questions to ask that will help highlight where M-19-21 gaps exist:

    1. How old is the system and where is it in its lifecycle? That is, is the system a current version and/or still supported by the vendor?
    2. Is the system customized or integrated with any other systems?
    3. Where is the system physically located? This is often a significant issue for multinational organizations, and governmental entities, because of privacy and data protection concerns.
    4. Who owns the system (and therefore the data on it)? IT is often a custodian, but ultimately the business is the steward and owner of the information on those systems.
    5. How will you find out where rogue or shadow IT systems, likely unsupported by IT, are being used? Common examples include file sharing systems, personal email and communications applications.
    6. How will you find where “one-off” tools like Access databases, Lotus Notes applications, authoring tools, business-deployed SaaS applications and single-seat applications are being used?

"Must Have" 9 – Documented and approved procedures to enable the migration of records and associated metadata to new storage media or formats as technology changes

  • Does your agency have documented and approved procedures to enable the migration of records and associated metadata to new storage media or formats?
    Nearly half of agencies likely to have challenges as platforms modernize.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=247, totals may not add to 100% due to rounding.

    Four Tips for Creating a Future-Proof Migration Strategy

    The over-arching rule in future-proofing critical agency information is to understand exactly what information you have, where you have it, and how it is used. Specifically,

    1. What file formats are your records in? Format obsolescence arises because, like storage media, many file formats quickly fall out of fashion; and worse yet, those that do not are superseded by new versions. Standardized archival formats like PDF/A should be considered for files that need to be retained for significant periods of time.
    2. To the best of your knowledge, how will the mix of the file formats change in the future? Format obsolescence arises because, like storage media, many file formats quickly fall out of style. Worse yet, those that do not are superseded by new versions. What’s more, the more proprietary or complex the file formats, the more challenges they present to long-term access. Wherever possible, organizations should use standardized file formats; if those do not meet their needs, they should look at formats with significant market share as they are more likely to be supported over time.
    3. What is the condition of the storage media upon which all records and their backups are stored? Understand ALL of the variable factors involved in long-term information preservation that extend beyond the formal electronic RM system, including servers, disk drives, networks, PCs, viewing/screen hardware and operating systems.
    4. Avoid “big-bang” migrations; manage information in place whenever possible. When undertaking a migration, clearly understand why you are migrating, from where, and to where. Many migrations involve movement of Office documents from unmanaged media (individual hard drives and departmental and organizational shared drives) to more structured management environments, and these “tactical” migrations should be addressed differently from those that are undertaken for long-term preservation concerns.

"Must Have" 10 – Documented and approved policies and systems for eventual transfer of all electronic records to NARA

  • Does your agency have a process or strategy for managing permanent electronic records and related metadata in an electronic form?
    Nearly 30% of agencies are going to have challenges meeting the M-19-21 transfer timeline.

    Source Data: NARA, 2019 Records Management Self-Assessment, N=255, totals may not add to 100% due to rounding.

    Core Elements of an Effective Electronic Records Transfer Strategy

    After December 31, 2022, all agencies will transfer permanent records to NARA in electronic formats and with appropriate metadata, in accordance with NARA regulations and transfer guidance, except where an agency has been granted an exception under procedures to be developed by NARA.

    Per NARA:

    “It is probably easiest to transfer records on Compact-Disk, Read Only Memory (CD-ROM) or Digital Versatile Disc (DVD), because agencies typically have the drives for this media and it’s inexpensive. Other acceptable media include magnetic tape and tape cartridges, such as Digital Linear Tape (DLT). You may also use File Transfer Protocol (FTP). Additional types of media, such as external hard drives, may be acceptable if discussed in advance with the accessioning program unit.”

    NARA guidelines for specific content types are:

    • Textual records – use plain ASCII or in Portable Document Format (PDF) or format or scanned images.
    • Scanned images of textual records – the preferred formats are Tagged Image File Format (TIFF) and Portable Network Graphics (PNG). Graphics Interchange Format (GIF) and, Basic Image Interchange Format (BIIF) are also acceptable.
    • Data files and databases – convert tables to files with fixed-length fields or fields defined by delimiters.
    • Digital geospatial data – Spatial Data Transfer Standard (SDTS) or Geography Markup Language (GML) records incorporate preferred formats that are evolving, so contact NARA for assistance.
    • Digital photographic records – Tagged Image File Format (TIFF) and File Interchange Format (JFIF, JPEG) are also acceptable.
    • Web Records – Hypertext Markup Language (HTML) and other formats such as TIFF or PDF that either are embedded in the HTML or referenced by it.