Saving the Story
The Department of Defense has set the gold standard for electronic
records management, an area that not only touches all federal agencies,
but also businesses and industries in the private sector.
By Karen E. Thuermer
The Department of Defense has set the gold standard for electronic records management (ERM), an area that not only touches all federal agencies, but also businesses and industries in the private sector that have an interest in retaining and maintaining records.
Through its Directive 5015.2, DoD has developed a set of baseline functional requirements or standards required for records management application (RMA) software used by DoD components in implementing their records management programs. It also defines required system interfaces and search criteria that RMAs must support, and describes the minimum records management requirements that must be met based on current National Archives and Records Administration (NARA) regulations. NARA has endorsed DoD 5015.2-STD and the RMA compliance testing program.
While seemingly arcane, the records management standards are critical not only for preserving military history, but also for ensuring accurate performance in a wide range of department operations, from personnel to logistics. If it does not maintain proper records, advocates warn, DoD is at risk of losing a bit of its story, and undermining its effectiveness, every day.
These standards are so well developed, and under such constant review, that those vendors that become 5015.2 certified are akin to receiving the “Good Housekeeping Seal of Approval,” analysts say. Since DoD stepped forward and implemented its Directive 5015.2-STD, the standards have been accepted by not only the federal government and U.S. military, but also in the commercial world.
That’s because RMA is distinct from document management. Document management only stores information, while RMA categories documents and incorporates rules regarding when certain documents may be discarded. Consequently, although DoD 5015.2 is specifically mandated for defense systems, the standard is becoming a de facto benchmark for all government agencies.
Compliance Testing
To certify that a RMA is compliant with the DoD 5015.2 standard, the Defense Information Systems Agency’s Joint Interoperability Test Command (JITC) in Fort Huachuca, Ariz., is charged with overseeing the certification of vendors that provide RMA software. The JITC also provides assistance in assessing whether systems are ready for testing and assistance in clarifying requirements in DoD 5015.2-STD.
DoD policy permits only compliant products to be acquired by DoD organizations. Products that have been successfully tested are listed in the compliant product register. Additionally, vendor and product information are available through the compliant product register.
To become certified, vendors must meet certain minimum requirements outlined by DoD 5015.2-STD. Regardless of organizational and site-specific needs, JITC tests and certifies software against the 5015.2 requirements and keeps a record of those applications that have passed muster.
JITC officials point out, however, that while most vendors involved in the DoD Directive 5015.2 have a long history of working with the department, specific offices may not have a good understanding of their legal responsibilities when it comes to ERM. Most federal agencies are also challenged by RMA.
Consequently, on April 25, 2007, DoD entered its third version of 5015.2-STD. Major additions to Version 3 of DoD 5015.2-STD, “Design Criteria Standard for Electronic Records Management Applications,” include requirements to support the Freedom of Information Act (FOIA), Privacy Act, and interoperability. The new standard is now available on the Websites of the Defense Technical Information Center and JITC.
Version 3 defines the basic requirements based on operational, legislative and legal needs that must be met by RMA products acquired by DoD and its components. DoD requires that standards be reviewed and revised as often as necessary to keep them relevant and current.
Among Version 3’s new requirements is the ability to create alerts whenever any changes take place in the metadata fields of the documents. It also restricts the metadata access and requires the ability to routinely check the integrity of the data and make certain it hasn’t been tampered with. Version 3 includes requirements to help promote interoperability in terms of records transfer, and introduces some functional requirements for meeting Privacy Act and FOIA responsibilities.
Version 3 focuses on identifying functionality to be incorporated into applications that support an agency’s legal recordkeeping requirements. Version 3 will also offer the warfighter benefits such as ensuring that records that document their actions are captured, protected and incorporated into the national experience. It also ensures that the warfighter receives the correct compensation, as well as tracking support contracts to put materiel in the supply chain, tracking orders and paying out benefits.
Information Governance
CA recently became the first company to offer a product certified with complying with Version 3 of the 5015.2-STD.
The standard is critical to everyone in the records management community, according to William Manago, CA’s director of business analysis and information governance.
“This includes industry professionals, vendor suppliers and users of electronic records management systems,” Manago said. “For the vendor community, the standard describes the functional capabilities that must be provided to properly manage the authenticity, reliability, integrity and usability of records. For the user community, the standard’s certification process provides an independent assessment and gold seal of approval that certified products have successfully demonstrated compliance with the stringent requirements of the standard.”
One factor in winning approval for CA’s product was its comprehensive development program dedicated to improving records and information governance products.
“As the DoD standard is updated, the new requirements become integrated into the core set of development specifications for the product line,” Manago explained. “As a result of the new standard, we have expanded our metadata capability to include additional multi-value fields, enhanced our security models to include user customizable features, added a new RMA-to-RMA transfer (import and export) capability, enhanced our vital record review cycle controls and enhanced our disposition processing tools.”
The new version of the standard also caused significant changes in the company’s certification testing process and test case procedures.
“As the first vendor to be certified, we were able to assist the JITC test team in the validation and refinement of the new test cases,” he said.
Overall, CA positions records and information management as a core component of an overall philosophy called information governance—an approach that comprehensively manages, controls and discovers enterprise information to ensure organizational content is protected, accessible and retained according to business objectives.
“With CA information governance, companies are better positioned to mitigate risks, minimize costs and remain agile to quickly adapt to changes in laws, client requirements, user needs and growth,” Manago explained.
CA information governance addresses three key areas: retention management of records and vital knowledge assets, e-mail management and enterprise discovery.
“CA Records Manager is a key component of the CA information governance solution and is used by our customers to implement best practices to help them effectively govern their information,” he added.
CA’s records management solution includes integrated physical, electronic and e-mail records management, which unifies and integrates all records under one file plan/management console for consistent application of policy, legal holds and searches; federated records management, which effectively manages disparate silos of content and meshes with organizational goals of consistency, centralized management, risk mitigation and faster information access; records life cycle management and policy controls, which control and retain records according to legal, regulatory and business requirements throughout their life cycle; robust security; instantaneous access; circulation and warehouse management of physical records; and report and audit.
Classified Records
JITC will be making minor adjustments to the baseline test cases and moderate changes to the managing classified records test cases as a result of a test completed in late April with Feith, a software vendor.
Feith, with its Feith Document Database (FDD), successfully passed both JITC’s baseline and the managing classified records option.
“This is the fourth time that we have been tested by JITC,” said Don Feith, president of the firm. “JITC tests us every two years.”
JITC was pleased with the results, Feith contended, because FDD is a fully integrated and automated records management solution in which both electronic and paper records are managed and disposed of based on DoD 5015.2.
Making this test different than those in the past is the requirement in Version 3 that software must offer thin-client interfaces. “Nothing was required to be loaded on the client Web station,” said Feith, whose firm has offered thin-client technology since 1996.
“We were one of the first to bring document management and imaging workflow software to the Web,” he revealed.
FDD integrates with Oracle Apps, J.D. Edwards, SAP and other legacy applications, and incorporates Feith’s Mail iQ and Instant Message iQ solutions. “The applications make it possible to drag boxes onto a drawing and connect them to create workflow rules,” Feith said. “By using our Forms iQ solutions, creating the Web forms that are required for the DoD 5015.2 specification and running them through our workflow, we passed the test. This was just an application of our standard product. We did not modify our product. Our standard product is powerful enough to take these rules and run them.”
The FDD platform handles all processes involved in the collection, indexing, archiving and disposition of electronic records.
Feith also provides both an online capability for examining archived electronic messages and a means of auditing the messaging retention system. It’s available in both server and browser-based configurations to allow user access to specifically requested archived electronic messages and attachments.
“The main thing that differentiates our product from others is we have a very powerful workflow and electronic forms capability inside our Feith Document Database,” Feith stressed. “We can take the rules and configure them to pass the test. We did this with a general product. It was just a matter of configuring the product to meet the specifications.”
Research for this story was assisted by Jana Gallatin, DoD 5015.2-STD compliance test officer. ♦
