oversight

Electronic Records: Management and Preservation Pose Challenges

Published by the Government Accountability Office on 2003-07-08.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Technology,
                          Information Policy, Intergovernmental Relations,
                          and the Census, Committee on Government
                          Reform, House of Representatives
For Release on Delivery
Expected at 10 a.m. EDT
Tuesday, July 8, 2003     ELECTRONIC RECORDS
                          Management and
                          Preservation Pose
                          Challenges
                          Statement of Linda D. Koontz
                          Director, Information Management Issues




GAO-03-936T
This is a work of the U.S. government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. However, because this work may contain copyrighted images or
other material, permission from the copyright holder may be necessary if you wish to
reproduce this material separately.
                                                July 8, 2003


                                                ELECTRONIC RECORDS
                                                Management and Preservation Pose
Highlights of GAO-03-936T, a testimony          Challenges
before the Subcommittee on Technology,
Information Policy, Intergovernmental
Relations, and the Census, Committee on
Government Reform, House of
Representatives




The difficulties of managing,                   As reported in GAO’s past work, most electronic records—including
preserving, and providing access to             databases of major federal information systems—remained unscheduled:
the vast and rapidly growing                    that is, their value had not been assessed, and their disposition—to
volumes of electronic records                   destruction or archives—had not been determined. In addition, records of
produced by federal agencies
                                                historical value were not being identified and provided to NARA; as a result,
present challenges to the National
Archives and Records                            they were at risk of loss. NARA has begun to address these problems by
Administration (NARA), the                      taking steps to improve federal records management programs; among other
nation’s recordkeeper and                       things, it has (1) updated guidance to reflect new types of electronic records,
archivist. Complex electronic                   (2) devised a strategy for raising awareness among senior agency
records are being created in                    management of the importance of good federal records management, and
volumes that make them difficult to             (3) devised a comprehensive approach to improving agency records
organize and keep accessible.                   management that includes inspections and identification of risks and
These problems are compounded                   priorities. Through these and other actions, NARA is making progress, but its
as computer hardware, application               approach to improving records management does not include provisions for
software, and even storage media                using inspections to evaluate the efficacy of its governmentwide guidance,
become obsolete, as they may leave
                                                and an implementation plan for the approach has yet to be established.
behind electronic records that can
no longer be read. As a result,                 Without these elements, the risk is increased that federal records
valuable government information                 management problems will persist.
may be lost. GAO was requested to
testify, among other things, on                 In addition to its efforts to improve records management, NARA is also
NARA’s recent actions to address                acquiring ERA as a means to archive all types of electronic records and
the challenges of electronic records            make them accessible. GAO found, however, that NARA faces significant
management, including its effort to             challenges in acquiring ERA, a major information system. While NARA has
address the problem of preserving               made progress in building its organizational capabilities for acquiring major
electronic records by acquiring an              information systems, it has not developed adequate policies, plans and
advanced Electronic Records                     practices to guide the ERA acquisition or established the means to track the
Archive (ERA).
                                                cost and schedule of the project. Unless NARA addresses these and other
                                                issues, the ERA system may not meet user expectations, and NARA may not
                                                have the information required to control the cost of the system or the time it
                                                will take to complete it.

                                                Master Copies of Electronic Records in NARA’s Archives




www.gao.gov/cgi-bin/getrpt?GAO-03-936T.

To view the full product, click on the link
above.                                          Source: NARA.
For more information, contact Linda Koontz at
(202) 512-6240 or koontzl@gao.gov.
    Mr. Chairman and Members of the Subcommittee:
    I appreciate the opportunity to participate in the Subcommittee’s
    hearing on the challenges of records management in an electronic
    era. As you know, agencies are increasingly moving to an
    operational environment in which electronic—rather than paper—
    records are used to document their activities and business
    processes. This migration to an increasingly electronic environment
    is likely to accelerate in light of the E-Government Act of 2002,
    which encourages the expansion of electronic government.1
    This transformation is leading to improvements in the way federal
    agencies work and interact with each other and with the public, but
    it has also led to the generation of vast and rapidly growing volumes
    of electronic records. These records need to be properly managed,
    as they provide documentation and information that are necessary
    for essential government functions and for protecting government
    and citizen interests. Also, a small percentage of documents and
    other records are sufficiently significant that they must be preserved
                                          2
    in archives for the historical record.
    Overall responsibility for the government’s electronic records lies
    with the National Archives and Records Administration (NARA),3
    whose mission is twofold: (1) oversight of records management,
    which governs the life cycle of records (creation, maintenance and
    use, and disposition), and (2) archiving, which is the permanent
    preservation of documents and other records of historical interest.
    In carrying out these missions, NARA and agencies use a process
    known as scheduling to assess the value of records and determine
    their disposition.
    As requested, in my remarks today, I will begin by providing some
    perspective on records management and its importance to the
    government in today’s environment. In addition, I will
•   describe the challenges that the government faces in managing and
    preserving electronic records,
•   summarize the results of our June 2002 report on electronic records
    management issues,




    1
     Electronic government refers to the use of technology, particularly Web-based Internet applications,
    to enhance the access to and delivery of government information and services to citizens, business
    partners, employees, other agencies, and other entities.
    2
        Of the total number of federal records, less than 3 percent are designated permanent.
    3
        NARA’s regulations implementing the Federal Records Act are found at 36 CFR 1200-1280.

    Page 1                                                                                      GAO-03-936T
                   •   provide information on NARA’s actions since we issued our report
                       and assess its progress in responding to the recommendations we
                       made to improve governmentwide records management, and
                   •   assess NARA’s efforts to acquire an advanced electronic record
                       archive (ERA), intended to preserve and provide access to
                       electronic records.
                       Our evaluation of records management challenges and issues is
                       based on our June 2002 report, entitled Information Management:
                       Challenges in Managing and Preserving Electronic Records. To
                       update NARA actions since our report, we analyzed key documents
                       and plans, and we interviewed appropriate agency officials. Our
                       assessment of NARA’s efforts to acquire ERA reflects the results of
                       ongoing work, the results of which will be reported in August 2003.
                       We performed our update work from June to July 2003 in
                       accordance with generally accepted auditing standards.


Results in Brief
                       The rapid evolution of information technology is creating challenges
                       in managing and preserving electronic records. Complex electronic
                       records are increasingly being created in a decentralized
                       environment and in volumes that make it difficult to organize them
                       and make them accessible. Further, storage media themselves are
                       affected by the dual problems of obsolescence and deterioration: for
                       example, few computers today have disk drives that can read
                       information stored on 8 or 5¼-inch diskettes, even if the diskettes
                       themselves remain readable. These problems are compounded as
                       computer hardware and application software become obsolete, as
                       they may leave behind electronic records that can no longer be read.
                       Unless these challenges are addressed, valuable government
                       information may be lost forever.
                       Our past work has shown that while NARA has responded to the
                       challenges associated with managing and preserving electronic
                       records, most electronic records—including databases of major
                       federal information systems—remained unscheduled, and records of
                       historical value were not being identified and provided to NARA; as
                       a result, they were at risk of loss. A number of factors contributed to
                       this condition:
                   •   NARA acknowledged that its policies and processes on electronic
                       records had not yet evolved to reflect the modern recordkeeping


                       Page 2                                                     GAO-03-936T
    environment: records created electronically in decentralized
    processes.
•   Records management programs were generally afforded low priority
    by federal agencies. A related issue was that agency management
    had not given priority to acquiring the more sophisticated and
    expensive information technology required to manage records in an
    electronic environment.
•   NARA was also not performing systematic inspections of agency
    records programs. Such inspections are important as a means to
    evaluate individual agency records management programs, assess
    governmentwide progress in improving records management, and
    identify agency implementation issues and areas where guidance
    needs to be strengthened.
    We recommended that NARA develop strategies for raising agency
    management awareness of the importance of records management
    and for performing systematic inspections.
    In the year since our report was issued, NARA has taken steps to
    improve its guidance and address the lack of technology tools. In
    response to our recommendations, it has devised a reasonable
    strategy for raising awareness among senior agency management. In
    addition, it has devised a comprehensive approach to improving
    agency records management that includes inspections and
    identification of risks and priorities, but its approach does not
    include provisions for using inspections to evaluate the efficacy of
    its governmentwide guidance, and an implementation plan for the
    approach has yet to be established. Until NARA fully addresses the
    need to assess and improve agency records management programs
    and develop an implementation plan, the risk is increased that
    records management programs will continue to show the
    weaknesses that led to the scheduling and disposition problems that
    we and NARA described in earlier work.
    To address the problems associated with preserving electronic
    records in a rapidly changing technological environment, NARA is
    acquiring ERA, an advanced archiving system whose acquisition
    presents significant challenges. First, while NARA has made
    progress in strengthening its organizational capabilities for acquiring
    major information systems, these capabilities are not fully
    established. For example, NARA has completed some elements of
    an information security program; however, several key areas—such
    as developing individual system security plans—have not yet been
    addressed. Second, the policies, plans, and practices that NARA is
    using to acquire ERA do not in many cases conform to standards or

    Page 3                                                     GAO-03-936T
                 to applicable federal acquisition guidance. Finally, NARA is unable
                 to objectively track the cost and schedule of the ERA project.
                 Unless NARA improves its acquisition planning, the risk is increased
                 that the ERA system will fail to meet user expectations, and that
                 NARA will not have the information required to control the cost of
                 the system or the time it will take to complete it. In view of these
                 risks, we have recommended that NARA address weaknesses in its
                 acquisition policies, plans, and practices and its ERA schedule.


Background
                 NARA’s mission is to ensure “ready access to essential evidence” for
                 the public, the president, the Congress, and the Courts. NARA’s
                                                                     4
                 responsibilities stem from the Federal Records Act, which requires
                 each federal agency to make and preserve records that
             •   document the organization, functions, policies, decisions,
                 procedures, and essential transactions of the agency and
             •   provide the information necessary to protect the legal and financial
                 rights of the government and of persons directly affected by the
                 agency’s activities.
                 Federal records must be managed to ensure that the information
                 that they contain is available when needed. According to NARA,
                 without effective records management, the records needed to
                 document citizens’ rights, actions for which federal officials are
                 responsible, and the historical experience of the nation will be at
                 risk of loss, deterioration, or destruction.
                 Records management is defined as the policies, procedures,
                 guidance, tools and techniques, resources, and training needed to
                 design and maintain reliable and trustworthy records systems.
                 Records must be managed throughout their life cycle: from creation,
                 through maintenance and use, to final disposition. Temporary
                 records—those used in everyday operations but lacking historic
                 value—are ultimately destroyed. Permanent records—those judged
                 to be of historic value—are preserved through archiving.
                 With NARA’s oversight and assistance, each agency is responsible
                 for managing its own records at all phases of the life cycle, with the
                 exception of the archiving of permanent records (which is NARA’s
                 responsibility).


                 4
                     44 U.S.C. chapters 21, 29, 31, and 33.

                 Page 4                                                       GAO-03-936T
NARA Is Responsible for Oversight of Records Management and for Archiving
                                  NARA is responsible for
                              •   issuing records management guidance;
                              •   working with agencies to implement effective controls over the
                                  creation, maintenance, and use of records in the conduct of agency
                                  business;
                              •   providing oversight of agencies’ records management programs; and
                              •   providing storage facilities for certain temporary agency records.
                                  The Federal Records Act also authorizes NARA to conduct
                                  inspections of agency records and records management programs.

Records Are Managed through Scheduling
                               NARA works with agencies to identify and inventory records; to
                               appraise their value; and to determine whether they are temporary
                               or permanent, how long the temporary records should be kept, and
                               under what conditions both the temporary and permanent records
                               should be kept. This process is called scheduling. No record may be
                               destroyed unless it has been scheduled. Thus, for temporary records
                               the schedule is of critical importance, because it provides the
                               authority to dispose of the record after a specified time.
                                  Records are governed by schedules that are either (1) specific to an
                                  agency or (2) general—that is, common to several agencies or
                                  across the government. According to NARA, records covered by
                                  general records schedules make up about a third of all federal
                                  records. For the other two thirds, NARA and the agencies must
                                  agree upon specific records schedules. Once a schedule has been
                                  approved, the agency must issue it as a management directive, train
                                  employees in its use, apply its provisions to temporary and
                                  permanent records, and evaluate the results.

Guidance Addresses Electronic Records
                                While the Federal Records Act covers documentary material
                                regardless of physical form or media, records management and
                                archiving were until recently largely focused on handling paper
                                documents. With the advent of computers, both records
                                management and archiving have had to take into account the
                                creation of records in varieties of electronic formats.
                                  NARA’s basic guidance for the management of electronic records is
                                  in the form of a regulation at 36 CFR Part 1234. This guidance is

                                  Page 5                                                    GAO-03-936T
    supplemented by the issuance of periodic NARA bulletins and a
    records management handbook, Disposition of Federal Records.
    For electronic records, NARA’s guidance sets forth two basic
    requirements.
•   First, agencies are required to maintain an inventory of all agency
    information systems. The inventory should identify (1) the system’s
    name, (2) its purpose, (3) the agency programs supported by the
    system, (4) data inputs, sources, and outputs, (5) the information
    content of databases, and (6) the system’s hardware and software
    environment.
•   Second, NARA requires agencies to schedule the electronic records
    maintained in their systems. Agencies must schedule those records
    either under specific schedules (completed through submission and
    approval of Standard Form 115, Request for Records Disposition
    Authority) or pursuant to a general records schedule. NARA relies
    on this combination of inventory and scheduling requirements to
    ensure that management of agency electronic records is consistent
    with the Federal Records Act.
    NARA has also established a general records schedule for electronic
    records. General Records Schedule 20 (GRS 20) authorizes the
    disposal of certain categories of temporary electronic records. It has
    been revised several times over the years in response to
    developments in information technology, as well as legal challenges.
    GRS 20 applies to electronic records created both in computer
    centers engaged in large-scale data processing and in the office
    automation environment. GRS 20 authorizes the disposal of certain
    types of electronic records associated with large data base systems,
    (such as inputs, outputs, and processing files), as well as the
    deletion of the electronic version of records on word processing and
    electronic mail systems once a recordkeeping copy has been made.
    Since most agency recordkeeping systems are paper files, GRS 20
    essentially authorizes agencies to destroy E-mail and word-
    processing files once they are printed. (Recall that records not
    covered by a general records schedule may not be destroyed unless
    authorized by a records schedule that has been approved by NARA.)
    GRS 20 does not address many common products of electronic
    information processing, particularly those that result from the now
    prevalent distributed, end-user computing environment. For
    example, although the guidance addresses the disposition of certain
    types of electronic records associated with large databases, it does
    not specifically address the disposition of electronic databases
    created by microcomputer users. In addition, GRS 20 does not
    Page 6                                                    GAO-03-936T
                                 address more recent forms of electronic records such as Web pages
                                 and portable document format (PDF) files.5

NARA Archives Permanent Records of Historical Interest
                              As the nation’s archivist, NARA accepts for deposit to its archives
                              those records of federal agencies, the Congress, the Architect of the
                              Capitol, and the Supreme Court that are determined to have
                              sufficient historical or other value to warrant their continued
                              preservation by the U.S. government. NARA also accepts papers and
                              other historical materials of the Presidents of the United States,
                              documents from private sources that are appropriate for
                              preservation (including electronic records, motion picture films, still
                              pictures, and sound recordings), and records from agencies whose
                              existence has been terminated.
                                 To ensure that permanent electronic records are preserved, each
                                 agency must transfer electronic records to NARA in accordance
                                 with the agency’s records disposition schedule. NARA accepts for
                                 archiving electronic records that are in text-based formats, such as
                                 databases and certain text-based geographic information system
                                        6
                                 (GIS) files. In addition, NARA accepts E-mail records and
                                 attachments, several forms of scanned images of text files, and PDF
                                 files. It does not accept Web pages, word processor files, or
                                 relational databases. (Although NARA does not as yet accept such
                                 files for archiving, they must still be scheduled.)7

Agencies Are Beginning to Automate Management of Electronic Records
                                 In response to the difficulty of manually managing electronic
                                 records, agencies are turning to automated records management
                                 applications to help automate electronic records management
                                 lifecycle processes. The primary functions of these applications
                                 include categorizing and locating records and identifying records
                                 that are due for disposition, as well as storing, retrieving, and
                                 disposing of electronic records that are maintained in repositories.

                                 5
                                  PDF is a proprietary format of Adobe Systems, Inc., that preserves the fonts, formatting, graphics,
                                 and color of any source document, regardless of the application and platform used to create it.
                                 6
                                   A geographic information system is a computer system for capturing, storing, checking, integrating,
                                 manipulating, analyzing, and displaying data related to positions on the Earth’s surface. Typically, a
                                 GIS is used for handling maps of one kind or another. These might be represented as several different
                                 layers where each layer holds data about a particular kind of feature (e.g., roads). Each feature is
                                 linked to a position on the graphical image of a map.
                                 7
                                  NARA’s requirements for the transfer of agency electronic records are provided through 36 CFR Part
                                 1228. NARA’s Web site provides further guidance on this topic under the heading Permanent E-
                                 Records Transfers to NARA Deliverables.
                                 (http://www.archives.gov/records_management/initiatives/transfer_to_nara.html)

                                 Page 7                                                                                 GAO-03-936T
                             Also, some applications are beginning to be designed to
                             automatically classify electronic records and assign them to an
                             appropriate records retention and disposition category.
                             The Department of Defense (DOD), which is pioneering the
                             assessment and use of records management applications, has
                             published application standards and established a certification
                             program.8 DOD standard 5015.2, endorsed by NARA, includes the
                             requirement that records management applications acquired by
                             DOD components after 1999 be certified to meet this standard.9

NARA Is Currently Pursuing Initiatives Related to Electronic Records Management
                             NARA is pursuing other interrelated efforts that address records
                             management (including electronic records). Three major initiatives
                             are
                         •   NARA’s effort on Redesign of Federal Records Management;
                         •   the Electronic Records Management initiative, one of 25 e-
                             government initiatives sponsored by the Office of Management and
                             Budget (OMB), and
                         •   the acquisition of an advanced Electronic Records Archives (ERA).
                             In 2000, NARA began a three-stage effort to redesign federal records
                             management. First, in 2001, NARA produced a report based on
                             information on federal records management that it collected and
                                       10
                             analyzed. Second, it used this report as a starting point to revise
                             the regulations, policies, and processes for managing federal
                             records and to develop a set of strategies to support federal records
                             management. As a result of this analysis, in July 2002 NARA issued a
                             draft proposal for the redesign of federal records management.
                             Third, based on comments received on the proposal, it is developing
                             a redesigned records scheduling, appraisal, and accessioning
                             process, as well as prototype and functional requirements for
                             automated tools for the redesigned process. The redesign is planned
                             as a multiyear process (2003 to 2006), during which NARA intends


                             8
                              Department of Defense, Design Criteria Standard for Electronic Records Management Software
                             Applications, DOD 5015.2-STD (November 1997)
                             (http://www.dtic.mil/whs/directives/corres/html/50152std.htm).
                             9
                              DOD 5015.2-STD requires that records management applications be able to manage records
                             regardless of their media.
                             10
                               SRA International, Inc., Report on Current Recordkeeping Practices within the Federal Government
                             (Dec. 10, 2001) (http://www.nara.gov/records/rkreport.html). This document reports results from two
                             sources: a recordkeeping study performed by NARA’s contractor, SRA International, and a series of
                             records system analyses performed by NARA staff.

                             Page 8                                                                              GAO-03-936T
                      to address the scheduling and appraisal of federal records in all
                      formats.
                      The overall purpose of the Electronic Records Management (ERM)
                      initiative is to help agencies better manage their electronic records,
                      so that records information can be effectively used to support timely
                      and effective decision making, enhance service delivery, and ensure
                      accountability. The initiative is intended to provide a variety of tools
                      to address immediate and longer term agency needs. NARA is the
                      managing partner agency for the overall ERM initiative.
                      The goals for the advanced ERA system are that it will be able to
                      preserve and provide access to any kind of electronic record, free
                      from dependency on any specific hardware or software, so that the
                      agency can carry out its mission into the future. NARA plans for
                      ERA to be a distributed system, allowing storage and management
                      of massive record collections at a variety of installations, with
                      accessibility provided via the Internet. NARA is planning to build the
                      system in five increments, with the last increment scheduled to be
                      complete in 2010.


Inherent Features of Electronic Records Make Management and
Preservation Challenging
                      The rapid evolution of information technology makes the task of
                      managing and preserving electronic records complex and costly.
                      Part of the challenge of managing electronic records is that they are
                      produced by a mix of information systems, which vary not only by
                      type but by generation of technology: the mainframe, the personal
                      computer, and the Internet. Each generation of technology brought
                      in new systems and capabilities without displacing the older
                      systems.11 Thus, organizations have to manage and preserve
                      electronic records associated with a wide range of systems,
                      technologies, and formats. These records are stored in specific
                      formats and cannot be read without software and hardware—
                      sometimes the specific types of hardware and software on which
                      they were created.
                      Several factors contribute to the challenge of managing and
                      preserving electronic records:



                      11
                           International Council on Archives, Guide for Managing Electronic Records from an Archival
                      Perspective (Paris: February 1997).

                      Page 9                                                                                GAO-03-936T
•   Massive volumes of electronic data require automated solutions.
    Electronic records are increasingly being created in volumes that
    pose a significant technical challenge to our ability to organize them
    and make them accessible. For example, among the candidates for
    archiving are military intelligence records comprising more than
    1 billion electronic messages, reports, cables, and memorandums, as
    well as over 50 million electronic court case files. Managing such
    large volumes is clearly not possible without automation.
•   Control of electronic records is difficult in a decentralized
    computing environment.
    The challenge of managing electronic records significantly increases
    with the decentralization of the computing environment. In the
    centralized environment of a mainframe computer, it is easier to
    identify, assess, and manage electronic records than it is in the
    decentralized environment of agencies’ office automation systems,
    where every user is creating electronic files that may constitute a
    formal record and thus should be preserved.
•   The complexity of electronic records precludes simple transfer to
    paper.
    Electronic records have evolved from simple text-based files to
    complex digital objects that may contain embedded images (still and
    moving), drawings, sounds, hyperlinks, or spreadsheets with
    computational formulas. Some portions of electronic records, such
    as the content of dynamic Web pages, are created on the fly from
    databases and exist only during the viewing session. Others, such as
    E-mail, may contain multiple attachments, and they may be threaded
    (that is, related E-mail messages are linked into send–reply chains).
    These records cannot be converted to paper or text formats without
    the loss of context, functionality, and information.
•   Obsolescent and aging storage media put electronic records at risk.
    Storage media are affected by the dual problems of obsolescence
    and decay. They are fragile, have limited shelf life, and become
    obsolete in a few years. For example, few computers today have
    disk drives that can read information stored on 8- or 5¼-inch
    diskettes, even if the diskettes themselves remain readable.
•   Electronic records are dependent on evolving software and
    hardware.
    Electronic records are created on computers with software ranging
    from word-processors to E-mail programs. As computer hardware
    and application software become obsolete, they may leave behind

    Page 10                                                     GAO-03-936T
                        electronic records that cannot be read without the original hardware
                        and software.


Past GAO Work Highlighted Electronic Records Challenges
                        In June 2002,12 we reported that NARA had responded to the
                        challenges associated with managing and preserving electronic
                        records. However, most electronic records—including databases of
                        major federal information systems—remained unscheduled, and
                        records of historical value were not being identified and provided to
                        NARA; as a result, they were at risk of loss. A number of factors
                        contributed to this condition:
                    •   NARA acknowledged that its policies and processes on electronic
                        records had not yet evolved to reflect the modern recordkeeping
                        environment: records created electronically in decentralized
                        processes.
                    •   Records management programs were generally afforded low priority
                        by federal agencies. A related issue was that agency management
                        had not given priority to acquiring the more sophisticated and
                        expensive information technology required to manage records in an
                        electronic environment.
                    •   NARA was also not performing systematic inspections of agency
                        records programs. Such inspections are important as a means to
                        evaluate individual agency records management programs, assess
                        governmentwide progress in improving records management, and
                        identify agency implementation issues and areas where guidance
                        needs to be strengthened.
                        We also provided some confirmation of NARA’s findings regarding
                        records scheduling and disposition: our review at four agencies
                        (Commerce, Housing and Urban Development, Veterans Affairs, and
                        State) elicited a collective estimate that less than 10 percent of
                        mission-critical systems were inventoried. As a result, for these four
                        agencies alone, over 800 systems had not been inventoried, and the
                                                                                           13
                        electronic records maintained in them had not been scheduled.
                        Scheduling the electronic records in a large number of major

                        12
                         U.S. General Accounting Office, Information Management: Challenges in Managing and Preserving
                        Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002).
                        13
                          According to information collected by the Office of Management and Budget in November 1999 as
                        part of the federal government’s effort to assess the Year 2000 computing challenge, 6,435 mission-
                        critical systems were reported at the 24 major agencies. For the 4 agencies we reviewed, the number of
                        mission-critical systems was reported to be 907. Subcommittee on Government Management,
                        Information, and Technology, House Committee on Government Reform, Federal Government Earns B+
                        on a Final Y2K Report Card, news release (Washington, D.C.: Nov. 22, 1999).

                        Page 11                                                                              GAO-03-936T
                          information systems presents an enormous challenge, particularly
                          since it generally takes NARA, in conjunction with agencies, well
                          over 6 months to approve a new schedule.
                          Failure to inventory systems and schedule records places these
                          records at risk. The absence of inventories and schedules means
                          that NARA and agencies have not examined the contents of these
                          information systems to identify official government records,
                          appraised the value of these records, determined appropriate
                          disposition, and directed and trained employees in how to maintain
                          and when and how to dispose of these records. As a result,
                          temporary records may remain on hard drives and other media long
                          after they are needed or could be moved to less costly forms of
                          storage. In addition, there is increased risk that these records may
                          be deleted prematurely while still needed for fiscal, legal, and
                          administrative purposes. Further, the lack of scheduling presents
                          risks to the preservation of permanent records of historic
                          significance.

Guidance on Management of Electronic Records Was Not Up to Date
                          NARA acknowledged in 2001 that its policies and processes on
                          electronic records had not yet evolved to reflect the modern
                          recordkeeping environment: records created electronically in
                                                   14
                          decentralized processes. Despite repeated attempts to clarify its
                          electronic records guidance through a succession of bulletins, the
                          guidance was incomplete and confusing. It did not provide
                          comprehensive disposition instructions for electronic records
                          maintained in many of the common types of formats produced by
                          federal agencies, including Web pages and spreadsheets. To support
                          their missions, many agencies had to maintain such records—often
                          in large volumes—with little guidance from NARA.

Agency Records Management Programs Had Low Priority and Did Not Have Technology
Tools
                          NARA’s study concluded that records management was not even “on
                          the radar scope” of agency leaders. Further, records officers had
                          little clout and did not appear to have much involvement in or
                          influence on programmatic business processes or the development
                          of information systems designed to support them. New government

                          14
                           National Archives and Records Administration, An Overview of Three Projects Relating to the
                          Changing Federal Recordkeeping Environment (January 2001)
                          (http://www.nara.gov/records/rmioverview.html).

                          Page 12                                                                            GAO-03-936T
                          employees seldom received any formal, initial records management
                          training. One agency told NARA that records management was
                          “number 26 on our list of top 25 priorities.”
                          Further, records management is generally considered a “support”
                          activity. Since support functions are typically seen as the most
                          dispensable in agencies, resources for and focus on these functions
                          are often limited. Also, as NARA’s study noted, federal downsizing
                          may have negatively affected records management and staffing
                          resources in agencies.
                          In our June 2002 report, we recommended that the Archivist of the
                          United States address the priority problem by developing a
                          documented strategy for raising agency senior management
                          awareness of and commitment to records management principles,
                          functions, and programs.
                          Related to the priority issue is the need for appropriate information
                          technology tools to respond to the technical challenge of electronic
                          records management: for electronic records to be managed
                          effectively, agencies require a level of technology that was not
                          necessary for paper-based records management programs. Unless
                          management is focused on records management, priority is not
                          given to acquiring or upgrading the technology required to manage
                          records in an electronic environment. Agencies that do invest in
                          electronic records management systems tend to do so because they
                          value good records management and have a critical need to retrieve
                          information efficiently. In other agencies, despite the growth of
                          electronic media, agency records systems are predominantly in
                          paper format rather than electronic. According to NARA’s study,
                          many agencies were either planning or piloting information
                          technology initiatives to support electronic records management,
                          but their movement to electronic systems is constrained by the level
                          of financial support provided for records management.

Inspections of Agency Records Management Programs Were Limited
                          NARA is responsible, under the Federal Records Act, for conducting
                          inspections or surveys of agency records and records management
                          programs and practices. Its implementing regulations require NARA
                          to select agencies to be inspected (1) on the basis of perceived need
                          by NARA, (2) by specific request by the agency, or (3) on the basis
                          of a compliance monitoring cycle developed by NARA.15 In all
                          instances, NARA is to determine the scope of the inspection. Such

                          15
                               CFR 1220.54 (a).

                          Page 13                                                   GAO-03-936T
                      inspections provide not only the means to assess and improve
                      individual agency records management programs but also the
                      opportunity for NARA to determine overall progress in improving
                      agency records management and identify problem areas that need to
                      be addressed in its guidance.
                      In 2000, NARA changed its method of performing inspections: rather
                      than performing a small number of comprehensive agency reviews,
                      it instituted an approach that it refers to as “targeted assistance.”
                      NARA decided that its previous approach to inspections was
                      basically flawed, because it could reach only about three agencies
                      per year,16 and because the inspections were often perceived
                      negatively by agencies, resulting in a list of records management
                      problems that agencies then had to resolve on their own. Under the
                      targeted assistance approach, NARA works with agencies, providing
                      them with guidance, assistance, or training in any area of records
                      management.
                      However, we pointed out in our June 2002 report that this approach,
                      although it may improve records management in the targeted
                      agencies, is not a substitute for systematic inspections and
                      evaluations of federal records programs. Targeted assistance has
                      significant limitations because it is voluntary and, according to
                      NARA, initiated by agency request. Thus, only agencies requesting
                      assistance are evaluated, and the scope and the focus of the
                      assistance are not determined by NARA but by the requesting
                      agency.
                      In light of these limitations, we recommended in June 2002 that the
                      Archivist develop a documented strategy for conducting systematic
                      inspections of agency records management programs to
                      (1) periodically assess agency progress in improving records
                      management programs and (2) evaluate the efficacy of NARA’s
                      governmentwide guidance.


NARA Is Continuing to Respond to Records Management Challenges,
but Its Progress on Inspections is Limited
                      Since June 2002, NARA has taken steps to strengthen its guidance,
                      to address the low priority accorded to records management
                      programs and the associated lack of technology tools, and to revise
                      its approach to inspections as part of a comprehensive strategy for
                      16
                         Between 1996 and 2000, NARA performed 16 inspections of agency records management programs;
                      only 2 of the 24 major executive departments or agencies were reviewed, with most evaluations
                      focused on component organizations or independent agencies.

                      Page 14                                                                         GAO-03-936T
                         assessing agencies’ management of records. However, NARA’s plans
                         to implement its comprehensive new strategy are not yet complete.
                         Although the strategy describes a reasonably systematic approach
                         that allows NARA to focus its resources appropriately and to use
                         inspections and other interventions to assess and improve federal
                         records management, it does not yet include a description of how
                         NARA will establish an ongoing program.

NARA Is Improving Records Management Guidance
                         Since our 2002 report, NARA has taken steps to update its guidance
                         on electronic records management in various areas. For example,
                         although 36 CFR Part 1234, the basic guidance on electronic
                         records, has not been updated to reflect new types of electronic
                         records, NARA has produced a variety of guidance on electronic
                         records. A new General Records Schedule, GRS 24, “Information
                         Technology Operations and Management Records,” was issued on
                         April 28, 2003. In addition, “Records Management Guidance for PKI-
                         Unique Administrative Records,” which was jointly developed by
                         NARA and the Federal Public Key Infrastructure Steering
                         Committee’s Legal/Policy Working Group, was issued on March 14,
                         2003. As part of its e-government initiative, NARA has just released
                         guidance on evaluating funding proposals for electronic records
                         management systems through capital planning processes.
                                                                                 17
                         NARA has also supplemented its disposition guidance as a result of
                         the project on transfer of permanent electronic records under its e-
                         government initiative: this guidance covers transferring permanent
                         E-mail records and attachments, several forms of scanned images of
                         text files, and PDF, and it expanded the methods by which agencies
                         could transfer electronic records to NARA for archiving. NARA is
                         also planning to expand the capability of its current systems for
                         archiving electronic records by accommodating additional
                         electronic record formats and volumes. However, according to
                         NARA, agencies have not yet transferred electronic records in these
                         formats to NARA; these records may not be scheduled or may not
                         yet be eligible for transfer.
                         In addition, as part of the policy analysis in its effort to redesign
                         federal records management, NARA has stated that it plans to
                         identify policies, procedures, regulations, and guidance that would
                         need to be modified in light of the proposed redesign.



                         17
                              These requirements are found in 36 CFR Part 1228.

                         Page 15                                                    GAO-03-936T
Efforts Continue to Raise the Priority of Agency Records Management Programs and
Address Technology Issues
                             In response to our recommendation that it develop a documented
                             strategy for raising agency senior management awareness of records
                             management, NARA devised a strategy intended to raise awareness
                             of the importance of agency records management. The strategy
                             includes two goals:
                         •   increased senior-level awareness of the importance of records
                             management, particularly electronic records management, across
                             the federal government and in specific agencies, and
                         •   increased senior-level understanding of how effective records
                             management programs support the business needs of specific
                             agencies and the federal government as a whole.
                             As part of its strategy, NARA identified a number of activities that its
                             senior leaders will conduct, including briefing agency program
                             leaders on the importance of records and information management
                             in general and on specific issues (such as electronic record keeping
                             requirements, litigation exposure, and vital records), participating in
                             establishing or closing out certain targeted assistance agreements,
                             and pursuing promotional activities such as making speeches and
                             holding conferences.
                             NARA has also developed an implementation plan, which
                             establishes goals, timeframes, and required resources for fiscal year
                             2003. For example, the plan contains a goal of conducting six agency
                             briefings by the end of September; three have been completed to
                             date, and a fourth has been scheduled for mid-July. A similar
                             implementation plan for fiscal year 2004 is to be developed by
                             September 1.
                             NARA’s strategy for raising senior agency management awareness
                             appears reasonable, and if carried out effectively could help to
                             mitigate the problem of the low priority given to records
                             management.
                             Since our June 2002 report, some steps have also been taken to
                             address the lack of technology tools to manage electronic records.
                             In January 2003, NARA recommended that agencies use version 2 of
                             DOD standard 5015.2, which sets forth a set of requirements for
                             records management applications, including that they be able to
                             manage records regardless of their media. The effort to promulgate
                             this standard was part of the electronic information management
                             standards project under the ERM initiative. Under the standard,
                             DOD is to certify records management applications as meeting the

                             Page 16                                                     GAO-03-936T
                           standard; as of the end of June 2003, DOD had certified 43
                           applications. The availability of applications that conform to the
                           standard may be helpful in encouraging agencies to adopt records
                           management systems that address electronic records.

NARA Plans Comprehensive Approach to Improving Agency Records Management
                           In response to its own mission needs and our recommendations of
                           June 2002 regarding its inspection program, NARA has documented
                           a new strategy for assessing agencies’ management of records. This
                           strategy is described in draft documents that describe NARA’s plans
                           for setting priorities and for conducting inspections and studies. The
                           new approach is now being piloted with the Department of
                           Homeland Security; the results of the pilot—expected by September
                           30, 2003—will determine whether it is extended governmentwide.
                           The main features of the draft strategy are as follows:
                       •   NARA will evaluate agencies and work processes in terms of risk to
                           records, implications for legal rights and accountability, and the
                           quantity and value of the permanent records; it will focus its
                           resources on high-priority areas. This process of assessing risks and
                           priorities will involve NARA staff with subject-matter and agency
                           expertise, and it will address records management governmentwide.
                       •   NARA plans to use a variety of means to address areas identified for
                           attention through its risk and priority assessment. Among the means
                           being considered are targeted assistance, records management
                                                      18
                           studies, and inspections. The strategy indicates that NARA has
                           changed its approach to targeted assistance: Rather than using it
                           only when an agency requests assistance, NARA intends to
                           recommend that an agency accept targeted assistance when NARA
                           has identified records management issues at that agency that require
                           attention. In addition, NARA plans to perform studies on records
                           management best practices as a means not only to encourage good
                           records management practices throughout government, but also to
                           recognize agencies whose records management programs have
                           exemplary features. According to the strategy, inspections will be
                           conducted only under exceptional circumstances, when the risk to
                           records is deemed high, and after other means have failed to
                           mitigate risks (e.g., targeted assistance, training, and so on).
                       •   NARA intends to focus on the core functions of the federal
                           government, rather than on individual agencies. It will use as its

                           18
                            Other means include standard and tailored training programs, certification programs for records
                           managers, and various forms of advocacy.

                           Page 17                                                                             GAO-03-936T
                      starting point the business areas defined in the Business Reference
                      Model19 of the Federal Enterprise Architecture.20 By focusing on the
                      Business Reference Model’s broad activities and work processes,
                      which cut across agency lines, NARA may inspect a single agency or
                      a group of agencies in one line of business.
                      Although NARA’s strategy appears to be a reasonably systematic
                      approach that allows it to focus its resources appropriately and to
                      use inspections and other interventions to assess and improve
                      federal records management, it is not yet complete. Specifically, the
                      draft strategy does not yet include a description of how NARA will
                      establish an ongoing program. For example, the priority assessment
                      plan does not indicate whether NARA will revise its risk
                      identification process as circumstances warrant, or if this a single-
                      time occurrence. NARA officials have said that the agency will
                      update its priority and risk assessments periodically, but this is not
                      yet reflected in the plan. Further, the strategy states that the results
                      of studies may be used to improve guidance, but it does not create a
                      similar feedback loop for inspection results. While records
                      management guidance may benefit from the “best practices”
                      identified in studies, inspection results could also identify areas
                      where guidance needs to be clarified, augmented, and strengthened.
                      Finally, no implementation plan or schedule for this new strategy
                      has yet been devised.
                      Without a strategy that provides for establishing an ongoing
                      program that includes a feedback cycle, as well as complete
                      implementation plans that fully reflect that strategy, NARA’s efforts
                      to assess records management programs may not provide it with the
                      information that it needs to improve its guidance and to support its
                      redesign of federal records management.


NARA’s Acquisition of ERA Continues to Face Risks
                      In addition to its efforts to improve records management across the
                      government, NARA is also acquiring ERA as a means to archive all
                      types of electronic records and make them accessible, regardless of
                      changes to hardware and software over time. However, NARA faces
                      significant challenges in acquiring ERA. ERA will be a major

                      19
                         The Business Reference Model is a function driven framework for describing the business operations
                      of the federal government independent of the agencies that perform them.
                      20
                         The Federal Enterprise Architecture is a business-based foundation that provides a common
                      framework for governmentwide improvements in key areas such as performance measurement and e-
                      government. The Office of Management and Budget began development of the Federal Enterprise
                      Architecture in February 2002.

                      Page 18                                                                             GAO-03-936T
    information system; NARA has no previous experience in acquiring
    major information systems. Further, no comparable electronic
    archive system is now in existence, in terms of either complexity or
    scale. Finally, technology necessary to address some key
    requirements of ERA is not commercially available and will have to
    be developed. In light of these challenges, NARA will face significant
    difficulties in its ERA acquisition unless it addresses
•   its information technology (IT) organizational capabilities;
•   ERA system acquisition policies, plans, and practices; and
•   its ability to control ERA’s cost and schedule.
    NARA has indicated that it needs to strengthen its IT organizational
    capabilities and has been taking steps to do so in three key areas:
•   IT investment management provides a systematic method for
    agencies to minimize risks while maximizing the return on IT
    investments.
•   An enterprise architecture provides a description—in useful models,
    diagrams, and narrative—of the mode of operation for an agency. It
    provides a perspective on agency operations both for the current
    environment and for the target environment, as well as a transition
    plan for sequencing from the current to the target environment.
    Managed properly, an enterprise architecture can clarify and help
    optimize the dependencies and relationships among an agency’s
    business operations and the underlying IT infrastructure and
    applications that support these operations.
•   Information security is an important consideration for any
    organization that depends on information systems to carry out its
    mission. Our study of security management best practices found
    that leading organizations manage their information security risk
    through an ongoing cycle of risk management.
    NARA has made progress in strengthening these capabilities, but
    these efforts are incomplete. For example, NARA has improved its
    IT investment management. However, although it is continuing to
    develop an enterprise architecture, NARA does not plan to complete
    its target architecture in time to influence the ERA system definition
    and requirements. In addition, it has completed some elements of an
    information security program, but several key areas have not yet
    been addressed (such as individual system security plans), and
    NARA has not assessed the security risks to its major information
    systems.



    Page 19                                                    GAO-03-936T
In addition, NARA has developed policies, plans, and practices to
guide the ERA acquisition, but these do not consistently conform to
industry standards and federal acquisition guidance. NARA has
chosen to follow Institute of Electrical and Electronics Engineers
(IEEE) standards21 in developing its policies, plans, and practices.
Examples of these include (1) a concept of operations that
describes the characteristics of a proposed system from the users’
viewpoint and provides the framework for all subsequent activities
leading to system deployment, (2) an acquisition strategy that
establishes how detailed acquisition planning and program
execution will be accomplished, and (3) a risk management plan to
identify potential problems and adjusting the acquisition to mitigate
them. However, key policy and planning documents are missing
elements that are required by the standards and federal acquisition
guidance: for example, the ERA acquisition strategy did not satisfy
15 of 32 content elements required by the relevant IEEE standard.
Further, NARA is unable to track the cost and schedule of the ERA
project. The ERA schedule does not include all program tasks and
lacks a work breakdown structure, which would include detail on
the amount of work and resources required to complete each task.
Unless NARA can address these issues, the risk is increased that the
ERA system will fail to meet user expectations, and that NARA may
not have the information required to control the cost of the system
or the time it will take to complete it.
In light of these risks, our briefing included recommendations to
NARA to address the weaknesses in its acquisition policies, plans
and procedures and to improve its ability to adequately track the
project’s cost and schedule.


In summary, NARA and the federal government face significant
challenges in managing electronic records, which are largely due to
the rapidly changing technological environment. While NARA is
responding to these challenges with its various initiatives, much
work remains to be done. Specifically, NARA has implemented our
recommendation to address the low priority given to records
management programs. The agency’s advocacy strategy, if
implemented effectively, could help raise awareness of the
importance of records management governmentwide. However,

21
  The Institute of Electrical and Electronics Engineers, 12207.0 Standard for Information
Technology—Software Life Cycle Processes; 12207.1 Standard for Information Technology—Software
Life Cycle Processes—Life Cycle Data; and 12207.2 Standard for Information Technology—Software
Life Cycle Processes—Implementation Considerations.

Page 20                                                                        GAO-03-936T
                    NARA has not fully responded to our recommendation for a
                    revitalized inspection program. Further, while it is making progress
                    in building its capacity to acquire a major system, it has not
                    developed adequate policies, plans, and practices to guide the ERA
                    acquisition or established an effective means to track the project’s
                    cost and schedule. Until NARA fully addresses these challenges, the
                    success of the ERA project remains at risk, the government may not
                    be able to gain control over the massive numbers of electronic
                    records that continue to grow every day, and permanent records of
                    historical value may be subject to loss.
                    Mr. Chairman, this concludes my statement. I would be pleased to
                    answer any questions that you or other members of the
                    subcommittee may have at this time.


Contact and Acknowledgements
                    If you should have any questions about this testimony, please
                    contact me at (202) 512-6222 or via E-mail at koontzl@gao.gov.
                    Other major contributors to this testimony included Tim Case,
                    Barbara Collier, Mirko Dolak, and Elena Epps.




(310375)

                    Page 21                                                  GAO-03-936T