United States General Accounting Office GAO Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, House of Representatives For Release on Delivery Expected at 10 a.m. EDT Tuesday, July 8, 2003 ELECTRONIC RECORDS Management and Preservation Pose Challenges Statement of Linda D. Koontz Director, Information Management Issues GAO-03-936T This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. July 8, 2003 ELECTRONIC RECORDS Management and Preservation Pose Highlights of GAO-03-936T, a testimony Challenges before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, House of Representatives The difficulties of managing, As reported in GAO’s past work, most electronic records—including preserving, and providing access to databases of major federal information systems—remained unscheduled: the vast and rapidly growing that is, their value had not been assessed, and their disposition—to volumes of electronic records destruction or archives—had not been determined. In addition, records of produced by federal agencies historical value were not being identified and provided to NARA; as a result, present challenges to the National Archives and Records they were at risk of loss. NARA has begun to address these problems by Administration (NARA), the taking steps to improve federal records management programs; among other nation’s recordkeeper and things, it has (1) updated guidance to reflect new types of electronic records, archivist. Complex electronic (2) devised a strategy for raising awareness among senior agency records are being created in management of the importance of good federal records management, and volumes that make them difficult to (3) devised a comprehensive approach to improving agency records organize and keep accessible. management that includes inspections and identification of risks and These problems are compounded priorities. Through these and other actions, NARA is making progress, but its as computer hardware, application approach to improving records management does not include provisions for software, and even storage media using inspections to evaluate the efficacy of its governmentwide guidance, become obsolete, as they may leave and an implementation plan for the approach has yet to be established. behind electronic records that can no longer be read. As a result, Without these elements, the risk is increased that federal records valuable government information management problems will persist. may be lost. GAO was requested to testify, among other things, on In addition to its efforts to improve records management, NARA is also NARA’s recent actions to address acquiring ERA as a means to archive all types of electronic records and the challenges of electronic records make them accessible. GAO found, however, that NARA faces significant management, including its effort to challenges in acquiring ERA, a major information system. While NARA has address the problem of preserving made progress in building its organizational capabilities for acquiring major electronic records by acquiring an information systems, it has not developed adequate policies, plans and advanced Electronic Records practices to guide the ERA acquisition or established the means to track the Archive (ERA). cost and schedule of the project. Unless NARA addresses these and other issues, the ERA system may not meet user expectations, and NARA may not have the information required to control the cost of the system or the time it will take to complete it. Master Copies of Electronic Records in NARA’s Archives www.gao.gov/cgi-bin/getrpt?GAO-03-936T. To view the full product, click on the link above. Source: NARA. For more information, contact Linda Koontz at (202) 512-6240 or email@example.com. Mr. Chairman and Members of the Subcommittee: I appreciate the opportunity to participate in the Subcommittee’s hearing on the challenges of records management in an electronic era. As you know, agencies are increasingly moving to an operational environment in which electronic—rather than paper— records are used to document their activities and business processes. This migration to an increasingly electronic environment is likely to accelerate in light of the E-Government Act of 2002, which encourages the expansion of electronic government.1 This transformation is leading to improvements in the way federal agencies work and interact with each other and with the public, but it has also led to the generation of vast and rapidly growing volumes of electronic records. These records need to be properly managed, as they provide documentation and information that are necessary for essential government functions and for protecting government and citizen interests. Also, a small percentage of documents and other records are sufficiently significant that they must be preserved 2 in archives for the historical record. Overall responsibility for the government’s electronic records lies with the National Archives and Records Administration (NARA),3 whose mission is twofold: (1) oversight of records management, which governs the life cycle of records (creation, maintenance and use, and disposition), and (2) archiving, which is the permanent preservation of documents and other records of historical interest. In carrying out these missions, NARA and agencies use a process known as scheduling to assess the value of records and determine their disposition. As requested, in my remarks today, I will begin by providing some perspective on records management and its importance to the government in today’s environment. In addition, I will • describe the challenges that the government faces in managing and preserving electronic records, • summarize the results of our June 2002 report on electronic records management issues, 1 Electronic government refers to the use of technology, particularly Web-based Internet applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, other agencies, and other entities. 2 Of the total number of federal records, less than 3 percent are designated permanent. 3 NARA’s regulations implementing the Federal Records Act are found at 36 CFR 1200-1280. Page 1 GAO-03-936T • provide information on NARA’s actions since we issued our report and assess its progress in responding to the recommendations we made to improve governmentwide records management, and • assess NARA’s efforts to acquire an advanced electronic record archive (ERA), intended to preserve and provide access to electronic records. Our evaluation of records management challenges and issues is based on our June 2002 report, entitled Information Management: Challenges in Managing and Preserving Electronic Records. To update NARA actions since our report, we analyzed key documents and plans, and we interviewed appropriate agency officials. Our assessment of NARA’s efforts to acquire ERA reflects the results of ongoing work, the results of which will be reported in August 2003. We performed our update work from June to July 2003 in accordance with generally accepted auditing standards. Results in Brief The rapid evolution of information technology is creating challenges in managing and preserving electronic records. Complex electronic records are increasingly being created in a decentralized environment and in volumes that make it difficult to organize them and make them accessible. Further, storage media themselves are affected by the dual problems of obsolescence and deterioration: for example, few computers today have disk drives that can read information stored on 8 or 5¼-inch diskettes, even if the diskettes themselves remain readable. These problems are compounded as computer hardware and application software become obsolete, as they may leave behind electronic records that can no longer be read. Unless these challenges are addressed, valuable government information may be lost forever. Our past work has shown that while NARA has responded to the challenges associated with managing and preserving electronic records, most electronic records—including databases of major federal information systems—remained unscheduled, and records of historical value were not being identified and provided to NARA; as a result, they were at risk of loss. A number of factors contributed to this condition: • NARA acknowledged that its policies and processes on electronic records had not yet evolved to reflect the modern recordkeeping Page 2 GAO-03-936T environment: records created electronically in decentralized processes. • Records management programs were generally afforded low priority by federal agencies. A related issue was that agency management had not given priority to acquiring the more sophisticated and expensive information technology required to manage records in an electronic environment. • NARA was also not performing systematic inspections of agency records programs. Such inspections are important as a means to evaluate individual agency records management programs, assess governmentwide progress in improving records management, and identify agency implementation issues and areas where guidance needs to be strengthened. We recommended that NARA develop strategies for raising agency management awareness of the importance of records management and for performing systematic inspections. In the year since our report was issued, NARA has taken steps to improve its guidance and address the lack of technology tools. In response to our recommendations, it has devised a reasonable strategy for raising awareness among senior agency management. In addition, it has devised a comprehensive approach to improving agency records management that includes inspections and identification of risks and priorities, but its approach does not include provisions for using inspections to evaluate the efficacy of its governmentwide guidance, and an implementation plan for the approach has yet to be established. Until NARA fully addresses the need to assess and improve agency records management programs and develop an implementation plan, the risk is increased that records management programs will continue to show the weaknesses that led to the scheduling and disposition problems that we and NARA described in earlier work. To address the problems associated with preserving electronic records in a rapidly changing technological environment, NARA is acquiring ERA, an advanced archiving system whose acquisition presents significant challenges. First, while NARA has made progress in strengthening its organizational capabilities for acquiring major information systems, these capabilities are not fully established. For example, NARA has completed some elements of an information security program; however, several key areas—such as developing individual system security plans—have not yet been addressed. Second, the policies, plans, and practices that NARA is using to acquire ERA do not in many cases conform to standards or Page 3 GAO-03-936T to applicable federal acquisition guidance. Finally, NARA is unable to objectively track the cost and schedule of the ERA project. Unless NARA improves its acquisition planning, the risk is increased that the ERA system will fail to meet user expectations, and that NARA will not have the information required to control the cost of the system or the time it will take to complete it. In view of these risks, we have recommended that NARA address weaknesses in its acquisition policies, plans, and practices and its ERA schedule. Background NARA’s mission is to ensure “ready access to essential evidence” for the public, the president, the Congress, and the Courts. NARA’s 4 responsibilities stem from the Federal Records Act, which requires each federal agency to make and preserve records that • document the organization, functions, policies, decisions, procedures, and essential transactions of the agency and • provide the information necessary to protect the legal and financial rights of the government and of persons directly affected by the agency’s activities. Federal records must be managed to ensure that the information that they contain is available when needed. According to NARA, without effective records management, the records needed to document citizens’ rights, actions for which federal officials are responsible, and the historical experience of the nation will be at risk of loss, deterioration, or destruction. Records management is defined as the policies, procedures, guidance, tools and techniques, resources, and training needed to design and maintain reliable and trustworthy records systems. Records must be managed throughout their life cycle: from creation, through maintenance and use, to final disposition. Temporary records—those used in everyday operations but lacking historic value—are ultimately destroyed. Permanent records—those judged to be of historic value—are preserved through archiving. With NARA’s oversight and assistance, each agency is responsible for managing its own records at all phases of the life cycle, with the exception of the archiving of permanent records (which is NARA’s responsibility). 4 44 U.S.C. chapters 21, 29, 31, and 33. Page 4 GAO-03-936T NARA Is Responsible for Oversight of Records Management and for Archiving NARA is responsible for • issuing records management guidance; • working with agencies to implement effective controls over the creation, maintenance, and use of records in the conduct of agency business; • providing oversight of agencies’ records management programs; and • providing storage facilities for certain temporary agency records. The Federal Records Act also authorizes NARA to conduct inspections of agency records and records management programs. Records Are Managed through Scheduling NARA works with agencies to identify and inventory records; to appraise their value; and to determine whether they are temporary or permanent, how long the temporary records should be kept, and under what conditions both the temporary and permanent records should be kept. This process is called scheduling. No record may be destroyed unless it has been scheduled. Thus, for temporary records the schedule is of critical importance, because it provides the authority to dispose of the record after a specified time. Records are governed by schedules that are either (1) specific to an agency or (2) general—that is, common to several agencies or across the government. According to NARA, records covered by general records schedules make up about a third of all federal records. For the other two thirds, NARA and the agencies must agree upon specific records schedules. Once a schedule has been approved, the agency must issue it as a management directive, train employees in its use, apply its provisions to temporary and permanent records, and evaluate the results. Guidance Addresses Electronic Records While the Federal Records Act covers documentary material regardless of physical form or media, records management and archiving were until recently largely focused on handling paper documents. With the advent of computers, both records management and archiving have had to take into account the creation of records in varieties of electronic formats. NARA’s basic guidance for the management of electronic records is in the form of a regulation at 36 CFR Part 1234. This guidance is Page 5 GAO-03-936T supplemented by the issuance of periodic NARA bulletins and a records management handbook, Disposition of Federal Records. For electronic records, NARA’s guidance sets forth two basic requirements. • First, agencies are required to maintain an inventory of all agency information systems. The inventory should identify (1) the system’s name, (2) its purpose, (3) the agency programs supported by the system, (4) data inputs, sources, and outputs, (5) the information content of databases, and (6) the system’s hardware and software environment. • Second, NARA requires agencies to schedule the electronic records maintained in their systems. Agencies must schedule those records either under specific schedules (completed through submission and approval of Standard Form 115, Request for Records Disposition Authority) or pursuant to a general records schedule. NARA relies on this combination of inventory and scheduling requirements to ensure that management of agency electronic records is consistent with the Federal Records Act. NARA has also established a general records schedule for electronic records. General Records Schedule 20 (GRS 20) authorizes the disposal of certain categories of temporary electronic records. It has been revised several times over the years in response to developments in information technology, as well as legal challenges. GRS 20 applies to electronic records created both in computer centers engaged in large-scale data processing and in the office automation environment. GRS 20 authorizes the disposal of certain types of electronic records associated with large data base systems, (such as inputs, outputs, and processing files), as well as the deletion of the electronic version of records on word processing and electronic mail systems once a recordkeeping copy has been made. Since most agency recordkeeping systems are paper files, GRS 20 essentially authorizes agencies to destroy E-mail and word- processing files once they are printed. (Recall that records not covered by a general records schedule may not be destroyed unless authorized by a records schedule that has been approved by NARA.) GRS 20 does not address many common products of electronic information processing, particularly those that result from the now prevalent distributed, end-user computing environment. For example, although the guidance addresses the disposition of certain types of electronic records associated with large databases, it does not specifically address the disposition of electronic databases created by microcomputer users. In addition, GRS 20 does not Page 6 GAO-03-936T address more recent forms of electronic records such as Web pages and portable document format (PDF) files.5 NARA Archives Permanent Records of Historical Interest As the nation’s archivist, NARA accepts for deposit to its archives those records of federal agencies, the Congress, the Architect of the Capitol, and the Supreme Court that are determined to have sufficient historical or other value to warrant their continued preservation by the U.S. government. NARA also accepts papers and other historical materials of the Presidents of the United States, documents from private sources that are appropriate for preservation (including electronic records, motion picture films, still pictures, and sound recordings), and records from agencies whose existence has been terminated. To ensure that permanent electronic records are preserved, each agency must transfer electronic records to NARA in accordance with the agency’s records disposition schedule. NARA accepts for archiving electronic records that are in text-based formats, such as databases and certain text-based geographic information system 6 (GIS) files. In addition, NARA accepts E-mail records and attachments, several forms of scanned images of text files, and PDF files. It does not accept Web pages, word processor files, or relational databases. (Although NARA does not as yet accept such files for archiving, they must still be scheduled.)7 Agencies Are Beginning to Automate Management of Electronic Records In response to the difficulty of manually managing electronic records, agencies are turning to automated records management applications to help automate electronic records management lifecycle processes. The primary functions of these applications include categorizing and locating records and identifying records that are due for disposition, as well as storing, retrieving, and disposing of electronic records that are maintained in repositories. 5 PDF is a proprietary format of Adobe Systems, Inc., that preserves the fonts, formatting, graphics, and color of any source document, regardless of the application and platform used to create it. 6 A geographic information system is a computer system for capturing, storing, checking, integrating, manipulating, analyzing, and displaying data related to positions on the Earth’s surface. Typically, a GIS is used for handling maps of one kind or another. These might be represented as several different layers where each layer holds data about a particular kind of feature (e.g., roads). Each feature is linked to a position on the graphical image of a map. 7 NARA’s requirements for the transfer of agency electronic records are provided through 36 CFR Part 1228. NARA’s Web site provides further guidance on this topic under the heading Permanent E- Records Transfers to NARA Deliverables. (http://www.archives.gov/records_management/initiatives/transfer_to_nara.html) Page 7 GAO-03-936T Also, some applications are beginning to be designed to automatically classify electronic records and assign them to an appropriate records retention and disposition category. The Department of Defense (DOD), which is pioneering the assessment and use of records management applications, has published application standards and established a certification program.8 DOD standard 5015.2, endorsed by NARA, includes the requirement that records management applications acquired by DOD components after 1999 be certified to meet this standard.9 NARA Is Currently Pursuing Initiatives Related to Electronic Records Management NARA is pursuing other interrelated efforts that address records management (including electronic records). Three major initiatives are • NARA’s effort on Redesign of Federal Records Management; • the Electronic Records Management initiative, one of 25 e- government initiatives sponsored by the Office of Management and Budget (OMB), and • the acquisition of an advanced Electronic Records Archives (ERA). In 2000, NARA began a three-stage effort to redesign federal records management. First, in 2001, NARA produced a report based on information on federal records management that it collected and 10 analyzed. Second, it used this report as a starting point to revise the regulations, policies, and processes for managing federal records and to develop a set of strategies to support federal records management. As a result of this analysis, in July 2002 NARA issued a draft proposal for the redesign of federal records management. Third, based on comments received on the proposal, it is developing a redesigned records scheduling, appraisal, and accessioning process, as well as prototype and functional requirements for automated tools for the redesigned process. The redesign is planned as a multiyear process (2003 to 2006), during which NARA intends 8 Department of Defense, Design Criteria Standard for Electronic Records Management Software Applications, DOD 5015.2-STD (November 1997) (http://www.dtic.mil/whs/directives/corres/html/50152std.htm). 9 DOD 5015.2-STD requires that records management applications be able to manage records regardless of their media. 10 SRA International, Inc., Report on Current Recordkeeping Practices within the Federal Government (Dec. 10, 2001) (http://www.nara.gov/records/rkreport.html). This document reports results from two sources: a recordkeeping study performed by NARA’s contractor, SRA International, and a series of records system analyses performed by NARA staff. Page 8 GAO-03-936T to address the scheduling and appraisal of federal records in all formats. The overall purpose of the Electronic Records Management (ERM) initiative is to help agencies better manage their electronic records, so that records information can be effectively used to support timely and effective decision making, enhance service delivery, and ensure accountability. The initiative is intended to provide a variety of tools to address immediate and longer term agency needs. NARA is the managing partner agency for the overall ERM initiative. The goals for the advanced ERA system are that it will be able to preserve and provide access to any kind of electronic record, free from dependency on any specific hardware or software, so that the agency can carry out its mission into the future. NARA plans for ERA to be a distributed system, allowing storage and management of massive record collections at a variety of installations, with accessibility provided via the Internet. NARA is planning to build the system in five increments, with the last increment scheduled to be complete in 2010. Inherent Features of Electronic Records Make Management and Preservation Challenging The rapid evolution of information technology makes the task of managing and preserving electronic records complex and costly. Part of the challenge of managing electronic records is that they are produced by a mix of information systems, which vary not only by type but by generation of technology: the mainframe, the personal computer, and the Internet. Each generation of technology brought in new systems and capabilities without displacing the older systems.11 Thus, organizations have to manage and preserve electronic records associated with a wide range of systems, technologies, and formats. These records are stored in specific formats and cannot be read without software and hardware— sometimes the specific types of hardware and software on which they were created. Several factors contribute to the challenge of managing and preserving electronic records: 11 International Council on Archives, Guide for Managing Electronic Records from an Archival Perspective (Paris: February 1997). Page 9 GAO-03-936T • Massive volumes of electronic data require automated solutions. Electronic records are increasingly being created in volumes that pose a significant technical challenge to our ability to organize them and make them accessible. For example, among the candidates for archiving are military intelligence records comprising more than 1 billion electronic messages, reports, cables, and memorandums, as well as over 50 million electronic court case files. Managing such large volumes is clearly not possible without automation. • Control of electronic records is difficult in a decentralized computing environment. The challenge of managing electronic records significantly increases with the decentralization of the computing environment. In the centralized environment of a mainframe computer, it is easier to identify, assess, and manage electronic records than it is in the decentralized environment of agencies’ office automation systems, where every user is creating electronic files that may constitute a formal record and thus should be preserved. • The complexity of electronic records precludes simple transfer to paper. Electronic records have evolved from simple text-based files to complex digital objects that may contain embedded images (still and moving), drawings, sounds, hyperlinks, or spreadsheets with computational formulas. Some portions of electronic records, such as the content of dynamic Web pages, are created on the fly from databases and exist only during the viewing session. Others, such as E-mail, may contain multiple attachments, and they may be threaded (that is, related E-mail messages are linked into send–reply chains). These records cannot be converted to paper or text formats without the loss of context, functionality, and information. • Obsolescent and aging storage media put electronic records at risk. Storage media are affected by the dual problems of obsolescence and decay. They are fragile, have limited shelf life, and become obsolete in a few years. For example, few computers today have disk drives that can read information stored on 8- or 5¼-inch diskettes, even if the diskettes themselves remain readable. • Electronic records are dependent on evolving software and hardware. Electronic records are created on computers with software ranging from word-processors to E-mail programs. As computer hardware and application software become obsolete, they may leave behind Page 10 GAO-03-936T electronic records that cannot be read without the original hardware and software. Past GAO Work Highlighted Electronic Records Challenges In June 2002,12 we reported that NARA had responded to the challenges associated with managing and preserving electronic records. However, most electronic records—including databases of major federal information systems—remained unscheduled, and records of historical value were not being identified and provided to NARA; as a result, they were at risk of loss. A number of factors contributed to this condition: • NARA acknowledged that its policies and processes on electronic records had not yet evolved to reflect the modern recordkeeping environment: records created electronically in decentralized processes. • Records management programs were generally afforded low priority by federal agencies. A related issue was that agency management had not given priority to acquiring the more sophisticated and expensive information technology required to manage records in an electronic environment. • NARA was also not performing systematic inspections of agency records programs. Such inspections are important as a means to evaluate individual agency records management programs, assess governmentwide progress in improving records management, and identify agency implementation issues and areas where guidance needs to be strengthened. We also provided some confirmation of NARA’s findings regarding records scheduling and disposition: our review at four agencies (Commerce, Housing and Urban Development, Veterans Affairs, and State) elicited a collective estimate that less than 10 percent of mission-critical systems were inventoried. As a result, for these four agencies alone, over 800 systems had not been inventoried, and the 13 electronic records maintained in them had not been scheduled. Scheduling the electronic records in a large number of major 12 U.S. General Accounting Office, Information Management: Challenges in Managing and Preserving Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2002). 13 According to information collected by the Office of Management and Budget in November 1999 as part of the federal government’s effort to assess the Year 2000 computing challenge, 6,435 mission- critical systems were reported at the 24 major agencies. For the 4 agencies we reviewed, the number of mission-critical systems was reported to be 907. Subcommittee on Government Management, Information, and Technology, House Committee on Government Reform, Federal Government Earns B+ on a Final Y2K Report Card, news release (Washington, D.C.: Nov. 22, 1999). Page 11 GAO-03-936T information systems presents an enormous challenge, particularly since it generally takes NARA, in conjunction with agencies, well over 6 months to approve a new schedule. Failure to inventory systems and schedule records places these records at risk. The absence of inventories and schedules means that NARA and agencies have not examined the contents of these information systems to identify official government records, appraised the value of these records, determined appropriate disposition, and directed and trained employees in how to maintain and when and how to dispose of these records. As a result, temporary records may remain on hard drives and other media long after they are needed or could be moved to less costly forms of storage. In addition, there is increased risk that these records may be deleted prematurely while still needed for fiscal, legal, and administrative purposes. Further, the lack of scheduling presents risks to the preservation of permanent records of historic significance. Guidance on Management of Electronic Records Was Not Up to Date NARA acknowledged in 2001 that its policies and processes on electronic records had not yet evolved to reflect the modern recordkeeping environment: records created electronically in 14 decentralized processes. Despite repeated attempts to clarify its electronic records guidance through a succession of bulletins, the guidance was incomplete and confusing. It did not provide comprehensive disposition instructions for electronic records maintained in many of the common types of formats produced by federal agencies, including Web pages and spreadsheets. To support their missions, many agencies had to maintain such records—often in large volumes—with little guidance from NARA. Agency Records Management Programs Had Low Priority and Did Not Have Technology Tools NARA’s study concluded that records management was not even “on the radar scope” of agency leaders. Further, records officers had little clout and did not appear to have much involvement in or influence on programmatic business processes or the development of information systems designed to support them. New government 14 National Archives and Records Administration, An Overview of Three Projects Relating to the Changing Federal Recordkeeping Environment (January 2001) (http://www.nara.gov/records/rmioverview.html). Page 12 GAO-03-936T employees seldom received any formal, initial records management training. One agency told NARA that records management was “number 26 on our list of top 25 priorities.” Further, records management is generally considered a “support” activity. Since support functions are typically seen as the most dispensable in agencies, resources for and focus on these functions are often limited. Also, as NARA’s study noted, federal downsizing may have negatively affected records management and staffing resources in agencies. In our June 2002 report, we recommended that the Archivist of the United States address the priority problem by developing a documented strategy for raising agency senior management awareness of and commitment to records management principles, functions, and programs. Related to the priority issue is the need for appropriate information technology tools to respond to the technical challenge of electronic records management: for electronic records to be managed effectively, agencies require a level of technology that was not necessary for paper-based records management programs. Unless management is focused on records management, priority is not given to acquiring or upgrading the technology required to manage records in an electronic environment. Agencies that do invest in electronic records management systems tend to do so because they value good records management and have a critical need to retrieve information efficiently. In other agencies, despite the growth of electronic media, agency records systems are predominantly in paper format rather than electronic. According to NARA’s study, many agencies were either planning or piloting information technology initiatives to support electronic records management, but their movement to electronic systems is constrained by the level of financial support provided for records management. Inspections of Agency Records Management Programs Were Limited NARA is responsible, under the Federal Records Act, for conducting inspections or surveys of agency records and records management programs and practices. Its implementing regulations require NARA to select agencies to be inspected (1) on the basis of perceived need by NARA, (2) by specific request by the agency, or (3) on the basis of a compliance monitoring cycle developed by NARA.15 In all instances, NARA is to determine the scope of the inspection. Such 15 CFR 1220.54 (a). Page 13 GAO-03-936T inspections provide not only the means to assess and improve individual agency records management programs but also the opportunity for NARA to determine overall progress in improving agency records management and identify problem areas that need to be addressed in its guidance. In 2000, NARA changed its method of performing inspections: rather than performing a small number of comprehensive agency reviews, it instituted an approach that it refers to as “targeted assistance.” NARA decided that its previous approach to inspections was basically flawed, because it could reach only about three agencies per year,16 and because the inspections were often perceived negatively by agencies, resulting in a list of records management problems that agencies then had to resolve on their own. Under the targeted assistance approach, NARA works with agencies, providing them with guidance, assistance, or training in any area of records management. However, we pointed out in our June 2002 report that this approach, although it may improve records management in the targeted agencies, is not a substitute for systematic inspections and evaluations of federal records programs. Targeted assistance has significant limitations because it is voluntary and, according to NARA, initiated by agency request. Thus, only agencies requesting assistance are evaluated, and the scope and the focus of the assistance are not determined by NARA but by the requesting agency. In light of these limitations, we recommended in June 2002 that the Archivist develop a documented strategy for conducting systematic inspections of agency records management programs to (1) periodically assess agency progress in improving records management programs and (2) evaluate the efficacy of NARA’s governmentwide guidance. NARA Is Continuing to Respond to Records Management Challenges, but Its Progress on Inspections is Limited Since June 2002, NARA has taken steps to strengthen its guidance, to address the low priority accorded to records management programs and the associated lack of technology tools, and to revise its approach to inspections as part of a comprehensive strategy for 16 Between 1996 and 2000, NARA performed 16 inspections of agency records management programs; only 2 of the 24 major executive departments or agencies were reviewed, with most evaluations focused on component organizations or independent agencies. Page 14 GAO-03-936T assessing agencies’ management of records. However, NARA’s plans to implement its comprehensive new strategy are not yet complete. Although the strategy describes a reasonably systematic approach that allows NARA to focus its resources appropriately and to use inspections and other interventions to assess and improve federal records management, it does not yet include a description of how NARA will establish an ongoing program. NARA Is Improving Records Management Guidance Since our 2002 report, NARA has taken steps to update its guidance on electronic records management in various areas. For example, although 36 CFR Part 1234, the basic guidance on electronic records, has not been updated to reflect new types of electronic records, NARA has produced a variety of guidance on electronic records. A new General Records Schedule, GRS 24, “Information Technology Operations and Management Records,” was issued on April 28, 2003. In addition, “Records Management Guidance for PKI- Unique Administrative Records,” which was jointly developed by NARA and the Federal Public Key Infrastructure Steering Committee’s Legal/Policy Working Group, was issued on March 14, 2003. As part of its e-government initiative, NARA has just released guidance on evaluating funding proposals for electronic records management systems through capital planning processes. 17 NARA has also supplemented its disposition guidance as a result of the project on transfer of permanent electronic records under its e- government initiative: this guidance covers transferring permanent E-mail records and attachments, several forms of scanned images of text files, and PDF, and it expanded the methods by which agencies could transfer electronic records to NARA for archiving. NARA is also planning to expand the capability of its current systems for archiving electronic records by accommodating additional electronic record formats and volumes. However, according to NARA, agencies have not yet transferred electronic records in these formats to NARA; these records may not be scheduled or may not yet be eligible for transfer. In addition, as part of the policy analysis in its effort to redesign federal records management, NARA has stated that it plans to identify policies, procedures, regulations, and guidance that would need to be modified in light of the proposed redesign. 17 These requirements are found in 36 CFR Part 1228. Page 15 GAO-03-936T Efforts Continue to Raise the Priority of Agency Records Management Programs and Address Technology Issues In response to our recommendation that it develop a documented strategy for raising agency senior management awareness of records management, NARA devised a strategy intended to raise awareness of the importance of agency records management. The strategy includes two goals: • increased senior-level awareness of the importance of records management, particularly electronic records management, across the federal government and in specific agencies, and • increased senior-level understanding of how effective records management programs support the business needs of specific agencies and the federal government as a whole. As part of its strategy, NARA identified a number of activities that its senior leaders will conduct, including briefing agency program leaders on the importance of records and information management in general and on specific issues (such as electronic record keeping requirements, litigation exposure, and vital records), participating in establishing or closing out certain targeted assistance agreements, and pursuing promotional activities such as making speeches and holding conferences. NARA has also developed an implementation plan, which establishes goals, timeframes, and required resources for fiscal year 2003. For example, the plan contains a goal of conducting six agency briefings by the end of September; three have been completed to date, and a fourth has been scheduled for mid-July. A similar implementation plan for fiscal year 2004 is to be developed by September 1. NARA’s strategy for raising senior agency management awareness appears reasonable, and if carried out effectively could help to mitigate the problem of the low priority given to records management. Since our June 2002 report, some steps have also been taken to address the lack of technology tools to manage electronic records. In January 2003, NARA recommended that agencies use version 2 of DOD standard 5015.2, which sets forth a set of requirements for records management applications, including that they be able to manage records regardless of their media. The effort to promulgate this standard was part of the electronic information management standards project under the ERM initiative. Under the standard, DOD is to certify records management applications as meeting the Page 16 GAO-03-936T standard; as of the end of June 2003, DOD had certified 43 applications. The availability of applications that conform to the standard may be helpful in encouraging agencies to adopt records management systems that address electronic records. NARA Plans Comprehensive Approach to Improving Agency Records Management In response to its own mission needs and our recommendations of June 2002 regarding its inspection program, NARA has documented a new strategy for assessing agencies’ management of records. This strategy is described in draft documents that describe NARA’s plans for setting priorities and for conducting inspections and studies. The new approach is now being piloted with the Department of Homeland Security; the results of the pilot—expected by September 30, 2003—will determine whether it is extended governmentwide. The main features of the draft strategy are as follows: • NARA will evaluate agencies and work processes in terms of risk to records, implications for legal rights and accountability, and the quantity and value of the permanent records; it will focus its resources on high-priority areas. This process of assessing risks and priorities will involve NARA staff with subject-matter and agency expertise, and it will address records management governmentwide. • NARA plans to use a variety of means to address areas identified for attention through its risk and priority assessment. Among the means being considered are targeted assistance, records management 18 studies, and inspections. The strategy indicates that NARA has changed its approach to targeted assistance: Rather than using it only when an agency requests assistance, NARA intends to recommend that an agency accept targeted assistance when NARA has identified records management issues at that agency that require attention. In addition, NARA plans to perform studies on records management best practices as a means not only to encourage good records management practices throughout government, but also to recognize agencies whose records management programs have exemplary features. According to the strategy, inspections will be conducted only under exceptional circumstances, when the risk to records is deemed high, and after other means have failed to mitigate risks (e.g., targeted assistance, training, and so on). • NARA intends to focus on the core functions of the federal government, rather than on individual agencies. It will use as its 18 Other means include standard and tailored training programs, certification programs for records managers, and various forms of advocacy. Page 17 GAO-03-936T starting point the business areas defined in the Business Reference Model19 of the Federal Enterprise Architecture.20 By focusing on the Business Reference Model’s broad activities and work processes, which cut across agency lines, NARA may inspect a single agency or a group of agencies in one line of business. Although NARA’s strategy appears to be a reasonably systematic approach that allows it to focus its resources appropriately and to use inspections and other interventions to assess and improve federal records management, it is not yet complete. Specifically, the draft strategy does not yet include a description of how NARA will establish an ongoing program. For example, the priority assessment plan does not indicate whether NARA will revise its risk identification process as circumstances warrant, or if this a single- time occurrence. NARA officials have said that the agency will update its priority and risk assessments periodically, but this is not yet reflected in the plan. Further, the strategy states that the results of studies may be used to improve guidance, but it does not create a similar feedback loop for inspection results. While records management guidance may benefit from the “best practices” identified in studies, inspection results could also identify areas where guidance needs to be clarified, augmented, and strengthened. Finally, no implementation plan or schedule for this new strategy has yet been devised. Without a strategy that provides for establishing an ongoing program that includes a feedback cycle, as well as complete implementation plans that fully reflect that strategy, NARA’s efforts to assess records management programs may not provide it with the information that it needs to improve its guidance and to support its redesign of federal records management. NARA’s Acquisition of ERA Continues to Face Risks In addition to its efforts to improve records management across the government, NARA is also acquiring ERA as a means to archive all types of electronic records and make them accessible, regardless of changes to hardware and software over time. However, NARA faces significant challenges in acquiring ERA. ERA will be a major 19 The Business Reference Model is a function driven framework for describing the business operations of the federal government independent of the agencies that perform them. 20 The Federal Enterprise Architecture is a business-based foundation that provides a common framework for governmentwide improvements in key areas such as performance measurement and e- government. The Office of Management and Budget began development of the Federal Enterprise Architecture in February 2002. Page 18 GAO-03-936T information system; NARA has no previous experience in acquiring major information systems. Further, no comparable electronic archive system is now in existence, in terms of either complexity or scale. Finally, technology necessary to address some key requirements of ERA is not commercially available and will have to be developed. In light of these challenges, NARA will face significant difficulties in its ERA acquisition unless it addresses • its information technology (IT) organizational capabilities; • ERA system acquisition policies, plans, and practices; and • its ability to control ERA’s cost and schedule. NARA has indicated that it needs to strengthen its IT organizational capabilities and has been taking steps to do so in three key areas: • IT investment management provides a systematic method for agencies to minimize risks while maximizing the return on IT investments. • An enterprise architecture provides a description—in useful models, diagrams, and narrative—of the mode of operation for an agency. It provides a perspective on agency operations both for the current environment and for the target environment, as well as a transition plan for sequencing from the current to the target environment. Managed properly, an enterprise architecture can clarify and help optimize the dependencies and relationships among an agency’s business operations and the underlying IT infrastructure and applications that support these operations. • Information security is an important consideration for any organization that depends on information systems to carry out its mission. Our study of security management best practices found that leading organizations manage their information security risk through an ongoing cycle of risk management. NARA has made progress in strengthening these capabilities, but these efforts are incomplete. For example, NARA has improved its IT investment management. However, although it is continuing to develop an enterprise architecture, NARA does not plan to complete its target architecture in time to influence the ERA system definition and requirements. In addition, it has completed some elements of an information security program, but several key areas have not yet been addressed (such as individual system security plans), and NARA has not assessed the security risks to its major information systems. Page 19 GAO-03-936T In addition, NARA has developed policies, plans, and practices to guide the ERA acquisition, but these do not consistently conform to industry standards and federal acquisition guidance. NARA has chosen to follow Institute of Electrical and Electronics Engineers (IEEE) standards21 in developing its policies, plans, and practices. Examples of these include (1) a concept of operations that describes the characteristics of a proposed system from the users’ viewpoint and provides the framework for all subsequent activities leading to system deployment, (2) an acquisition strategy that establishes how detailed acquisition planning and program execution will be accomplished, and (3) a risk management plan to identify potential problems and adjusting the acquisition to mitigate them. However, key policy and planning documents are missing elements that are required by the standards and federal acquisition guidance: for example, the ERA acquisition strategy did not satisfy 15 of 32 content elements required by the relevant IEEE standard. Further, NARA is unable to track the cost and schedule of the ERA project. The ERA schedule does not include all program tasks and lacks a work breakdown structure, which would include detail on the amount of work and resources required to complete each task. Unless NARA can address these issues, the risk is increased that the ERA system will fail to meet user expectations, and that NARA may not have the information required to control the cost of the system or the time it will take to complete it. In light of these risks, our briefing included recommendations to NARA to address the weaknesses in its acquisition policies, plans and procedures and to improve its ability to adequately track the project’s cost and schedule. In summary, NARA and the federal government face significant challenges in managing electronic records, which are largely due to the rapidly changing technological environment. While NARA is responding to these challenges with its various initiatives, much work remains to be done. Specifically, NARA has implemented our recommendation to address the low priority given to records management programs. The agency’s advocacy strategy, if implemented effectively, could help raise awareness of the importance of records management governmentwide. However, 21 The Institute of Electrical and Electronics Engineers, 12207.0 Standard for Information Technology—Software Life Cycle Processes; 12207.1 Standard for Information Technology—Software Life Cycle Processes—Life Cycle Data; and 12207.2 Standard for Information Technology—Software Life Cycle Processes—Implementation Considerations. Page 20 GAO-03-936T NARA has not fully responded to our recommendation for a revitalized inspection program. Further, while it is making progress in building its capacity to acquire a major system, it has not developed adequate policies, plans, and practices to guide the ERA acquisition or established an effective means to track the project’s cost and schedule. Until NARA fully addresses these challenges, the success of the ERA project remains at risk, the government may not be able to gain control over the massive numbers of electronic records that continue to grow every day, and permanent records of historical value may be subject to loss. Mr. Chairman, this concludes my statement. I would be pleased to answer any questions that you or other members of the subcommittee may have at this time. Contact and Acknowledgements If you should have any questions about this testimony, please contact me at (202) 512-6222 or via E-mail at firstname.lastname@example.org. Other major contributors to this testimony included Tim Case, Barbara Collier, Mirko Dolak, and Elena Epps. (310375) Page 21 GAO-03-936T
Electronic Records: Management and Preservation Pose Challenges
Published by the Government Accountability Office on 2003-07-08.
Below is a raw (and likely hideous) rendition of the original report. (PDF)