Sprehe: FBI gets it right
Bureau requires systems to be certified as complying with existing standard.
The FBI has received a truckload of bad press recently. So it is a pleasure to dwell on some good news coming out of the agency. In May, the FBI received an Archivist's Achievement Award from the National Archives and Records Administration for its electronic recordkeeping certification project.
The project is modeled on a widely used certification and accreditation process for information technology security. All FBI systems that process federal information must be certified and accredited as complying with a specific records management standard.
To be compliant, a system must be able to export records and associated metadata to an electronic records management system within the agency that is certified under the Defense Department's 5015.2-STD. Alternatively, an electronic records management system certified under the DOD standard can be part of a larger IT system.
An FBI records officer and the IT system owner must work together to determine whether a system processes federal records. Just as with security certification and accreditation, an FBI system that handles federal records cannot receive the authority to operate until it is certified and accredited as an electronic recordkeeping system.
Initially, the FBI's rule is being applied to new IT systems, but eventually, the Records Management Division will apply the process to existing systems.
The process allows a system to receive interim authority to operate if it will take some time to carry out the changes required to make it compliant. Under the same process, a designated official can grant emergency authority to operate systems that need to be created quickly to deal with emergencies, such as the sniper attacks in the Washington, D.C., region in 2002.
Most agencies put the onus on the records officer to ensure appropriate handling of electronic records. The FBI's novel approach shifts much of the burden to the source of the information the IT system that contains the records and the system's owner.
In the interest of full disclosure, I served as a consultant to the contractor that helped develop the FBI's project. All of the ideas for the process, however, originated in the bureau's Records Management Division.
I believe that the FBI has a superb idea that has value for every government agency. The idea is so good, in fact, that the Office of Management and Budget should consider incorporating it into everyone's favorite pest, OMB's Exhibit 300.
I recommend deleting the lines in Exhibit 300 under IT investments that pertain to electronic records and the Government Paperwork Elimination Act. That act has only limited applicability to public information collections. The Exhibit 300 form could be modified to ask: Does this investment implement electronic transactions or recordkeeping covered by the Federal Records Act? If so, is the system certified as being in compliance with 5015.2-STD?
That one change could largely solve the problem of capturing federal electronic records. Whether or not OMB acts on my suggestion, kudos to the FBI for developing and applying an effective way of managing federal records that are born digital.
Sprehe is president of Sprehe Information Management Associates in Washington, D.C. He can be reached at jtsprehe@jtsprehe.com.
NEXT STORY: On a bit of a holiday