ARMA METRO MARYLAND CHAPTERNOVEMBER 18 , 2010

Records Management, Transparency and Open Gov:

An Update from NARA

Overview

Open Government and NARANARA Bulletin on Cloud ComputingNARA Bulletin on Web 2.0/Social MediaNARA’s Use of Social Media

Disclaimer: The opinions expressed in this presentation are mine and do not represent any official position of the National Archives and Records Administration

NARA and Open Government http://archives.gov/open/

“Backbone of Open Government”

Federal agencies need to create and manage economically and effectively the records necessary to meet their business needs.

They need to maintain records long enough, and in a useable format, to protect citizen rights and assure government accountability.

And they need to ensure that records of archival value are preserved and made available for generations to come.

Records Control Repository

http://archives.gov/records-mgmt/rcs/

Provides access to scanned versions of records schedules that have been developed by Federal agencies and approved by the Archivist

From 1973 – presentNew schedules added as approved

NARA Bulletin 2010-05

Guidance on Managing Records in Cloud Computing Environments

Released: September 8, 2010http://go.usa.gov/x1u

http://archives.gov/records-mgmt/bulletins/2010/2010-05.html

Cloud Computing: Definition

NIST defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST Definition of Cloud Computing, Version 15, 10-07-2009)

NIST’s Essential Characteristics

On-demand self-service Increase storage, etc. automatically

Broad network access Capabilities are available over the network

Resource pooling The provider’s computing resources are pooled to serve multiple

consumers There is a sense of location independence; customer generally has

no control or knowledge over the exact location of resourcesRapid elasticity

Quickly scale out or scale in computing powerMeasured Service

automatically control and optimize resource through a metering capability

Cloud Computing – Service Models

Cloud Software as a Service (SaaS) Provider’s applications running on a cloud infrastructure Consumer does not manage or control the underlying cloud

infrastructure Web mail systems in the cloud

Cloud Platform as a Service (PaaS) Consumer-created or acquired applications created using

programming languages and tools supported by the provider Consumer does not manage or control the underlying cloud

infrastructure Cloud Infrastructure as a Service (IaaS)

Consumer receives computing resources that the consumer is able to deploy and run arbitrary software, which can include operating systems and applications

Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)

Cloud Computing – Deployment Models

Private cloud Cloud is operated solely for an organization by the organization

or a third partyCommunity cloud

Cloud is shared by several organizations and supports a specific community that have mutual concerns

Public cloud Cloud is made available to the general public or a large industry

group and is owned by an organization selling cloud servicesHybrid cloud

Cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

Cloud Computing Use By Agencies

Team interviewed four agencies using cloudsAll received business benefits to solve various

problemsSome created private cloud others used

commercial offeringsAll had some issues with records management

One keeps everything, but is working to figure it out Two are still working on agreements that place

responsibility on participating agencies, but not the providing agency

So Is There A Problem?

PotentiallyIf the benefits of the drivers outweigh

perceptions of records management responsibilities

If cloud solutions are procured without consideration of records management requirements

If particular cloud deployments present insurmountable obstacles to exercising records management

Some RM Challenges

Cloud applications may lack the capability to implement records disposition schedules Maintaining records in a way that

maintains their functionality and integrity throughout the records’ full lifecycle

Maintaining links between the records and their metadata

Transfer of archival records to NARA according to NARA-approved retention schedules

Some RM Challenges

Depending on the application, vendors may not be able to ensure the complete deletion of records

Various cloud architectures lack formal technical standards governing how data are stored and manipulated in cloud environments

Some RM Challenges

A lack of portability standards may result in difficulty removing records for recordkeeping requirements or complicate the transition to another environment

Agencies and cloud service providers need to resolve issues if a cloud service ceases or changes dramatically

Meeting RM Challenges

Provisos1. Differences between service models affect how

and by whom (agency/contractor) records management activities can be performed

2. Service or Deployment Models used could affect where records are stored or created

PaaS and IaaS might contain no Federal records depending on how they are used

3. In SaaS model, records may often be held in contracted space

Meeting RM Challenges

Include RM staff in cloud computing solutionDefine which copy of records will be declared

as the agency’s record copy (value of records in the cloud may be greater than the value of the other set because of indexing or other reasons)

Include instructions for determining if records in a cloud environment are covered under an existing records retention schedule

Meeting RM Challenges

Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied

Include instructions on conducting a records analysis, including records scheduling

Include instructions to periodically test transfers of records to other environments, including agency servers, to ensure the records remain portable

Meeting RM Challenges

Include instructions on how data will be migrated, so records are readable throughout their entire life cycles

Resolve portability and accessibility issues through good records management policies and other data governance practices

Contracting

Agency is always responsible for its Federal records even if they are in contracted space

Agencies must ensure contractors are aware of the agencies’ RM responsibilities

Agencies must work with contractors to manage records

If a contractor quits the business, agencies must get the records back

Contracting

We created model language that informs all parties of RM responsibilities Working to add similar language to GSA’s apps.gov

storeAgencies can modify as needed, other clauses

can be included in contractsAgencies may be partners in a private or

community Include RM in MOUs or other agreements

NARA Bulletin 2011-02

Guidance on Managing Records in Web 2.0/Social Media Platforms

Released: October 20, 2010http://go.usa.gov/aUJ

http://archives.gov/records-mgmt/bulletins/2011/2011-02.html

What is the purpose of the Bulletin?

Guidance on managing records produced when using web 2.0/social media platforms

Expands on NARA's existing web guidance Implications of Recent Web Technologies for

NARA Web Guidance NARA Guidance on Managing Web Records

Not intended to provide agencies with model schedules or step-by-step guidance

What is Web 2.0 and Social Media?

Integrates web technology, social interaction, and content creation

Individuals or collaborations of individuals, create, organize, edit, comment on, combine, and share content

Agencies are using social media and web 2.0 platforms to connect people to government and to share information

Social Media Categories

Web Publishing

Social Networking

File Sharing/Storage

How are Federal records defined?

Provides definition of Federal Records based on Federal Records Act (44 U.S.C. 3301)

Refers to 36 C.F.R. 1222.10 for guidance on how agencies should apply the statutory definition of Federal records

27

Are Federal records created when agencies use web 2.0/social media platforms?

Agencies must determine records status (FRA and regulations)

Principles for analyzing, scheduling, and managing records are independent of the medium

Are Federal records created when agencies use web 2.0/social media platforms?

If any answers are YES, then content is likely a record: Is the information unique and not available

anywhere else? Does it contain evidence of an agency’s policies,

business, mission, etc.? Is this tool being used in relation to the

agency’s work? Is use of the tool authorized by the agency? Is there a business need for the information?

Noteworthy RM challenges associated with the use of web 2.0/social media

Public expectations that all content is both permanently valuable and accessible

Content located in multiple places Recordkeeping in a collaborative environment Ownership and control of data that resides with a third

party Interactive content management Identification of record series Implementation of schedules, including transfer and full

deletion Capture of frequently updated records Handling of records containing PII (See OMB M 10-23)

RM Challenges in Social Media

Determine their specific RM strategies to meet the regulations

Records officers, web management staff, and IT staff, need to collaborate

Consider the following areas: Policy Records Scheduling Preservation

31

Policy

Areas to consider include: Identifying what constitutes a record, including

user generated content Defining ownership of content and

responsibility Developing recordkeeping requirements Incorporating recordkeeping practices and

requirements into terms of service (TOS) Communicating records policies Monitoring the ongoing use and value Monitoring changes to third-party TOS

Records Scheduling

Agencies must schedule social media records or apply existing disposition authorities as appropriate Consider whether the use and functionality of the

platform affects value of the record, before applying an existing schedule

Develop new schedules if the tool provides enhanced processes, functionality, added metadata, or other features

Existing authorities apply if there is a previously approved media neutral schedule or records are administrative housekeeping

See Appendix A for records scheduling flow chart

Preservation

Areas to consider include: Saving all content with associated metadata as the

complete record Using web crawling and software to store content or take

snapshots of record content Using web capture tools to create local versions of sites

and migrate content to other formats Using platform specific application programming

interfaces (API) to pull record content as identified in the schedule

Using RSS Feeds, aggregators, or manual methods to capture content

Leveraging supporting underlying specifications, services, data formats, and capabilities to provide generic functions useful for fixing, capturing, and managing record content

Agency Responsibilites Towards Contractors

Managing records – in house or third partyService providers could stop providing their

service or delete information from an agency's account

Ability to identify and retrieve Federal records on web 2.0/social media platforms

Where possible, include a RM clause when negotiating a Terms of Service agreement

Consider RM responsibilities when selecting and using platforms

Sample “Terms of Service” Clause

The Agency acknowledges that use of contractor’s site and services may require management of Federal records. Agency and user-generated content may meet the definition of Federal records as determined by the agency. If the contractor holds Federal records, the agency and the contractor must manage Federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), and regulations of the National Archives and Records Administration (NARA) at 36 CFR Chapter XII Subchapter B). Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The agency is responsible for ensuring that the contractor is compliant with applicable records management laws and regulations through the life and termination of the contract.

What other NARA resources are available?

Web StudyToolkit for Managing Electronic RecordsBulletin on Multi-Agency EnvironmentsWeb Transfer GuidanceNRMP Wiki/Ledger

This Bulletin + Cloud Computing?

Web 2.0/social media platforms may operate using cloud computing environments

Both bulletins should be consulted when developing records management strategies for these environments

NARA Use of Social Media

http://blogs.archives.gov/aotus/

http://blogs.archives.gov/online-public-access/

http://blogs.archives.gov/records-express/

http://twitter.com/NARA_RecMgmt

Transitions?

Look for a new Archives.gov homepage to launch very soonA Charter for Change: Archivist’s Task force on agency

transformation, final report: released October 2010 One NARA: work as one NARA and not just as component parts. Out in Front: Embrace the primacy of electronic information in all

facets of our work and position NARA to lead accordingly. An Agency of Leaders: Foster a culture of leadership, not just as a

position but as the way we all conduct our work. A Great Place to Work: Transform NARA into a great place to work

that trusts and empowers all of our people, the agency’s most vital resource.

A Customer-Focused Organization: Create structures and processes to allow our staff to more effectively meet the needs of our customers.

An Open NARA: Open our organizational boundaries to learn from others.

Thank You!

Contact Information Arian D. Ravanbakhsh Electronic Records Policy Analyst email: arian.ravanbakhsh@nara.gov Follow on Twitter: @adravan