In 2017, the National Archives and Records Administration (NARA) and the Office of Management and Budget (OMB) released a directive which mandates that all government agencies must manage their electronic records, including email and mobile text messages by the end of 2019. It’s the beginning of the year, and most agencies still rely on legacy systems and manual processes for record management, making the risk of non-compliance in the government sector extremely high once the 2019 NARA mandate comes into effect.
To help agencies manage electronic records, NARA released the universal electronic records management (ERM) requirements, derived from the existing NARA regulations, policies, and guidance.
In 2017, the National Archives and Records Administration (NARA) and the Office of Management and Budget (OMB) released a directive which mandates that all government agencies must manage their electronic records, including email and mobile text messages by the end of 2019.
The mandate includes the ability to identify, store, retrieve and retain electronic records so that agencies can locate and deliver them in a timely manner, knowing they are trustworthy and complete.
To help agencies manage electronic records, NARA released the universal electronic records management (ERM) requirements, derived from “existing NARA regulations, policy, and guidance.” The requirements are divided in six sections based on the lifecycle of electronic records management:
Capturing electronic records means placing objects under records management control for disposition and access purposes.
2. Maintenance and Use
The process of managing records through their most active stage. This includes ensuring that records will remain usable if they are migrated and transformed as systems change.
When electronic records have met their retention period and no longer have business or regulatory value to the organization, they can be destroyed in accordance with their records retention schedule.
Records identified as having historical value are considered permanent records. Such records are kept by the agency for a period of time specified by the records retention schedule, after which they are legally transferred to NARA for permanent storage.
Identifiers that describe the context, content, and structure of the records. Examples include the author, document type, date, record category, file size, etc.
Generating reports to allow further analysis and demonstrate effective controls and compliance. Such reports may include search results, records eligible for disposition, audit logs etc.
There are additional requirements which must be followed throughout the ERM lifecycle:
- Agencies must manage all electronic records including all recorded information, regardless of form or characteristics, made or received by a federal agency as evidence of the organization, policies, decisions, procedures, operations and other activities.
- Agencies should monitor and review access rights and permission rules for electronic records regularly.
- Agencies must have controls to prevent unauthorized access, alteration or destruction of records.
- Agencies should regularly monitor and evaluate their records control systems.
- Agencies retain responsibility for managing their electronic records, regardless of whether they reside in a public, private or community cloud, contracting environment or under the agency’s physical control.
- The records system must have the ability to prevent unauthorized access, modification or deletion of records, and must ensure that audit trails are in place to track the use of records.
- Agencies must be responsible for monitoring changes to third-party terms of service that may affect the management of records.
These requirements are either program requirements related to the design and implementation of an agency’s ERM policies and procedures, or system requirements that can serve as technical guidance to vendors in creating archiving and ERM tools and as specifications for agencies to consider when procuring them.