ARMA NORTHERN VIRGINIA CHAPTER MAY 18, 2011 Records Management, Transparency and Open Gov: An Update from NARA

Overview Open Government and NARA NARA Bulletin on Cloud Computing NARA Bulletin on Web 2.0/Social Media NARA’s Use of Social Media Disclaimer: The opinions expressed in this presentation are mine and do not represent any official position of the National Archives and Records Administration

NARA and Open Government

“Backbone of Open Government” Federal agencies need to create and manage economically and effectively the records necessary to meet their business needs. They need to maintain records long enough, and in a useable format, to protect citizen rights and assure government accountability. And they need to ensure that records of archival value are preserved and made available for generations to come.

Records Control Repository Provides access to scanned versions of records schedules that have been developed by Federal agencies and approved by the Archivist From 1973 – present New schedules added as approved

NARA Bulletin Guidance on Managing Records in Cloud Computing Environments Released: September 8, mgmt/bulletins/2010/ html

Cloud Computing: Definition NIST defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST Definition of Cloud Computing, Version 15, )(NIST Definition of Cloud Computing, Version 15, )

NIST’s Essential Characteristics On-demand self-service  Increase storage, etc. automatically Broad network access  Capabilities are available over the network Resource pooling  The provider’s computing resources are pooled to serve multiple consumers  There is a sense of location independence; customer generally has no control or knowledge over the exact location of resources Rapid elasticity  Quickly scale out or scale in computing power Measured Service  automatically control and optimize resource through a metering capability

Cloud Computing – Service Models Cloud Software as a Service (SaaS)  Provider’s applications running on a cloud infrastructure  Consumer does not manage or control the underlying cloud infrastructure  Web mail systems in the cloud Cloud Platform as a Service (PaaS)  Consumer-created or acquired applications created using programming languages and tools supported by the provider  Consumer does not manage or control the underlying cloud infrastructure Cloud Infrastructure as a Service (IaaS)  Consumer receives computing resources that the consumer is able to deploy and run arbitrary software, which can include operating systems and applications  Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)

Cloud Computing – Deployment Models Private cloud  Cloud is operated solely for an organization by the organization or a third party Community cloud  Cloud is shared by several organizations and supports a specific community that have mutual concerns Public cloud  Cloud is made available to the general public or a large industry group and is owned by an organization selling cloud services Hybrid cloud  Cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

Cloud Computing Use By Agencies Team interviewed four agencies using clouds All received business benefits to solve various problems Some created private cloud others used commercial offerings All had some issues with records management  One keeps everything, but is working to figure it out  Two are still working on agreements that place responsibility on participating agencies, but not the providing agency

So Is There A Problem? Potentially If the benefits of the drivers outweigh perceptions of records management responsibilities If cloud solutions are procured without consideration of records management requirements If particular cloud deployments present insurmountable obstacles to exercising records management

Some RM Challenges Cloud applications may lack the capability to implement records disposition schedules  Maintaining records in a way that maintains their functionality and integrity throughout the records’ full lifecycle  Maintaining links between the records and their metadata  Transfer of archival records to NARA according to NARA-approved retention schedules

Some RM Challenges Depending on the application, vendors may not be able to ensure the complete deletion of records Various cloud architectures lack formal technical standards governing how data are stored and manipulated in cloud environments

Some RM Challenges A lack of portability standards may result in difficulty removing records for recordkeeping requirements or complicate the transition to another environment Agencies and cloud service providers need to resolve issues if a cloud service ceases or changes dramatically

Meeting RM Challenges Provisos 1. Differences between service models affect how and by whom (agency/contractor) records management activities can be performed 2. Service or Deployment Models used could affect where records are stored or created  PaaS and IaaS might contain no Federal records depending on how they are used 3. In SaaS model, records may often be held in contracted space

Meeting RM Challenges Include RM staff in cloud computing solution Define which copy of records will be declared as the agency’s record copy (value of records in the cloud may be greater than the value of the other set because of indexing or other reasons) Include instructions for determining if records in a cloud environment are covered under an existing records retention schedule

Meeting RM Challenges Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied Include instructions on conducting a records analysis, including records scheduling Include instructions to periodically test transfers of records to other environments, including agency servers, to ensure the records remain portable

Meeting RM Challenges Include instructions on how data will be migrated, so records are readable throughout their entire life cycles Resolve portability and accessibility issues through good records management policies and other data governance practices

Contracting Agency is always responsible for its Federal records even if they are in contracted space Agencies must ensure contractors are aware of the agencies’ RM responsibilities Agencies must work with contractors to manage records If a contractor quits the business, agencies must get the records back

Contracting We created model language that informs all parties of RM responsibilities  Working to add similar language to GSA’s apps.gov store Agencies can modify as needed, other clauses can be included in contracts Agencies may be partners in a private or community  Include RM in MOUs or other agreements

NARA Bulletin Guidance on Managing Records in Web 2.0/Social Media Platforms Released: October 20, mgmt/bulletins/2011/ html

What is the purpose of the Bulletin? Guidance on managing records produced when using web 2.0/social media platforms Expands on NARA's existing web guidance  Implications of Recent Web Technologies for NARA Web Guidance  NARA Guidance on Managing Web Records Not intended to provide agencies with model schedules or step-by-step guidance

What is Web 2.0 and Social Media? Integrates web technology, social interaction, and content creation Individuals or collaborations of individuals, create, organize, edit, comment on, combine, and share content Agencies are using social media and web 2.0 platforms to connect people to government and to share information

Social Media Categories Web Publishing Social Networking File Sharing/Storage

How are Federal records defined? Provides definition of Federal Records based on Federal Records Act (44 U.S.C. 3301)44 U.S.C Refers to 36 C.F.R for guidance on how agencies should apply the statutory definition of Federal records36 C.F.R

27 Are Federal records created when agencies use web 2.0/social media platforms? Agencies must determine records status (FRA and regulations) Principles for analyzing, scheduling, and managing records are independent of the medium

Are Federal records created when agencies use web 2.0/social media platforms? If any answers are YES, then content is likely a record:  Is the information unique and not available anywhere else?  Does it contain evidence of an agency’s policies, business, mission, etc.?  Is this tool being used in relation to the agency’s work?  Is use of the tool authorized by the agency?  Is there a business need for the information?

Noteworthy RM challenges associated with the use of web 2.0/social media Public expectations that all content is both permanently valuable and accessible Content located in multiple places Recordkeeping in a collaborative environment Ownership and control of data that resides with a third party Interactive content management Identification of record series Implementation of schedules, including transfer and full deletion Capture of frequently updated records Handling of records containing PII (See OMB M 10-23)OMB M 10-23

RM Challenges in Social Media Determine their specific RM strategies to meet the regulations Records officers, web management staff, and IT staff, need to collaborate Consider the following areas:  Policy  Records Scheduling  Preservation

31 Policy Areas to consider include:  Identifying what constitutes a record, including user generated content  Defining ownership of content and responsibility  Developing recordkeeping requirements  Incorporating recordkeeping practices and requirements into terms of service (TOS)  Communicating records policies  Monitoring the ongoing use and value  Monitoring changes to third-party TOS

Records Scheduling Agencies must schedule social media records or apply existing disposition authorities as appropriate  Consider whether the use and functionality of the platform affects value of the record, before applying an existing schedule  Develop new schedules if the tool provides enhanced processes, functionality, added metadata, or other features Existing authorities apply if there is a previously approved media neutral schedule or records are administrative housekeeping See Appendix A for records scheduling flow chart

Preservation Areas to consider include:  Saving all content with associated metadata as the complete record  Using web crawling and software to store content or take snapshots of record content  Using web capture tools to create local versions of sites and migrate content to other formats  Using platform specific application programming interfaces (API) to pull record content as identified in the schedule  Using RSS Feeds, aggregators, or manual methods to capture content  Leveraging supporting underlying specifications, services, data formats, and capabilities to provide generic functions useful for fixing, capturing, and managing record content

Agency Responsibilites Towards Contractors Managing records – in house or third party Service providers could stop providing their service or delete information from an agency's account Ability to identify and retrieve Federal records on web 2.0/social media platforms Where possible, include a RM clause when negotiating a Terms of Service agreement Consider RM responsibilities when selecting and using platforms

Sample “Terms of Service” Clause The Agency acknowledges that use of contractor’s site and services may require management of Federal records. Agency and user- generated content may meet the definition of Federal records as determined by the agency. If the contractor holds Federal records, the agency and the contractor must manage Federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), and regulations of the National Archives and Records Administration (NARA) at 36 CFR Chapter XII Subchapter B). Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The agency is responsible for ensuring that the contractor is compliant with applicable records management laws and regulations through the life and termination of the contract.

What other NARA resources are available? Web Study Toolkit for Managing Electronic Records Bulletin on Multi-Agency Environments Web Transfer Guidance NRMP Wiki/Ledger

This Bulletin + Cloud Computing? Web 2.0/social media platforms may operate using cloud computing environments Both bulletins should be consulted when developing records management strategies for these environments

NARA Use of Social Media

Transitions? New, Award-Winning Archives.gov homepage has launched A Charter for Change: Archivist’s Task force on agency transformation, final report: released October 2010  One NARA: work as one NARA and not just as component parts.  Out in Front: Embrace the primacy of electronic information in all facets of our work and position NARA to lead accordingly.  An Agency of Leaders: Foster a culture of leadership, not just as a position but as the way we all conduct our work.  A Great Place to Work: Transform NARA into a great place to work that trusts and empowers all of our people, the agency’s most vital resource.  A Customer-Focused Organization: Create structures and processes to allow our staff to more effectively meet the needs of our customers.  An Open NARA: Open our organizational boundaries to learn from others.

Thank You! Contact Information  Arian D. Ravanbakhsh  Electronic Records Policy Analyst   Follow on