By: Bill Tolson | October 5, 2022
Description:
Directive M-19-21 is driving Federal agencies to digitize their processes and recordkeeping and shut down their records storage facilities. While this is an enormous task, the bigger question is: where will all of this digitized data go? Just like paper records, all of the electronic records must be archived, secured, indexed, and managed per federal records management requirements. In this episode we address the issues Federal agencies need to think about that will help them successfully plan for and deal with the avalanche of electronic records.
Speakers
Mike Ratigan
President
Data Evolution
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. This week's episode is titled a discussion on federal directive M-19-21 with Michael Ratigan. My name is Bill Tolson and I'm the Vice President of Compliance and eDiscovery at Archive360. Joining me today is Michael Ratigan, President at Data Evolution, an IT solutions provider based in Maryland.
Bill Tolson:
Michael, thanks again for taking the time to join me for our podcast today to discuss this really interesting federal directive which focuses on getting federal agencies to fully transition from hard copy records to electronic records for increased efficiency, accuracy, and improved storage. I know you've been working with federal agencies for quite a while now to help them reach compliance with this important directive. So let's jump right into it and you can share your unique and probably very deep experiences and insights on how federal agencies can meet this new directive.
Michael Ratigan:
Yeah, thanks for having me today. It's a very hot topic in the federal government. Many people on the outside kind of looking at federal agencies don't necessarily know this, but even senior administrators within all federal agencies now, as well as chief information officers, chief compliance officers, data officers, experience officers, everybody now understands the impact of this. In essence, what's been happening is across the federal government, there's been paper forever. I think Booz Allen or one of the big system integrators and consulting firms that have a story like with the advent of email, paper in the federal government has increased 30%.
Bill Tolson:
Wow.
Michael Ratigan:
And those emails may become records. So anything tied to a director or somebody in a senior agency official, those are all permanent records. So the more that paper has accumulated, NARA has in a sense, National Archives and Records Administration, has created massive federal record centers across the country. Well, a few years ago they decided enough is enough, all the federal government created initiatives for cloud-first, designed everything in the cloud, which of course has led to a lot of the areas that you're very familiar with, cloud-based security, and compliance, and governance. So as these directives have rolled out, the Office of Personnel Management, and NARA, and GSA got together with The White House and said, "We have to figure out a way to get federal agencies to move from a paper-based environment to a cloud-based environment." Thus was introduced M-19-21.
Bill Tolson:
Yeah, it's a really interesting directive and it ties in with a couple of others that we'll at least mention today. But you mentioned what M-19-21 really is. Well, what are the key provisions and what are those main topics or main points that you've been working with agencies around that they obviously should be aware of and so forth? But for all the listeners, what are the key provisions of M-19-21?
Michael Ratigan:
Yeah, it's a great question. There's three kind of key provisions that most of the agencies that I have worked with over the last 25 years have cited, obviously just since June of a couple years ago when this first came out. One of which is to establish an electronic record keeping or records management system by December 31st of this year. As you can well imagine, most of those agencies have not met that compliance directive. A second piece of that is to no longer operate what are called agency-operated storage centers. So anybody who's been in any federal agency have noticed file cabinets full of paper. And if anybody's been to a medical facility, has seen just massive records or medical records sitting up on a wall. So if they are past a certain size limit, NARA and OPM want agencies to no longer be the custodian of that paper.
Michael Ratigan:
So they need to move that paper into a federal record center or a NARA-certified archive by December 31st of this year. And they've indicated that they'll no longer accept paper after that time. And part of that reason is they're not going to be building any more of these federal record centers. They want agencies to go digital. And then the third part of that is digitizing that content. So they want them to create an electronic way to manage this content. So installing a records management system to manage the records, create a day forward way to create kind of a cloud-first and electronic version only, and eliminate these agency-operated record centers.
Michael Ratigan:
So they're three pretty big initiatives. And one of the challenges of that is that most of these federal record officers, that's not their background. Just like you've noticed in compliance, a chief compliance officer may know certain things about compliance, but they're not oftentimes disciplined or experienced in how the entire agency needs to become compliant, but they know how certain divisions or certain programs could become compliant. And agency record officers within federal agencies face the same challenge.
Bill Tolson:
Okay. So following up on several of the points you made there, but I think you said that by the end of this year, NARA as an organization or an agency will also stop accepting paper or hard copy documents?
Michael Ratigan:
That is correct.
Bill Tolson:
Wow. So there is no ifs, ands, or buts when it comes to all the agencies saying, "Well, I'll just keep sending them and they'll probably accept them." It sounds like it's pretty hard-and-fast rule. Number one, like you said, they have to shut down their own storage facilities, but then I would guess that any new stuff, like you said, everybody converting to electronic records management and so forth, any new permanent records going in and there have to be in electronic format, which obviously is going to be a big deal. And you mentioned this as well, and I know this is a huge, huge thing that you've also worked on, is the idea that all of those agency warehouses with all those paper records say a lot of that stuff has to be digitized so it can be indexed and made searchable, so some of it can go into NARA, right?
Michael Ratigan:
Yeah, that's exactly right. And one of the things that's happening is Laurence Brewer, who's the head of NARA, I've heard him speak numerous, numerous times over the last year, year and a half. And he has mentioned a couple daunting figures. One of those figures is he estimates there's over 50 billion, with a B, documents that need to be digitized as part of this process. We all know that that can't be done in three months or four months. So everybody's fairly confident that OPM is going to have to extend that deadline. And when asked why it hasn't been extended thus far, the answer has been, well, due to COVID delays, people not being in the office, what they didn't want to do is extend that deadline multiple times. So if they do go to extend the deadline, they want to make sure that they can meet a new deadline.
Michael Ratigan:
So my thought is that it's going to move to, instead of December 31st of this year, it's going to move out at least 18 months, if not two years to mid or to the end of the year 2023. That hasn't been confirmed. It's just kind of rumor and speculation that has gained a lot of momentum and with a lot of different people I've spoken to over the last four or five months, they know that they have to make that change. But again, NARA is not an enforcement agency, so they can't assess any penalties like OPM could or The White House, so it's a bit of an arbitrary deadline, but it's what they have done is put their foot down and say, "You need to do this." And it's forcing agencies to reexamine budgets and make this a priority when in the past it hasn't been.
Bill Tolson:
Well, and something that came to my mind when we first talked a while ago is if all of these hard-copy records, and probably a decent portion of them are going to be considered permanent and need to be obviously digitized and going to NARA, the question that quickly arose in my mind is if they're digitized, where is that digitized file going? Are they all going into a records management kind of application or are they maybe active records going into a records management but inactive, or those kinds of records maybe go into an archive somewhere that again, needs to be indexed and made searchable so that an agency can respond to a FOIA request or whatever so they can go out and actually find the data they need to? But that's what really jumped out at me first is you mentioned all of these billions upon billions of records being digitized. What are they destined to be put into for ongoing management?
Michael Ratigan:
Oftentimes the permanent records, if President Clinton signs a document and that becomes a permanent record, then that physical record is supposed to go to The National Archives in perpetuity. So those permanent records can go to NARA temporary records, could get digitized, and then destroyed. They have long-term temporary records, they have convenient records. A lot of it depends on what's termed the general records schedule, and they'll make that determination. So the record officer will say, "This is considered this type of record, so we need to digitize this and then we want to send it to NARA so it's accessible." This particular record we want to digitize, then we can destroy it. I think there's going to be a lot of consolidation in this industry between the digitization companies, and the records management companies, and joint ventures, and a lot of just broad consortiums because one company can't do this.
Michael Ratigan:
And by kind of forming these teams, keep in mind records management companies by themselves are not large. They're $20 to $50 million companies from just a gross revenue perspective. They're not like a Salesforce or a Splunk or these other massive companies, so that compliance and that convergence of a lot of these industries needs to come together. And a lot of it's also because on the agency side, the person managing this operation is not an expert in the process. They understand a portion of it like records, they don't understand digitization, they don't understand the electronic version. And within the agencies itself, just like any siloed enterprise, there are political fiefdoms.
Michael Ratigan:
So there may be three or four systems deployed across that agency with competing priorities. So now the chief information officer, the chief data officer, the chief privacy officer, the experience officer, all those people down the line have to finally get together and make a determination of, are we going to finally do an enterprise system, combine these, consolidate all these databases? Because the real value in this is the data. So if you're doing a search across an agency for, I want to know of anything we have done with women in the City of Detroit within this timeframe, the socioeconomic background, etc. If you have all the metadata from all those records across all those agencies and databases consolidated and you can use artificial intelligence and machine learning, boy oh boy, do you have a plethora of information which kind of leads into that whole OMB Circular A-11 we spoke about.
Michael Ratigan:
OMB has now come back to these agencies and said, "In addition to the M-19-21 and these other mandates, we want you to think very clearly about your budgets for this upcoming year. And we want you to make sure that the customer experience is a huge priority in developing those budgets. So hey, we're glad you're going to develop these backend databases and do all this system, but if the external facing customer can't get customer service, it doesn't matter." And right now, for example, if all these records are digitized, the way that we're talking about when there's a FOIA request, that FOIA request is supposed to be turned around in 30 days, but oftentimes it's four to five and six months at a cost of tens of millions of dollars to the government. And that should be, pull up this request, send it for remediation and release it. But it's still in paper form and oftentimes they have to find it first, then they have to digitize it, then they have to remediate it, and then they have to send it out. And that's done by a skeleton crew.
Bill Tolson:
Yeah. And like you say, they're not necessarily experts. I think one of the key terms you said that I've been focused on for many years now around data archiving and management, stuff like that, is the idea of consolidation. If you can consolidate as many of the records, documents, files as possible so that you have fewer repositories to search when looking for information, when responding to a FOIA request, those kinds of things. Or when determining if a given document is considered permanent for NARA, it needs to eventually be switched or moved over there, the movement of documents into NARA is not a daily thing. We've worked with agencies that say, "Well gee, we consolidate for 10 years and then we'll move a big tranche over and then we'll wait another five years or 10 years, move another big tranche of those that actually are considered permanent."
Bill Tolson:
But like you say, as we're moving toward getting away from hard copy completely, even ongoing day-to-day content within agencies are going to have to be switched to electronic. And then again, what does that mean to, like you say, all the vendors that are going to be offering solutions for this kind of stuff? I mean, I think obviously, we're looking at a huge increase in digital records that need to be managed, need to be viewable, need to have retention disposition put on them based on whether it's permanent or not, and those kinds of things. So I think obviously if agencies... Well, that brings up a question, and you just talked about extensions and stuff, but what was the original deadline for M-19-21?
Michael Ratigan:
December 31st of this year.
Bill Tolson:
Wow. So yeah, obviously in three months that's not going to happen. A question we were just talking about the huge amount of data that's going to be digitized and so forth. And my company, Archive360, we work with many, many federal agencies around archiving and information management. But do you see or have you run across clients that are looking at, "Well gee, we got to do all this in the cloud now. It's not going to be on prem, it's not going to be agency data centers per se. All of this stuff has to go into the cloud." Because of various presidential directives over the last couple of years, including President Biden's from last year, EO 1408 that says all agencies have to move into the cloud. So I would suspect that they're obviously looking at that if they haven't already and probably asking you questions about cloud and those kind of things.
Michael Ratigan:
Yeah, it's true. And there's a variety of things. If you would ask me this question five years ago, then I would say it would be a long time in coming because at that point many of the records management systems were on premise only and looking at the cloud. But as Microsoft and Amazon have spun up their clouds and created Authority to Operate or ATOs within those, kind of the envelopes. And then authorized specific instances within those clouds for agencies to host their own content, many of these providers, Gimmal Software or Collabware and FAI Systems, for example, OpenText and some of the other ones, have all either created their own clouds. But what I've noticed over the last couple of years is the security within them. Gimmal for example is FedRAMP moderate. A FAI system normally deploys within the customer ATO. Collabware is a new one that's out now that is about to receive its JAB, and that's the Joint Access Board, which is basically FedRAMP High or an ATO giving them the ability to operate at a FedRAMP high level on a government-wide ATO for security.
Michael Ratigan:
So in the same way 14028 talks about zero trust and kind of creating that authentication to say these agencies have to follow this multifactor authentication for security, some of the RM companies are meeting that in midstream to say, "We're going to follow the same protocol." So now it's just a matter of how do we get that content, whether paper or electronic, into that system, and now it's going to maintain that high level of security all the way through from end to end.
Bill Tolson:
Well, and like you said with Executive Order 14028, which number one basically tells all federal agencies, "You must move to the cloud." Number two, it says, "You must employ a multifactor authentication, you must encrypt data, sensitive data per se, and you must be built on a zero-trust kind of architecture." And 14028 goes even further and basically says that for those agencies with applications that don't meet that, those new cybersecurity requirements, and that the vendor cannot meet the deadlines, then potentially those legacy applications must be retired and that data migrated somewhere else because they don't want the cybersecurity issue of applications that are not up to code per se. And you mentioned several companies. We also work with almost all of the agencies for cloud archiving and information management and we have some unique security capabilities as well, but we can get into that later.
Bill Tolson:
But it really is, I think like you say, it's going to be a daunting task. I know like most companies, the most private companies in the outside world, everybody puts everything off until the last minute. And that's the other thing with executive order 1408, is that was supposed to be complete by May of this year and obviously we're beyond that. It was going to be very tight anyway because some really complex security technologies were written into it that first the government needed to define and do all kinds of the neat stuff. So obviously, I think the compliance with 14028 is falling behind schedule as well. But the question, you mentioned this just a couple of minutes ago around the pandemic and COVID. It sounds like the pandemic did delay agency progress to meet this M-19-21 deadline, correct?
Michael Ratigan:
And it did. And one of the challenges about records is that for physical records that exist when COVID hit, nobody was prepared for it. Many agencies just were scrambling to create telework environments and access to this content. So how do you manage a physical set of records when you're not physically in the office? So when it came down to remotely trying to estimate, let's say the CIO's office came down to you as the record officer and said, "Okay, well, how do we budget for the digitization? We can guesstimate the amount of people that are going to be authorized to do this by user, so we can estimate that." And the record officer replies, "I don't know," because he or she is not physically in the office and they call them record liaisons. Those are the people that would manage a small office, say across the nation.
Michael Ratigan:
They're not in the office. They know generally how many records they have, but they lack the ability to make a determination of the types of records that had to be digitized, destroyed, sent to the Federal Record Center. And even if they knew, they couldn't do anything, they couldn't scan them, they couldn't do a lot of this. So a lot of these things just kept kicking that proverbial can down the road until kind of COVID abated. Even some organizations were just going back to kind of physically go back into the office two or three days a week just starting in September. I think the IRS last year told me they weren't going until December of this year. And many of these agencies are starting to work remotely. So therein lies a challenge when now you're creating an environment to say, "We don't even need to be in the office anymore, but in the office we still have all these records."
Michael Ratigan:
So that coupled with COVID delayed this as it did with a lot of deployments, I think, with a lot of these mandates that you've referred to and M-19-21. If people aren't in the office to physically have meetings and determine what their action plan's going to be, then they just push these down the road. And plus, with Ukraine and other kind of global issues affecting our government, some of those monies have been diverted to serve the international mission of supporting Ukraine or other programs around the world as well.
Bill Tolson:
Wow. Yeah, and again, like we've already mentioned connect that or tie that in with the new security requirements basically at the same time or near the same time. And all of a sudden federal agencies have an awful lot to do probably, and they're obviously not prepared to do it, they might not have the expertise, so obviously they're calling on a subject matter expert like yourself to help them out. I did see something that I think you and I had talked about not too long ago, but you mentioned FERMI and FADGI. And I had not run across those standards before. Can you explain what those are and what that has to do with this M-19-21?
Michael Ratigan:
Sure. And ironically, this is an area where I think the federal government has kind of lagged behind. So the FERMI is the Federal Electronic Records Modernization Initiative. And what it was supposed to do within kind of NARA and GSA is to establish what the digitization and metadata standard were going to be for these documents that require digitization. That final standard has not been released. Therein lies part of the problem. So part of that standard is a FADGI standard. So there's a gentleman named Don Williams who worked at the Library of Congress and kind of formed a series of standards from one star to four star. And each of those levels was kind of a level of accuracy and a level of clarity for the documents. So in the same way that the PDF that everybody is familiar with, they can create a document, create a PDF.
Michael Ratigan:
If you create a PDF/A, that's an archive version, that is the open standard that the National Archives kind of owns, if you will. And that way that standard will be supported in perpetuity. So FADGI 1, 2, 3, and 4 star were designed to do the same thing. So for these permanent records and temporary records that are going to be digitized, they've determined that FADGI three star is that determination. I've been told that NARA is going to be releasing that final... Again, they put out a draft standard, it goes on industry for comment, it goes back and forth. And we're told that that's going to be coming out. So if that had come out two years ago or three years ago with a lot of the funding and these M-19-21 initiatives, I think we'd be well on our way to meeting those deadlines because of the COVID delay, and funding delays in general, and the PPP program, and all those things that surrounded the pandemic. All that is delayed.
Michael Ratigan:
But FERMI is the modernization initiative that establishes all the metadata and all the standards around it. FADGI kind of helps to determine what that digitization standard's going to be, so when it is physically digitized in a scanner, what does it have to meet? And right now there's only a few scanning digitization companies. I believe Kodak and IBML are the only two that are physically meeting it now. And what they have to do is audit. So if I'm scanning a document, I have to calibrate that scanner to make sure that I am meeting the NARA requirement and you have to record it and it is auditable, so you can't just say you're meeting the standard with any scanner. The IBML self-calibrates, so if it doesn't meet it, it'll actually calibrate itself to make sure it doesn't. The Kodak scanner just requires manual intervention, but allows you to tweak the settings a bit to do that. Then you have to record it and then send it off for audit if requested.
Michael Ratigan:
So it's NARA taking a stand on this to say, "If we're going to make this a standard, we better make sure that we feel comfortable and that everybody scanning to this standard meets the requirements and then can validate through an audit that they're meeting these requirements." So I think that's a very good thing.
Bill Tolson:
Well, and that kind of brings me back to one of the questions I mentioned with all of these documents being scanned, and digitized, and indexed so they can be made searchable and so forth, are all of these documents going to be inserted into records management applications or is it going to be up to the end agency to decide where all that material is going to be put electronically so that they can be searched on and all that kind of stuff?
Michael Ratigan:
I think it's a moving target. Part of this is creating a new way to ingest documents. So for example, if an agency, say Department of Labor, for example, who now can take forms online, which may be printed out, signed, and then sent via the mail to Labor to file a claim, whatever that may be, the general records schedule is different for every agency, so they will determine that. But it may make sense, which is what I always recommend is that if you're digitizing the legacy content because you need to get rid of it to follow these directives, in a parallel way, you need to create the modernized version of that. So let's take those forms, DocuSign, for example. I can take those forms and those templates and I can overlay a template on that. So you can go into DocuSign, fill out that claim form, and then when you submit it, DocuSign saves the data separately from the form with the saved data, you could send that to any backend system and then all the workflow can kind of kick in to solve the problem.
Michael Ratigan:
So now we haven't created any paper and all the data's already been lifted from the form to go into whatever backend system. If that physical form is considered a record, then it can be routed either eventually to a records management system. If not, its case can be monitored and it can be closed, adjudicated, however it's adjudicated. And then based on the determination of the record schedule, they can either decide to purge that, store it, or store it in a records management system. But once it's digital, it's a far easier decision to make versus the box of content.
Bill Tolson:
Well, and when you say store it, and again, we've worked with many, many federal agencies and many of them will look at the difference between active or semi-active records and then inactive records or documents that still need to be kept for whatever reason based on the retention schedules. And it doesn't make sense, we've been told, and it's public common sense that you don't want to put petabytes worth of just electronic stuff into a records management system because you don't need that kind of instantaneous type of access. I mean, you want for inactive records, again, for FOIA or for planning, whatever it happens to be, you want to be able to find this stuff. Even for the eDiscovery, you want to be able to find this stuff that is responsive to the request, but it doesn't necessarily all have to be sitting in an active records management system, I would think. Right?
Michael Ratigan:
No, I agree. And that's where Archive360 really provides value, is that again, would it have been there 10 years ago? Maybe not, but because of all the security directives and now all this content has to go. And if 70% of that content is considered a record, then again, Archive360 has those records capabilities as well. But if they need to be in a DoD 5015.2, which is the Department of Defense kind of area, and it needs to be in one of these other systems, great. But you're absolutely right. If there's 10 petabytes of content, then once it's all digitized based on the general record schedule, 60% of that or 70% may fall into records category. 30% may fall into, I still need to archive this, but I better have the security wrapper on top of this because I don't want to be the one that appears on 60 Minutes with a data breach.
Michael Ratigan:
And I think the combination of the two, again, five or six years ago, all these companies would operate independently. But as I mentioned earlier, that's why this consolidation's happening where I think these companies can work in tandem to provide similar services. Although some may compete, I think oftentimes they'll find they can be working together more than working apart.
Bill Tolson:
Well, and provide a more total solution. Like you say, very, very few solutions in the world do everything that somebody needs. You're usually using several to get whatever you want done. And again, with our experience with the federal agencies, we're in the know as the kind of things they're doing and they need to do with this massive amount of data. And again, when does the permanent records get moved over to NARA? Well, it depends, I would assume, on the individual agency. NARA's basically going to tell them when, but I think that's not always meant the same way.
Bill Tolson:
Well, one thing you did say, and I just want to qualify it, you said that they digitize and then get rid of the records. Now, by that you mean digitize the hard copy records so that they're in electronic format and then dispose of the hard copy records, right?
Michael Ratigan:
But in some cases, the permanent records, even after being digitized, will still be stored physically because you still want to have access to those critical documents. But they may be permanently stored at NARA or the Federal Record Center, but some of the temporary files that would be digitized. So in other words, if a contract terms out tomorrow, let's not digitize it. We don't have to. If it's going to term out in 15 years, let's digitize that temporary record and put it on a retention schedule, so when it gets to the end of the 15 years, then it can be termed out and it can be destroyed.
Bill Tolson:
Sure. And so you're not digitizing a bunch of records and then deleting them all. That would make sense. And even in the private sector, and I've done presentations on this, as you're moving large amounts of records, whether it be electronic records in an old archive or wherever they happen to be, even from tape or from a hard copy, being digitized, bringing those documents in, digitizing them electronically, and then indexing them, makes it easier to actually make a decision on whether those records should be kept. Because then you can do searches based on keywords or qualifications to say, "Well, gee, all of these records, these 100 terabytes where the records are all way past their expiration date or should be past their expiration date, and there's no reason for us to hold anymore, so let's get rid of it." You probably wouldn't have seen that unless they were digitized, right?
Michael Ratigan:
Correct. And there's so many kind of nuances kind of to this is, and I think it's a confluence of all these things that are coming in now. I think M-19 is just the latest initiative to push some of these things forward. Even with Laurence Brewer when he spoke recently and they talked about the Zero Click. I mean, the idea is that you want to get to a point when that record is created, it just flows all the way through the process and it becomes an electronic record and people don't have to scan it or index or do all that. The idea is that if it's born digital, it stays digital and it moves all the way through its process into that electronic records management system, and now it's available for any type of discovery.
Michael Ratigan:
The other thing that agencies have also been affected over the years, and I dealt with some of the agencies within NIH that were affected by this, is if records have termed out and they have not been deleted, now those federal agencies are opened up for a discovery session and they may go back 50, or 60, or 70 years and find records that make them culpable for something that if they have been following their own rules, should have been deleted.
Michael Ratigan:
And the other thing that's happening within these records management applications, traditionally records management in the past was I'm just going to sign a disposition, I'm going to... These guidelines, I'm going to send it to NARA electronically. I'm going to do all that, I may manage the physical record as with software. But what's happening now is these records management companies are becoming more like content management companies. They're adding workflow capability, right? And Archive360 is no different. It's not just a wrapper to have these rules. There's all type of discovery in AI that is happening in the background, whether it's in the Azure Cloud or the AWS Cloud, and you can get access to microservices and all these other things to discover content, but those agencies can be negatively impacted if they keep all this content in perpetuity if they don't have to.
Michael Ratigan:
If it's a permanent record, there is no choice. By getting this under the right schedule, so I know what type of record it is and what the metadata is around it, then it gives all agencies the ability to monitor those records. So if I go zero click and I create an electronic file and it moves all the way through paper to cloud, at the end of that process, then I can make a determination, say, "These are permanent, they stay for whatever, these are temporary, they've termed out." And I create the least amount of exposure to my agency, which can save tens of millions of dollars to taxpayers when that federal government agency is sued over something that should have been deleted.
Bill Tolson:
So zero click basically means converting something to digital. Is that right?
Michael Ratigan:
It's creating the process where it goes from what used to be a paper record all the way through to a digital record. And you don't have to do anything to do it, it follows on the process end to end.
Bill Tolson:
Okay. And you mentioned discovery and that's a universal worry as well in the private sector. I've been in the discovery side for a long time, and the more records, the more data you keep, the more eDiscovery is going to cost you because in eDiscovery, whether it be private or within a federal agency, with eDiscovery everything is potentially discoverable. It has to be relevant to the case, but it just means you have to search a much larger universe of records to make sure that you're not overlooking responsive records. So getting rid of data you no longer need.
Bill Tolson:
In a federal agency, obviously, like you said, the permanent records have to be kept permanent, but all the other stuff, if they have realistic disposition policies on, then you're getting rid of that potential liability and cost, both for eDiscovery as well as FOIA. With FOIA as well. FOIA is just basically eDiscovery in the government sector, so instead of having to search 5 petabytes worth of data, maybe you're searching one and a half or something. That is huge cost difference when it comes to even using computers and find potentially responsive stuff to a given request.
Bill Tolson:
So I think that it's nice to know, and I've never asked the question of the various agencies, but I know they all work off retention disposition. But unlike the private sector, I would imagine that hopefully agencies are not just keeping data for keeping data's sake, you want to get rid of it for all kinds of reasons, cost reasons, storage reasons, all of those kinds of things.
Michael Ratigan:
And I think on top of that too, you have the other part of zero click is transparency because you now have this unique term in the government and the world called social media. And social media is Facebook and it's Twitter, and all these other social media platforms that federal agencies are using. So all that content has to flow into whatever this backend system is. So the other kind of part that zero click is, another word for that also is transparency around what is a record, what is not a record, what is discoverable? And it doesn't go into this vacuum and say, "We'll get back to you in three years." They want to create this standard. And again, social media is a unique burden.
Michael Ratigan:
Email archiving with Capstone is still underway. And yeah, DoD and then I'm a director here, and then I moved from director of Agency X over to an associate director Agency Y. Well, now my email retention is different based on the agency. So there's a lot of things that go along with that too. But I think as, and this is where Archive360, I think, provides a lot of value, is that you have a tremendous amount of data that just flows from social media only within these agencies. And it may be in the short term we don't know what to do with it, or we haven't figured out, or NARA hasn't decided on the right type of record schedule for some of this content, so what should you do with it? In an Azure environment, you need to archive it.
Michael Ratigan:
And then at some point, when they develop the general record schedule to include these specifics, then you can ingest that into these records management systems and then they can add some AI to that, and then they can decipher the type of content it is and put it into the right bucket.
Bill Tolson:
Or delete it if it's not required.
Michael Ratigan:
Correct. Or delete it.
Bill Tolson:
And get into that defensible disposition mode.
Michael Ratigan:
Exactly.
Bill Tolson:
Wow, this is so complex. I noticed in reading the directive M-19-21, one of the key revisions of the directive is that federal agencies must maintain a records management program that complies with the Federal Records Act for government agencies. Basically, what does the Federal Records Act, what's it consist of? What are the main points for example, a records management solution?
Michael Ratigan:
A lot of that goes back to NARA. And every agency is different, so when they determine, say for the Department of Transportation, then an agency record officer is appointed and then that person writes up and determines what they think should be the record schedule. So NARA will create a general record schedule for all types of records, and then within that, under that records act, the agency record officer creates a separate version for, in this case, say the Department of Transportation. Then they have to send that to NARA for approval. That process alone can go on for years. And again, that is a constantly changing target as we talk about different directives that come out, retention periods change. So they need to comply, what is a record? What is a permanent record, temporary record? And then that needs to be put in place across that entire agency.
Michael Ratigan:
Once that's put in place, then everybody below them has to be trained in order to do that, from the record custodian to a record liaison, to a records officer or records manager. And then the agency records officer all the way up to something called a SAORM, which is a Senior Agency Official for Records Management, preferably somebody who's a GS-15 who sits in that leadership position who can help direct policy. And I think even with these new circulars, they're creating GS-15s to manage these things as well, I think with the new OMB directive they are. So all those things have to comply under federal records. What is a record? How do you determine it? NARA makes all those determinations. But it's a difficult target within a lot of these agencies because records officers for the longest time haven't been treated very well.
Michael Ratigan:
So if the C-suite is having a discussion, the records officer is not in the room, they're down the hall in a closet. They go, "Hey Bill, come up here." And then you come up and they go, "Hey, we have a question. Well, what do we budget for this?" "Well, I've been talking for five years and nobody's listened to me." "Well, can you come sit in the back of the room now, because now you're important enough that we need to do this." So the relevancy of these people is becoming important. And it all goes back to the Federal Records Act. It's been in place for many, many years, but like 508 compliance, it hasn't received its notoriety because part of it is because of funding. Records divisions within agencies 10 years ago were probably four to five times what they are now. They've condensed that and they've reduced those budgets just as a lot of federal agencies have been reduced.
Michael Ratigan:
Then when NARA came out with this new directive, now they had to turn around and say, "Wait a second, now we have to comply with all this." So now we need to put more resources. So at the agency level, at the management level, that entire footprint is smaller. So as part of this consolidation, all these agencies are trying to consolidate from, say, NOAA had 600 offices across the United States, they want to consolidate that down. Well, you can't do that unless you do something with records. So everything flows up to the Federal Records Act to make sure that agencies are all following the same guidance from the top down, but make the specific records schedules within their agency commensurate to what's important for the types of records that they manage.
Bill Tolson:
So NARA is working with the agencies around the retention disposition schedule and so forth, but does NARA determine what records applications can be used?
Michael Ratigan:
GSA kind of created this called the MAS Schedule. And within that, they have records management companies that self-certify that they can meet these needs. What NARA does is provide guidance to agency record officers on what are the things you should be looking for in these systems? They don't certify the systems. You can say you're 5015.2 compliant, you can apply for that, but it mainly goes down to these agencies and they're coming up with general guidelines, and then industry going to meet those guidelines from a capability standpoint. And they have to couple that with a security and roll out ease of use, change management, and then compete with each other to do that.
Bill Tolson:
Okay. So does the application give the ability to capture, does it give the ability to index, to make it searchable? Is there obviously retention disposition capabilities within the system? How granular is the retention disposition? Obviously these days you want it to be more on a person by person or department by department, then we'll see everybody in the XYZ agency would just keep everything for seven years. That's really not, I don't believe, acceptable anymore. So having that granular capability, but then you also add the addition of data security requirements nowadays with the other directives that we've talked about, that is part of the decision now with agencies looking at vendors. Do you meet EO 14028? Have you used zero-trust architectures, do you encrypt, and is the access role based, or there's a lot of complicating factors there.
Bill Tolson:
But you get into, I think by reading all of these directives, and obviously you know a lot more than I do, there's the records management function, the security function, and then the agencies are going to want to know, number one, what's the cost? But number two, how easy is it for both citizens as well as the agency personnel to use? And can you audit and do all those kind things? And even nowadays we're in the point where with the cybersecurity, can we encrypt, more granularly encrypt sensitive information? Can the system automatically recognize PII or personal attributes and automatically encrypt those fields so that based on who's accessing those documents with the agency, some of them will see the content, some of them won't. I mean, we are getting some really interesting capabilities now.
Michael Ratigan:
No, I think it's exciting. And you can imagine the people managing a lot of this, I mean that Federal Records Act came out in 1950. I mean, that's a long time ago, right?
Bill Tolson:
Yeah.
Michael Ratigan:
To show these agencies how to maintain all their documents, and I think the correct term was file records for safe storage and efficient retrieval, and dispose of records according to agency schedules. Well, in 1950, we all know what that meant, put it in a box, send it to NARA, and then have the ability to get it back when needed. But now those same people that have been trained their entire life to do that are now being told, "We got to put all this into an electronic cloud-based compliant and secure system." And you are responsible for training the masses on how to securely and safely access that content. So it's a daunting task.
Michael Ratigan:
So an industry like Archive360 is very important in the delivery of that because, and that's where I think there's going to be a lot of partnerships that grow out of this in the next 12 to 24 months because in order to reach the speed of government, the way government is moving, one system, I think one company can't do that. And I think it requires digitization companies to partner with the records management companies and the cloud platforms like Archive360, and then even other system integration companies that maybe work specifically within Homeland Security or [inaudible 00:45:36].
Bill Tolson:
Well, and you get into additional capabilities that many organizations are looking for. And that is data analytics. What can I do with the data to give me more value in understanding trends and so forth? And records management, straight records management applications don't necessarily have that capability. Newer systems that were basically natively designed for the cloud, for example, Azure, that takes advantage of the entire technology stack within that cloud, including AI, machine learning, and role-based access controls, and being able to utilize and index and search audio and video. All of those kinds of things are now being built into that cloud technology platform that, and not even mentioning the whole idea of all of the security that needs to be around those things. So doing that on-prem now is really losing kind of target now because you'd be updating stuff all the time, you'd be spending huge sums of money just in case you use certain capabilities.
Bill Tolson:
So obviously I'm a cloud advocate, but it makes financial sense as well. And I know the government agencies have acknowledged this as well and they're doing what they can as fast as they can to take advantage of it, but there are some really interesting, a lot of really interesting capabilities that are becoming more obvious with the adoption of cloud, and that's why with the executive order I mentioned, one of the main things was agencies must adopt the cloud. Period. 100% eventually. And I think this plays directly into it.
Bill Tolson:
Michael, I had one question and I probably seem not very smart with this, but especially with M-19-21, I've seen the term Record Management Self-Assessment or RMSA. What does that really mean?
Michael Ratigan:
Yeah, that is what I'll call the ultimate loophole for federal agencies. It is NARA sending a questionnaire to the agencies and asking the agency record officers or that senior agency official for records management to fill out and assess where they are in this journey from pre-Capstone and M-19-21 from that all paper and non-automated records management to a fully automated records management. And that report, which is available for anybody to see on the NARA website, I've talked to agencies that on that website say they're 70% there. But when I talk to the agencies, they're not 70% there because the way NARA asked the questions, they said, "Are you somewhat close to meeting the deadline? Are you kind of close to meeting the deadline?" So it's ambiguous.
Michael Ratigan:
And I think also is, I think those agencies are writing at a time when they go, "Well, where are we now? Where do we think we're going to be?" So I think they're trying to be proactive and where they should be in some of these cases. I was talking to an agency recently that had like a 90% rating in the system, but they still hadn't selected a records management platform. And the answer was the guidelines were a bit loose. So we have a records information management plan, which is the backbone, we have a records digitization plan of how to do this to migrate paper. And that particular agency had scanned all their records, so they had them electronically, but they hadn't applied general record schedules and they had it moved into a platform and they wanted help in assessing the type of system that they wanted to buy and then eventually trying to buy it by the end of this year.
Michael Ratigan:
So I think the other piece of this, which is important, is I think what the federal government and senior administrators are going to want is a plan. So with companies like Archive360 and the other that kind of come together and become the trusted advisors for these agencies, and these record officers, and program officers, and experience officers, program managers, privacy officers, chief data officers, all these people are looking for trusted advisors to say, "We know we're not going to meet this deadline, but even if the deadline moved 18 months, we still can't meet it. But if we can submit a plan to show where we are today, where we're going to be six months or a year from now, then that's all we can do as an agency is do the best we can with what we have."
Michael Ratigan:
And that's where I think industry working together can provide a lot of value to these agencies and helping them accomplish all the different compliance, M-19-21, the 14028, all these different mandates, industry working together can help federal agencies get there.
Bill Tolson:
So I've been in meetings with several agencies and they all, I think all have mentioned that we really rely on the outside experience and capabilities from our vendor partners to help us make the right decisions and get to this point where we're meeting both the directive timeframe but also meeting the reason for the directive. Meaning number one, we got to get everything electronic, but number two, we have to raise our security capabilities across all of this data, because a lot of data that federal agencies hold is considered sensitive and that stuff needs to be protected to a huge degree. This is probably the crux of what people are maybe listening today on is what are the common or general problems you're seeing with agencies meeting the M-19-21 directive? What are the common issues, challenges that they're seeing across the board?
Michael Ratigan:
I think in general, the first challenge has been lack of attention that has been paid to this and it's now being... They're going to a program manager or the CIO is going to the record officer saying, "What's the plan?" And the plan is there is no plan because there hasn't been any funding and we've introduced plans and nothing's happened. So funding, I think, has been first and foremost, I think the stature of the records program within federal agency has been overlooked. I think the records officers, the ones that I've worked with, are some of the hardest working people I've ever met in the federal government and highly frustrated because when they had been asked, they provided guidance and plans and they've been shunted a lot like 508 compliance was years ago. And the thing was, why do we want to do that because it only affects a small amount of the population that may access these deadlines?
Michael Ratigan:
And as we all know nowadays, social media has made all these things more prominent. So I think the lack of funding has been one issue, I think the lack of respect of what that agency record program does has also been a big stumbling block. Because as you might imagine, why would a program manager for an agency care about whether their information is a record or not? Because that doesn't pay the bills and it doesn't solve the problem. So I think those are two things that have been key for that. But as these deadlines come up, and then now the other thing that is fueling this fire that now they're having the ability to solve the problem with this is access to data.
Michael Ratigan:
So if I can use this mandate and some of these other circulars to digitize all this content and provide some structure around what is traditionally structured or unstructured content, meaning I have a handwritten letter that's unstructured content, but I have a form which is typed, which is structured content. If I can now pull all this information and get that to my chief information office, or my chief data office, or my chief privacy officer, I now am providing fuel for them to solve much bigger problems across the agency. And the negative side has been, I think the lack of respect of the records management office, and funding in general, and what is viewed as it's just not that important. To now, we need data and we can't become a better agency, we can't streamline our operations, we can't fix problems unless we have data.
Michael Ratigan:
That example I used earlier, if I'm trying to figure out a way to best serve the people of Detroit, wouldn't it be good to know what services have I provided to this socioeconomic group in this time period, within this city, and say, "Man, these programs have worked and these haven't." So I can use, if I have X amount of dollars and I can budget these dollars to this group, I'm going to have the highest impact and the highest return. Those are the negatives and then some of the positives that are coming out as well.
Bill Tolson:
Yeah, some of the discussions I've had or we've had with agencies as well, that going through that digitization process with that huge amount of data ongoing obviously, but one of the advantages that we've talked about with them is that once you get that stuff digitized, and you get rid of the hard copy records, but then it's all electronic and you have that software capability to search it and to recognize stuff, basically they've told us that having that electronic information so that we can run analytics against it, for example, and recognize where the PII is and where we maybe need to add additional maybe file-level or field-level security for those documents that have that kind of sensitive information in it, even in structured database programs, what is that data and is it sensitive in nature and do we need to apply additional security for it? Because of the various other directives we already talked about and the issues that the federal government has on a day-to-day basis with cyber attacks anyway, being able to recognize that stuff.
Bill Tolson:
And number one, manage it on an ongoing basis and by retention disposition, but even more so protecting it based on its sensitivity or value. I think the agencies are also thinking that that would be a huge benefit as well because they're very aware of that stuff. Cyber attacks, they're looking for sensitive data. Sure, they'll encrypt your data and stop you from using it, but nowadays it's someone steal the data first and I'm going to use it, I'm going to sell it, I'm going to put it on the internet. And agencies have become very cognizant of that as well.
Michael Ratigan:
No, I agree. And I think one thing that agencies can do kind of looking ahead is do pilots. So when you find that trusted advisor within industry in order to mitigate your risk, especially when timeframes become more and more crunched, take a subset of that data and say, "How can you help me prove this out within the agency?" So what is my current state? Where do I need to be and in what timeframe? And if a lot of those solutions kind of exist, then maybe we scan some content or maybe we ingest some content and we put it through some of these engines that exist. They don't have to be, they can be configured but not customized, so it's an easy lift. And then show that. So let's take the content from a paper form. In the case of Archive 360, let's put it into the Azure platform and then let's encrypt it and then let them see how it works. And they can go, "Wow, go ahead and try to get it, try to do that."
Michael Ratigan:
But now that you have the access, we put in these types of documents. Again, no PII or PHI or anything classified, everything in the clear, and show how the AI tools all work to discover the content, then they can see an end-to-end solution, it's a paper to cloud and that's what I find that the light bulb goes on and they go, "Oh my gosh." And they go, "Now, we've solved problem one, which is paper. And we've solved problem two because now we have an electronic which we can ingest directly and we can apply AI and machine learning and a variety of other tools to auto-categorize your content now from a customer service perspective, the A-11 one we spoke about earlier, now from a customer experience if somebody says, "Hey, Bill, what happened with this particular program?" Now, because you're authorized, you can pull up that content and either provide whatever information you're allowed to reply to them, that the way they request that can be done on a form, which could all be done through something like DocuSign or similar technology, lifted and go back...
Michael Ratigan:
So everything goes back into workflow, so back to the, not only the zero trust, because it's authenticated all the way around, but there's no paper. It's routed to the right people, and at the appropriate time, it just becomes a record and the whole process is transparent. It mitigates risk on the agency side because maybe they pay for a pilot, they pay a couple hundred thousand dollars to do business analysis, current future state, and then do a pilot and prove it out. And if it does, it's a lot easier for us as industry to go back and say, "Based on that pilot, here is your spend that you can budget. Here's the spend for digitization, here's the spend for ingestion of all the electronic content, here's the spend for the backend archive storage as a platform or other system, and you need to budget $25 million over the next five years to do that." Oftentimes, on the budgeting side, that's the number they're looking for, but they don't want risk. So give them the platform and mitigate the risk by doing those pilot programs.
Bill Tolson:
Yeah, yeah. And I think what you were just saying, you also during that process, you can look at as part of the ROI for any system, what's the risk that you're going to lower? Because you can apply a value to that as well. I mean, I know a lot of CFOs and stuff don't necessarily look that way. I think more in the federal government they do, but if we get control of our data, we know what we have, and we're managing effectively, and we're securing it effectively, then we're reducing risk as well. And these days, that's a very big deal. The other thing, I absolutely appreciated the term you use, paper to cloud. I really like that. That kind of says it all right there for the federal agencies and how we can help, how you can help, how Archive360 can help in that major project for the federal government to move from hard copy or paper to cloud, it's going to be an ongoing, obviously ongoing project and a huge one, but I think that really says it all right there.
Bill Tolson:
Michael, I think that wraps up this edition of The Archive 360 Podcast. I really want to thank you for a really interesting discussion today on this really timely subject of federal directive M-19-21. Really a lot of really interesting complexities involved with it, and I think the listeners are going to get a lot out of it. If anyone has questions on this topic, would like to talk to a subject matter expert, please send an email mentioning this podcast with Michael Ratigan to info, I-N-F-O, @archive360.com. Or directly to me at bill.tolson@archive360.com and we'll get right back to you as soon as possible.
Bill Tolson:
You can also email Michael with questions or comments, or want to have a discussion with him at M, as in Mary, Ratigan, R-A-T-I-G-A-N, @dataevolutionecm, all one word, dot com. Also, check back on the Archive360 resources page for new podcasts with leading industry experts like Michael on these interesting and diverse subjects, including subjects like data security, data privacy, information management, archiving, records management, and obviously regulatory compliance. So again, Michael, very much appreciate you taking the time today. I learned a lot and hopefully we'll do some more in the future.
Michael Ratigan:
Well, thank you very much for having me. I enjoyed the conversation and look forward to any comments people have and love to engage and support and answer any questions you may have in the future.
Bill Tolson:
Thanks, Michael.