Why FOIA Professionals Should Care About DoD 5015 Compliance
The UC Berkeley School of Information Management and Systems addressed the growing need for more efficient Records Management in 2003, reporting:
“The world’s total yearly production of print, film, optical, and magnetic content would require roughly 1.5 billion gigabytes of storage. This is the equivalent of 250 megabytes per person for each man, woman, and child on earth… Over 96% of business information is in digital format, 1% is on paper and that 70% is never printed.”
In 2013, 15 years later, Seeking Alpha published a blog post in which they claim that since 2015, 90% of the world’s data has been generated:
“That year , the digital universe, i.e., the reservoir of data created and copied, totaled less than 10 zettabytes – that would be 10, followed by 21 zeros. By 2020, it is expected to grow more than four times to 44 zettabytes. Just five years after that, it could reach 180 zettabytes”.
I don’t know about you, but I found this information startling.
And as the numbers show, year after year, effective records management becomes even more critical.
Government agencies are one of the largest contributors to the growth of records in the US. In addition, most of the data that government agencies create are governed by at least one data-handling legislation. This kind of complexity brings agencies to a point of having to rely on records management software.
Furthermore, things get even more complex because some of the government records should be released in the public as per the Freedom of Information Act. Then the records management system should enable the FOIA agencies to quickly, easily and legally release certain documents that can be released, while being able to do a needed redaction of that document before it is released to the requestor.
So, if you are the one in charge of choosing a records management solution for your FOIA agency, DoD 5015 compliant software is a good starting point.
Let’s shed some light on what DoD 5015 really is and why FOIA agencies need a DoD 5015 compliant software.
What Is DoD 5015 Standard?
DoD 5015 or the Design Criteria Standard for Electronic Records Management Software Solutions is a Records Management standard that resulted from the need for better management of records. The Department of Defense discovered that its record-keeping standards were lacking during the Gulf War.
As a result, DoD created a set of standards for records management which as it has evolved, has become the benchmark for private and public entities. DoD 5015 compliant software emphasizes data security, protection from data loss and data destruction.
This standard was developed in 1993 by the Department of Defense and their goal was to re-engineer internal Records Management processes. Soon after, in 1995, they published a report in which they outlined the requirements and data elements for Electronic Records Management Applications (RMA).
In 1997, the Defense Information Systems Agency (DISA), developed the report into a testable and measurable design criteria standard known as DoD 5015.2.
The DoD standard specifies hundreds of detailed requirements that Records Management Systems must meet and assists agencies in complying with NARA initiatives.
Let’s take a look at some of the most important requirements:
- Management of emails and attachments in electronic formats
- Records destruction in a manner that prevents recovery
- Management of records stored in electronic formats
- Tools to aid the search and retrieval of records
- Linking of records to supporting materials
- Organization disposition instructions
- Security classification markings
- Organization records series
- Organizational file plans
- Retention calculation
- Access controls
In 2007, the 3rd version of the standard was published with an addition of the following requirements:
- Interface and behavioral requirements for integration with electronic Records Management Systems.
- Additional metadata for e-mail, pdf, digital photographs, images, and web records.
- Capability to create alerts and notifications regarding changes in metadata fields.
- Capability to restrict metadata access based on the contents of fields.
- Tools to support RMA-to-RMA interoperability.
- FOIA/Privacy Act workflow requirements.
- More automatic linking requirements.
- Greater data security and integrity.
- Additional transfer requirements.
- Data discovery requirements.
- Vital records review cycles.
A part of the 3rd version of DoD 5015 focuses on requirements that specifically support net-centric information sharing principles. The aim behind these requirements was to make records:
- Visible – By developing and registering standardized metadata.
- Accessible – Through Web services with useable, standardized interfaces.
- Understandable – Through the availability and use of rich metadata describing the records and their context.
Why Care About DoD 5015 Compliant Software?
Records management is no longer only a technical issue. Chief officers need to spend time thinking about this because there are significant liabilities if information leakage were to happen.
Chief officers need to be proactive in how their organizations handle corporate data because the bottom line is their corporate reputation is on the line.
Perhaps the most painful non-compliance case was Hillary Clinton and how her staff handled their data. Their non-compliance probably cost Hillary her presidential race just a few years ago.
DoD 5015 compliant software helps vendors to make sure they use the best processes and technologies for handling sensitive data. Non-compliant software, that fails to keep up with DoD recommendations, will simply be pushed off the market by competitors that do make sure their solutions are compliant.
As CMSwire says: “By being certified, Records Management Solutions can assist corporations to achieve compliance and reduce risk by enabling them to control how and for how long enterprise content is retained. It also ensures destruction of that content when this time has elapsed.”
Knowing that a system has been tested against the DoD’s strict standards and achieved full compliance with DoD 5015, gives your organization the assurance that the solution you chose supports Records Management in a standardized way.
This means that the Records Management Solution, through organized record structures and plans, manages the lifecycle of all of your records. From initial capture to long-term archiving, paying special attention to:
- Workflows and Business Process Management,
- Federated and advanced search,
- Security and access controls,
- Records retention,
- Version control,
- FOIA, etc.
DoD 5015 compliant software will be certified to properly do the following:
- Break down information silos in a standardized way which makes the team more productive, while ensuring that information is accessed in a prudent and compliant way.
- Set mandatory metadata standards for all records, including different formats such as email, photos, and office documents.
- Find the best methodology for the destruction of electronic records at the end of their lifecycle.
- Provide a standard approach for the transfer of records from one agency to another, and for transfer from an agency to NARA.
- Define metadata requirements for classified records.
- Define requirements for FOIA and Privacy Act solutions.
Because of this, DoD 5015 has become a de facto Records Management standard in North America. And as the Government continues to implement these new changes and requirements, the level of consistency across the government alleviates the chaos.
How DoD 5015 Standard Affects FOIA Request Processing
Version 3 of this standard requires the Records Management vendor community to migrate towards providing “standards-compliant services to larger service-oriented architectures.” This is for achieving broader information sharing.
Version 3 DoD 5015 pays special attention to requirements supporting management of classified records, as well as requirements that support FOIA.
Records Management Applications (RMA) that support the Freedom of Information Act (FOIA) have specific requirements to achieve open and improved information sharing under DoD 5015 standard:
- Organization Access Rules. RMAs must provide functionality that supports authorized personnel in preparing and posting access rules for the public to gain access to FOIA Information.
- Access Rule Metadata. RMAs must provide the capability for an authorized individual to create an access rules record.
- FOIA Access Requests. RMAs must provide functionality that supports authorized personnel in recording, tracking and managing FOIA request.
- FOIA Request Time Limits. RMAs must provide the capability for an authorized individual to set time limits that shall apply to acknowledge requests for access and for providing access.
- Tracking FOIA Requests. RMAs must provide authorized individuals the capability to track FOIA Requests.
- Workflow Suspense Dates. RMAs must provide the capability for an authorized individual to assign the FOIA request to a workflow or to create and assign alert logic to user-defined interim suspense dates and extensions to suspense dates.
- Disclosures. RMAs must provide authorized individuals the capability to record disclosure requests and track, manage, and account for disclosures.
- Managing Disclosure Request Metadata. RMAs must provide the capability for an authorized individual to create a record of an FOIA disclosure request.
- Disclosure Exemptions. RMAs must provide an authorized individual with the capability to create and manage exemption records
- Linking Exemptions to Records. RMAs must provide an authorized individual with the capability to link an exemption record to a record or a group of records.
- Appeal Time Limits. RMAs must provide the capability for an authorized individual to set time limits that shall apply to process appeals.
- FOIA Reports. RMAs must provide authorized individuals the capability to create, file, and manage FOIA Reports.
- IA controls for availability, integrity, confidentiality, authentication, non-repudiation. The software must be National Telecommunications and Information Systems Security Policy-compliant.
As you can see, having a DoD 5015 compliant software is of great importance for FOIA agencies. Dealing with large amounts of data every day, Records Management and data safety is an unavoidable part of FOIA processing.
Chapter 3 of Version 3, DoD 5015 pays special attention to FOIA processing. With all the requirements listed above and much more (which you can see here), DoD 5015 takes good care of Records Management in FOIA processing.
Benefits of Adhering to the DoD 5015 Standard in FOIA Requests Management
Now, let’s take a look at some of the benefits DoD standard will bring to your FOIA agency in addition to the benefits we listed above:
- DoD 5015 Compliant Software will protect every FOIA request and all records related to that request. Including correspondences, case-related records like notes, multimedia files, etc.
- DoD 5015 Compliant Software will standardize the metadata for all request-related records.
- DoD 5015 Compliant Software will make sure to standardize the approach for the transfer of records from one agency to another, and for the transfer from an agency to NARA.
The DoD certification process is one of the toughest standards worldwide. And when choosing an RMA, you want to make sure it takes care of the entire lifecycle of your content. You want to make sure it provides standardized metadata, security, and access controls, version control, workflow aligned to organization processes/procedures/controls, retention, archival, federated and advanced search.
Alfresco Records Management
Alfresco is one of only 14 RMAs to have their Records Management product certified by the Department of Defense. And it was the first one to achieve this distinction. Also, it’s open-source, making it the go-to standard for cost-effective records management solutions.
Tara Combs, Alfresco’s Information Governance Specialist explains:
“We’re excited to announce this certification, which demonstrates our commitment to security and compliance. The features required for certification must include very sophisticated access control to content and records that ensure that only those who need access to content and records have access…Meeting the DoD 5015.02 CH3 standard means that customers in the U.S. government can now manage all their content – classified and unclassified – in a single, unified digital business platform that offers content, process and governance developed by a single vendor on a modern OpenStack.”
Alfresco is an open-source software company focused on advancing the flow of digital businesses. It provides an improved, effortless way for FOIA agencies to manage records of any type at the highest level of DoD 5015.02 security certification, including:
- Electronic documents,
- Videos, etc.
The key component of Alfresco’s infrastructure is providing a basis for records retention, legal holds, disposition and intelligent storage management of both digital and physical records.
With it’s refined and straightforward automated controls and interface, Alfresco allows authorized users to set permissions, disposition, and retention policies across a single scalable repository.
Alfresco also provides a flexible and scalable BPM engine that enables users to create and engage in workflows based on organizational processes.
As such, Alfresco helps more than 1,300 industry-leaders to digitalize processes, manage content, and govern information successfully.
Some of the biggest names Alfresco helps are:
- US Department of Navy,
- The Joint Chiefs of Staff,
- Bank of NY Mellon,
- Capital One,
- Cisco, etc.
With today’s DoD certification, Alfresco can alleviate the need for government agencies to integrate and maintain separate records management solutions on the backend and provide a more effective holistic solution that is scalable and easy-to-use.
“This certification allows Alfresco to compete for business across the entire federal government, regardless of security requirements,” said Tony Franzonello, Alfresco’s regional vice president, Federal Sales.
“It removes a hurdle that could prevent some customers from swapping out their entire legacy ECM solutions for Alfresco. It also demonstrates a commitment from Alfresco to be a top-tier provider of content, process and governance services.”
“These security features allow us to meet standards in other verticals such as Financial and Insurance as well as global standards such as ISO 15489 and 16175,” said Combs.
Alfresco Content Services 6.0
On July 11th, Christian Finzel, the Senior Advisor of Market Intelligence at Alfresco, announced the release of Alfresco Content Services 6.0.
As Finzel explains, the major focus of the new Alfresco Content Services 6.0 is on significant architecture improvements such as:
- New containerized deployment option, based on Docker and Kubernetes.
- Anonymous usage metrics via Heartbeat. Alfresco Content Services send anonymous usage metrics to Alfresco through the Heartbeat service. Alfresco uses this anonymous information to meet users needs of the organization and help them understand the usage of Alfresco products.
- Significant library upgrades in both the repository and Share.
- Containerized deployment. This includes Alfresco Repository, Alfresco Search Services, and Alfresco Share.
- Upgraded integrations. Alfresco Content Services 6.0 introduces some changes that require new releases of all modules. To upgrade to Alfresco Content Services 6.0, users need to update any of the module artifacts to which they are entitled.
- Expanded REST APIs. An updated version of the REST API Explorer is provided to navigate the new REST APIs.
- Code organization. Enterprise customers are able to build the artifacts from scratch provided they have an access to the Alfresco Nexus repository (enterprise-releases).
Finzel adds: “As customers embrace DevOps, infrastructure as code, the cloud, and Alfresco, the capabilities introduced in Alfresco Content Services 6.0 deliver a step change in time-to-value.”
Let’s take a look at some of the benefits of the new Alfresco Content Services 6.0:
- Reduces operational cost – Customers are now able to scale the infrastructure up and down quickly depending on the current workload.
- Uses trusted Open Source industry technologies – Based on Docker & Kubernetes, customers can deliver fast and standardized deployments across environments.
- Accelerates development and deployment – Containers reduce environment inconsistencies and support DevOps to accelerate development and deployment from the test environment through a staging system to production.
All of this makes Alfresco the only proven ECM, open-source platform to be DoD 5015.2 certified, uniquely positioned as a cost-effective and full-featured alternative to proprietary solutions.
Alfresco, with all of its features, can be used even by customers outside of the U.S. Government. They can easily take advantage of the granular security features developed for certification and, as such, be sure that their systems are built on a platform that is the gold standard for records security.
Let’s Wrap Things Up
When choosing a Records Management Solution, FOIA and government agencies, in general, must pay special attention to security and data protection. And, when it comes to a Records Management certification, one particular standard stands out: the DoD 5015 standard.
Every government agency should start with DoD 5015 standard and look for a DoD 5015 compliant software. This standard is widely adopted as a de facto standard for all Federal agencies as endorsed by the National Archives and Records Administration (NARA).
The reason for the endorsement is because DoD 5015 compliant software makes sure to provide Information Governance throughout the lifecycle of all content providing:
- Workflow aligned to organization processes/procedures/controls,
- Federated and advanced search,
- Security and access controls,
- Standardized metadata,
- Version control,
This is why not all RMAs can be 5015 compliant. They must be tested against the requirements specified by the standard.
The testing must be conducted by the Joint Interoperability Test Command, part of the Defense Information Systems Agency, that tests information technology and national security systems.
The reason for the DoD 5015 compliant software is to protect your content from data loss and data destruction. The standard is designed to help users implement best-practices records declaration, classification, and records administration while improving productivity.
Armedia provides DoD compliant solutions relying on Alfresco, the only open-source data management platform that is DoD 5015 compliant.
Alfresco as the best open-source platform to be DoD 5015.2 certified, will make sure to meet your organization’ operational, legislative, and legal needs. This combination of easy-to-use yet powerful Records Management Solution helps government agencies to save time and resources while protecting and organizing all their records.
This is the reason why our team at Armedia decided to rely on Alfresco to ensure a DoD 5015 compliant software. This way, we make sure our software responds to all of your operational, legislative, and legal needs while making sure your security is in the first place.
If you want to learn more about Armedia FOIA Software Solution, you can check out our other FOIA blog articles.
If you have any questions about DoD 5015 compliant software or about Armedia FOIA Software Solution, feel free to ask or leave your thoughts in the comments section below.