BPA Benchmarking Report
|2.4||Federal Bureau of Investigation: Electronic Recordkeeping Certification Manual. http://www.archives.gov/records-mgmt/toolkit/pdf/erkc-manual.pdf|
Federal Bureau of Investigation (FBI). The mission of the FBI is to uphold the law through the investigation of violations of federal criminal law; to protect the United States from foreign intelligence and terrorist activities; and to provide leadership and law enforcement assistance to federal, state, local and international agencies. Records management policies and procedures that ensure the proper creation, maintenance, use and disposition of records are critical to achieving the FBI's mission. In the transition from paper to electronic recordkeeping, the FBI recognized that it needed a methodology to ensure that electronic records are managed in compliance with all applicable recordkeeping laws, regulations, and policies.
The FBI Records Officer has the authority to determine what FBI information constitutes a record under Federal Law and the authority to approve, or withhold approval of, any electronic information system in use or in development. No electronic information system is authorized for use in the conduct of FBI business without the approval of the FBI Records Officer. The records officer's highest priority is to ensure that appropriate records management requirements are incorporated into IT system specifications and validation tests when new information systems are developed. When possible, the FBI will also review existing systems for compliance with records management requirements and will address any deficiencies identified.
FBI Electronic Recordkeeping Certification (ERKC) Manual. The FBI created the Electronic Recordkeeping Certification process to ensure that the information systems the FBI develops and maintains comply with statutory and agency electronic recordkeeping requirements. The ERKC process incorporates electronic recordkeeping requirements into the agency's system development life cycle so that all system development activities appropriately consider electronic recordkeeping issues from project conception through post-implementation reviews. The ERKC Manual describes the process used to evaluate system compliance with records management criteria, and is based on best practices such as those contained in DOD 5015.2-STD. The process is designed to guide system sponsors and developers in assessing and incorporating records management criteria into system requirements specifications, and then ensuring fulfillment through a review of documented system test results. The ERKC process consists of identifying systems that contain records, helping system owners and developers understand ERK criteria, ensuring that system requirements specifications satisfy ERK criteria, and validating ERK functionality through review of system test results.
Records management task supported
The FBI ERKC process supports the systems development life cycle by incorporating electronic recordkeeping requirements in the system planning and development process. Specifically, the FBI's ERKC Manual and the validation processes meet these goals by providing specific instructions for including requirements in four major phases of system design: project definition, in which one of four potential strategies for managing electronic records is identified, verification that the system design incorporates recordkeeping criteria, validation that the system as built does meet the requirements and can be given a certification of Approval to Operate, and finally, post certification review to ensure that systems continue to meet recordkeeping requirements throughout their active lives.
The recordkeeping requirements for IT systems are evaluated for compliance during the ERKC process through formal reviews at five review boards which serve as control gates in the systems development life cycle and ERKC processes.
The FBI's ERKC process is designed for use by information systems sponsors, IT system owners, IT system developers, records management professionals, and other information management professionals. The FBI records officer is responsible for certifying information systems and for coordinating the certification process with business units and system developers.
Benefits and Strengths
The ERKC process ensures that electronic recordkeeping functionality is incorporated into all new and updated information systems in a formal, structured way. The Electronic Recordkeeping Certification Manual is a detailed and extensive guide to the certification process itself and the criteria for certification, contained in Appendix C along with sample tests and expected test results for each criterion. Representatives from the Records Automation Section sit on all five information technology boards within the Bureau: Enterprise Architecture Board; Information Technology Review Board; Investment Management Project Review Board; Information Technology Policy Review Board; and the Information Technology Advisory Board, to assure that all ERKC requirements are met and that all systems are certified prior to final deployment. These review boards function as control gates to assure that all IT system and functional requirements (not just electronic recordkeeping requirements) are incorporated into the new system. The FBI's certification process gives the Records Officer the authority to withhold approval to operate from a system that does not meet necessary recordkeeping requirements. This is a strikingly strong formulation of independent records management authority over systems development.
The FBI's ERKC process, although effective, requires many hours of records management staff time to implement fully. Staff members report that it can take around 120 hours of staff time to do a full analysis. The FBI hopes to add more staff members to the Records Automation Section in order to devote more time to the ERKC process. Because the records management staff now need to track the progress and status of many systems in all stages of development, they found that they also needed new tracking and management tools to support the ERKC process. In the future, staff members would also like to be able to provide accurate estimates of the costs of long-term electronic records storage so that cost could be built into the initial capital request.
The ERKC process, because of its focus on system functionality, would not itself identify all process-specific recordkeeping requirements that could be identified and defined in a business process analysis project. It provides assurance that the system can manage records appropriately, but does not attempt to address whether or not the right records are captured.
Environment for which it is suited
The FBI's ERKC process works best in large, sophisticated operations where IT systems development and records management operations are well integrated into the IT infrastructure and agency business processes. Another significant requirement is the need for a sustained commitment by the CIO and senior agency management to support the ERKC program and provide appropriate resources to assure its long-term success. It would work best in agencies with good communications between the IT and RM programs, and with program managers and staff in agency business units. To use the ERKC process, agencies need to develop an appropriate standards-based IT infrastructure to support enterprise-wide initiatives such as ERKC. The FBI certification process requires a highly skilled and professionally trained records management staff with a high-level commitment over the long haul to successfully develop and implement the process, and to integrate it into the agency's system development procedures and the IT and records management infrastructures. Because a full-blown ERKC analysis can take so much staff time, it may be necessary to prioritize which systems get intensive analysis by using risk management and other factors if the necessary resources (possibly in the form of contractor support) are not available for certifying all systems.
Significance to NARA
In the transition from paper-based to electronic recordkeeping, there is a shift in emphasis from direct management of a record as a physical object towards the design of the infrastructure in which records are created, captured, and managed by integrating a variety of processes and procedures that involve the individual end user, agency management, and technology (the critical trio of people, processes, and technology). For records management and IT staff, this shift in emphasis is likely to require a new range of records management skills to manage records in new kinds of systems in new contexts, for as long as they are needed. For organizations, this involves the development of multi-skilled and multi-purpose project and operational teams that bring together a range of different skills and expertise. In an electronic recordkeeping environment, new skills and responsibilities are also required of end-users as the creators and users of records. They will have greater responsibility for correctly identifying and dealing with records in their earliest stages of creation, which will require a significant cultural change in attitudes and behavior towards creating and managing records. Finally, agency management must assure that appropriate policies, procedures, and training are in place to support electronic recordkeeping. The ERKC is one of a number of steps the FBI is taking now to address how it will manage people, processes, and technology in its move to all-electronic recordkeeping.
The fact that the Electronic Recordkeeping Certification Manual is detailed, comprehensive, and explicit would make the FBI's process a relatively easy one for another agency with the right records management and IT relationship in place to understand and use as a model. The fact that the criteria laid out in the manual and the basic structure of the process are fairly universal (rather than highly customized for the FBI) would also make this process relatively easy for another agency to adapt for its own environment.
Because all agencies are confronting the challenges of using information systems as recordkeeping systems and many agencies could probably learn from the FBI's work, NARA gave the FBI's new ERKC process a Best Practices Award at NARA's 2005 Records Administration Conference (RACO).