BPA Benchmarking Report
2.5 Central Intelligence Agency: Electronic Recordkeeping System (ERKS) Requirements and Certification Process
Electronic Requirements document available at http://www.foia.cia.gov/info_management.asp
Central Intelligence Agency (CIA). The CIA's primary mission is human intelligence collection and all-source intelligence analysis to ensure the national security of the United States and the preservation of American life and ideals. To accomplish its mission, the CIA engages in research, development, and deployment of advanced technology for intelligence purposes. As a separate agency, CIA serves as an independent source of analysis on topics of concern and works closely with other intelligence organizations to generate the best intelligence possible.
The CIA is organized into four major directorates plus the Center for the Study of Intelligence. The Directorate of Support provides the mission critical elements of the Agency's support foundation: people, security, information, property, and financial operations. The ERKS program office, which manages the ERKS requirements and certification process, is located in this directorate.
CIA Electronic Recordkeeping System (ERKS) Requirements and Certification Process. The purpose of the ERKS requirements document and the certification process is to allow the Central Intelligence Agency to effectively manage and exploit its records and other information assets through the creation of electronic systems which can adequately capture and manage electronic records, and manage their disposition, in accordance with applicable laws and regulations. The ERKS requirements document identifies the functional information management requirements for new and legacy information systems. As stated in the purpose statement of the requirements document, "These requirements support a uniform approach to: the protection of information integrity; the collection and display of required metadata; the preservation of agency data over time; the maintenance of record material electronically; and the regular and lawful disposal of information that is no longer needed."
The ERKS process was first developed in 2000 but was substantially revised in 2004 as part of the development of an agency-wide effort to standardize the system development process. In 2004, the CIA integrated all stakeholders into control gates for review of each stage of the systems development process. Because the 2000 version of ERKS was already available, the CIO naturally included the Information Management Officer as a stakeholder and incorporated the ERKS requirements with the other sets of requirements provided by other stakeholders. The ERKS requirements certification process is a structured process applied to all new and upgraded applications and systems that go through the overall system development process. It ensures that these systems all incorporate the necessary ERKS requirements, which are based on a streamlined set of DOD 5015.2-STD requirements, into the overall requirements documents for the systems. As part of the ERKS process, system owners work with Information Management Officers to develop Information Management Plans that document the system and its records and outline the processes necessary to maintain, destroy, and migrate the records appropriately.
The Information Management Officers in the business units obtain published documentation for proposed IT systems, such as the Concept of Operations Plan, business and system requirements documents, and ERKS Certification proposals, and develop the Information Management Plan. The ERKS staff meets with business unit Information Management Officers, business unit representatives, project technical staff, and developers to assist in the development of the Information Management Plan. Information Management Officers meet informally with program staff to understand the project scope and define requirements, and then develop draft ERKS requirements. Information Management Officers meet once again to review the draft requirements document before the documents are submitted to formal review boards such as the System Requirements Review, Design Concept Review, Preliminary Design Review, Critical Design Review, Test Readiness Review, and Deployment Readiness Review. The review boards bring all of the system requirements together for formal review, approval, and traceability throughout the planning and system-build process. The Information Management Officers use the requirements traceability matrix for documenting and validating ERKS Certification. They also conduct a follow-up test of all electronic recordkeeping requirements in the system.
Records management task supported
The CIA ERKS requirements process supports the systems development life cycle for electronic recordkeeping by identifying the CIA's baseline set of recordkeeping requirements for information systems and building them into the system development life cycle. The goal of the ERKS certification process and the resulting Information Management Plan is to identify requirements and processes necessary to ensure that agency information systems are designed and maintained in such a way as to create, retain, and dispose of records in accordance with the business and legal needs of the organization.
The CIA's ERKS certification process is designed for use by information systems developers, business unit staff, records management staff, and other information and records management professionals. It also relies upon a knowledgeable, well-trained and widely-dispersed records management staff of Information Management Officers that are deployed throughout the agency business units and well integrated into the CIA's IT systems development business processes. The Information Management Officers are able to assist in the ERKS requirements and certification process and in developing the Information Management Plan.
Benefits and Strengths
The CIA's ERKS process is effectively ensuring that recordkeeping system requirements are routinely identified and incorporated in new and upgraded systems through a very thorough integration of records management as a stakeholder in the standard systems development process. Although the ERKS process requires significant records management staff time, including ERKS in the overall systems development life cycle has not had a negative impact on project schedules.
The CIA's very short and unintimidating handbook and the streamlined list of requirements have made it relatively easy to convince system developers to use the ERKS process. The network of Information Management Officers in the business units provides a way of supplementing the short handbook with human expertise in the process.
The Information Management Plans are a formal, structured method of documenting processes outside the system that are required to protect records for as long as they must be retained.
The ERKS requirements process is not designed to identify all process-specific electronic recordkeeping requirements that would be identified and defined in a business process analysis project.
The ERKS requirements are a streamlined subset of the more extensive set of recordkeeping requirements found in DOD 5015.2-STD for records management applications, so they do not include all the detailed requirements found there, although the CIA process does provide a way to incorporate requirements that may exceed the baseline depending on the business process and how the IT system will be used.
The way the standardized systems development process is set up in the CIA, system development project managers rather than program staff members work directly with the ERKS process and become familiar with electronic recordkeeping concepts. CIA records managers feel that they may be missing an opportunity to educate business unit staff about their ongoing responsibilities for the electronic records in the system. Now that the ERKS process to include recordkeeping requirements in new systems is working smoothly, though, the ERKS program staff members hope to be able to devote more time to post-development educational activities in the future.
Environment for which it is suited
The CIA's ERKS process works best in a large, sophisticated operation where IT systems development and records management operations are well integrated into the IT infrastructure and agency business processes, and there is a long-term commitment by senior agency management to support the program and provide appropriate resources to assure its success. It would work best in agencies with good communications between the IT and records management program areas, and with program managers and staff in business units. To support the process, an agency needs to develop an appropriate standards-based IT infrastructure to support enterprise-wide initiatives such as the ERKS requirements and certification process. The CIA's certification processes require a highly skilled and professionally trained staff to implement the process and supplement the short handbook with their expertise. A process like this also requires a high-level commitment over time to integrate the process into the agency's enterprise architecture, system development lifecycle procedures, and the IT/records management infrastructure.
Significance to NARA
The CIA's ERKS requirements and certification process are an effective way of ensuring that recordkeeping requirements are built into every new or updated IT system that contains Federal records. As with the FBI, the CIA process utilizes requirements found in DOD 5015.2-STD, which NARA has endorsed for use by all Federal agencies. The CIA found that Version 1 of their ERKS process, which included all of the DOD 5015.2-STD ERK requirements and was presented in a handbook of approximately 130 pages, was very complicated and burdensome for IT system developers to use. The CIA found that the level of complexity served as a barrier to necessary cooperation and full implementation. The current, more streamlined, version of the process has been easier to use and more readily accepted throughout the agency.