ML24045A043

2023 Federal Electronic Records and Email Management Report
ML24045A043
Person / Time
Issue date: 02/14/2024
From: Gilbert H
NRC/OCIO
To:
US National Archives & Records Admin (NARA)
Gilbert H
References
Download: ML24045A043 (23)


Text

2023 Federal Electronic Records and Email Management Report

Federal Electronic Records and Email Management Maturity Model Report for 2023

Please do not skip this section. This is your only chance to enter your contact information and the agency for which you are responding.

Please enter your contact information below.

First Name: Helena

Last Name: Gilbert

Job Title: Agency Records Officer

Email Address: helena.gilbert@nrc.gov

Phone Number: 571-344-4934

Please select the agency and, if applicable, component agency or office for which you are reporting by clicking on the drop down arrows below.

Department/Independent Agency: Nuclear Regulatory Commission

Component/Subordinate Agency:

This maturity model is one of the tools used to track the current state of federal agencies' electronic records and email management programs.

For the purposes of the Annual Federal Agency Records Management Reporting, we have divided this template into two parts to allow agencies to separate their management of permanent electronic records and email management. While email can be a form of an electronic record, and the maintenance of systems is similar to systems containing other electronic records, policies, disposition, and even access may be different.

The reporting period begins on January 8, 2024, and reports are due back to NARA no later than March 8, 2024.

NARA plans to post agency responses on archives.gov. Please ensure that your agency's report is a publicly releasable version. This action is in the interest of transparency in government and to promote collaboration and communication among agencies. NARA intends to list any non-responding agencies in a summary report and on the website.

NARA reserves the right to follow up with agencies to obtain additional information and/or documentation that supports their answers to the questions.

When answering, agencies should be reflecting on the state of their electronic records and email management at the time the report is submitted.

Please read carefully and choose the description that best describes your agency's current ability to manage electronic records and email for each question.

PLEASE NOTE: If you need to exit the survey before completing each Part, you MUST click on the NEXT button at the bottom of the page before exiting to ensure your answers to that point are saved.

PART I: Federal Electronic Records Management Reporting

This maturity model is intended to assist agencies in self-evaluating their electronic records programs, particularly as it pertains to the management of permanent electronic records. Certain elements may also be applicable to the management of temporary electronic records. The model was developed based on the operational steps outlined in NARA's Criteria for Successfully Managing Permanent Electronic Records released in July 2018.

There are five key aspects that measure the current state of electronic records management programs.

1. Management Support and Resourcing
2. Policies
3. Systems
4. Access
5. Disposition

To properly use this model, agencies should read each description and select the one that best fits their organization's current condition for each domain. In order to be useful, this tool should be used honestly, consistently, and often to measure improvements as they are implemented.

1. Management Support and Resourcing

Description:

Management support and a strong positioning of an agency's records management program in the organizational structure is key to program success. This domain measures the level of management support, including the recognition of records and information as valuable assets, the alignment of the records program to business/mission functions to support strategic goals and objectives, the development of performance management, and adequate resources to include funding.

In accordance with OMB Circular A-130, agencies are required to consider records management for all resource planning and management activities. Senior Agency Officials for Records Management (SAORMs) must ensure sufficient resources are available and prioritized for managing electronic records, including policy, people, processes, and tools. This includes a sufficient number of dedicated, qualified, and trained records management staff to meet agency needs for program implementation.

Adequate resources should be allocated to provide education and training for the general agency workforce, including contractors that handle or manage federal records. Agencies must designate records officers, records custodians, and other agency liaisons. These personnel, or records management staff, must have specialized training to perform the duties described in OPM occupational series 0308, Records and Information Management. Sufficient funding and resources should also be allocated for records management-related products, services, equipment, and/or technology.

What Success Looks Like: Agency leadership recognizes records as strategic assets to the mission and decision-making of the agency and provides the appropriate resources necessary to manage these assets effectively and efficiently.

1.1 Which of the following best describes engagement of the Senior Agency Official for Records Management (SAORM) and/or other senior managers?

Note: In component agencies of Departments, the SAORM may be at the Department level only but components can answer with their impressions of the SAORM engagement at their level.

An SAORM has not been designated. Agency senior managers are unaware or not engaged in the prioritization and allocation of any resources to electronically manage electronic records (temporary and permanent).

An SAORM has not been designated but the role is filled by someone as Acting. Agency senior managers are aware and engaged in the electronic records management program; however, there are insufficient budgetary resources, and no additional steps have been made to adequately manage permanent electronic records.

The designated SAORM is in the process of working with agency records management and IT staff to develop an electronic records management program and identify necessary budgetary resources, but has not involved other agency senior managers.

The designated SAORM is engaged in the electronic records management program and is taking positive steps to provide the necessary budgetary resources to adequately manage permanent electronic records, and informs other agency senior managers as appropriate.

SAORMs are proactively engaged in the electronic records management program, are providing the necessary budgetary resources to adequately manage permanent electronic records, and are consistently keeping other agency senior managers informed of their related responsibilities.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the SAORM is proactively engaged in the totality of the records management program through meetings with the Agency Records Officer (ARO) on a regular basis.

Meeting topics include managing Capstone and non-Capstone email, policies on managing non-record material, releasing records to the public and the overall status of the records management program. A challenge to providing necessary budgetary resources exists due to competition for limited resources (e.g., contract funding, FTE) based on decreasing agency budgets.

1.2 Which of the following best describes your agency's Agency Records Officer role, responsibilities and knowledge?

Agency does not have a designated Agency Records Officer, and there is no indication that a future designated Agency Records Officer would have or would obtain NARA's Agency Records Officer Credential (AROC).

An Agency Records Officer has not been designated but the agency intends to do so and is considering requiring that person to have or to obtain NARA's Agency Records Officer Credential (AROC).

Agency has designated an Agency Records Officer and is considering requiring them to have or to obtain NARA's Agency Records Officer Credential (AROC).

Agency has designated an Agency Records Officer. Agency encourages, but does not yet require, the Agency Records Officer to have or to obtain NARA's Agency Records Officer Credential (AROC). The Agency Records Officer is in the process of obtaining this credential.

Agency has designated an Agency Records Officer and requires the holder of this position to have or to obtain NARA's Agency Records Officer Credential (AROC), as required by the agency and NARA policy.

Please explain why this level was chosen and what challenges exist.

This level was selected because the NRC's ARO through October 2023 was a Certified Records Manager (CRM) since 1995 and is a Certified Federal Specialist; her replacement as of October 2023 has been a Certified Records Analyst (CRA) since 2019 and became a NARA-certified ARO in 2023 by testing out of the requirements to take the Agency Records Officer Certification classes. The ARO is challenged due to competition for limited resources (e.g., contract funding, FTE) based on decreasing agency budgets.

1.3 Which of the following best describes your agency's network of records management officers, records custodians, and other agency liaisons or staff with assigned records management responsibilities?

Agency does not specifically assign records management roles or responsibilities to staff.

Agency has a network of staff with records management responsibilities, but does not provide those assigned records management training or guidance on what is required.

Agency has a network of staff with records management responsibilities, and they receive general training on what this assignment means and what is required.

Agency has a network of staff with records management responsibilities who are trained on what this assignment means and basic records management.

Agency has a network of staff with records management responsibilities trained on what this assignment means, what records management responsibilities and requirements are, skills needed to perform the responsibilities and how to use those skills.

Please explain why this level was chosen and what challenges exist.

This level was chosen because all NRC offices have a Records Coordinator with records management responsibilities assigned as a supplementary duty. The agency also maintains trained records management staff who work directly with and in support of the ARO. A challenge related to budget cuts in prior fiscal years is decreased Federal staff and contractor support for the records management mission.

1.4 Which of the following best describes records management program monitoring?

There is no attempt to monitor records management activity.

Informal monitoring of the records management program is done on an ad hoc basis. No formal program is under development.

General monitoring of records management program compliance is done on an ad hoc basis. Formal program performance measures are under development.

Agency utilizes formal program performance measures, as well as NARA's annual Records Management Self-Assessment, to monitor records management program compliance with limited remediation of program activities found in need of improvement.

Agency utilizes formal program performance measures, as well as NARA's annual Records Management Self-Assessment, to monitor records management program compliance and remediate program activities found in need of improvement.

Please explain why this level was chosen and what challenges exist.

This entry was chosen because the agency has established formal performance metrics regarding records management that are reported and considered in records management and senior leadership annual reviews. In addition, the records management program undergoes ad hoc Office of Inspector General audits, engages in the annual NARA self-assessment process, and conducts annual Information Inventories with all Offices, to the extent possible. These activities support program compliance and remediation of program activities to improve the program.

1.5 Which of the following best describes records management training for all agency staff and contractors so that they are aware of their records responsibilities for creating and maintaining records in accordance with agency policies and procedures, and NARA policies and regulations?

Records management training does not exist and is not under development.

Records management training is under development.

High-level general records management training is available but not required.

Records management training with some role-based training is available. General records management training is required at least once a year.

Records management training, including role-based training, is part of the agency's mandatory training for all staff and contractors, including senior executives and appointed officials.

Please explain why this level was chosen and what challenges exist.

This level was selected because the NRC shifted from triennial mandatory training to annual training in FY2020. All NARA training requirements are fully addressed in terms of content of this formal training, and the training itself is updated as needed.

2. Policies

Description:

A successful records management program has a governance framework, articulated policy, and clear standards. For electronic records management this is particularly important due to fragility, security vulnerabilities, and other unique characteristics of electronic records. This domain measures the establishment, dissemination through training and other means, implementation, and use of policies specific to electronic records management topics.

Agency-wide policies and training must inform all personnel who create, receive, access, or use federal records of their records management responsibilities. Policies should be developed with all relevant stakeholders and must address the requirements of the Federal Records Act (FRA), 36 CFR Chapter XII Subchapter B, and other relevant guidance issued by NARA and OMB, such as OMB Circular A-130.

Specifically for permanent electronic records, agencies must ensure policies are in place to effectively manage them from creation to transfer. Policies must fully explain how the agency expects staff to manage permanent electronic records, and have agency-wide training programs that fully educate all staff on their responsibilities for managing all electronic records in accordance with these policies.

What Success Looks Like: Your agency's policies fully explain how to manage permanent electronic records, and procedures and training programs guide staff in fulfilling their responsibilities for managing all electronic records.

Policies should include:

The identification of records management roles and responsibilities.

Scheduling, managing and transferring permanent electronic records to NARA.

The use of tools for digital signatures.

Notification and reporting procedures for unauthorized access, use, alteration, alienation, or deletion of electronic records.

The inclusion of records management into agency information resources management strategic plans.

The inclusion of records management into the agency's Capital Planning and Investment Control process.

The inclusion of records management into the agency's Systems Development Life Cycle process.

NARA's records management language to safeguard government-owned permanent electronic records created, maintained, and stored on agency systems or cloud and social media platforms owned by third-party vendors.

2.1 Which of the following best describes if your agency creates records management policies that oversee management of electronic records and permanent electronic records in particular as described in the bullets above?

Policies do not exist for electronic records.

Policies exist for electronic records but do not include permanent electronic records, nor are they in any stage of development that would address the bullet points above.

Policies exist covering electronic records in general, but those specifically covering permanent electronic records addressing some of the bullet points above are under development.

Policies covering electronic records with specific information about the management of permanent electronic records addressing most of the bullet points above have been drafted but not yet approved or implemented.

Policies covering electronic records with specific information about the management of permanent electronic records addressing all of the bullet points above have been approved and implemented.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the vast majority of electronic records management policies have been approved and implemented through the agency's Management Directive 3.53, NRC Records and Documents Management Program; numerous Yellow Announcements (policy) that supplement the Management Directive; the Information and Records Management Guideline System; and the Agencywide Documents Access and Management System (ADAMS) IBM Electronic Records (IER) module. Records management is included in the agency Systems Development Lifecycle (SDLC) and Capital Planning and Investment Control (CPIC) processes. Challenges to the creation, revision, and updating of records management policies include ongoing competition for limited resources within the office (e.g., contract funding, FTE) based on decreasing agency budgets.

2.2 Which of the following best describes if relevant stakeholders have been engaged in the development of electronic records management policies?

Relevant stakeholders have not been identified.

Relevant stakeholders have been identified but are not actively engaged.

Relevant stakeholders provide input but are not actively involved in creating policies or approving these policies.

Relevant stakeholders provide input and review these policies before going to agency senior leadership for approvals.

Relevant stakeholders, including agency senior leadership, are consistently and actively involved in creating and approving all records management policies.

Please explain why this level was chosen and what challenges exist.

This level was selected because the agency's Office of the Chief Information Officer implemented a comprehensive review process for the establishment of agency policies; the Records Management staff work in full compliance with that process.

2.3 Which of the following best describes procedures and training in order to fully implement policies essential for full integration and inclusion of records management into agency culture and the prevention of records loss and/or alienation?

Training and awareness regarding the management of electronic records do not exist, and there are no policies related to loss of records.

As policies are being discussed, general training and awareness of records management roles and responsibilities exist but do not fully address electronic records or the prevention of records loss.

With policies under development, the roles and responsibilities are identified, and there is an awareness of the threat of loss of electronic records.

Policies, procedures and training with specific information about the management of permanent electronic records and the threat of loss have been drafted but not yet approved by relevant stakeholders or implemented.

Procedures and training with specific information about the policies related to the full integration and inclusion of records management and the prevention of records loss and/or alienation have been approved, disseminated and implemented.

Please explain why this level was chosen and what challenges exist.

This level was chosen because engagement with agency stakeholders is well established. Periodic Information Inventory processes, ongoing Privacy Impact Assessments (PIAs) and Privacy Threshold Analyses (PTAs) of new electronic systems, and in-depth analyses of systems are in place. Limited staff and rapidly changing technology projects make it difficult to fully integrate with Information Technology (IT).

3. Systems

Description:

This domain measures how well agencies have implemented systems that meet federal recordkeeping requirements.

Agencies must have control over permanent electronic records to ensure adequate capture, management, preservation, and transfer to NARA in acceptable electronic formats along with the appropriate metadata. Such control may be automated in dedicated records management systems or implemented manually in shared drives, data repositories, or other types of storage. Additionally, IT systems must support the implementation of records management regulations and local policies and provide access to permanent electronic records throughout their lifecycle, which can span decades.

What Success Looks Like: Your agency's IT systems developers consider records management requirements throughout the systems development process. As a result, your agency's systems and business processes support the automated management of trustworthy permanent electronic records over time in accordance with all applicable requirements.

Systems for permanent records must:

Comply with approved records schedules;

Allow permanent electronic records to be located, retrieved, accessed, presented, interpreted, and updated wherever they reside throughout their full lifecycle;

Automate security and management of permanent electronic records over time in accordance with NARA requirements; and

Generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing permanent electronic records, including the ability to:

Audit/track use of the records, including all events and actions related to the record by person entities and non-person entities;

Audit/track actions changing the level of record access;

Audit/track changes in the location of permanent records; and

Generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing permanent electronic records.

3.1 Which of the following best describes how well electronic information systems are able to create, capture, manage, preserve, and transfer permanent electronic records to the National Archives?

Electronic information systems may create and capture records, but there is no management or determination about temporary or permanent electronic records status in accordance with approved records schedules.

Electronic information systems are able to create and capture records in electronic format, and there is some management or determination about temporary and permanent electronic records status but no alignment with approved records schedules.

Electronic information systems are able to create, capture, and maintain records. Permanent electronic records are identified, and alignment with approved records schedules is under development.

Electronic information systems meet NARA's requirements to create, capture, manage and preserve electronic records aligned with approved records schedules, and agency is testing the capability to transfer permanent electronic records to the National Archives.

Electronic information systems meet NARA's requirements to create, capture, manage, and preserve electronic records aligned with approved records schedules. Agency has successfully transferred permanent records in electronic format to the National Archives according to the transfer guidance.

Please explain why this level was chosen and what challenges exist.

This level was selected because the NRC maintains an agency-wide repository for electronic records, ADAMS. The ADAMS IBM Electronic Records (IER) module transfer process includes auditing and tracking and is the final gateway for tracking all electronic data and information being transferred from ADAMS to the National Archives. The vast majority of other agency systems meet this level of maturation, but several systems have yet to have their ability tested to fully complete records lifecycle management in the transfer of permanent records in electronic format to the National Archives. The agency successfully transfers permanent records in electronic format to the National Archives from the Radiation Exposure Information and Reports System (REIRS) on a bi-annual basis.

3.2 Which of the following best describes if your agency has an inventory of electronic information systems including identification of permanent electronic records required for effective electronic records management?

There is no inventory of electronic information systems.

There is an inventory of electronic information systems but no identification of which contain records.

There is an inventory of electronic information systems that identifies which contains records but does not include location or retention instructions.

There is an inventory of electronic information systems along with the location and includes limited ability to implement disposition.

There is a complete inventory of systems used for management of permanent and temporary electronic records including the ability to implement, whether manually or automatically, all dispositions.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the agency operates a Custom Analysis of Records Schedules (CARS) database, which maintains inventory information and records schedules of electronic information systems, including identification of which hold permanent electronic records. This inventory is appropriately updated in a timely manner to reflect new and updated systems and is used in conjunction with other IT inventories, including the PIA and PTA inventories.

3.3 Which of the following best describes systems owners' awareness of their responsibilities for permanent records that allows for managing permanent records in accordance with the requirements listed above?

Systems owners are not aware of their responsibilities for managing permanent electronic records.

Systems owners are fully aware of their responsibilities for managing permanent electronic records that reside in their systems but are not developing processes (manual or automated) to comply with the requirements for managing permanent electronic records.

Systems owners are fully aware of their responsibilities for managing permanent records that reside in their systems and are considering processes to comply with requirements to manage permanent electronic records via manual methods.

Systems owners are fully aware of their responsibilities for managing permanent records that reside in their systems, and they are in the development phase of ensuring systems comply with requirements for managing permanent electronic records via automated methods.

Systems owners are fully aware of their responsibilities for managing permanent records that reside in their systems. Systems have been implemented to comply with the requirements for managing permanent electronic records via automated methods.

Please explain why this level was chosen and what challenges exist.

This level was selected for the following reasons: 1. The agency conducts Information Inventories regularly to ensure capture of electronic system information and to educate system owners of their responsibilities. 2. The agency includes electronic records management requirements in the Privacy Impact Assessment (PIA) and Privacy Threshold Analyses (PTA) inventories of systems proposed for implementation within the enterprise; records management personnel review and work with system owners on these assessments to ensure compliance with electronic records management requirements, or to establish mitigation strategies. 3. An inventory of electronic systems is managed by the Enterprise Architecture team and is used in conjunction with the CARS database, as well as PIA and PTA assessments to track the phases of system development. 4. Targeted educational activities continue to educate system owners of records management requirements. Challenges to ensuring Records and Information Management compliance within systems result from competition for resources and rapidly changing IT environments.

3.4 Which of the following best describes how well your system audits/tracks use of the records, including all events and actions related to the record by person and non-person entities?

Systems do not audit or track use of records.

Systems could generate reports to audit/track use of records, but the agency is not considering tracking use of records.

Systems could generate reports to audit/track use of records, and the agency is considering whether or not to track use of records.

Systems can generate reports. The agency does some auditing/tracking of the use of records.

Systems generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing permanent electronic records including the ability to audit/track use of the records, including all events and actions related to the record by person entities and non-person entities, changing the level of record access, and changes in the location of permanent records.

Please explain why this level was chosen and what challenges exist.

This level of maturity was selected because of the agency's ability to meet all noted requirements within ADAMS, the agency's primary repository for permanent and temporary electronic records. Privacy Impact Assessments (PIAs) and Privacy Threshold Analyses (PTAs) for other systems are administered annually and address specific electronic records management questions targeted for auditing/tracking/events/actions within those systems. In addition, systems are regularly reviewed by records management and information security staff for compliance. A challenge that remains is ongoing competition for resources based on decreasing budget dollars.

4. Access

Description:

Electronic records support an agency's ability to carry out its business functions. Access to permanent electronic records means they remain usable, retrievable, and protected throughout their lifecycle. This domain measures the access and usability of records to conduct agency business in accordance with the appropriate transfer and disposition schedule. It measures system protection of permanent electronic records against unauthorized access, use, alteration, alienation, deletion, or concealment. It ensures records are searchable, retrievable, and usable for as long as they are maintained in agency custody.

What Success Looks Like: Your agency's permanent electronic records are protected against unauthorized access, use, alteration, alienation, deletion, or concealment. They are searchable, retrievable, and usable for as long as they are maintained in agency custody.

4.1 Which of the following best describes if records (including those of current and separated employees) are searchable, retrievable, and usable throughout their lifecycle?

Records (including those created by current and separated employees) are not searchable, retrievable, and usable.

Some records created by current employees are searchable, retrievable, and usable but not for those created by separated employees.

Some records created by current employees and those created by separated employees are searchable, retrievable, and usable throughout their lifecycle.

Most records created by current and separated employees are searchable, retrievable, and usable throughout their lifecycle.

All records (including those of current and separated employees) are searchable, retrievable, and usable throughout their lifecycle.

Please explain why this level was chosen and what challenges exist.

This level was selected because the agency's primary repository of permanent and temporary electronic records, ADAMS, supports searchability, retrievability, and usability of agency permanent electronic records throughout their lifecycle. In addition, records that reside in the agency's other electronic systems are searchable, retrievable, and usable throughout their lifecycle.

4.2 Which of the following best describes the identification and categorization or classification of electronic records that are essential to enable accessibility and maintenance throughout the lifecycle?

Records are not identified, categorized or classified to enable accessibility and maintenance throughout the lifecycle.

Some records are identified but not categorized or classified to enable accessibility and maintenance throughout the lifecycle.

Some records are identified with limited categorization or classification to enable accessibility and maintenance throughout the lifecycle.

Most records are identified and categorized or classified to enable accessibility and maintenance throughout the lifecycle.

All records are identified and categorized or classified to enable accessibility and maintenance throughout the lifecycle.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the NRC maintains agency-wide Information Inventories, which include a categorization (taxonomy) of NRC information assets and records. A categorization schema has been established for all records series and is tied to retention policies. The schema has been implemented in ADAMS. The agency purchased and is in the process of implementing a file analysis solution that supports categorization of other electronic documents/records, such as those that reside in SharePoint.

4.3 Which of the following best describes if your agency's IT staff measures system protection of permanent electronic records against unauthorized access, use, alteration, alienation, deletion, or concealment?

IT staff does not take any measures to prevent unauthorized access, use, alteration, alienation, deletion, or concealment of any records.

IT staff have normal security measures, but these do not identify protections for permanent electronic records against unauthorized access, use, alteration, alienation, deletion, or concealment.

IT staff have normal security measures, and additional measures are being considered for permanent electronic records to prevent unauthorized access, use, alteration, alienation, deletion, or concealment.

IT staff, in addition to normal security measures, are developing measures and have some already in place to protect permanent electronic records that prevent unauthorized access, use, alteration, alienation, deletion, or concealment.

IT staff, in addition to normal security measures, have measures in place to protect permanent electronic records that prevent unauthorized access, use, alteration, alienation, deletion, or concealment.

Please explain why this level was chosen and what challenges exist.

This level was selected because cybersecurity policies regarding the protection of all NRC information, including permanent electronic records, are well established through Management Directives and supplemental policy documents such as Yellow Announcements (policy) and Staff Requirements Memorandums. The NRC continues to maintain an effective cybersecurity program based on IG reporting metrics, receiving an overall rating of managing risk (level 4) during the agency's annual FY23 OIG FISMA audit. NRC has one of the top-rated Cybersecurity programs across the government. The program continues to focus on measurable gains in cybersecurity risk management and employs the concept of continuous improvement to build upon successes in reducing risk for agency systems and data.

4.4 Which of the following best describes if your agency has migration plans that include the movement of permanent electronic records into new systems and other measures related to long-term preservation in accordance with the recordkeeping requirements?

Migration plans do not exist, and records are not considered when replacing systems.

Migration plans exist but do not take into consideration temporary or permanent records status, long-term preservation or other recordkeeping requirements.

Migration plans are based on current use and move inactive records offline or to tapes, but do not identify permanent records, long-term preservation needs or other recordkeeping requirements.

Migration plans include the identification of permanent records and long-term preservation needs, and may move permanent electronic records into new systems or maintain them in legacy systems.

Migration plans include the movement of permanent electronic records into new systems, including those in legacy systems, and include other measures related to long-term preservation in accordance with recordkeeping requirements.

Please explain why this level was chosen and what challenges exist.

This choice was selected because staff initiate PIAs and PTAs, which include electronic records management requirements, whenever there is a change to a system or migration to another system.

Records management staff must review and sign off on these plans for the system to be approved and to ensure they include records management compliance or mitigation strategies. Measures are taken to meet records preservation needs.

5. Disposition

Description:

This area is critical for successfully managing permanent electronic records. Agencies must follow the mandatory instructions contained in either agency-specific records schedules or the appropriate General Records Schedule to transfer permanent electronic records to NARA's legal custody.

What Success Looks Like: Agencies are operating with NARA-approved records schedules. Agencies are successfully completing transfers of permanent electronic records to the National Archives in acceptable formats with the appropriate metadata.

5.1 Which of the following best describes if your agency has a process to classify records and apply NARA-approved retention schedules in order to properly dispose of electronic records, including the transfer of permanent electronic records to the National Archives?

There is no process for identification or scheduling of electronic records.

There is no coordination with agency offices to identify, classify and schedule records, but a few electronic records are associated with a NARA-approved records schedule.

Some coordination exists to identify, classify and schedule electronic records across the agency with some electronic records associated with a NARA-approved records schedule.

There are informal processes for coordination to identify, classify, and schedule electronic records across the agency that include input from appropriate offices. Most electronic records are associated with a NARA-approved records schedule.

Formal processes exist to identify, classify and schedule electronic records across the agency that includes program, legal, and IT offices, that include reviewing and updating existing schedules as well as new electronic systems. All existing electronic records are covered by NARA-approved records schedules.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the agency conducts regular Information Inventories with heavy engagement in one-on-one consultations with office-level staff. Challenges include that through this process, records management staff sometimes learn of new systems not formerly identified. In addition, changes to the mission often require updates to electronic records schedules. And lastly, fewer Federal records management staff due to declining agency budgets and employee attrition has increased the workload per person to complete the Information Inventory consultation process.

5.2 Which of the following best describes if systems development, maintenance, and operations include processes for electronic records management?

Records management staff are not included in the agency's processes for new, existing, or retiring electronic information systems, so there is no assurance that electronic records management processes exist.

Records management staff are inconsistently made aware of new electronic information systems and are not included in the agency's processes for new, existing, or retiring electronic information systems, so electronic records management is ad hoc.

Records management staff are occasionally informed when new electronic information systems are being planned or implemented and participate informally or on an ad hoc basis in the agencys processes for new, existing, or retiring electronic information systems, so electronic records management is inconsistent.

Records management staff are kept informed of new, existing, or retiring electronic information systems, but have a limited role in the agency's Systems Development Life Cycle process for electronic information systems, so electronic records management is just beginning to be consistent across the agency.

Records management staff participate in the Systems Development Life Cycle and Capital Planning and Investment Control processes to ensure electronic records are appropriately identified and recordkeeping applied formalizing electronic records management across the agency.

Please explain why this level was chosen and what challenges exist.

This entry was selected because Records Management staff participate in a number of structured processes related to Systems Development Life Cycle and Capital Planning and Investment Control.

First, as a voting member of the OCIO Intake Process, Records Management staff review, and approve/disapprove hardware, software, and customized IT services. Secondly, Records Management staff are engaged with others in analyzing systems in the IT Investment Portfolio during Enterprise Architecture activities, and through the IT Roadmap process which addresses many areas including:

  • IT modernization to support the adoption of new technologies and methodologies;
  • Business needs alignment with current or emerging business needs;
  • Compliance to meet Federal requirements;
  • Fiscal stewardship to reduce costs of service delivery;
  • IT refresh activities related to upgrades/updates of existing hardware/software;
  • Expansion/reduction of services reflecting changes in demand;
  • Service evaluation to identify opportunities for improvement;
  • Integration of systems to support data sharing;
  • IT consolidation; and
  • Acquisition management to enable new services or to ensure continuity of service.

Third, through the Privacy Impact Assessment (PIA) and Privacy Threshold Analyses (PTA) processes, Records Management staff are heavily involved in discussions and analyses of systems throughout the agency. Fourth, Records and Information Management (RIM) compliance is also identified and tracked within CIO Evaluations of major and standard systems, under the Capital Planning and Investment Control program. CIO Evaluations, which are performed every quarter, are assessed by staff and senior officials, and regularly presented to the CIO. Lastly, based on increasing awareness of records management mandates per M-23-07, offices are self-identifying and requesting support from the Electronic Records Manager and Records Management staff to ensure compliance with NARA Electronic Records Management requirements.

5.3 Which of the following best describes if permanent records meet the transfer guidance criteria and contain the appropriate metadata for transfer to the National Archives?

Note: See NARA Bulletin 2014-04: Revised Format Guidance for the Transfer of Permanent Electronic Records and NARA Bulletin 2015-04: Metadata Guidance for the Transfer of Permanent Electronic Records.

Permanent electronic records do not meet the transfer guidance criteria and/or metadata requirements for transfer to the National Archives.

Permanent electronic records do not meet the transfer guidance criteria and/or metadata requirements for transfer to the National Archives, but the agency is exploring what needs to be done.

Permanent electronic records do not meet the transfer guidance criteria and/or metadata requirements to transfer them to the National Archives, and improvements have been identified but not implemented.

Permanent electronic records in some cases meet the transfer guidance criteria and/or metadata requirements to transfer them to the National Archives. The ability and other plans for transferring all permanent records are under development or are being tested.

Permanent electronic records meet the transfer guidance criteria and contain the appropriate metadata. The agency has tested the ability to transfer and/or has successfully transferred permanent electronic records to the National Archives in acceptable formats with appropriate metadata.

Please explain why this level was chosen and what challenges exist.

This level was selected because the NRC's official and primary repository for agency permanent electronic records, ADAMS, has the appropriate metadata and criteria for the transfer of agency data.

The agency has demonstrated the ability to transfer permanent electronic records stored in ADAMS to NARA. Data transfer from the REIRS to NARA also has been accomplished. While the agency has other systems that have not been tested for the transfer of permanent electronic records, the NRC has nonetheless formalized a process for transferring permanent records with appropriate metadata to NARA.

PART II: Federal Email Management Reporting

The following maturity model is designed to measure how well your agency's email management meets the Criteria for Managing Email Records in Compliance with the Managing Government Records Directive (M-12-18). The success criteria describe the requirements needed to properly manage all temporary and permanent email in an electronic format.

There are four key aspects in this model:

  • Policies
  • Systems
  • Access
  • Disposition

To properly use this model, agencies should read each description and select the one that best fits their organization's current condition for each domain. In order to be useful, this tool should be used honestly, consistently, and often to measure improvements as they are implemented.

Policies

Description and What Success Looks Like: Agency-wide policies and training must inform account holders of their responsibilities for managing email records. Policies should be developed with all relevant stakeholders and should address the requirements of the Federal Records Act, 36 CFR Chapter XII Subchapter B, and NARA guidance.

1. Which of these levels best describes the state of your email policies?

No email policies exist; relevant stakeholders have not been identified; senior-level email is not managed in any way; and there are no policies related to the loss of email records.

Email policies are being drafted, and there is a general awareness of both the roles and responsibilities for managing email records and of the risk of loss of email records.

Email policies address general use of email only; relevant stakeholders have been identified; roles and responsibilities for email management have been defined; and there is an awareness of the risk of loss of email records.

Email policies have been developed and disseminated; stakeholders, including the Chief Information Officer, Records Managers, and General Counsel, are involved in making policy and other decisions regarding email; there are policies governing holds on email records or accounts; policies include use of personal or non-official email accounts; and there are policies and procedures protecting against the loss of email records.

Email policies are in place and implemented throughout the agency; all staff (including senior staff) have been trained on their roles and responsibilities for managing email including use of personal or non-official email accounts; records management staff and/or Inspector General perform periodic audits of email policies to ensure proper use and implementation; and annual mandatory records and information management (RIM) and information security training include roles and responsibilities regarding email.

Please explain why this level was chosen and what challenges exist.

This level was chosen because the NRC has long-standing email policies which are updated as needed. Staff are required to take annual records management training, which includes email records requirements. The ARO and records management staff periodically speak at office meetings to discuss these policies, and the CIO has worked to ensure senior leadership awareness and understanding through various forums.

Systems

Description and What Success Looks Like: Agencies must have systems in place that can produce, manage, and preserve email records in an acceptable electronic format until disposition can be executed. Additionally, systems must support the implementation of agency policies and provide access to email records throughout their lifecycle.

2.1 Which of these levels best describes the state of your email systems?

Email is managed in disparate systems; email is managed by the end user; and no retention is applied.

Systems retain temporary email records up to 180 days only, and print and file is the main method of preservation for email.

Some centralized administration of email systems exists; there is limited identification of permanent email; and email is manually managed by the end user based on retention schedules.

Administration of email systems is specifically assigned; temporary and permanent email categories are identified; systems are under development to handle the implementation of agency policies and lifecycle management; and electronic retention is the main method for the preservation of email.

Email systems manage and preserve email in electronic format; limited end user input is needed to apply proper retention and disposition policies; permanent email is identified and managed; email systems maintain the content, context, and structure of the records; and email records are associated with their creator.

Please explain why this level was chosen and what challenges exist.

This level was selected based on the NRC's implementation of Microsoft Office 365, which has been configured to provide, with the NARA-approved retention schedules, email management and preservation behind the scenes with no user input. In 2021, the agency transitioned to a hybrid opt-in and opt-out approach to manage Capstone Officials' email. The Commissioners who use an opt-in approach to manage their email self-select permanent email records. Following their manual self-selection using a drag and drop functionality within the email system, their permanent email records are maintained in individual secure folders until their departure when all their records are transitioned into ADAMS where the IBM Enterprise Records (IER) module automatically manages disposition. All other Capstone officials transitioned to an Opt-Out approach in April 2021, which limits end-user input needed to manage permanent records as their email is now automatically captured requiring no end-user intervention.

2.2 Which of the following best describes how well your email system audits/tracks email records use, including all events and actions related to the email record by person and non-person entities?

Systems do not audit or track use of email records.

Systems could generate reports to audit/track use of email records, but the agency is not considering tracking use of email records.

Systems could generate reports to audit/track use of email records, and the agency is considering whether or not to track use of email records.

Systems can generate reports. The agency does some auditing/tracking of the use of email records.

Systems generate reports, both routine and customized, to demonstrate effective controls and compliance with the requirements for managing email records including the ability to audit/track use of email records, including all events and actions related to the email record by person entities and non-person entities, changing the level of email record access, and changes in the location of email records.

Please explain why this level was chosen and what challenges exist.

This level was selected based on the implementation of Microsoft Office 365 and its Security and Compliance Center. Using these capabilities, standard reports are available and used to support control and compliance for managing email records according to the NARA-approved retention schedule. The agency continues to implement capabilities of M365 and its Security and Compliance Center.

Access

Description and What Success Looks Like: Email records must remain usable and retrievable throughout their lifecycle. Access supports an agency's ability to carry out its business functions. Access should address internal agency needs and accommodate responses to requests for information.

3. Which of these levels best describes the usability and retrievability of your email throughout its lifecycle?

There is no attempt to determine whether or not email can be accessed beyond immediate business needs; there is no management of email of departed employees; producing email for requests is difficult, costly, and not always feasible; agency has multiple email systems that do not relate to each other and are not searchable across multiple accounts or systems; there are little or no safeguards in place for unauthorized access, unintentional modification or destruction; no defined processes exist for maintaining records making access and retrieval difficult; processes are performed in an ad hoc manner; and there is no formal definition or classification of email records.

Email records are retrievable through system backups or other means; there is minimal management of email of departed employees; producing email for requests is achievable but time consuming and costly; there is limited training or other awareness of the security of email; and processes for maintaining email records are starting to be standardized agency-wide.

Email records are included in a draft retention schedule pending approval; email of departing employees is maintained until someone can review; formal processes exist in order for records to be accessed and retrieved in a timely manner; standardized RIM lifecycle processes have been developed across the agency making access and retrieval of email records more reliable; and standardized processes for access and retrieval are beginning to be promulgated across the agency.

Email is retrievable during the normal course of business; the email system has procedures for providing reference and responses for email requests; security and privacy protocols are included in the system; processes for the identification and classification of email records are standardized across the agency making access and retrieval reliable; and records are usually accessed and retrieved in a timely manner.

Email is fully retrievable for requests; email review, preservation, and disposition are embedded into the processes for departing employees; records management controls are built into the email system to prevent unauthorized access, modification or destruction; processes for the identification and classification of email records are documented and integrated with agency business and mission at the strategic level.

Please explain why this level was chosen and what challenges exist.

This level of maturation was selected as a result of meeting all requirements for retrievability, preservation, and disposition.

Disposition

Description and What Success Looks Like: The agency must have a NARA-approved schedule in place to be able to carry out the disposition of permanent and temporary email records - using either agency-specific schedules or General Records Schedule (GRS) 6.1: Email Managed under a Capstone Approach.

4. Which of these levels best describes the state of your disposition of email?

There is no retention schedule specifically covering email; disposition of email is not being done; and permanent email records have not been identified.

Agency is beginning to work with NARA to create a retention schedule specifically covering email; disposition of email is handled haphazardly by the end user; and there is some identification of permanent and temporary email records.

Retention schedule covering email is in draft form but not yet approved, and disposition of email is handled with limited training for the end user.

Retention schedule covering email has been approved by NARA; end users are trained to oversee the disposition of email records; and permanent records are identified and maintained until transfer to the National Archives.

Retention schedule covering email has been approved by NARA; retention schedules are built into email management systems; permanent records are identified and captured by email management systems; and permanent records can be or have been successfully transferred to the National Archives.

Please explain why this level was chosen and what challenges exist.

This level of maturation was selected as agency email is managed by a NARA-approved retention schedule that is built into the email management system, and all email records are identified and captured by that email management system. However, transfer of email records to the National Archives has not been tested and demonstrated as of this date as none are currently eligible for transfer.

Part I Total Points 72

Part I Maturity Model Score 3.79

Part II Total Points 20

Part II Maturity Model Score 4

SCORING PART I:

There are 19 questions.

Maximum points for each question is 4.

Maximum points is 76.

Maturity level is between 0 and 4 (total points divided by 19).

Domain 1: (5 questions - maximum points 20)

Domain 2: (3 questions - maximum points 12)

Domain 3: (4 questions - maximum points 16)

Domain 4: (4 questions - maximum points 16)

Domain 5: (3 questions - maximum points 12)

PART I: RISK LEVELS:

Score of 0 to 1.9 = high risk of improperly managing electronic records, whereby there is a great deal of work necessary to improve the program and safely manage these records.

Score of 2 to 2.9 = moderate risk of improperly managing electronic records, whereby there are various mechanisms in place, but more work needs to be done to ensure safe management of these records.

Score of 3 to 4 = low risk of improperly managing electronic records, whereby the various mechanisms are in place to safely manage these records. However, it must be noted that this does not mean there is zero risk. Therefore, monitoring and enhancements should always be kept in mind.

SCORING PART II:

There are 5 questions.

Maximum points for each question is 4.

Maximum points is 20.

Maturity level is between 0 and 4 (total points divided by 5).

Domain 1: (1 question - maximum points 4)

Domain 2: (2 questions - maximum points 8)

Domain 3: (1 question - maximum points 4)

Domain 4: (1 question - maximum points 4)

PART II: RISK LEVELS:

Score of 0 to 1.9 = high risk of not managing email effectively.

Score of 2 to 2.9 = moderate risk of not managing email effectively.

Score of 3 to 4 = low risk of not managing email effectively. However, it must be noted that this does not mean there is zero risk. Therefore, monitoring and enhancements should always be kept in mind.

REVIEW

Click on the "Back" button below to REVIEW your agency's response before submitting. This is your only chance to change your answers. Once you are satisfied with your response, click on the "Next" button at the bottom of this screen. Caution: Once you select "Next," the "Back" button will no longer function.

Please note: If you have already reached the screen where the "Back" button is no longer available and you still need to make changes, you must email rmselfassessment@nara.gov.
