Though not traditionally in the spotlight, the procedures, practices, and management of sensitive government records have always set the benchmark for IG. Information Governance (IG) and Records Management (RM) are a challenging sell; nobody wants to do it and pay for it. At best, it’s seen as a necessary evil that must be done because that’s the law. Even so, RM & IG have been in the spotlight for the past couple of years, most famously due to the ex-President waltzing off with multiple boxes of classified records, though this was just one of many RM issues throughout his tenure. Therefore although it is a coincidence DOD Manual 8180.01 (Information Technology Planning for Electronic Records Management) was released this past week, the timing could not be better. And as far as such documents go, it’s a fascinating read for any Information Management professional and a must-read for any IG or RM practitioner or vendor regardless of whether they work with the DOD or any other Government Department. At 88 pages, I will not attempt to summarize or review the whole document. But I want to point out a few high-level observations that affect our industry.
First and foremost, 8180.01 starkly contrasts the notorious DOD 5015. Infamous as 5015 was, in our estimation, a plague on the RM community. First published in 2007, it laid out in tortuous detail the technical requirements that an RM software system needed to provide to be worthy of use, technology vendors then spent years rearchitecting, modifying, and building systems to meet its exacting requirements in the hope of being certified as compliant and picking up massive implementation projects around the world. The critical thing to note here is that 5015 was, in theory, a standard for the Department of Defense; it was considered the benchmark for RM worldwide in both the private and public sectors. The problem is that it focused on the technology rather than the problem of poorly managed records. 8180.01, in contrast, provides practical and largely nontechnical guidance, as it should be, as the days of a centralized RM/IG system are numbered.
This leads to observation number two, in which 8180.01 lays bare the reality that sensitive information is everywhere in many forms. It shifts the focus from ‘documents’ to data/information. It recognizes that there is no one system or location to manage them, instead, 8180.01 guides how to deal with the reality, to quote, “This plan includes the existence and use of shared archives, records repositories, and data warehouses and provides information about standard or accepted formats.” That is (excuse the expression) a paradigm shift for IG.
Thirdly, it’s important to note that though 8180.01 is more a set of procedures and practices than a set of technology requirements, the technology elements are pretty solid, and some details will be hard (though essential) to implement. For example, “Security requires that information be encrypted at rest and during transmission, which is usually handled by the storage and network capabilities.” Though, on the one hand, encryption, both in transit and at rest, sound logical, it is tough to pull off as encrypted files, by definition, cannot be analyzed.
Finally, and most importantly, 8180.01 clearly states that RM/IG is not the sole concern of IG professionals. IG is a joint effort, IT plays an important role, and traditional professional silos must be bridged or broken down altogether. IG professionals should welcome this and champion 8180.01, but realistically some will not, and that is to be expected. But in our analysis, all the skills that IG professionals have, be it an understanding of retention periods, regulations, file plans, etc., can be applied much more widely and effectively when they are used jointly across the organization and IT and Security very much a part of the conversation and the work. That significantly boosts the IG community but, more importantly, sets us on the path to more effectively manage and secure critical data and information throughout its lifecycle, wherever it may reside.