Everything you wanted to know about DoD 5015.2: the standard is not a panacea or a guarantee, but it is a tangible contribution in a field hungry for guidance.At the Core This article: * Defines DoD 5015.2 and its requirements * Explains the standard's certification process * Analyzes strengths and weaknesses of the standard The U.S. Department of Defense's (DoD) Design Criteria Noun 1. design criteria - criteria that designers should meet in designing some system or device; "the job specifications summarized the design criteria" criterion, standard - the ideal in terms of which something can be judged; "they live by the standards of their Standard for Electronic Records Management Software Applications, better known as DoD 5015.2, debuted in 1997. Since then, it has become a de-facto standard that government agencies, including the National Archives National Archives, official depository for records of the U.S. federal government, established in 1934 by an act of Congress. Although displeasure concerning the method of keeping national records was voiced in Congress as early as 1810, the United States continued and Records Administration (NARA Nara (nä`rä), city (1990 pop. 349,349), capital of Nara prefecture, S Honshu, Japan. An ancient cultural and religious center, it was founded in 706 by imperial decree and was modeled after Chang'an (see Xi'an), the capital of T'ang China. ), readily endorse. Private sector businesses routinely use standard certification--or lack thereof--as a way to shortlist short·list also short-list n. A list of preferable items or candidates that have been selected for final consideration, as in making an award or filling a position. Noun 1. records management software for potential purchases. DoD 5015.2 is also the starting point Noun 1. starting point - earliest limiting point terminus a quo commencement, get-go, offset, outset, showtime, starting time, beginning, start, kickoff, first - the time at which something is supposed to begin; "they got an early start"; "she knew from the for such benchmarks as the United Kingdom's Public Record Office (PRO) standard and the European Union's Model Requirements (MoReq). Outside the DoD, however, the standard is not necessarily well understood. Ask attendees at any electronic records seminar whether they are aware of the standard and nearly all raise their hands. Ask whether they want software that is certified See certification. to the standard and, again, the majority assent An intentional approval of known facts that are offered by another for acceptance; agreement; consent. Express assent is manifest confirmation of a position for approval. . Ask how many have actually read the standard, however, and the percentage drops significantly. Given the short-staffed nature of most records programs and the subsequent time crunch it produces, such a response is understandable. But is it realistic to assume that software configured to a federal department's specification applies just as well to commercial enterprises? More importantly, is it correct to assume that whatever software vendors develop to obtain certification automatically becomes part of their products? Does the dictum [Latin, A remark.] A statement, comment, or opinion. An abbreviated version of obiter dictum, "a remark by the way," which is a collateral opinion stated by a judge in the decision of a case concerning legal matters that do not directly involve the facts or affect the "Must be DoD 5015.2-certified" in a request for proposal shortcut (1) In Windows, a shortcut is an icon that points to a program or data file. Shortcuts can be placed on the desktop or stored in other folders, and double clicking a shortcut is the same as double clicking the original file. the need for analyzing an organization's needs in more depth? Not all business customers require certification; not all software vendors seek it. Why? The Standard Evolves The standard's origins provide a partial answer and illustrate the key role that archival principles played in its evolution. In 1993, a DoD records management task force that included representatives from NARA, the U.S. Army, the U.S. Air Force, and the Army, Research Laboratory began the work of re-engineering records management processes. In doing so, the task force considered research and theoretical constructs from the University of British Columbia Locations Vancouver The Vancouver campus is located at Point Grey, a twenty-minute drive from downtown Vancouver. It is near several beaches and has views of the North Shore mountains. The 7. and the University of Pittsburgh that focused on assuring the reliability and authenticity of electronic records. (See sidebar (1) A Windows Vista desktop panel that holds mini applications (gadgets) such as a calendar, calculator, stock ticker and Vonage phone dialer. It is the Windows counterpart to the Dashboard in the Mac. See Windows Vista and gadget. on page 36.) Two years later, the task force published its findings in the report "Functional Baseline Requirements and Data Elements for Records Management Application Software." The report circulated to several federal and DoD agencies, as well as to software vendors, soliciting comment on the 47 requirements identified. With the task force's charter fulfilled, the DoD turned to the Defense Information Systems Agency (DISA 1. (body) DISA - Defense Information Systems Agency. 2. (standard) DISA - Data Interchange Standards Association. ), the unit responsible for acquiring and managing shared office information systems, to continue the work. DISA relied on its testing and evaluation component, the Joint Interoperability Test Command The Joint Interoperability Test Command (JITC) is a United States military organization that tests technology that pertains to multiple branches of the armed services and government. There is a facility in Fort Huachuca, Arizona and in Indian Head, Maryland. (JITC JITC Joint Interoperability Test Command (formerly Joint Interoperability Test Center) JITC Joint Interoperability Test Center (obsolete; now Joint Interoperability Test Command) ), to clarify the report's requirements and establish a certification testing program. "In 1996, Steve Matsuura, my boss at JITC, and I began to draft the standard," recalls Bill Manago, currently product manager for MDY MDY Month Day Year MDY Minimum Detectable Yield Advanced Technologies, who was then in the armed forces. "We took into account NARA and other federal RM directives, incorporated research provided by Australian and Canadian standards, and developed requirements for managing e-mail as records." The result was DoD 5015.2, Design Criteria Standard for Electronic Records Management Software Applications. JITC remains responsible for maintaining the standard and administering the software certification testing program. What the Standard Is Revised in June 2002, the DoD 5015.2 standard defines mandatory functionality for records management application (RMA (RealMedia Architecture) See RealMedia. ) software used within the DoD. Each mandatory functional requirement is included because it relates to U.S. federal regulation and/or NARA policy; these are listed in the standard document's references section. The standard's glossary of terms, as well as its list of acronyms and abbreviations, is useful for anyone not familiar with records management. Newly added to the June 2002 version is Chapter Four with requirements for records management applications supporting classified (i.e., secret) records. Other differences from the 1997 version include expanded requirements for audit, more functionality for user-defined metadata fields, and additional e-mail requirements. Figures 1 and 2 list the requirements of 5015.2's 2002 version. Each mandatory requirement has several subparts, and each subpart specifies particular functionality. Required functionality reflects the way basic electronic recordkeeping practices work in government. This is important because such practices collectively form a model, a construct, for how the records management software must work. All records management software--whether for paper or electronic records, whether for DoD use or not--must be configured to mirror an organization's underlying model of recordkeeping practices in order to work at all. For example, are documents considered records at creation, at approval, or when submitted to an outside agency? Once documents are declared records, should they move from their creation repository to a "protected" repository with limited access? The answers may differ depending on the environment's rules and needs. The DoD standard's underlying model reflects its government and archives roots. The federal government defines a record as any document that evidences an agency's performance of its mission, regardless of physical form or media--a broad definition whose interpretation could encompass nearly all documents. Federal agencies, therefore, must decide what is a record and what is not. For records management software, the model assumes that document creators follow practices that dictate when documents become records. The model also makes creators responsible for classifying records in a folder hierarchy The organization of folders (directories) on a hard disk, which is drive-folder-file. See Win Folder organization. according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. a well-understood, uniform filing plan. The DoD standard, in fact, prescribes mandatory file plan components and mandatory record folder components, indicating required data collection by users. In the private sector, practices may be quite different. Corporate lawyers contend that everything is a record. Placing electronic records into a folder hierarchy is one way to attach retention rules to them, but it is not the only way. Information technology staff, for example, contends that designating documents as records should be automatic, based on underlying workflows. The federal government must also preserve the public record for posterity POSTERITY, descents. All the descendants of a person in a direct line. , giving particular weight to concerns about records' authenticity and reliability in an electronic world. The standard requires transferring records with historic value to archival facilities, specifying that records should be copied with their associated metadata and their folders. The standard requires 16 mandatory metadata fields, though not all must be captured for each record type. In her doctoral dissertation and a subsequent interview, Mary Rawlings-Milton of Millican and Associates pointed out that the standard imposes a burden on records kept for a short time: "Do you really need all that metadata for short-term records?" In her experience implementing records software at a government agency, she found that "you are actually balancing what the software will do and what people will do." In the private sector, automatic capture of metadata is emphasized, largely for retrieval purposes rather than archival needs. The standard recognizes certain requirements as site-specific, such as those for storage management, system performance, user training, and so forth. Other useful features identified include report writing, global change, and online help, among others. While admittedly nice to have, these features cannot be made mandatory because there is no federal law or NARA policy that requires them. The Certification Process JITC uses 27 test cases to determine whether a RMA meets the DoD standard's mandatory requirements. One-third of cases require only information or documentation. For the remaining 18, software vendors prepare scripts showing step-by-step procedures and accompanying screen shots for performing the required function. Test scripts The instructions in a test program. It defines the actions and pass/fail criteria. For example, if the action is "to enter a valid account number," the expected result is that the data are accepted. Entering an invalid number should yield a particular error message. See test case. go to the JITC eight weeks in advance of testing. "The test scripts show that the software is finished prior to testing," explains Bruce Miller Bruce Miller is an American attorney born in 1945. He is known for arguing a legal case claiming welfare to be a constitutional right. Early life Miller was born in 1945 in California, where he spent his formative years. , president of Tarian Software. "It is a way to prove in advance that the software can pass." There is no testing for nonmandatory or useful features. JITC personnel travel from Fort Huachuca Fort Huachuca is an United States Army installation. It is located in Cochise County, in the Southeastern part of the state of Arizona, approximately 15 miles north of the border with Mexico. , Arizona, to the vendor's site. Testing for new, uncertified un·cer·ti·fied adj. Not officially verified, guaranteed, or registered; not certified: an uncertified teacher. Adj. 1. products may require two weeks, while certifying new versions of previously certified products may take four or five days. Most vendors devote two full-time resources to the test to provide technical expertise for its duration. JITC test personnel, who are TRW-supplied contract employees with records and software experience, work through each test case hands-on, using the software and the vendor's scripts to perform the required functions. Tests are pass/fail, and RMAs must pass all tests covering mandatory requirements. Work-arounds developed to satisfy requirements are permitted, and it is common for software vendors to add functionality specifically to pass the test. Product certification Product certification or product qualification is the process of certifying that a certain product has passed performance and/or quality assurance tests or qualification requirements stipulated in regulations such as a building code and nationally accredited test standards, status is added to JITC's Web site within days following successful test completion. A summary report appears within two to three weeks, followed by a detailed report, "for official use," two or three months later. Only government entities have access to full-length reports because vendors expressed concern about competitor access to proprietary information. Detailed reports contain information regarding work-arounds and include commentary on the number of screens or mouse-clicks required to perform various tasks. Vendors receive all reports prior to publication to check for accuracy. Certification lasts for two years. It is granted on a particular software version, so any new version also must undergo testing. In product pairings (e.g., RMA software integrated with a document management product), the certification applies only to the pairing--not to the individual products. Document management vendors who claim their product is DoD 5105.2 certified actually mean that it is certified as paired with a specific RMA product. "Watch out for the phrase `DoD compliant'," advises Steve Matsuura, senior electronic engineer who oversees the test process at JITC. "Some vendors who are not certified will use this term. Vendors can only say they are certified if their product has passed the testing process and is listed on the JITC Web site." RMA software vendors pay JITC $20,000 to $22,000 for an initial certification test and about $10,000 to $15,000 for a re-certification or a product pairing. Vendors also pay JITC personnel's travel expenses. Add the cost of vendor software engineers involved in coding ($50 to $600 per day), to the time required for advance test preparation and the resources devoted to the testing process itself, and the cost to vendors is significant. If a product fails, it moves to the test schedule's end, a queue with a year's wait, because all products want to certify cer·ti·fy v. cer·ti·fied, cer·ti·fy·ing, cer·ti·fies v.tr. 1. a. To confirm formally as true, accurate, or genuine. b. against the June 2002 standard. Different Perspectives Despite the expense, certification has value for vendors. "DoD certification has rapidly become a mandatory requirement for most sales," says Tower Software President Frank McGovern. "We have found that many of our commercial clients, particularly those in regulated industries, insist on DoD certification. Certification mitigates risk: nobody wins if the software pilot fails." Tarian's Miller concurs, "For the government market, no certification means no sales. In private industry, certification is a convenient moniker--a shorthand shorthand, any brief, rapid system of writing that may be used in transcribing, or recording, the spoken word. Such systems, many having characters based on the letters of the alphabet, were used in ancient times; the shorthand of Tiro, Cicero's amanuensis, was used way of stating qualifications." The Library of Virginia's Bob Nawrocki agrees. He must select software that will enable the library to archive electronic records from Virginia Governor Mark Warner Mark Robert Warner (born December 15, 1954) is an American businessman and politician from the U.S. Commonwealth of Virginia and a member of the Democratic Party. Warner is the immediate former governor of Virginia and the honorary chairman of the Forward Together PAC. and his cabinet. Nawrocki placed DoD 5015.2-certified software at the top of his list for consideration. "It is comforting to have an objective baseline that all ERM (Enterprise Relationship Management) An umbrella term with many shades of meaning over the years. It may refer to the management of information from any or all of an organization's customers, suppliers, business partners and employees. software products are measured against," he says. "It assures that products that pass the test criteria have a certain minimum functionality." Few of the standard's underlying assumptions on recordkeeping may hold true for the private sector, however. Moving records from one repository into another--for example from a document management system's repository to a records management software's repository--is not desirable in some environments; classification within uniform hierarchies is perceived as undue user burden, particularly in cases where documents, slide presentations, Web sites, and the like are part of ongoing collaboration. An electronic records analyst at a large consumer products firm stated that the DoD 5015.2 standard did not figure in his firm's choice of an RM software product two years ago. "Government and business operate very differently," he said. "The standard's focus is primarily for the military; it has no real effect on us." Sylvia Diaz, director of Records and Literature Management at Bristol-Myers Squibb's Pharmaceutical Research Institute, observes: "DoD 5015.2 dictates a certain level of validation and standardization standardization In industry, the development and application of standards that make it possible to manufacture a large volume of interchangeable parts. Standardization may focus on engineering standards, such as properties of materials, fits and tolerances, and drafting for RMAs that otherwise many not be there. However, the standards imposed are not all relevant to the pharmaceutical industry. Therefore, in the choice of RMA software for us, the standard would not be relevant. RM system developers would be wise to adhere to adhere to verb 1. follow, keep, maintain, respect, observe, be true, fulfil, obey, heed, keep to, abide by, be loyal, mind, be constant, be faithful 2. regulations like 21 CFR CFR See: Cost and Freight Part 11 as well." Software vendors who target the private sector tell a similar story. According to one reliable industry source, "The standard hurts creativity by forcing all software to work the same way. It errs on the side of telling vendors how to accomplish a function, not just what software must do." Art Bellis of OmniRIM agrees. "DoD makes RM onerous on·er·ous adj. 1. Troublesome or oppressive; burdensome. See Synonyms at burdensome. 2. Law Entailing obligations that exceed advantages. . Business has internal goals and budgets, and generally can't afford to layer on superfluous su·per·flu·ous adj. Being beyond what is required or sufficient. [Middle English, from Old French superflueux, from Latin superfluus, from superfluere, to overflow : requirements." He estimates that it would take 1.5 years and $350,000 just to code, let alone develop, a product to DoD specifications. "DoD is a good step in the right direction for bringing accountability, but it may be impractical im·prac·ti·cal adj. 1. Unwise to implement or maintain in practice: Refloating the sunken ship proved impractical because of the great expense. 2. for business," he says. Strengths and Weaknesses Ironically, the standard was never intended to become an industry touchstone touchstone Black, silica-containing stone used in assaying to determine the purity of gold and silver. The metal to be assayed is rubbed on the touchstone, and then a sample of metal of known purity is rubbed on the stone right next to it. . JITC's Matsuura notes that the standard's influence in the marketplace actually complicates the certification process. "Certification is a test of basic functionality; it is intended to tell what a product must do, not specify how the product should do it," he says. The JITC is careful not to dictate how systems should be implemented, as this has implications for competition within the software industry. The standard's military origin will continue to influence its future. Although the 1997 standard identified Freedom of Information Act (FOIA (Freedom Of Information Act) A U.S. government rule that states that public information shall be delivered within 10 days of request. ) requirements and privacy considerations as future directions, the need for classified information practices took precedence The order in which an expression is processed. Mathematical precedence is normally: 1. unary + and - signs 2. exponentiation 3. multiplication and division 4. in the 2002 version. Funding for the 5015.2 program comes from Assistant Secretary of Defense Command Control Communications In telecommunication, control communications is the branch of technology devoted to the design, development, and application of communications facilities used specifically for control purposes, such as for controlling (a) industrial processes, (b) movement of resources, (c) and Intelligence (ASDC3I ASDC3I Assistant Secretary of Defense for C3I ), with JITC reporting to this function's chief information officer. Defense-related recordkeeping needs will likely continue to take precedence. Another consideration is that the test process does not measure system performance, for example, how quickly searches execute; nor does it measure scalability, the software's ability to handle tens, hundreds, or thousands of users with equal ease. All tests are on criteria that can be objectively measured, so no judgments are made with regard to the software's ease of use or intuitiveness, other than tallies of total clicks or screens shown in the detailed report. There are no measures for how well any software's modules interact or how elegantly the underlying code is written. Though not as important to records and information managers, such data can be useful to the selecting organization's information technology group. Interoperability The capability of two or more hardware devices or two or more software routines to work harmoniously together. For example, in an Ethernet network, display adapters, hubs, switches and routers from different vendors must conform to the Ethernet standard and interoperate with each other. (i.e., the means for different RMAs to share data) is not part of the standard and is not tested. "Interoperability between RMAs requires technology specification," explains Matsuura. "DoD does not want to specify technology." This may change in the future as the JITC continues its work with NARA on e-government initiatives addressing additional metadata for permanent e-records. Ideally, NARA wants all RMAs to create an upload file in a format that NARA systems could parse automatically as part of electronic records preservation efforts. The DoD 5015.2 standard appeared while electronic recordkeeping techniques were in their infancy. It offers an objective test of basic functionality within prescribed conditions, with particular emphasis on authenticity and reliability of electronic records with archival value. Going forward, the standard will evolve to meet government's changing needs. The JITC also reviews all comments and suggestions as a means for continuous improvement. In the private sector, the standard offers a starting point, a certain assurance of basic functionality. By itself, it is not a substitute for understanding an organization's practices, a panacea Some antidote or remedy that completely solves a problem. Most so-called panaceas in this industry, if they survive at all, wind up sitting alongside and working with the products they were supposed to replace. for technical ills, or a guarantee of successful software implementation. DoD 5015.2 is a tangible contribution in a field generally hungry for guidance. The help it provides is welcome and appreciated. Archival Influences The University of British Columbia's work emphasizes the reliability and authenticity of electronic records, using diplomatics DIPLOMATICS. The art of judging of ancient charters, public documents or diplomas, and discriminating the true from the false. Encyc. Lond. h.t. as a basis. Diplomatics, which dates from the 17th century, establishes rules for determining whether a document is authentic and reliable based on particular characteristics. Adapting these principles to modern electronic recordkeeping, the university developed templates showing what elements are essential for records to be reliable and authentic. That work posits that all records, regardless of media, should be managed in the same way, that the recordkeeping rules must be embedded Inserted into. See embedded system. in the business process, and that the record's creator is responsible for the record's long-term authenticity and reliability. The work covers records' creation, use, and preservation, and implies the existence of a central control point to which responsibility can be transferred when the creator no longer needs the record. The University of Pittsburgh's work asserts that an electronic record must be managed from the time it is created and emphasizes that electronic data may not be separable sep·a·ra·ble adj. Possible to separate: separable sheets of paper. sep into life cycle stages. Pittsburgh's research gathered all known recordkeeping requirements, categorized cat·e·go·rize tr.v. cat·e·go·rized, cat·e·go·riz·ing, cat·e·go·riz·es To put into a category or categories; classify. cat them by type, then identified a software functionality that would achieve each type of requirement. Pittsburgh also posited that a record's value might be derived from where it is filed, a construct that assumes the existence of a file plan.
Figure 1: DoD 5015.2, June 2002--Mandatory Elements
DoD Element Records Management Application Number
5015.2 Mandatory Functionality of Sub
Section parts
C2.1 C2.1.1 Manage records regardless of storage 0
media
C2.1.2 Accommodate four-digit dates 0
C2.1.3 Add user-defined fields and change 0
field labels
C2.1.4. Support backward compatibility with 0
earlier product versions
C2.1.5. Comply with Americans with Disabilities 0
Act requirements
C2.2.1. Implementing File Plans -- Standard 6
General specifies mandatory file plan
Require- components and mandatory record
ments folder components.
C2.2.2 Scheduling Records 7
C2.2.3. Declaring and Filing Records -- 26
Standards specifies mandatory
metadata requirements.
C2.2.4. Electronic Mail 3
C.2.2.5. Storing Records 4
C2.2.6.1. Screening Records (Life Cycle) 5
C2.2.6.2. Closing Record Folders (Life Cycle) 2
C2.2.6.3. Cutting Off Record Folders (Life Cycle) 2
C2.2.6.4. Freezing/Unfreezing Records (Life 4
Cycle)
C2.2.6.5. Transferring Records (Life Cycle) 5
C2.2.6.6. Destroying Records (Life Cycle) 6
C2.2.6.7. Cycling Vital Records 4
C2.2.6.8. Searching for and Retrieving Records 9
C2.2.7. Access Controls 5
C2.2.8 System Audits 6
C2.2.9 System Management 6
Figure 2: DoD 5015.2, June 2002--Non-Mandatory and Useful Features
DoD Element Records Management Application
5015.2 Number Non-Mandatory Features
Section To Be Defined by Acquiring or Using Activity
C3.1 C3.1.1 Storage Availability
C3.1.2 Documentation
C3.1.3 System Performance
Non- C3.1.4 Hardware Environment
Mandatory C3.1.5 Operating System Environment
Features C3.1.6 Network Environment
C3.1.7 Protocols
C3.1.8 Electronic Mail Interface
C3.1.9 End User Orientation and Training
C3.2 C3.2.1 Making Global Changes
C3.2.2 Bulk Loading Capability -- for pre-existing file
plans, electronic records, record metadata
C3.3.3 Interfaces to Other Software Applications
C3.2.4 Report Writer Capability
C3.2.5 On-Line Help
C3.2.6 Document Imaging Tools
Other C3.2.7 Fax Integration Tools
Useful C3.2.8 Bar Code Systems -- for non-electronic records
Features C3.3.9 Retrieval Assistance (e.g., full text search)
C3.2.10 File Plan Component Selection/Search Capability
C3.2.11 Workflow and or Document Management Features
C3.2.12 Records Management Forms and Other Forms -- for
NARA and government forms
C3.2.13 Printed Labels
C3.2.14 Viewer
C3.2.15 Web Capability
C3.2.16 Government Information Locator Service
C3.2.17 Enhanced Support for Off-line Records
References Mary Rawlings-Milton. "Electronic Records & The Law: Causing the Federal Records Program to Implode To link component pieces to a major assembly. It may also refer to compressing data using a particular technique. Contrast with explode. ?" (Ph.D. diss diss v. Variant of dis. diss Verb Slang, chiefly US to treat (a person) with contempt [from disrespect] Verb 1. ., Virginia Polytechnic Institute and State University Virginia Polytechnic Institute and State University, at Blacksburg; land-grant and state supported; coeducational; chartered and opened 1872 as an agricultural and mechanical college. , 2000). Available at http://schholar.lib.vt.edu/theses/available/etd-04202000-13400008/ unrestricted/erecs.pdf (accessed 14 October 2002). Records Management Application Compliance Test and Evaluation Process and Procedures. September 2002. Available at http://jitc.fhu.disa.mil/recmgt/ (accessed 14 October 2002). Design Criteria Standard for Electronic Records Management Software Applications. Available at http://jitc.fhu.disa.mil/recmgt/ (accessed 14 October 2002). DoD 5015.2-STD RMA Compliance Test Procedures. Version 6.5. September 2002. Available at http://jitc.fhu.disa.mil/recmgt/ (accessed 14 October 2002). Julie Gable gable Triangular section formed by a roof with two slopes, extending from the eaves to the ridge where the two slopes meet. It may be miniaturized over a dormer window or entranceway. , CRM (Customer Relationship Management) An integrated information system that is used to plan, schedule and control the presales and postsales activities in an organization. , CDIA See CompTIA. , is the Principal of Gable Consulting, the Associate Executive Editor of The Information Management Journal, and a contributing editor A contributing editor is a magazine job title that varies in responsibilities. Most often, a contributing editor is a freelancer who has proven ability and readership draw. for Transform magazine. She may be contacted at JulieGable@aol.com. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion