How to Find an Effective, Trustworthy Records Management Technology Vendor

All the way back in 2019, OMB/NARA memorandum M-19-21 set an aggressive objective to ensure that virtually all Federal records would be created, retained, and managed in electronic formats with appropriate metadata by December 31, 2022. However, no one could have predicted the Covid-19 pandemic that would shortly sweep the world and delay agency efforts to comply with M-19-21. As a result, that deadline has been pushed back by M-23-07 until June 30, 2024.

Many government agencies are still actively working to meet these mandates. To help, many of them would like to find a knowledgeable records management partner and vendor that can implement electronic records management (ERM) technology, convert analog records to digital as needed, and create new processes and workflows. But how do you go about finding a credible, reputable service and then validate whether they are likely to actually help?

Start with GSA Schedule 36.

Through GSA Schedule 36, government buyers can access a wide array of products and services that meet ERM requirements set by the U.S. National Archives and Records Administration (NARA) from vendors who have additionally met stringent vetting requirements. After their initial approval, vendors under GSA Schedule 36 are required to continue self-certifying their services. Thus, GSA Schedule 36 minimizes the need for federal agencies to perform their own due diligence on contractors. For more information, read our informational article: “GSA Schedule 36: A Good Place to Get Qualified Records Help.”

Ensure their services and solutions match your needs.

Even with GSA Schedule 36 helping to narrow the search, agencies may still need to choose between competing options. The first issue is to make sure the vendor provides the specific services and solutions your agency needs. For example, do you need help with:

  • Creating/updating/managing records schedules and records retention policies?
  • Managing physical assets?
  • Managing electronic assets?
  • Digitizing physical assets?
  • Analyzing and classifying records?
  • Creating information governance strategies?

These different service areas require wholly different sets of expertise, skills, and capabilities. Make sure the vendors you’re considering offer exactly what you need.

Ensure their technology offering(s) also include the functionality you need.

Closely related to the previous section – but meriting its own mention – the technology developed or sold by the vendor also needs to meet your specific goals. This can be trickier than it seems for a couple of reasons:

  1. The agency itself may not be clear on what it needs the technology to be able to do, which makes it challenging to ask the right questions.
  2. Just because a given technology solution can do something doesn’t mean it does it well.

Look for vendors who are willing to sit down and patiently answer your questions, offer demos that show their technology product in action, and provide references from other customers. For more information about assessing ERM systems themselves, see our article, “How to Evaluate Records Management Systems.”

Verify their scope of experience.

Just as you need to ensure their services and solutions match your needs, make sure their experience matches your situation. As a baseline, it’s key to ensure the vendor has experience working with the government. Even then, however, not all organizations have the same needs. Different agencies may find themselves operating under wildly different missions and mandates, regulatory environments, budgets, etc. Ask the vendor if they have experience servicing the same kind of organization as yours. Ask for examples or testimonials of past success with other clients.

Investigate the security and safeguards they offer.

Unfortunately, in today’s world, cybersecurity cannot be an afterthought. It must be built into any technology and service agreement, so it’s necessary to ensure the vendor offers a sufficient level of security and privacy controls. Due diligence in this area can include (but is not limited to) asking about:

  • Internal security controls, like how the vendor’s own employees are screened and vetted.
  • Cybersecurity-related guarantees and service level agreements.
  • Safeguards related to handling physical assets, ranging from climate controls and fire suppression systems to control over access points.
  • Clearances and their ability to handle sensitive, private, privileged, or top-secret records, if necessary.

Review their credentials and certifications.

In general, you want to make sure the technology vendor is prepared to comply with regulations and industry best practices according to:

  • NARA 36 CFR 1234 (if they provide storage facilities)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Sarbanes-Oxley Act (SOX)
  • Statement on Standards for Attestation Engagements (SSAE-18)
  • National Association for Information Destruction (NAID)

Additionally, look for certification under international standards related to records management. These can include:

  • CPG JAS-ANZ
  • G-CERTi
  • AWS Partner
  • CMMI Dev/3

Bottom line: Any records management partner should make your life easier.

Ultimately, the goal of working with third-party experts is to make the shift to electronic records management easier, faster, and less painful. A good partner can not only facilitate the transition but also help users to make more effective use of their records to produce better business outcomes.

About PSL

PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.