Learn tips for protecting your Office 365 data by accessing our webinar “Protecting Sensitive Data in Office 365 at the Team and Data Levels” today!
This is the 4th installment in a series addressing the challenges facing the DOD as they move into Microsoft 365. The others are here:
- The DOD’s Cross-Command Telework Platform (CVR) Expires Soon: What’s Next?
- Considerations for Governance in DOD365
- Is Zero Trust Enough to Secure Your Data?
- How to Prepare for Unified Labeling in Microsoft 365 DoD
- Backup & Retention Policies for Microsoft 365: Why the DOD Needs Both
- Smart Data Governance Lessons Worth Learning From the CMMC
- What to Use When for Secure Microsoft 365 Collaboration
How have you been storing your records since the COVID-19 pandemic and its work-from-home mandate? Some may be startled to find out that the way they handle their agency’s content in Office 365 can pose potential issues. In this blog post we’ll be discussing the new era of records management and how it has created confusion pertaining to compliance, storage practices, personal data segmentation, and remote work policies surrounding mission-critical data.
Teleworking has been rapidly increasing in popularity, especially in the wake of the current global pandemic. While some great results have come of this, teleworking has also introduced many challenges for today’s modern workforce and increased complications surrounding the existing records management process.
Exercising the best practices for digital records management while supporting a remote workforce can be challenging. The Telework Enhancement Act of 2010, passed by Congress, established teleworking policies for Federal employees that was implemented to ensure that employees are responsible for managing records generated in the course of their work, regardless of location. This act opened up the possibility of flexible work locations with the understanding that certain provisions must be in place. Below is a breakdown of how to ensure continuity across all devices and platforms.
What is Records Management?
According to the National Archives and Records Administration (NARA), “Federal records management is the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved in the records life cycle — creation, maintenance and use, and disposition. Records management provides for the adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations.”
It’s important to remember that there are both records and non-records. Federal records include all recorded information “regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.”
This could mean your command’s files, whether they are stored in SharePoint Online, OneDrive, or Microsoft Teams discussion threads in the Commercial Virtual Remote (CVR) environment, are records.
How to Maintain Compliance Regulations
Each agency has its own mandatory training requirement, with regulations now expanding to include nontraditional media such as emails, social media, and collaboration platforms. This requires a repeatable process that can automate records management functions to stay compliant with federal regulations and reduce the burden placed on staff.
It’s also crucial to not only implement a file plan, but to approve it. A file plan is a plan that appoints the physical location at which an agency’s files should be stored and maintained, as well as the types of files kept there and the organizational elements that have custodial responsibility.
The Federal Records Act allowed for employees, during times like this pandemic, to use non-official messaging accounts for business matters. However, it requires that they must copy or forward a copy of these electronic messages to an official account within 20 days. The best practice, however, is to not use any personal accounts when dealing with business matters.
The CVR aided in the Department of Defense and the Intelligence Community collaboration by supplying an official means of communication, but what actually happens to those records at contract expiration for the environment? This is an important question that your organization and information officer need to consider.
Identifying Metadata and Appropriate Records Storage
Metadata is factual information related to a record describing the content, context, and structure of the record and is used to support the record’s management. There are five types of metadata:
- Administrative Metadata is used to manage collections of records.
- Descriptive Metadata identifies and describes records.
- Preservation Metadata is the specialized set of information required to preserve and provide access to electronic records.
- Technical Metadata details the aspects of electronic records important to their proper interpretation, rendering, or playback.
- Use Metadata is information that describes how records can be accessed or circulated.
Metadata provides valuable information that makes them searchable, discoverable, and accessible in an efficient manner. Because the digital information is only legible through the use of proper hardware and software, the role metadata plays in IT is radically important. If you are unsure of the classification and proper record storage, consult with your Data Transfer Officer (DTO) for further guidance.
Practicing Electronic Records Storage
Have you recently stored agency documents on your personal device? Stop what you’re doing at once and read this section closely. Any time that you’re handling unclassified content, you must use a secure intranet system or approved Microsoft Teams application as to not compromise any information. If there is any possibility that any content has been compromised, contact your Records Information Officer (RIO) for further instructions.
As we all know, it can be easy to overlook records management (despite it being one of the most important facets of the DoD/IC environment). Always ensure you are complying with current records regulations and guidance from your Records Information Officer while under a teleworking status. For ongoing records guidance, visit NARA for the latest approved compliance regulations.
As your command or organization begins to define its “new normal,” you will find yourself looking at modern collaboration systems post-CVR. Here are a few suggestions for how to handle the records defined above as you do so:
Migrating your Records
The DOD has no enterprise-wide plans to migrate content out of the CVR group; each command is expected to recognize mission-critical data and records and migrate them as needed. If you have not yet performed analysis on your data in the CVR, we recommend the following five steps to get you started:
- Discovery and Assessment: This phase gives you the opportunity to make sure that you capture all mission-critical data and do not lose command records when the CVR is shut down. While the CVR has not been around for a typical analysis of “stale” data, this phase also allows you to ensure any obviously irrelevant information can be left behind in your migration.
- Strategic Planning: During this phase you will identify the best means for migration for your command. If you have little data, it may be easiest to simply copy and paste it over. However, if your command has created hundreds of Teams and has hundreds of gigabytes of data (or more), using a migration tool may be the best solution.
Planning will allow you to find the best tool for the job and help you break the migration into manageable chunks to minimize downtime and increase efficiency of the end-user switch to your new environment. You may also find that you aren’t migrating to another Office 365 environment, in which case you’ll want to evaluate the data structure, information architecture, and permissions prior to your migration.
- Pilot Migration: This is a critical step in the Migration process. With a proper pilot you can get a handle on performance throughput and what types of situational gotchas may hamper your migration. To do so you’ll want to identify a small part of content to test, migrate, verify results, make modifications to your plan, and perform testing of any data, user, or structural mapping you may perform.
- Migrate: It’s as simple as “execute your plan.” If you’re migrating to another Office 365 environment, ensure your partner understands how to identify and mitigate any throttling or other migration roadblocks that can be common in an Office 365 migration.
Also, be sure to understand what’s possible to migrate in a Teams-to-Teams migration, such as how discussion data can be handled in the destination environment–not all migration solutions are equal in this regard!
- Validation and Remediation: During post-migration, command staff must be heavily involved in validating data from a quality perspective but also in the context of applications and processes that will consume or operate on the target data structures.
When migrating from CVR to another Office 365 environment, users may find they have access to many more capabilities because the CVR was very locked down; when migrating to another solution, the lack of discussions may be unexpected. These are considerations the mission workers must be made aware of.
If you want to learn more about best-practice migration recommendations, we recommend this Best Practices: Migration to Office 365 white paper.
Records Management and Data Fidelity
If you did not implement a metadata management plan in the CVR, you must consider how to handle the new records as they’re migrated over. From auto-tagging based on document library, or business tools that can scan data and automatically categorize it based on the business and mission context, simply migrating your data without the contextual understanding of metadata and the file plan will leave your records mangers with an unmanageable amount of data to bring under control.
Understanding how the metadata of your records will migrate over and then what options for records management are available in the new environment, be it Microsoft Information Protection retention labels or 3rd party tools like AvePoint Cloud Records, will be important for ensuring your records are properly handled during this transition from the CVR to your command’s “new normal.”