Specifications, Certifications, and Compliance: There is a Difference
By Priscilla Emery at 2005-12-15 14:36:00
[Editor's note: We sometimes receive questions about records management certifications and their relationship to compliance requirements and concrete project specs. So we asked noted consultant Priscilla Emery to answer.]
Certifications are more than specifications
Some people treat specifications and certifications as the same thing, but in fact, certifications go beyond defining a standard or set of specifications. Certification bodies use specifications as a set of criteria for testing and qualifying vendors and other parties as compliant with the set of defined specifications. Certification implies a rigorous set of specifications together with a rigorous testing procedure and a set process for demonstrating a product's worthiness to be certified.
Many buyers prefer to acquire certified products because it means that the software has been tested against a baseline set of specifications to be worthy of further review. It tends to aid in the evaluation process when software has gone through some hoops to get a "nod" by non-partisan and reputable agencies or authorities.
The electronic records management marketplace seems to be prioritizing compliance with a few key certification authorities.
Certification authorities
The United States Department of Defense (DoD), Design Criteria Standard for Electronic Records Management Software Applications, better known as DoD 5015.2, debuted in 1997. It has become somewhat of the "gold" standard in the electronic records management software certification race. Endorsed by NARA (The United States National Archives & Records Administration), it defines mandatory functionality for records management application (RMA) software used within the DoD.
In June 2002, Chapter Four was added to the specification with additional requirements for RM applications supporting classified (i.e., secret) records, expanded audit requirements, more specifics about user-defined metadata fields, and guidance on supporting e-mail records.
A third revision of the specification is presently under review. Version 3 adds
- requirements for interoperability between records management systems, export/import capabilities, and export to NARA;
- Privacy Act and FOIA (Freedom of Information Act) considerations; and
- minor changes to chapter 2 and the chapter on security-classified records.
The administration and testing of the DoD certification process is managed by the Joint Interoperability Test Command (JITC), and the waiting list for vendors to certify their software products against these specifications is about one year long. And the certification itself is only good for two years. And the process only certifies the particular version of the product that was tested. And any separate partnership or integration of products — such as an integration of an RM software product with Microsoft's SharePoint Server — has to be certified on its own merits.
So for example, TOWER Software's product, TRIM Context, is DoD-certified. TOWER Software integrated the product with Microsoft SharePoint Services 2003 more than a year ago, but the integration has only recently been DoD-certified because that integration took about a year to move through the certification schedule. Meanwhile, an integration of Microsoft SharePoint Services 2003 has been certified with MDY's FileSurf v. 7.5 records management software, but not for classified records. Got all that?
In point of fact, the certification status of many versions of each vendor's products is in a constant state of change, and if certification means a lot to you then it is imperative that you continually review the status of the products by checking the JITC's website for updates. You will also observe that there are many companies on the waiting list to be certified.
Should commercial enterprises worry about government certification?
If you are not a government agency and certification is not a clear-cut requirement, is it all that important to make sure the software you install is DoD-certified? That depends. The specification carries a hefty set of base requirements that may be overkill for some organizations. It is a good idea to review the specifications yourself to make sure you are not limiting your software choices based on requirements that may not be completely relevant to your organization. At the same time, some features that commercial enterprises may desire are not covered in the DoD 5015.2 standard, so DoD certification does not necessarily mean that the product covers every function needed for all enterprises.
In addition, just because a product is not certified doesn't mean it isn't DoD-compliant. It may not have made it through the certification waiting list queue yet. And some vendors for whom the government marketplace is not a strong focus don't feel compelled to pay the JITC the $20,000 to $22,000 for an initial certification test (it's only $10,000 to $15,000 for a re-certification or a product pairing) along with JITC travel costs to conduct the test.
Certifications outside the USA
The venerable UK Public Records Office (UK PRO) — now known as The National Archives (TNA) — also has a certification process for its baseline functional and metadata specifications for electronic records management systems. Its certification process costs about £8,000 sterling (about $14,600 USD) plus VAT, and like DoD 5015.2, it is required for any vendor that wants to be considered as an alternative by UK government agencies. The list of compliant software products is much shorter than that for DoD 5015.2, and very few products are actually certified for both.
In fact, the TNA has set a direction to stop doing certifications. Because there is potential for European or other international initiatives to develop international standards, TNA plans to cooperate in those efforts to develop a replacement specification and certification that would be managed by other organizations. For example, TNA is currently participating in the European Union (EU) DLM (Document Lifecycle Management) Forum, where there is a possibility of setting up an EU de facto standard (MoReq2) and an associated compliance testing effort that could take the place of the TNA testing and certification program.
Other countries such as Australia (VERS), Germany (DOMEA) and Canada (RDIMS) have also identified minimum records management standards for government applications.
These respective standards are going beyond government confines and are being used across many different industries to set a minimum standard for how records are stored within an electronic repository. Even if you are not a user in the government sector, at the very least I recommend that you take a look at these specifications and determine what requirements work best for you and your enterprise.
Compliance vs. Certification
Like certification, compliance is a multifaceted issue. Overall, it is imperative that internal content managers be compliant with defined records retention and disposition policies. To some degree, electronic records management systems can aid in enabling quicker and more productive interaction with records but they can also aid in determining active compliance with an RM program and any auditing activities that may be required as a result.
As a subset of overall compliance come industry-specific or government-mandated regulations that require monitoring and auditability of compliance activities. Government and regulatory compliance are not new issues in the records management space, but the consequences of non-compliance have become much graver and more expensive. In addition, the number of regulations has increased dramatically over the last several years, making the tracking of these regulations a full-time job in some companies and creating a new "C"-level position — the Chief Compliance Officer. Couple that with the exponential growth of electronic record volume, and the need for software to track and enable defined regulations becomes readily apparent.
Just about every vendor will tout its ability to support everything from Sarbanes-Oxley to HIPAA regulations. However, there are no certification specifications or procedures for any of these compliance activities at this point.
So how does a user know if their software is compliant with these regulations? By working with internal compliance officers, legal counsel and internal users to define what compliance really means with regard to specific documents and records. Those specifications may overlap with the basic functional specifications of a generic records management system but there may be special retention needs within the file plan definition phase or in the reporting phase that go beyond the typical RM implementation.
For example, although records management can play a significant role in Sarbanes-Oxley compliance, most of this activity is associated with financial reporting and monitoring financial processes, making workflow activities and process monitoring more important features to focus on than records retention alone. Therefore, you would want to make sure that the RM product can work well with process monitoring software if it doesn't incorporate that function already.
The bottom line is that there is no substitute for doing your homework and understanding your organization's specific requirements. Although government certifications are becoming a qualifier for many implementations they are by no means the sole requirement during the product selection process.