Executive Order M-19-21 is in the news right now because federal agencies have been given an extension (M-23-07) to ensure compliance with this critical directive, but all this didn’t come out of nowhere. To understand why this key deadline was missed, and how it’s a challenge even with more time, it helps to understand the larger context of mandates to enhance (primarily) cloud security, and the technology and policy issues that must be addressed.
In fact, the difficulties around M-19-21 may be the perfect storm of massive data volumes, increasing regulatory pressures, and technology shortcomings. But as with most tech-related obstacles, there are tech-related workarounds.
First, understand that this isn’t the first, or even the last, high-level attempt to shore up technology defenses. The last three presidents all issued Executive Orders (EOs) directing federal agencies to move to the cloud as part of broader technology modernization. The key goal is always to boost cybersecurity and improve the ability to store, consolidate, access and share data.
The first two EOs didn’t get very far, but President Biden’s EO 14028 set specific deadlines. This order prioritizes cybersecurity protections and requires agencies to adopt features such as data encryption, multifactor authentication and zero-trust architectures. It also requires agencies to move to a cloud-based infrastructure to store, manage and protect their data, and implement a cloud governance framework.
The EO specifies that all legacy applications, many still on-premises, must meet the new cybersecurity standards or be retired. It outlines the steps agencies should take to cut costs when moving to the cloud, and mandates cloud-based solutions for Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) options.
Here’s why all this matters. EO 14028 was issued in May 2021, at a time when agencies were already struggling with issues around COVID-19, as well as with a separate NARA digitization directive. And that gets us to the current complications.
M-19-21 was released on June 28, 2019, as a consolidation of the previous directive (officially M-12-18), with additional requirements. The goal was to push a full transition to electronic records, expediting efficiency, accuracy and storage. Perhaps most importantly in this era of transparency, the move is intended to ease compliance with FOIA requests and eDiscovery searches.
This is truly commendable—it shows the government is serious about digital transformation.
Now for the hard part: The original deadline came and went last year, after it turned out that digitizing 50-60 billion documents would be a challenge for even the most innovative organizations with infinite resources. Consequently, the Office of Management and Budget extended the deadline (via M-23-07) to June 30, 2024.
Volume isn’t the only problem. Agencies also have difficulty finding the right data repository or archive in which to store and manage the newly digitized records, since many existing records management systems were not designed to handle such quantities. This is why many agencies have resorted to on-premises file shares. This is less than ideal: Besides undermining the spirit of a cloud migration, records maintained this way are not actively managed, remain siloed, and feature search capabilities that are rudimentary at best.
It gets worse. While M-19-21 directs all hard-copy records to be digitized, it doesn’t specify what to do with them after they’re digitized. EO 14028, meanwhile, requires all agencies to move to the cloud quickly, and adopt the cybersecurity advantages that come with applications for both on-premises and cloud-based software solutions. And through all this, most legacy records management solutions can’t meet the latest cybersecurity standards.
Given the complexities involved, there’s no one-size-fits-all solution here. That said, as many enterprising data professionals have long found, a little experimentation and resourcefulness can go a long way.
Consider how most federal agencies subscribe to Microsoft 365, which includes Microsoft SharePoint Online. This stalwart offering, so deeply embedded in operations around the world, actually meets the new data security requirements. Government IT officials can set up a file share within the agency’s SharePoint instance to act as a short- or long-term managed repository that automatically syncs to individual employees’ Windows Explorer. This way, the data is managed by the IT organization and remains searchable for all authorized parties.
There are obstacles here too—for example, massive spikes in volume can quickly bump up against storage limits within MS SharePoint Online. However, new third-party offerings now extend SharePoint storage to the more affordable Azure Cloud, facilitating storage management and enabling comprehensive information management that is vital for FOIA/eDiscovery.
The digitization of all hard-copy documents is a giant first step, but it can be an even greater challenge to store and secure the mountains of digital data being created. Good technology and strategic deployment can overcome those hurdles and generate real benefits.