This article originally appeared in GovDevSecOpsHub and can be found here.
Up until recently, the federal government was among the biggest consumers of paper, using it as a way to safely and securely store information without fear of prying eyes. This system worked for decades, safeguarding personal information, top-secret documents, and other items.
However, long-standing efforts to embrace a more digital mindset and make documents available online for employees went from a back-burner priority to becoming the standard practice. This, coupled with the ongoing digital transformation of work, has resulted in a serious document management problem for the government, among other challenges.
The mountain of digital documents and the veritable sea of constituent data that each federal agency operates with has become difficult to manage and utilize, especially when the entire organization makes drastic changes to how and where employees work. The rise of work-from-home initiatives put the processes and technologies that agencies utilize for document management and storage to the test – and often found them lacking.
At the federal employee level, the work-from-home model magnified the deficiencies in both the technology and the processes, making workers’ job execution inefficient and increasing the risk of exposing data. Federal workers have wasted significant time searching for documents and data. Duplicate documents have created version control issues, making collaboration more cumbersome. At a time when cybercriminals have been actively looking to exploit vulnerabilities resulting from the pandemic and decentralized workforces, the distributed nature of the workforce has put sensitive constituent data at risk.
To learn more about the ways federal agencies store documents and data, and to better understand the impact the COVID pandemic has had on public sector operations, we sat down with NetDocuments’ Federal Government Senior Business Manager, David Delker, and Product Manager, Steve Presley. During our discussion, we explored how distributed workforces and work from home policies left constituent data vulnerable, the critical document and data needs of the federal workforce, and new technologies that could improve agency efficiency and security.
GovDevSecOpsHub (GDSOH): How have government agencies and organizations traditionally stored and managed digital documents? Where were they stored? How and where could they be accessed?
David Delker: Civilian agencies within the federal government that have modernized their IT systems typically rely on available Microsoft solutions to store and manage digital content and electronic records. This can include shared network folders, SharePoint, OneDrive, and Outlook. We refer to these solutions simply as document repositories. We are also starting to see an increase in the adoption of Microsoft Teams.
Accessing the various document repositories can vary by agency, but many organizations enable single sign-on – the process only requires a user to log in once to access multiple applications and services without re-entering login credentials each time.
There are some agencies that may still rely on paper files or non-electronic records, either because the customers they serve submit paper records or internal processes rely on legacy technology. This delays the process of going paperless.
GDSOH: How did the COVID-19 pandemic and the resulting rush to embrace work from home (WFH) impact agencies? What ramifications did this create to how they stored and managed digital files?
David Delker: Commonly, government agencies implemented some form of virtual private network (VPN) solutions that create a secure tunnel from the user’s government-issued computer at home to the agency systems to which they are granted access. They use their government-issued Personal Identity Verification (PIV) card to validate access via multifactor authentication.
The COVID-19 pandemic accelerated the need to fully implement and support VPN and remote access solutions agency-wide as the entire government workforce shifted to WFH virtually overnight. IT organizations largely carried the burden even as they abruptly shifted to WFH, requiring them to pave a new way to support the entire organization and deliver services remotely.
The shift to WFH did not change the use of Microsoft data repositories, though. It did, however, disrupt document workflows around saving, retrieving, and searching for digital content, particularly in the area of save operations where users would exhaustively click “save” to ensure work product was not lost as a result of unexpected network disruptions or disconnections. In addition, multiple copies of the same document may exist on the local C:\ drive as well as other data repositories like SharePoint, OneDrive, or Teams.
Lastly, since digital content can exist in multiple data repositories, critical time is also lost searching for documents or information. Available search capabilities are limited to searching the title of the document only as opposed to a full-text search where the entire body of the document, including the title and associated metadata, is matched against keyword search criteria.
GDSOH: What impact did WFH initiatives and teleworking have on information security and document security? Did the government’s digital documents and data become less secure as a result of the pandemic and pandemic response?
David Delker: Securing content can be a challenge. It becomes increasingly difficult to manage and apply consistent information governance and security policies across multiple document repositories. Individuals typically do not have the permissions or tools available to apply security to documents – especially to add more restrictive permissions to sensitive documents.
Nevertheless, the government’s digital documents and data are not necessarily less secure due to WFH, but more vulnerable. We saw an increase in investments in security and compliance solutions, which include identity and access management, perimeter security, and endpoint protection platforms – either to invest in new technology or to bolster existing systems.
GDSOH: What should agencies do to make this data more secure? What steps can they take – and what technologies can they embrace – to keep their data and documents private?
Steve Presley: Protecting the perimeter, endpoints, and access to data is not sufficient. Ensuring the government’s digital documents themselves are well protected is also critically important. For example: How is the data stored? Is the data encrypted at rest and in transit? Are controls available to prevent sensitive digital content from being downloaded, printed, or sent via email attachment? This is where a document repository and a document management system (DMS) vary widely.
A content management/DMS platform that is also FedRAMP Authorized ensures government data is consistently protected and the services have been thoroughly vetted by the FedRAMP Program Management Office (PMO). FedRAMP Authorized DMS providers have met rigorous compliance and security standards for properly protecting federal data stored in commercial cloud service providers.
Centralized security policy management, along with a security governance process to identify Ethical Walls and/or a Zero Trust Security model for highly sensitive matters, ensures that access to confidential or highly confidential matters is on a need-to-know-only basis, which is essential to reducing information disclosure issues within the agency.
Data Loss Prevention further reduces the disclosure footprint by limiting the actions that users can take once access is permitted. Rules such as restricting printing, restricting the ability to attach documents to email, or sending via Secure Link eliminate the ability of those who do have document access to distribute them externally.
David Delker: Also, it’s worth noting that technologically advanced document and email management systems store content in object stores, where individual files are broken into pieces of data, encrypted, and spread across multiple data stores. Any intercepted “piece” of data is unintelligible or unreadable because each piece is encrypted with a special key. File stores and data repositories, on the other hand, simply store the document as a single piece of data.
GDSOH: What other benefits can a government agency receive from embracing document and email management systems? Are the benefits restricted to document and data security or are there other benefits to operational efficiency and productivity?
David Delker: They enable capabilities such as the flexible organization of digital data, the dynamic tagging of content, and full-text search.
Operational efficiency and productivity are commonly measured by the service’s ability to improve mission outcomes and offer an improved user experience. A document management system is not merely a document repository to store and save documents and email. The system must help you govern your content based on the agency’s security and compliance policies and rules; enable agencies to effectively collaborate with internal colleagues as well as external stakeholders; automate and replace manual workflows; and help the organization make informed decisions based on data.
From an IT perspective, the main advantage of utilizing a FedRAMP Authorized cloud document management system is freeing the IT team from managing the day-to-day operations and maintenance – upgrades and patches – required by legacy client-server applications. Other added benefits of utilizing a DMS from a cloud service provider include built-in business continuity, digital data backup, and disaster recovery.