C

REW I

By First-Class Mail

VA FOIA/Privacy Act Officer

VA Central Office

citizens for responsibility

and ethics in washington

June 24, 2011

Department ofVeterans Affairs Director, Records Management Service (005R1B)

810 Vermont Avenue, N.W.

Washington, D.C.

20420

Re:

Freedom of Information Act Request

Dear FOIA Officer:

Citizens for Responsibility and Ethics in Washington ("CREW") makes this request for

records, regardless of format,

medium, or physical characteristics, and including electronic

records and

information, audiotapes, videotapes and photographs, pursuant to

the Freedom of

Information Act ("FOIA"),

5 U.S.C.

§§

552, et seq., and the Department ofVeterans Affairs

("VA") regulations, 38

C.F.R. §§

1.550-1.557.

CREW seeks records related to

the VA' s request for information ("RFI") about moving

its email systems to a cloud computing environment through the Department' s "Big 4" project.

See

Elizabeth Montalbano, VA to

Migrate to

Email Cloud, Information Week (Feb.

28, 2011),

http: //www.informationweek.com/news/government/cloud-saas/229219490 (Attached as Exhibit

A).

As described more specifically below, CREW seeks records related to considerations the VA

has

made,

and steps the VA has taken, or plans to take, to address records management issues in

a cloud computing environment.

Specifically, CREW seeks records related to

the following categories:

1.

All records reflecting the V A's records management policies and data governance

practices, and the development of these policies and practices, for the VA's future cloud

computing email system.

2.

All records indicating steps the VA has taken or plans to

take to

address record keeping

requirements in a cloud computing environment including, but not limited to,

any

considerations given to NARA' s Bulletin 2010-05,

Guidance on Managing Records in

Cloud Computing Environments (Sept.

8,

2010) http://www.archives.gov/records-
mgmt/bulletins/20 10/2010-05 .html (Attached as

Exhibit B).

1400 Eye

Street,

N.W.,

Suite

450,

Washington,

D.C. 20005

202.408.5565

phone

202.588.5020 fax

www.citizensforethics.org

FOIA Officer

June 24,

2011

Page 2

3.

All records

indicating the attendees, or prospective attendees,

and their titles of all the VA

meetings held, or scheduled to

be held,

addressing the use and development of cloud

computing systems.

4.

All records

showing the development of instructions defining which copy ofthe VA

records will be declared as

the agency's record copy in a cloud computing environment,

as

set forth in NARA Bulletin 2010-05

question 7,

response 2.

5.

All records related to

the development of instructions of how to

determine whether

federal

records in a cloud environment are covered under an existing records retention

schedule, as

set forth

in NARA Bulletin 2010-05

question 7,

response 3.

6.

All

records related to the development of instructions of how records will be captured,

managed, retained, made available to authorized users,

and retention periods applied for

cloud computing systems as

set forth

in NARA Bulletin 2010-05

question 7,

response 4.

7.

All records related to the development of instructions on conducting a records analysis,

developing and submitting records retention schedules to

NARA for unscheduled records

in a cloud environment, including instructions about scheduling system documentation,

metadata, and related records,

as

set forth

in NARA Bulletin 2010-05

question 7,

response 5.

8.

All records related to

the development of instructions on periodically testing transfers of

federal

records to other environments, including agency servers, to

ensure the records

remain portable, as

set forth in NARA Bulletin 2010-05

question 7, response 6.

9.

All records related to the development of instructions of how data will be migrated to

new formats

and operating systems in a cloud computing environment so

that records are

readable throughout their entire life cycle,

as

set forth in NARA Bulletin 2010-05

question 7,

response 7.

10.

All records related to

records management considerations and request for

information

("RFI")

solicitation number V A11811RI0226 dated Feb.

24, 2011.

Please search for responsive records regardless of format,

medium, or physical

characteristics.

Where possible, please produce records electronically, in PDF or TIF format on a

CD-ROM.

We seek records of any kind,

including electronic records,

audiotapes, videotapes,

and photographs.

Our request includes any letters, emails, facsimiles,

telephone messages, voice

mail messages, and transcripts, notes, or minutes of any meetings, telephone conversations, or

discussions.

Our request also

includes any attachments to these records.

FOIA Officer

June 24,

2011

Page 3

For any email, please produce metadata and/or headers that show the email address of the

sender and any recipient in addition to

their display name, the names and email addresses of any

"bee:" recipients, and any data regarding the time and date the email was sent, received, and/or

opened.

If it is

your position that any portion of the requested records is exempt from disclosure,

CREW requests that you provide it with an index of those documents as required under Vaughn

v.

Rosen, 484 F.2d 820 (D.C.

Cir.

1973), cert.

denied,

415

U.S.

977 (1972).

As you are

aware,

Vaughn

index must describe each document claimed as exempt with sufficient specificity "to

permit a reasoned judgment as to whether the material is actually exempt under FOIA."

Founding Church of

Scientology v.

Bell, 603

F.2d 945,

949

(D.C.

Cir.

1979).

Moreover, the

Vaughn

index must "describe each document or portion thereof withheld, and for each

withholding it must discuss the consequences of supplying the sought-after information."

King v.

US.

Dep 't of

Justice,

830

F.2d 210, 223-24 (D.C.

Cir.

1987) (emphasis added).

Further, "the

withholding agency must supply 'a relatively detailed justification, specifically identifying the

reasons why a particular exemption is relevant and correlating those claims with the particular

part of a withheld document to which they apply."'

!d.

at 224

(citing Mead Data Central v.

U.S.

Dep 't of

the Air Force,

566 F.2d 242, 251

(D.C.

Cir.

1977)).

In the event some portions of the requested records are properly exempt from

disclosure,

please disclose any reasonably segregable non-exempt portions of the requested records.

See

U.S.C.

§ 552(b ).

If it is your position that a document contains non-exempt segments, but that

those non-exempt segments are so

dispersed throughout the document as to make segregation

impossible, please state what portion of the document is

non-exempt, and how the material is

dispersed throughout the document.

Mead Data Central,

566 F.2d at 261.

Claims of

nonsegregability must be made with the same degree of detail as required for claims of

exemptions in a

Vaughn

index.

If a request is

denied in whole, please state specifically that it is

not reasonable to

segregate portions of the record for release.

Finally, CREW welcomes the opportunity to

discuss with you whether and to

what extent

this request can be narrowed or modified to

better enable your office to process it within the

FOIA's deadlines.

Anne Weismann, the CREW attorney handling this matter, can be reached at

(202) 408-5565

or aweismann@citizensforethics.org.

Fee Waiver Request

In accordance with 5 U.S.C.

§ 552(a)(4)(A)(iii) and the VA regulations, 38

C.F.R.

1.555, CREW requests a waiver of fees

associated with processing this request for records.

The

subject ofthis request concerns the operations ofthe federal

government and expenditures, and

the disclosures will

likely contribute to

a better understanding of relevant government procedures

by CREW and the general public in a significant way.

Moreover, the request primarily and

FOIA Officer

June 24,

2011

Page 4

fundamentally is

for non-commercial purposes.

5 U.S.C.

§ 552(a)(4)(A)(iii).

See,

e.g.,

McClellan Ecological v.

Carlucci,

835

F.2d 1282,

1285

(9th Cir.

1987).

These records are likely to

contribute to greater public awareness about how the VA plans

to fulfill

its records management requirements in a cloud computing environment.

"Cloud

computing is

a technology that allows users to access and use shared data and computing services

via the Internet or a Virtual Private Network."

See NARA Bulletin 2010-05, supra.

In

December 2010, the Office of Management and Budget ("OMB") announced a plan to

overhaul

federal

information technology and asked federal

agencies and departments to identify three

services they could move to

a cloud environment by May 2012.

See

Joseph Marks, Agencies

identify 78

services for cloud transition, Nextgov (May 26, 2011),

http://www.nextgov.com/nextgov/ng

20110526

1117.php (Attached as Exhibit C).

As

a result

of this initiative, several federal

agencies and departments have announced plans to

or have

already moved their email systems to a cloud.

See

e.g.,

Michael S.

Rosenwald, Federal

government loosens its

grip on the Backberry, The

Washington Post, May 30, 2011

(Attached as

Exhibit D).

The VA is

considering moving its email to

a cloud computing environment.

See

Montalbano, supra.

NARA has recognized there are records management challenges associated

with cloud computing;

at least one agency that uses cloud computing services already has

acknowledged records management requirements were not addressed with its cloud computing

system.

See NARA Bulletin 2010-05, supra.

CREW is

a non-profit corporation, organized under section 501(c)(3) of the Internal

Revenue Code.

CREW is committed to protecting the public's right to be aware of the activities

of government officials and to ensuring the integrity of those officials.

CREW uses a

combination of research, litigation, and advocacy to

advance its mission.

The release of

information garnered through this request is not in CREW's financial

interest.

CREW will

analyze the information responsive to this request, and will share its analysis with the public,

either through memoranda, reports, or press releases.

In addition, CREW will disseminate any

documents it acquires from this request to the public through its website,

www.citizensforethics.org, which also includes links to thousands of pages of documents CREW

acquired through its multiple FOIA requests as well as documents related to CREW's litigation

and agency complaints, and through www.scribd.com.

Under these circumstances, CREW satisfies fully the criteria for

a fee waiver.

News Media Fee Waiver Request

CREW also

asks that it not be charged search or review fees

for this request because

CREW qualifies as a "representative ofthe news media" pursuant to the FOIA and the VA

regulations, 38

C.P.R.

1.555(d)(3).

In Nat'! Sec.

Archive v.

US.

Dep 't of

Defense,

880 F.2d

1381,

1386 (D.C.

Cir.

1989), the Court of Appeals for the District of Columbia Circuit found the

FOIA Officer

June 24, 2011

Page 5

National

Security Archive was a representative of the news media under the FOIA, relying on the

FOIA's legislative history, which indicates the phrase "representative of the news media" is to

be

interpreted broadly; "it is critical that the phrase 'representative of the news media'

be broadly

interpreted if the act is to

work as

expected .... In fact,

any person or organization which

regularly publishes or disseminates information to

the public ... should qualifY for waivers as a

'representative of the

news media."' 132 Cong.

Rec.

S14298

(daily ed.

Sept.

30,

1986) (emphasis

added),

cited in id.

CREW routinely and systematically disseminates information to the public in several

ways.

First,

CREW maintains a frequently visited website, www.citizensforethics.org, that

received 36,383 page visits in May 2011.

The website reports the latest developments and

contains in-depth infotmation about a variety of activities of government agencies and officials.

In addition,

since April14, 2010, when CREW began postings its documents on

www.scribD.com, there have been 930,800 visits to its documents.

Second,

since May 2007, CREW has published an online newsletter, CREWCuts, that

currently has

15,632 subscribers.

CREWCuts provides subscribers with regular updates

regarding CREW's activities and information the organization has received from government

entities.

A complete archive of past CREWCuts is

available at

www.citizensforethics.org/newsletter.

Third, CREW publishes a blog,

Citizens Bloggingfor Responsibility and Ethics in

Washington,

that reports on and analyzes newsworthy developments regarding government ethics

and corruption.

The blog,

located at www.citizensforethics.org/blog, also provides links

that direct readers to

other news articles and commentary on these issues.

CREW's blog had

5,951

hits in May 2011.

Finally, CREW has published numerous reports to educate the public about government

ethics and corruption.

Examples include:

CREW's Most Corrupt 2010:

Unfinished Business;

Top

10 Ethics Scandals of 201 0;

and FOIA

at the Mid-term:

Obstacles to

Transparency Remain.

These and all other CREW reports are available at www.citizensforethics.org/reports.

Based on these extensive publication activities,

CREW qualifies for a fee

waiver as a

"representative of the news media" under the FOIA.

Conclusion

If you have any questions about this request or foresee any problems in releasing fully the

requested records, please contact me at (202) 408-5565.

Also, if CREW's request for a fee

waiver is not granted in full,

please contact our office immediately upon making such

determination.

Please send the requested records to

Anne L.

Weismann,

Citizens for

FOIA Officer

June 24, 2011

Page 6

Responsibility and Ethics in Washington,

1400 Eye

Street, N.W. , Suite 450, Washington, D.C.

20005.

Enclosures

e L.

Weismann

Chief Counsel

EXHIBIT A

Page

1 of2

.&..

Open

up a new

universe of possibilities

for your business.

VA To Migrate Email To The Cloud

The agency is

seeking a contractor to move 600,000 employees to a hosted system through a project

it's

calling the "Big 4."

By

Elizabeth

Montalbano,

lnformationWeek

February 28,

2011

U RL:

http:!

/www. informationweek. com/news/government/cloud-saas/229219490

The Department ofVeterans Affairs (VA)

plans to

move 600,000

of its employees

to

a cloud-based email and collaboration system in a comprehensive migration

project it's calling the

"Big 4."

IT managers must perfmm a detailed ROI analysis before transitioning to the

cloud.

Diss;._gver

how to

cost out the

cloud.

The depmiment is

looking for a contractor to

help

it migrate its entire backend email

system-- comprised of Microsoft Exchange and

SharePoint servers, an e-mail

archive system, BlackBerry software, and storage and back-up systems -- to

hosted cloud environment, according to a request for

information (RFI) it posted

online for

potential contractors.

(click image for larger

view)

Slideshow:

Top

20

Government Cloud

Service Providers

"Big 4"

refers to

the number of data centers that are required to

host the system, which the contractor will own

and manage for the agency.

The VA

will consider hosting in

a private cloud or going with a service provider's cloud infrastructure, but wants

to

entirely outsource management of the cloud, according to the RFI.

VA staff will provide support for end users

of the system but won't have administrative access to the applications.

Though the

project is

called the Big 4, there are actually nine separate sub-projects within

it to

handle each

individual aspect of the new cloud-based system, according to the RFI.

The nine projects the contractor will

be

required to

complete include:

Enterprise Exchange,

SharePoint, BlackBerry, archive, backup, tape encryption,

tape key management system,

storage system,

and network components.

The agency plans to

use its

existing Microsoft licenses for

SharePoint and Exchange, acquired as

part of an

enterprise agreement.

With the V A's existing relationship with Microsoft, the vendor seems a strong contender to

be

considered for

the contract. Microsoft provides hosted versions of both SharePoint and Exchange as

part of its

Business Productivity Management Suite (BPOS), which other federal

agencies are considering or using.

If it

goes after the project, Microsoft may find

itself competing against Google, which also has been actively

wooing federal

customers to

use its

cloud-based email and collaboration suite,

Google Apps for Govemment.

In

fact,

the two have already found

themselves

in

contentious competition for federal

customers.

http://www. information

week. com/news/

government/

cloud -saas/22 92194 90 ?printer_

friendl...

6/24/20 11

Page 2 of2

In January,

for

instance, Google and

reseller Onix Networks won

an

injunction

against the Department of the

Interior to

block the agency's move to

Microsoft BPOS for

80,000 employees.

The preliminary injunction, which

could impact future

federal

competition for

cloud services, arises from

a lawsuit the two companies filed

in

late

October claiming that last year Interior did not follow federal

guidelines

in

procuring hosted email and

collaboration.

Email and collaboration seem to be among the most cloud-friendly applications federal

agencies plan to

reconsider as

part of the government's

"cloud first"

strategy.

The plan, directed by U.S.

CIO Vivek Kundra in

December, requires federal

agencies to

look at cloud-based solutions first when planning new IT projects.

In

addition to

Interior's stalled plan, the Army also plans to

move a network of disparate email servers to

the

cloud in a move officials have said is

the first step

in

a broader email consolidation across the military. However,

instead

of using a commercial cloud provider, the Army will host its

email on a cloud managed by the Defense

Infonnation Systems Agency (DISA).

cSH;orbti

;rs

THE ULTIMATE RESOURCE

FOR IT,

BY IT

R, 1T ev ,J1D

$199 a year fQr unlimited a(cess to comprehensWe researda and anatysis

Copyright© 2011

United

Business Media

LLC,

All

rigl1ts

reserved.

http://www.informationweek.com/news/

government/cloud-saas/229219490?printer

_ friendl...

6/24/2011

EXHIBITB

NARA Bulletin 2010-05

NARA Bulletin

2010-05

September 08,

2010

TO:

Heads of Federal

agencies

SUBJECT:

Guidance on

Managing

Records in

Cloud

Computing

Environments

EXPIRATION

DATE:

September 30,

2013

1. What is the purpose of this bulletin?

This

bulletin

addresses

records

management considerations

in

cloud

computing

environments and

is

formal

articulation

of NARA's view of agencies'

records

management responsibilities.

As agencies

are

increasingly evaluating,

piloting,

and

adopting these

technologies,

they

must comply

with

all

Federal

records

management laws,

regulations,

and

policies.

2.

How does this

bulletin differ from "Frequently Asked Questions about Managing Federal

Records

in Cloud Computing Environments"?

NARA issued

an

FAQ

in

February 2010 to

provide agencies with

a basic overview of cloud

computing.

This

bulletin

expands

on

that discussion

by

including a more detailed

definition,

Federal

agency

examples of cloud

computing,

records

management guidelines,

and

contract language to

consider

when

procuring

cloud

computing services.

3.

What is cloud computing?

Cloud computing

is

a technology that allows

users to

access and

use

shared data

and computing

services via

the

Internet or a Virtual

Private

Network.

It gives

users access to

resources without having

to

build

infrastructure to

support these resources within

their own

environments

or networks.

General

interpretations of cloud

computing

include "renting" storage space on

another organization's

servers

or hosting

a suite of services.

Other interpretations of cloud

computing

reference

particular

social media

applications,

cloud-based

e-mail,

and

other types

of Web applications.

However,

the

National

Institute of Standards and

Technology (NIST)

has

been

designated to

develop standards

and

guidelines for the

Federal

cloud

computing effort and

to

provide an

authoritative definition.

NIST defines

cloud

computing

as

"a model for enabling

convenient,

on-demand

network access to

shared

pool

of configurable

computing

resources (e.g.,

networks,

servers,

storage,

applications,

and

services) that can

be

rapidly

provisioned

and

released with

minimal

management effort or service

provider interaction." (NIST Definitfon

of Cloud Computing,

Version

15,

10-07-2009) NIST has stated

that the

definition

of Cloud

Computing is

evolving.

The

user should consult the most current definition

available from

NIST and

other resources.

NIST also

identifies five

essential characteristics of cloud

computing:

On-demand self-service. A

consumer can

unilaterally

provision

computing

capabilities,

such

as

server time and

network storage,

as

needed

automatically without requiring

human

interaction

with

each

service's

provider.

Broad network access. Capabilities are

available over the

network and

accessed through

standard

mechanisms that promote use by

heterogeneous thin

or thick client platforms

(e.g.,

mobile

phones,

laptops,

and

PDAs).

Resource pooling. The provider's computing

resources

are pooled to

serve multiple

consumers

using

a multi-tenant model,

with

different physical

and

virtual

resources

dynamically

assigned and

reassigned

according to

consumer demand.

There

is

a sense of location

independence

in

that the

customer generally

has no

control

or knowledge over the exact location

of the

provided

resources

but may be

able to

specify

location

at a higher level

of abstraction

(e.g.,

country,

state,

or datacenter).

Examples

of resources

include storage,

processing,

memory,

network bandwidth,

and

virtual

machines.

http:/

/www.archives.gov/records-mgmt/bulletins/20 10/2010-05 .html

Page

1 of 5

6/24/2011

NARA Bulletin 2010-05

Rapid elasticity.

Capabilities

can

be

rapidly

and

elastically

provisioned,

in

some cases

automatically,

to

quickly scale out and

rapidly

released to quickly scale

in.

To the consumer,

the

capabilities available for provisioning

often

appear to

be

unlimited

and

can

be

purchased

in

any

quantity at any time.

Measured Service. Cloud systems automatically control

and

optimize resource

use

by

leveraging a metering

capability at some

level

of abstraction

appropriate to

the type

of service

(e.g.,

storage,

processing,

bandwidth,

and

active user accounts).

Resource usage can

be

monitored,

controlled,

and

reported

providing

transparency for both

the

provider and

consumer of

the

utilized service.

(NIST Definition of Cloud

Computing,

Version

15,

0-07-2009)

The terminology above

is

used

in

the

IT community and

by

NIST to describe characteristics

of

cloud

computing.

4.

What are cloud computing service and deployment models?

Cloud computing

service

models

refer to

how an

agency can

adopt cloud

computing.

Currently

NIST

describes the

models as follows:

Cloud Software as a Service (SaaS). The capability provided to

the

consumer is

to

use the

provider's applications running on

a cloud

infrastructure.

The

applications are accessible from

various

client devices through

a thin

client interface such

as

a web

browser (e.g.,

web-based

email).

The

consumer does not manage or control the

underlying

cloud

infrastructure including

network,

servers,

operating

systems,

storage,

or even

individual

application

capabilities,

with

the

possible exception

of limited

user-specific application configuration

settings.

Cloud Platform as a Service (PaaS).

The capability provided

to

the consumer is

to deploy onto

the

cloud

infrastructure consumer-created

or acquired

applications created

using

programming

languages and

tools

supported

by

the provider.

The consumer does not manage or control the

underlying

cloud

infrastructure including

network,

servers,

operating systems,

or storage,

but has

control

over the

deployed

applications and

possibly application

hosting environment

configurations.

Cloud Infrastructure as a Service (laaS).

The capability

provided to

the

consumer is

to

provision

processing,

storage,

networks,

and

other fundamental

computing

resources where the

consumer is

able to

deploy and

run

arbitrary software, which

can

include operating systems

and

applications.

The consumer does

not manage or control

the

underlying

cloud

infrastructure but

has

control

over operating

systems,

storage,

deployed

applications,

and

possibly limited

control of

select networking

components (e.g.,

host firewalls).

Depending

upon

user needs,

and

other considerations,

cloud

computing

services are typically

deployed using

one of the following

four models as

defined

by

NIST:

Private cloud. The cloud

infrastructure is

operated

solely

for an

organization.

It may

be

managed

by

the

organization

or a third

party and

may exist on

premise or off premise.

Community cloud. The cloud

infrastructure is

shared

by

several

organizations and

supports a

specific community that has shared concerns (e.g.,

mission,

security

requirements,

policy,

and

compliance considerations).

It

may be

managed by

the

organizations or a third

party and

may

exist on

premise or off premise.

Public cloud. The cloud

infrastructure is

made available to

the general public or a large

industry group and

is

owned

by

an

organization selling

cloud

services.

Hybrid cloud. The

cloud

infrastructure is

a composition

of two

or more clouds

(private,

community,

or public) that remain

unique entities

but are bound

together by

standardized or

http:/

/www.archives.gov/records-mgmt/bulletins/20 10/2010-05 .html

Page 2 of 5

6/24/2011

NARA Bulletin 2010-05

proprietary technology that enables data and

application

portability

(e.g.,

cloud

bursting

for

load-
balancing

between

clouds).

(All

definitions are from

NIST Definition of Cloud Computing,

Version

15,

10-07-2009)

Public and

private clouds

are terms

used

in

the

IT community and

by

NIST to

describe various cloud

configurations.

These terms

are

not

related

to whether records in

those

clouds

are

publicly accessible.

In

addition,

definitions do

not preclude agency

responsibilities to

manage the

records.

5.

How are

Federal agencies using cloud computing?

NARA interviewed

agencies that

are

using

cloud

computing

services to

achieve

benefits such

as

cost

savings,

accessibility,

scalability,

collaboration,

and

flexibility.

All

of the

agencies

interviewed

recognize

the

challenge

of managing data

in

the

cloud.

They

have

begun

to

address

concerns

around

cloud

computing environments

such

as

privacy,

security,

and

data

ownership.

However, the

agencies stated

that managing

records

in

a cloud

computing environment is

a concern that they

are only beginning to

address.

In

one

example,

an

agency

dealing with

globally-dispersed employees

needed a rapid

solution for

information

sharing.

Using

a commercial

contractor,

the

agency deployed

a private cloud

to

share

financial

data,

capture

reports,

provide world-wide access to

information,

and

solve security

challenges.

In this

instance,

the

agency

used

a separate commercial

platform to

prevent unauthorized

users from

using

the

application

as

a back door to

access secure agency servers.

The

agency

said

the

system

meets all fiscal

audit requirements,

but also said

it recognizes

that records management

requirements were

not

addressed,

and

no

data

is

being

deleted.

In

another example,

at

least two

units

in

the same agency

built and

offer cloud

computing

services as

providers to

other offices

in

different parts

of the

agency.

Both

units deal with

classified

information

and

need

to

retain

control of these

records within

their organizations.

They control

the

use of and

access to

the

system.

One

of the

units experienced

an

increase in the

use of its collaboration software

because customers

no

longer need to worry

about software and

hardware acquisition,

updating

software and

operating systems,

back-ups,

and

access/permissions control.

Customers are

responsible for the content and

determining

its

record

status

and

for managing

records

in

the

cloud.

In

a final

example,

at

least two

other agencies offer cloud

computing

services

both within

the

agency

and to

other agencies.

One

of these agencies

is

offering storage space over which

the

customer has

complete configuration

control.

While still

a pilot,

it is

anticipated that customers will

be

responsible for

managing

records

stored

in

the cloud.

The two

agencies are

considering "Terms of Service"

agreements that would

address

records management requirements.

For more agency examples see the CIO

Council's

report on

the

State of Public Sector Cloud

Computing

(pdf).

For security issues with

cloud

computing

see GAO's

report Federal Guidance

Needed to

Address Control

Issues with

Implementing Cloud

Computing

(pdf).

6.

What are some of the records management challenges associated with cloud computing?

NARA recognizes that the

service

and

deployment models affect how

records

may be created,

used,

and

stored

in

cloud

computing

environments.

The level of agency control

over the

design,

implementation,

and

operations of a cloud

computing environment containing

Federal

records may

vary depending on

service and deployment models.

For example,

in

the

case

of laaS and

PaaS

service models,

the agency

is

more

likely to

maintain the

records outside the

cloud.

In

the

SaaS

service model,

the

agency may maintain

records

in

contractor-provided

clouds,

and

any

negotiated

contract language will

need to

address specific records

management responsibilities.

See Question

for a general

clause that an

agency can

modify to fit the planned type

of service.

NARA has

identified

several

records

management challenges with

cloud

computing

environments:

Cloud

applications may lack the

capability to

implement records disposition

schedules,

including

the

ability to

transfer and

permanently

delete records

or perform

other records management

functions.

Therefore specific service and

deployment models may not meet all

of the

records

management requirements

of 36 CFR

Part 1236 (formerly 36 CFR part 1234 ).

Examples

of these

requirements include:

http://www.archives.gov/records-mgmt/bulletins/20 10/2010-05 .html

Page 3 of 5

6/24/2011

NARA Bulletin 2010-05

Maintaining

records

in

a way that maintains their functionality

and

integrity throughout the

records' full

lifecycle

Maintaining

links

between the

records

and their metadata

Transfer of archival

records

to

NARA or deletion

of temporary records

according to

NARA-
approved

retention

schedules.

Depending on

the

application,

cloud

service providers must be

made aware of the

record

retention

requirements governing a given

body of Federal

records stored

in

one

or more cloud

locations. Agencies

need to

be

able to

control

any proposed deletion of records

pursuant to

existing

authorities,

wherever the

records

may be

located

in

the

providers' cloud.

Cloud

service

providers

must also

act to ensure that records

are

accessible so

as

to

ensure agency

responsiveness to discovery,

or FOIA!Privacy Act,

or other access

requests.

Various

cloud

architectures

lack formal

technical standards governing

how data are

stored

and

manipulated

in

cloud

environments.

This threatens the

long-term trustworthiness and

sustainability of the data.

lack of portability standards

may result in

difficulty removing

records

for recordkeeping

requirements or complicate the

transition to

another environment. This

could

affect the ability of

agencies to

meet their record keeping

responsibilities for temporary or historically valuable

records

being

transferred to

NARA.

Agencies and

cloud

service providers should

anticipate

how continued

preservation

and

access

issues will

be

resolved

in

a contingency where the cloud

service provider's business operations

materially change (e.g.,

bankruptcy),

or cease

altogether.

7.

How can agencies meet their records management responsibilities?

Federal

agencies are

responsible

for managing their records

in

accordance with

NARA statues

including the

Federal

Records Act (44

U.S. C.

Chapters 21,

29,

31 ,33)

and

NARA regulations (36 CFR

Chapter XII

Subchapter B).

This

is

true

regardless of which

cloud

service and

deployment models

are

adopted.

However,

NARA recognizes that the differences between

models affect how and

by

whom

(agency/contractor)

records management activities can

be performed.

The following

are guidelines for creating

standards and

policies for managing an

agency's

records

created,

used,

or stored

in

cloud

computing environments:

1.

Include the

agency

records

management officer and/or staff in

the planning,

development,

deployment,

and

use of cloud

computing

solutions.

2.

Define which

copy

of records will

be declared

as

the

agency's

record

copy

and

manage these

in

accordance with

36 CFR

Part

i 222.

Remember,

the value of records

in

the

cloud

may be greater

than

the value

of any other set because

of indexing

or other reasons.

In

such

instances,

this

added

value

may

require

designation of the copies as

records.

3.

Include instructions for determining

if Federal

records

in

a cloud

environment are covered

under

an

existing

records

retention

schedule.

4.

Include instructions on

how all

records will

be

captured,

managed,

retained,

made

available to

authorized

users,

and

retention

periods applied.

5.

Include instructions on

conducting

a records

analysis,

developing and

submitting

records

retention

schedules to

NARA for unscheduled

records in

a cloud

environment,

These instructions

should

include scheduling

system documentation,

metadata,

and

related

records.

6.

Include instructions to

periodically test transfers of Federal

records to

other environments,

including

agency servers,

to

ensure the

records

remain

portable.

7.

Include instructions on

how data will

be migrated to

new formats,

operating

systems,

etc.,

so

that

records

are readable throughout their entire life cycles.

Include in

your migration

planning

provisions for transferring

permanent records in

the cloud

to

NARA.

An

agency choosing

to

pre-
accession

its

permanent electronic records

to

NARA is

no

longer responsible

for migration

except to

meet its

business purposes.

8.

Resolve portability and accessibility

issues through good

records

management policies and other

data governance practices.

Data governance typically addresses

interoperability

of computing

systems,

portability of data (able to

move from

one

system

to

another),

and

information

security

http:/

/www.archives.gov/records-mgmt/bulletins/20 10/2010-05 .html

Page 4 of 5

6/24/2011

NARA Bulletin 2010-05

and

access.

However,

such

policies

by themselves will

not address an

agency's compliance with

the

Federal

Records Act and

NARA regulations.

8.

What is an

agency's responsibility when dealing with contractors?

Ultimately,

an

agency maintains responsibility

for managing

its

records whether they

reside

in

contracted

environment or under agency physical custody (see 36

CFR

Part 1222.32 (b)).

When

dealing with

a contractor,

an

agency

must include a records

management clause

in

any contract or

similar agreement.

At a minimum,

a records

management clause ensures that the

Federal agency and

the

contractor are

aware

of their statutory

records

management responsibilities.

The following

is

a general

cia Lise

that an

agency can

modify to

fit the

planned

type

of service and

specific agency

records

management needs:

Use

of contractor's site and services may require

management of Federal records.

If the

contractor

holds Federal records,

the

contractor must manage Federal records

in

accordance

with

all applicable

records

management laws and regulations,

including but not limited to

the

Federal Records Act (44

U.S. C.

chs.

21,

29,

31,

33},

and regulations ofthe National Archives and Records Administration

(NARA)

at 36

CFR Chapter XII Subchapter B).

Managing the

records

includes,

but is

not limited to,

secure storage,

retrievability,

and proper disposition of all federal records including transfer of

permanently valuable records to NARA

in

a format and manner acceptable to

NARA

at the

time of

transfer.

The

agency also remains responsible

under the

laws and regulations cited above for ensuring

that applicable records management laws and regulations are complied with

through

the

life and

termination of the

contract.

If an

agency

decides to

create or join

a private

or community cloud,

it will

still

need

to

meet records

management responsibilities.

The agencies may describe these

responsibilities

in

agreements

among

the participating offices or agencies.

If a cloud

provider ceases to

provide services an

agency

must

continue to

meet its

records

management obligations.

Agencies should

plan

for this

contingency.

9.

Where do I go for more information?

NARA's National

Records

Management Program can

provide assistance.

See "List of NARA Contacts

for Your Agency."

In

addition,

NARA maintains the

Toolkit for Managing

Electronic Records as

resource for agencies to share and

access

records

management best practices.

DAVIDS.

FERRIERO

Archivist of the

United States

Contact

Us

Acces•:>ibi!ity

Privacy

Policy

Free:.1orn

or Information Ad

No

Fb\H

Ad

USA.qov

PDF

files

require the

free Adobe Reader.

More

information

on

Adobe Acrobat PDF files

Administration

1-86··Ni\RA-NAHA or

1·866 .. 272-627)

http://www.archives.gov/records-mgmt/bulletins/20 10/2010-05 .html

Page 5 of 5

6/24/2011

EXHIBIT C

NextGov.com- Agencies identify 78

services for cloud transition

Page

1 of 1

nex

'V TECHNOLOGY

AND

THE

BUSINESS

OF

GOVERNMENT

Agencies ide11tify 78 services for clotld tra11sition

By Joseph

Marks

05/26/11

Federal agencies have

idcntincd 78

computer systems they plan to migrate to

the cloud within a year,

according to

the Office of Management and Budget.

The listing follows

a directive in

OMB's 25-point plan to

reform

federal

IT,

published in

December 2010,

that ordered federal

agencies to

identifY three services they could move to the cloud by May 2012.

The transition to cloud computing should save the federal

government at least $5

billion annually,

federal

Chieflnforrnation Officer Vivek Kundra told members of a Senate panel Wednesday. A

firmer estimate of

those savings will

have to wait on individual contracts for the moves to be negotiated and other factors,

Kundra said.

Computer clouds essentially are

large banks of computer servers that can operate much closer to

full

capacity than standard servers by rapidly repacking data as one customer surges in

usage and another one

dips.

Data storage in

the cloud is operated like electricity grids or other utilities,

with customers paying only

for what they use.

A handful of low-risk government services,

such as

websites that don't take in

sensitive public information,

are already

in

privately owned cloud space.

But some government officials have expressed skepticism about

moving some very sensitive or complex operations to either private clouds or to government-only clouds,

worrying that the move could jeopardize security.

The majority of projects slated for transition seem to

be

low-hanging fruit,

securitywise. Out of the 78

cloud

-bound items,

for

instance,

14

are email systems, which are easy to standardize in

the manner required for

inclusion in

the cloud.

The General

Services Administration announced

on May 9 it

would include bids from

vendors offering to

transfer agency email systems to the cloud on

its GSA schedule, a list of approved contractors and prices

that allows

individual agencies to

drive down service costs by

leveraging the buying power of the entire

federal

government.

Other common items slated for cloud transition include websites and document storage, among other

services.

© 2011

BY NATIONAL JOURNAL GROUP,

INC.

ALL RIGHTS

RESERVED

http://www.nextgov.com/site_services/print_article.php?StoryiD=ng_2011 0526_1117

6/24/2011

EXHIBITD

Federal government loosens its grip on the

BlackBerry- The Washington Post

Back to

previous page

Federal government loosens its

grip on the

BlackBerry

By MichaelS. Rosenwald, Published:

May 30

Page

1 of 4

Somewhere in America, perhaps at this

very moment, a bad guy is

under video

surveillance.

He

is

being

watched, every movement, every step- but not on a little TV.

That's so

2009.

Instead, a special agent

from the Bureau of Alcohol, Tobacco, Firearms and Explosives is keeping tabs on an iPad.

This is not a movie.

This is

not a Steve Jobs dream.

This is the federal

government 2.0, where

technology upgrades no

longer come at a "Little House on the Prairie" pace.

Even President Obama, a

BlackBerry devotee, has upgraded.

He now owns an iPad, and it has been seen on his desk and under his

arm.

The flashy

consumer products that have been adopted in the corporate workforce - upending

BlackBerrys for

iPhones, Microsoft Outlook for

Gmail, and lately laptops for

iPads -are now invading

the federal

government. The State Department. The Army.

The Department of Veterans Affairs. NASA.

The General Services Administration is

in the process of moving

17,000 employees onto

Gmail.

The stakes are huge.

The change may damage companies long associated with Washington work culture,

but officials say the shift will make workers more productive while slashing billions from the $80 billion

spent annually on information technology.

The government is trying to keep up

with federal

workers'

interest in the new gadgets.

"The demand we are

seeing now in the last 90

days has been just extraordinary," said Tim Hoechst,

http://www. washingtonpost.comlbusiness/ economy /federal-government -loosens-its-grip-o...

6/24/2011

Federal government loosens its grip on the BlackBerry- The Washington Post

Page

2 of 4

chief technology officer at Agilex Technologies, which is

helping federal

agencies integrate Apple

products into

workforces.

(Like other contractors racing to meet demand, Agliex practices what it

preaches; it has replaced its

sign-in book at the reception desk with an iPad.) "It's like everybody is

saying,

'This is

really happening here now.' "

From home to work

Analysts and government officials say the demand for consumer technologies is

coming from

two

directions.

At the top,

agency directors and senior officials are using iPads, Android phones or Web-
based e-mail in their personal lives and asking IT administrators why they

can't use them at work.

But

the bigger push is coming from frontline workers, who

see the value consumer technology could add to

their working life, making them more mobile and less tied to

an office.

"People have better access to

information technology at their homes than they do

at work,

and that's

especially true in the public sector," said Vivek Kundra, the federal government's chief information

officer.

"If you look at the

average school kid,

he or she probably has better technology in his

or her

backpack than most of us

do in government offices."

And employees are no

longer taking no

for an answer.

A recent Forrester Research study showed 35

percent of workers in the United States either buy their own smartphone for work, use unsanctioned

Web sites or download unapproved applications on a work computer.

Why? Twenty four percent of do-
it-yourselfers say the technology is better than what their job provides. Thirty-six percent say they

need

it,

and their employer won't provide an alternative.

And nearly 40 percent say they use it at home and,

well, they want it at work, too.

"This is

about innovation and it's about bringing new ideas and new ways of doing things into the

workforce," said Ted Schadler, an analyst for

Forrester Research, which studies tech trends in the

government and corporate world.

"People now have easy access to

technology that can solve problems."

Kundra, the U.S.

top information officer, said, "The line between work and home in terms of technology

is

beginning to

blur." Asked what he typically hears from workers about government- or corporate-
provided technology,

Kundra said, "It's not a question of whether they don't like it.

They despise it."

So

many consumer devices are being brought in by

federal

workers that Rep.

Danell Issa (R- Calif.),

chairman of the House Committee on Oversight and Government Reform, recently voiced his concern

about authorized uses in a rather surreal hearing,

in which he

held up an iPad and asked a White House

official, "Are any of these carried into the White House?" When the official answered yes,

Issa replied,

"So people carry a product which circumvents your entire system by going to the AT&T network on a

daily basis

in the White House, isn't that true?" Eventually, the official conceded that was true.

Issa said

he

is concerned about what it means for presidential recordkeeping.

His office did not respond to

request for

comment.

Kundra's answer to the issue of people using unauthorized devices is simple:

Give them what they

want.

Like many federal

workers, he carries two devices- a BlackBerry (for work stuff) and an iPhone (for

personal stuff).

And like many people, Kundra says he wants to

be a "one-device guy." He recently

began pondering a radical

idea with federal

agencies:

Let workers use whatever mobile device they

want,

apply strict security settings, and have the government pay a stipend for

service.

Agencies and

cabinet departments, with the help of companies like Agilex,

could then build apps

for internal

employee use and distribute them on private app stores.

Potential savings

http://www. washingtonpost.com/business/economy /federal-government-loosens-its-grip-o...

6/24/2011

Federal government loosens its grip on the BlackBerry- The Washington Post

Page 3 of 4

The shift to

consumer technologies is

also about controlling costs:

By moving to

cloud-based e-mail

with Google, the GSA says it will cut expenses by

50 percent over the next five years by

not having to

maintain its own servers and pay for expensive updates to

software.

The Agriculture Department is

also

moving its

e-mail to

the cloud, though with a competing product from Microsoft, which is

going head-to-head with

Google on many cloud initiatives.

The USDA says it will

save about $6 million a year with the switch.

The new system is

"always updated," said Casey Coleman, the GSA's chief information officer.

"It's

always refreshed.

It's always modem."

And GSA workers

can easily access their e-mail from

iPhone or Android devices, which the

agency

is

testing.

The adoption of these consumer devices, though still modest in size, has been widespread across a

variety of agencies.

At ATF, there are about 50

iPads or iPhones in use,

and the number could increase to

100

soon.

At the

Pacific Northwest National Laboratory, the

1,000 BlackBerrys used last year have dropped to

about 700

as workers picked other smartphones.

The State Department is

testing iPads.

Congress now allows iPads

and iPhones on the House floor.

And the

Department of Veterans Affairs is

getting ready to

allow its clinicians to

choose an iPad or

iPhone instead of a BlackBerry. VA chief information officer Roger Baker said not offering access to

consumer devices threatened to

harm the department's services by making it an undesirable place for

young, bright doctors to

work.

"The more we

say no,

the more stodgy we would look," Baker said.

"So

we had to

figure

out a way to

say yes."

As iPhones,

iPads and Android devices pop up more in government, it could spell further trouble for

Research in Motion, the maker ofthe BlackBerry, whose market share fell

from 21

percent in 2009 to

14

percent last year.

Analysts say RIM focused too much on its highly secure e-mail service instead of building a flexible

application platform on which users and developers could innovate to

make customers'

working lives

more mobile and productive.

The company also

was late to the booming tablet market, which so

far

is

dominated by Apple,

with interest also

bubbling in a slew of Android entrants.

"The best way I can describe BlackBerry is as a one-trick pony," said Charlie Wolf,

an analyst for

Needham &

Co.,

an investment bank.

"The one trick was their secure messaging platform. Management

has yet to

understand that the world has changed. They didn't understand that it was a software game

going forward."

For their part, RIM executives say they are making great strides in expanding developer interest in an

updated version of the BlackBerry platform. And though a variety of third-party companies have popped

up

with services claiming to make iPhones and Android devices as secure as BlackBerrys, Theron

Dodson, a senior RIM executive, said, "This is

harder than it looks."

At the same time,

RIM quietly announced it was providing a new service allowing iPhones and Android

devices to

connect to

its secure e-mail system.

That was a tacit admission, analysts say, of the brutal

challenges posed by Apple and Google.

http://www. washingtonpost.com/business/economy /federal-government-loosens-its-grip-o...

6/24/2011

Federal government loosens its grip on the BlackBerry- The Washington Post

Page 4 of 4

"The rise

of consumer technology in the enterprise- it's here," Kundra said. "It's happening as

we

speak."

Sponsored

Links

Do

NOT Buy

Car Insurance!

Your Auto

Insurer Hates This.

Obey this

amazing

trick to

get extremely cheap rates!

NewsToday9.com

Hot Penny

Stock:

RMGX

Improves gas mileage &

lowers emission.

Smart investors

Learn

more now

www.GreenGainers.com

Reverse Mortgage Info

Free

Reverse

Mortgage Educational Video.

Request Your Kit Today.

www.MetlifeBank.com

© The Washington Post Company

Buy a link here

http://www. washingtonpost.com/business/economy /federal-government-loosens-its-grip-o...

6/24/2011

Sign up to vote on this title
UsefulNot useful