When you pass a military base, it isn't surprising to see barricades and armed guards. Similarly, the DoD (Department of Defense) is just as diligent about the security of its data and IT systems. Computer & Hi-Tech Management (CHM) (Virginia Beach, VA), an integrator focusing on the government vertical market, understands only too well the demands of government regulations such as DoD Directive 5015.2 and DITSCAP (DoD Information Technology Security Certification and Accreditation Process). "Most of our customers are third- or fourth-tier departments in the federal government or military," says John Montel, CHM's director of document imaging. "Federal mandates such as these are the primary concern when they are implementing imaging solutions." However, Montel warns that even integrators who aren't pursuing military customers can be affected by these regulations.

Named as one of the top 100 government integrators by Washington Technology, CHM has a complete arsenal of technology solutions including document management, mass storage, networking, and security. Its target market and breadth of solutions make CHM something of a regulatory expert as it helps customers comply not only with DoD 5015.2 and DITSCAP, but also HIPAA (Health Insurance Portability and Accountability Act), Section 508 (which governs accessibility for the handicapped), and other mandates. More than 60% of CHM employees have government security clearances, and the company is ISO 9001 certified. This expertise is paying off for CHM's document imaging division, which Montel estimates will triple its revenue this year.

The DoD's IT Rules Of Engagement
DoD 5015.2-STD (standard) is the design criteria standard for implementing records management applications established under DoD directive 5015.2. It specifies the baseline functionality, required interfaces, and search criteria a compliant application must provide. Any records management application used by a DoD agency must undergo 9 to 15 months of testing to receive certification from the JITC (Joint Interoperability Test Command). Information about the testing and a list of certified products are available at jitc.fhu.disa.mil/recmgt/index.htm.

DITSCAP covers not only records management applications, but also the network itself. DITSCAP "shall apply to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information," according to the DoD's instructional overview of the regulation. It includes risk and vulnerability assessments of new systems or infrastructure as well as enhancements of existing systems and any reconfiguration or upgrade. DITSCAP certification compares a user's system to a number of specific requirements and determines what percentage of those requirements is met. Of those that aren't met, a determination is made as to the level of risk they represent.

Unlike with DoD 5015.2, the responsibility for testing and compliance reporting under DITSCAP falls on the user, who often relies on the integrator to assist with the process. The four-phased process includes definition, verification, validation, and post accreditation, based on specific user roles within the organization. More information on DITSCAP is available at iase.disa.mil/ditscap/.

More Imaging Customers Opting To Follow Martial Law
Because revisions and recertifications sometimes make DoD 5015.2 and DITSCAP moving targets, offering such solutions may seem prohibitively complicated. However, the potential rewards are great. As the largest employer in the United States, the DoD has 5.2 million users, including active and retired military and reserves as well as civilian employees. In fiscal year 2003, the federal government as a whole has a combined IT budget of $54 billion, and it is spending it. "We've seen a tremendous number of RFPs [requests for proposals] recently," reports Montel. "We responded to 23 in just the past month and presented 4 contracts with recommendations for existing implementations."

But even if you don't target DoD agencies, you should still be familiar with the regulations. "Most agencies use DoD specifications as guidelines, even though they have nothing to do with their agency," asserts Montel. "For instance, we also target state and local governments. Many of the RFPs we respond to in that market require compliance with the DoD regulations. They recognize it as a reliable standard, and it saves them from having to develop their own." In January 2003, NARA (National Archives and Records Administration) advised the heads of all federal agencies that it has endorsed DoD 5015.2. As the agency responsible for protecting and maintaining all federal records, NARA encouraged all agencies to adopt the standard and stated its intention to continue to work on the development of the standard.

An understanding of and experience implementing secure solutions are also attractive to private sector customers. A recent Gartner study found that security was a top priority for end users, followed by content management. Security, risk reduction, and the demands of regulatory compliance are key drivers in end user purchasing decisions. "Every organization wants to prove its system is secure," says Montel. "Customers want assurances that they won't have problems storing sensitive information such as Social Security numbers and that they are safe from other threats such as hackers." Gartner has also publicly advised both government and private sector organizations to give primary consideration to products with DoD 5015.2 certification.

Don't Get Besieged By Certification Processes
For most VARs, the biggest challenge in helping customers comply with these regulations isn't technical, particularly when it comes to DITSCAP. "Projects that have to be DITSCAP certified can potentially cost me money," says Montel. "We had one project that was a month behind because of the DITSCAP certification process. If we bid from a fixed price, sometimes we have to eat the added expense of working with them to get them up to speed." Montel points to the example of a records management implementation for Sierra Military Health Services (SMHS), a subsidiary of Sierra Health Services, Inc. (Las Vegas), which delivers managed care to active and retired military personnel. "SMHS has a patient's complete identity in its system. Because they can be sued for security breaches, SMHS has to be prepared to prove that it adequately manages and maintains the system."

Obtaining DITSCAP certification is self-directed, but there are specific requirements for how the software and procedures are shared with the governing agency. It also requires certification reports and other documentation, though there are no specific time lines for how long each phase of the process should take. Managing the process often falls to internal IT and security officers, but smaller organizations may not have the resources in place and need to rely more heavily on the integrator. Montel points out that for many customers, such as state and local governments, DITSCAP is voluntary, but important to credibility and liability reduction.

The Best Offense Is A Good Defense
"Inexperienced VARs can overlook a lot of stuff, and end users often have no clue how to comply with these standards," warns Montel. "That's why it's important to have an installation log. This lets the customer know how the system runs. VARs should have customers sign off on what they are storing, how it has to be stored, and what potential vulnerabilities exist."

Because most VARs maintain ongoing relationships with their customers, DoD compliance isn't a one-time concern. For example, new versions of software have to be recertified for the DoD 5015.2 standard. In the case of DITSCAP, mandates such as Army Regulation 380-19 require re-accreditation within three months of a defined list of "events." That list includes any change to the system, the physical structure where the system is housed, a threat or breach of the system, and a change to the user group or the classification level of information being managed.

To win the battle against a weak economy and intense competitors, successful imaging VARs are focusing on protecting customer data as well as managing it. While demonstrating military-style information security isn't essential for all customers, it's yet another way VARs can help their customers feel safe with their choice in a solution provider.


Imaging Software Passes Muster For Regulatory Compliance

Because it specializes in the government and military vertical markets, Computer & Hi-Tech Management (CHM) (Virginia Beach, VA) must choose products that support compliance with regulations such as DoD Directive 5015.2 and DITSCAP (DoD Information Technology Security Certification and Accreditation Process). For example, CHM recently implemented a mail room scanning application for one government agency that had to meet the demands of these regulations. All incoming mail is scanned in an off-site clean room and sent to recipients electronically.

The backbone of the mail scanning project is document imaging and management software from LaserFiche (Long Beach, CA). The product suite includes solutions for capture, distribution, and workflow. It is on the list of DoD-certified records management products, and CHM has also used it successfully in applications that require HIPAA (Health Insurance Portability and Accountability Act) compliance as well as in other regulated environments. LaserFiche also offers an accessibility package for the visually impaired that meets the demands of Section 508 of the Rehabilitation Act, which provides employees and the public with access to federal information.

"I've been working with LaserFiche since it was in DOS [disk operating system]," says John Montel, director of document imaging at CHM. "It has always been easy to install and simple to maintain, which helps us reduce overhead costs."

Montel also cites scalability as one of the key features of LaserFiche software, as it allows CHM to provide options for entry-level desktop users as well as enterprise-level systems. "Even though it looks simple, LaserFiche can ramp up to 50,000 simultaneous users," says Montel. "As we continue to grow with LaserFiche, we've found that we can pitch a $600,000 to $700,000 proposal for a thousand users and be competitive on price and functionality."

LaserFiche was recently named to the Deloitte & Touche LLC Fast 50 for the Los Angeles area. Fast 50 rankings are based on percentage of growth over a five-year period. According to Chris Wacker, senior VP at LaserFiche, much of the company's growth is attributed to its expanding presence beyond the government vertical to an increasing number of financial and healthcare customers. Like government, these markets are also struggling to comply with intense regulatory pressures.

Secure Records Management Requires Storage Expertise

DoD 5015.2-STD (Department of Defense 5015.2 standard) outlines the security and functionality specifications for records management applications, but it doesn't specifically address storage hardware. However, Enterprise Storage Group predicts that eventually DoD will require certification of mass storage products. So does EMC, apparently, which has voluntarily obtained certification for Centera, a content addressed storage device.

While mass storage sales aren't a core component of Computer & Hi-Tech Management's (Virginia Beach, VA) document imaging business unit, they are still viewed as an important service. The integrator offers a complete range of mass storage solutions from plug and play NAS (network attached storage) to multi-terabyte SANs (storage area networks). "We don't make a lot of money on hardware," admits John Montel, CHM's director of document imaging. "The biggest value is the ability to provide a solution without making a customer go through five different vendors."

The most common mass storage sale for CHM's imaging business is tape backup, usually a combination of hardware from Exabyte Corp. and software from VERITAS Software Corp. Even in highly regulated government environments, Montel finds that customers often require some advice about backup. "Many customers don't realize that they have to be able to restore the data from any specific day within one year," he notes. He says that some customers will try to get by with weekly backups or rotating tapes on a weekly basis. Not only does Montel help them set up a yearlong rotation, he also provides advice about off-site storage, environmental conditions, and media choices. As a result, customers trust CHM for advice about all aspects of data security.
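The retention point Montel makes above is easy to check before tapes are bought. The following script is an added example, not code from the article or from CHM; the function names and the scenario parameters are assumptions, and it uses a deliberately simple model: full backups only, round-robin tape reuse, and a day counts as restorable only if a backup taken on that day still survives on a tape. Run as written, it contrasts a weekly rotation on four tapes with a yearlong daily rotation and reports how many of the last 365 days could actually be restored.

```python
from datetime import date, timedelta

# Constructed scenario: the simulated year starts on 2003-01-01 (the article's
# fiscal-year reference) and the retention window is one year (365 days).
SIM_START = date(2003, 1, 1)
RETENTION_DAYS = 365


def surviving_backups(start, total_days, interval_days, tape_count):
    """Simulate a round-robin tape rotation.

    A full backup is written every `interval_days` days over `total_days`
    days; the n-th backup goes on tape n % tape_count, overwriting whatever
    that tape previously held. Returns the sorted dates of the backups that
    are still on tape when the simulation ends.
    """
    on_tape = {}  # tape index -> date of the backup currently on it
    for n, offset in enumerate(range(0, total_days, interval_days)):
        on_tape[n % tape_count] = start + timedelta(days=offset)
    return sorted(on_tape.values())


def coverage_gaps(backups, window_end, window_days=RETENTION_DAYS):
    """Return every date in the retention window ending on `window_end`
    (inclusive) for which no surviving backup of that exact day exists."""
    have = set(backups)
    first = window_end - timedelta(days=window_days - 1)
    return [first + timedelta(days=i)
            for i in range(window_days)
            if first + timedelta(days=i) not in have]


def assess(interval_days, tape_count,
           window_days=RETENTION_DAYS, start=SIM_START):
    """Run a rotation for one full retention window and summarise coverage."""
    end = start + timedelta(days=window_days - 1)
    backups = surviving_backups(start, window_days, interval_days, tape_count)
    gaps = coverage_gaps(backups, end, window_days)
    return {
        "interval_days": interval_days,
        "tapes": tape_count,
        "restorable_days": window_days - len(gaps),
        "missing_days": len(gaps),
        "oldest_restorable": backups[0],
        "newest_restorable": backups[-1],
    }


if __name__ == "__main__":
    # Weekly full backups on four rotating tapes: the "get by" scheme.
    weak = assess(interval_days=7, tape_count=4)
    # Daily full backups with enough tapes to hold the whole year.
    strong = assess(interval_days=1, tape_count=365)
    for label, result in (("weekly / 4 tapes", weak), ("daily / 365 tapes", strong)):
        print(f"{label:18s} restorable={result['restorable_days']:3d} "
              f"missing={result['missing_days']:3d} "
              f"oldest={result['oldest_restorable']} "
              f"newest={result['newest_restorable']}")
```

The model only counts a day as covered when a backup taken on that day survives, so incremental schemes or partial-day snapshots would need a richer model; the point it demonstrates is that a four-tape weekly rotation leaves only the most recent four weeks restorable, and that even keeping all 53 weekly tapes covers just one day in seven of the year-long window.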