Secure Imaging Customers With Military Intelligence
As DoD (Department of Defense) mandates become the security standard for more government and private sector customers, Computer & Hi-Tech Management's regulatory expertise is driving triple-digit growth for its document imaging division.
When you pass a military base, it isn't surprising to see barricades and armed guards. The DoD is just as diligent about the security of its data and IT systems. Computer & Hi-Tech Management (CHM) (Virginia Beach, VA), an integrator focusing on the government vertical market, understands only too well the demands of government regulations such as DoD Directive 5015.2 and DITSCAP (DoD Information Technology Security Certification and Accreditation Process). "Most of our customers are third- or fourth-tier departments in the federal government or military," says John Montel, CHM's director of document imaging. "Federal mandates such as these are the primary concern when they are implementing imaging solutions." However, Montel warns that even integrators who aren't pursuing military customers can be affected by these regulations.
Named as one of the top 100 government integrators by Washington Technology, CHM has a complete arsenal of technology solutions including document management, mass storage, networking, and security. Its target market and breadth of solutions make CHM something of a regulatory expert as it helps customers comply not only with DoD 5015.2 and DITSCAP, but also HIPAA (Health Insurance Portability and Accountability Act), Section 508 (which governs accessibility for the handicapped), and other mandates. More than 60% of CHM employees have government security clearances, and the company is ISO 9001 certified. This expertise is paying off for CHM's document imaging division, which Montel estimates will triple its revenue this year.
The DoD's IT Rules Of Engagement
DoD 5015.2-STD (standard) is the design criteria standard for implementing records management applications established under DoD Directive 5015.2. It specifies the baseline functionality, required interfaces, and search criteria such an application must provide. Any records management application used by a DoD agency must undergo 9 to 15 months of testing to receive certification from the JITC (Joint Interoperability Test Command). Information about the testing and a list of certified products are available at jitc.fhu.disa.mil/recmgt/index.htm.
DITSCAP covers not only records management applications, but also the network itself. DITSCAP "shall apply to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information," according to the DoD's instructional overview of the regulation. It includes risk and vulnerability assessments of new systems or infrastructure as well as enhancements of existing systems and any reconfiguration or upgrade. DITSCAP certification compares a user's system to a number of specific requirements and determines what percentage of those requirements is met. Of those that aren't met, a determination is made as to the level of risk they represent.
Unlike DoD 5015.2, DITSCAP places the responsibility for testing and compliance reporting on the user, who often relies on the integrator to assist with the process. The four-phase process consists of definition, verification, validation, and post-accreditation, with tasks assigned to specific user roles within the organization. More information on DITSCAP is available at iase.disa.mil/ditscap/.
More Imaging Customers Opting To Follow Martial Law
Because revisions and recertifications sometimes make DoD 5015.2 and DITSCAP moving targets, offering such solutions may seem prohibitively complicated. However, the potential rewards are great. As the largest employer in the United States, the DoD has 5.2 million users, including active and retired military and reserves as well as civilian employees. In fiscal year 2003, the federal government as a whole has a combined IT budget of $54 billion, and it is spending it. "We've seen a tremendous number of RFPs [requests for proposals] recently," reports Montel. "We responded to 23 in just the past month and presented 4 contracts with recommendations for existing implementations."
But even if you don't target DoD agencies, you should still be familiar with the regulations. "Most agencies use DoD specifications as guidelines, even though they have nothing to do with their agency," asserts Montel. "For instance, we also target state and local governments. Many of the RFPs we respond to in that market require compliance with the DoD regulations. They recognize it as a reliable standard, and it saves them from having to develop their own." In January 2003, NARA (National Archives and Records Administration) advised the heads of all federal agencies that it has endorsed DoD 5015.2. As the agency responsible for protecting and maintaining all federal records, NARA encouraged all agencies to adopt the standard and stated its intention to continue to work on the development of the standard.
An understanding of and experience implementing secure solutions are also attractive to private sector customers. A recent Gartner study found that security was a top priority for end users, followed by content management. Security, risk reduction, and the demands of regulatory compliance are key drivers in end user purchasing decisions. "Every organization wants to prove its system is secure," says Montel. "Customers want assurances that they won't have problems storing sensitive information such as Social Security numbers and that they are safe from other threats such as hackers." Gartner has also publicly advised both government and private sector organizations to give primary consideration to products with DoD 5015.2 certification.
Don't Get Besieged By Certification Processes
For most VARs, the biggest challenge in helping customers comply with these regulations isn't technical, particularly when it comes to DITSCAP. "Projects that have to be DITSCAP certified can potentially cost me money," says Montel. "We had one project that was a month behind because of the DITSCAP certification process. If we bid from a fixed price, sometimes we have to eat the added expense of working with them to get them up to speed." Montel points to the example of a records management implementation for Sierra Military Health Services (SMHS), a subsidiary of Sierra Health Services, Inc. (Las Vegas), which delivers managed care to active and retired military personnel. "SMHS has a patient's complete identity in its system. Because they can be sued for security breaches, SMHS has to be prepared to prove that it adequately manages and maintains the system."
Obtaining DITSCAP certification is self-directed, but there are specific requirements for how the software and procedures are shared with the governing agency. It also requires certification reports and other documentation, though there are no specific timelines for how long each phase of the process should take. Managing the process often falls to internal IT and security officers, but smaller organizations may not have the resources in place and need to rely more heavily on the integrator. Montel points out that for many customers, such as state and local governments, DITSCAP is voluntary but important for credibility and liability reduction.
The Best Offense Is A Good Defense
"Inexperienced VARs can overlook a lot of stuff, and end users often have no clue how to comply with these standards," warns Montel. "That's why it's important to have an installation log. This lets the customer know how the system runs. VARs should have customers sign off on what they are storing, how it has to be stored, and what potential vulnerabilities exist."
Because most VARs maintain ongoing relationships with their customers, DoD compliance isn't a one-time concern. For example, new versions of software have to be recertified for the DoD 5015.2 standard. In the case of DITSCAP, mandates such as Army Regulation 380-19 require re-accreditation within three months of a defined list of "events." That list includes any change to the system, the physical structure where the system is housed, a threat or breach of the system, and a change to the user group or the classification level of information being managed.
To win the battle against a weak economy and intense competitors, successful imaging VARs are focusing on protecting customer data as well as managing it. While demonstrating military-style information security isn't essential for all customers, it's yet another way VARs can help their customers feel safe with their choice in a solution provider.