Governmentwide Electronic Mail for the Federal Government

Report of the Electronic Mail Task Force

Prepared for the Office of Management and Budget, Office of Information and Regulatory Affairs

April 1, 1994

Foreword

By memorandum on July 22, 1993, the Honorable Sally Katzen, Administrator, Office of Information and Regulatory Affairs (OIRA), of the Office of Management and Budget (OMB), chartered an interagency task force to address "Electronic Messaging Among Federal Agencies." That memorandum related the role of the task force to the National Performance Review, and stated six goals:

- Identify support for, provide advice to, and evaluate the results of electronic mail pilots currently underway.
- Develop and issue a Request for Information (RFI) to industry. The RFI will outline the challenges faced by the Federal government in its progress toward electronic mail interconnection and solicit possible technical solutions. The task force will evaluate industry responses and use this information to fulfill its other goals.
- Analyze the current use of the Internet by Federal agencies and its potential contribution to both near and long-term e-mail requirements.
- Coordinate proposals for improving mail interoperation with the High Performance Computing and Communications Initiative.
- Develop a near-term (24 month) Program Plan, including financial and technical resource requirements, to assist agencies in improving their capabilities for electronic mail and electronic commerce.
- Develop program options for long-term, governmentwide electronic commerce. Identify technical, administrative, and policy issues that need to be resolved.

The task force was directed to complete its work by April 1, 1994.

On December 3, 1993, Solicitation Number RFI-16-94-HHS-OS was issued with the project title "Electronic Mail Services to Link Federal Government Agencies with their Clients and Business Partners, and with One Another."
It discussed the goal and objectives of the task force, and presented 17 questions. Twenty-three vendors submitted responses by the February deadline, ranging in length from one to thirty pages. Several were very thoughtful, evidencing considerable effort, for which the task force is most grateful.

Recognition is given to the task force participants, who undertook their participation as a collateral effort to their ongoing agency responsibilities:

    Maya A. Bernstein, Office of Management and Budget
    Chuck Chamberlain, U.S. Postal Service
    Michael Corrigan, General Services Administration
    Paul Grant, Department of Defense
    David Lytel, Office of Science and Technology Policy
    Jerry Mulvenna, National Institute of Standards and Technology
    Alan Proctor, Federal Trade Commission
    Michael St. Johns, Advanced Projects Research Agency
    Kenneth Thibodeau, National Archives and Records Administration
    Tony Villasenor, National Aeronautics and Space Administration

Appreciation is also extended for the assistance of Jonas Neihardt (Office of Management and Budget), Michael Ransome (National Institute of Standards and Technology), Dan Schneider (Department of Justice), Martin Smith (International Trade Commission), and Mike Stein (Environmental Protection Agency) from the Integrated Services Panel, and to Lisa Pugh (Department of Health and Human Services).

Neil J. Stillman, Ph.D., Chairman
Deputy Assistant Secretary for Information Resources Management
Department of Health and Human Services

Table of Contents

EXECUTIVE SUMMARY

GOVERNMENTWIDE E-MAIL REQUIREMENTS
    The Vision
    Functional Requirements
    Management Requirements
    Technical Requirements

LEGAL AND POLICY ISSUES
    Legal Requirements
    Access Issues in Context
    Electronic Mail Within An Agency
    Organizational Impacts

E-MAIL SURVEY RESULTS AND ANALYSIS
    Current State of Electronic Mail

PILOT PROJECTS
    Performance Measurements
    Pilot Project Descriptions
    Pilot Baseline Activities (How government Works Today)
    E-mail Enhancements (How the government Might Work)

IMPLEMENTATION PLAN
    Two Year Implementation Plan (Present through FY96)

RECOMMENDATIONS
    1. Promote Electronic Government
    2. Require Governmentwide E-mail Connectivity
    3. Establish a Governmentwide E-Mail Standard
    4. Promote Public Access
    5. Establish Governmentwide E-mail Directory
    6. Issue E-mail Policy
    7. Establish E-mail Program Office
    8. Establish E-mail Management Council
    9. Provide Funding for Governmentwide E-mail

LIST OF APPENDICES
    APPENDIX A Copy of E-Mail Task Force Charter
    APPENDIX B Solicitation For Information or Planning Purposes OMB No.0990-0115
    APPENDIX C Respondents to the RFI
    APPENDIX D E-Mail Policy Checklist
    APPENDIX E E-Mail Implementation Survey

EXECUTIVE SUMMARY

The Vice President's Report of the National Performance Review identified a number of new technologies that, if made available to government organizations, would help in the administration's goal of making government "work better and cost less". Among these new technologies, electronic mail (e-mail) was identified as an area that was sufficiently developed and accepted, and for which commercial products were available. In fact, most agencies have some form of e-mail in place for intra-agency communications.
To adequately leverage this existing e-mail capability, government organizations would have to extend the reach of their systems to an interagency and extra-government community.

Our vision for effective interagency e-mail is:

    A service that appears to the user to be a single, unified electronic postal system that offers robust and trustworthy capabilities with legally-sufficient controls for moving all forms of electronic information among employees at all levels of government, and with the public we serve; and, like the Nation's telephone network, is affordable, ubiquitous, efficient, accessible, easy-to-use, reliable, cost-effective, and supported by an effective directory service.

Interagency and extra-government e-mail, however, introduces a number of new issues and hurdles that organizations may not have addressed during the implementation of their current systems. Because many corporate and government e-mail systems are already in use, and because e-mail systems are financed and managed by their owners, there are a variety of terminals, systems and protocols in use, representing the investment in, and deployment of, several generations of equipment. Yet, despite the differences, all parties must be able to intercommunicate at given minimum levels of service. Further, all parties must be able to "find" each other, i.e., a high quality directory service, that includes all users and describes their capabilities, is needed to provide the e-mail service described above.

Official use and the conduct of business require assurance of timely delivery, message accountability, delivery acknowledgments and receipts, security, and management control features which transcend the simple connectivity of the telephone system. They are attributes that we associate with the higher grades of postal service, a third-party conveyer whose operations have the presumption of trustworthiness in courts of law.
The term, "business-quality e-mail," used by the Department of Defense, refers to these functionalities which, when added to those of simple interpersonal messaging, yield a service suitable for the regulatory and financial operations of government.

The report categorizes governmentwide requirements for e-mail, identifying functional requirements (connectivity, interoperability, message accountability, ease of use and directories), management requirements (performance and measurement, security, user support, public access, and financing), and technical requirements (addressing and systems engineering).

Legal requirements for records management, security, and adjudication are discussed in the context of electronic mail within an agency, between government organizations, and in government interactions with the public.

In order to establish a baseline and perform ongoing assessments of progress toward effective electronic government, we will conduct quarterly surveys, the results of which will provide "snapshots in time". The results of the first survey on the status of e-mail in Federal agencies show the varying levels of external e-mail connectivity that exist in Federal agencies today.

The E-mail Task Force sponsored four e-mail pilots to demonstrate the effectiveness, efficiency and relative cost benefits of e-mail-based enhancements when compared to existing, paper-based business processes. Centralized support services, including a centralized help desk and an electronic post office, were established in conjunction with the pilots in a coordinated attempt to facilitate problem solving and user assistance.

Total centralized costs for implementation of governmentwide e-mail are estimated at $3 million for Fiscal Year 1995 and include establishment and operation of an E-mail Program Office, provision of value added services, support of agency cross-cutting e-mail initiatives, and directory services.
Fiscal Year 1996 costs are estimated at $6 million and include, in addition to the above items, the common use costs of migrating to X.400 standards and simultaneously supporting Internet access to governmentwide e-mail. A detailed implementation plan will be prepared by the E-mail Program Office.

The report concludes with the following recommendations:

OMB should promote the immediate use of e-mail as the preferred medium for the conduct of government business.

OMB should require agencies to implement governmentwide e-mail connectivity to support improved government performance.

OMB should work with the National Institute of Standards and Technology to adopt immediately the DoD Defense Message System (DMS) operational characteristics specifications as the basis for business quality governmentwide e-mail, in conjunction with changes required to ensure full interoperability and compatibility with SMTP-based networks, and enhanced at a minimum to incorporate business quality requirements for unclassified communications as defined in the DMS specifications.

Public access must be a priority in the establishment of an electronic government. Citizens must be provided with a consistent and agency independent e-mail interface to government (Federal, state, and local).

Directories are essential to effective use of e-mail. Immediate efforts should build on the existing volunteer efforts to construct a centralized directory of e-mail addresses. OMB should assist this effort by directing agencies to provide electronically, and regularly update, their existing internal directory information to the central directory. In FY95, an X.500 directory should be established and populated initially with the information from the centralized directory. As agencies establish and maintain their own X.500 directories linked to the central directory, directory maintenance will progressively be decentralized.
OMB should provide within 90 days a "model" e-mail policy which agencies should use in formulating policies to promote the effective and efficient use of electronic mail for the conduct of agency business. Agencies will be required to have policies in place by September 30, 1994 and should refer to National Archives and Records Administration's (NARA) proposed rule on e-mail record-keeping (59 Federal Register 13906) and the Checklist in Appendix D of this report.

OMB should establish an E-mail Program Office with explicit governmentwide responsibility and authority for facilitating the implementation, maintenance, and support of governmentwide e-mail.

OMB should charter an Interagency E-mail Management Council to provide management direction to, and conduct oversight of, the E-mail Program Office in implementing governmentwide e-mail. The Council would report to, and receive program and policy guidance from, the Government Information Technology Services (GITS) Working Group.

Governmentwide e-mail will require substantial sustained funding. Existing centralized funds may be a source of initial support to establish the E-mail Program Office and to support common use infrastructure investments that are required immediately. In the longer term, i.e., FY96 and beyond, OMB should identify a dedicated appropriation to fund staff in the E-mail Program Office and for common-use resources required to implement governmentwide e-mail. OMB should also direct agencies to include and highlight internal e-mail initiatives, e.g., networks, gateways, and applications, in their FY96 budget requests.
GOVERNMENTWIDE E-MAIL REQUIREMENTS

The Vision

    A service that appears to the user to be a single, unified electronic postal system that offers robust and trustworthy capabilities with legally-sufficient controls for moving all forms of electronic information among employees at all levels of government, and with the public we serve; and, like the Nation's telephone network, is affordable, ubiquitous, efficient, accessible, easy-to-use, reliable, cost-effective, and supported by an effective directory service.

Based on this vision, the E-Mail Task Force reviewed the requirements for what we consider to be business quality e-mail. Although there is significant overlap among requirements, and one requirement is often dependent upon another, for the purposes of this discussion, we have identified three basic groups: Functional Requirements, Management Requirements, and Technical Requirements.

Functional Requirements

Connectivity

The task force's survey found that government organizations have focused principally on networking workstations within their organizations, and less on linking internal networks, or on establishing gateways to link internal and external systems. Connectivity within a single government agency, between agencies, and with parties outside the Federal government poses both technical and management challenges. Some key technical issues are protocol standards and emerging telecommunications infrastructures, including telephone and cable technologies, and wireless high-bandwidth systems. In the next few years, it is expected that ATM/SONET-based services will become popular if not ubiquitous, while mobile radio systems will continue to expand. Cable television operators are trying to enter the network services arena, as are the telephone companies. All of these changes point to a more diverse network fabric in the very near future.

At the agency level, selection of a single network service may guarantee connectivity.
However, what is suitable for one agency (or even just one application within one agency) may not be suitable for another agency. The private sector is also likely to adopt a mix of technologies, balancing service requirements and costs in a manner that will ensure that diversity exists. Thus, there is a high potential for a varied but poorly integrated network infrastructure across the Federal government as well as the rest of the Nation.

Interoperability

E-mail interoperability is the ability of users on disparate mail systems to exchange messages with other users. Although application relays can be used to provide some limited application-specific interoperability, a more general solution requires choosing a common network protocol to be used over the underlying services available from network providers; one example is the TCP/IP protocol set which already runs on many different networks. For a common network protocol to succeed in unifying disparate provider services, coordination of such issues as address management, protocol convergence, and billing management must be accomplished. While technical solutions are available for good network connectivity, these have tended to be fielded in the environment of government-funded networking, where the applications are academic and limited, and do not take into account the need to deal with multiple, competing providers.

Many of the requirements detailed herein address business-quality e-mail, and will best be implemented using a single standard.
A choice has been made based on the following factors: the current Government Open Systems Interconnection Profile mandates the CCITT X.400 Message Handling System; the application of the Federal Internetworking Requirements Panel, which recommends selection of Federal standards based on mission, product availability, product affordability, and standards maturity; the relative efficiency of X.400 as compared to the Multi-media Internet Mail Extensions (MIME); and the fact that both X.400 and MIME are operational on the Internet. We therefore recommend that the standard should be the X.400 international standard, enhanced to incorporate the operational requirements defined in the DOD Defense Message System (DMS) specifications. It will need to be implemented in conjunction with the changes required to ensure full interoperability and compatibility with SMTP-based networks.

Limited interoperability exists today within and between the FTS2000/X.400 and Internet/SMTP domains. Enhancements are needed to achieve business-quality e-mail, some of the details of which are addressed in subsequent sections.

Message Accountability

Message accountability is a requirement for any electronic mail service intended for use in conveying formal regulatory and business transactions. Message originators must be able to prove that their messages were submitted at a specific date and time, and must have the option of being notified that their messages were delivered to the addressees. Accountability is the ability to trace the flow of a message between originators and addressees, and to establish a record of time and place of both origin and delivery. A non-repudiation service, such as the one specified in the 1988 X.400 Message Handling Systems Recommendations, provides a guarantee that is legally sufficient.
Many current e-mail implementations provide an audit trail to the message envelope which can be used to determine how a message was routed from its originator to its intended recipient. This audit trail information can be used also to determine billing when a message is carried by more than one commercial service. However, the delivery notification provided in some current electronic mail implementations does not provide the needed assurance of actual receipt, because there could be a receiver system failure after a delivery notification was made and before the message had been "opened" or actually seen or recorded by its addressee.

Accountability is provided on some selected closed community systems, such as the Defense Automatic Digital Network. It is not generally available to users of casual e-mail, but is a necessary element of service for business-quality e-mail. Specific requirements include the ability to trace lost messages to identify why, where and when they were not delivered, to trace messages delivered to unintended as well as intended recipients, to ensure non-repudiation by sender and recipient, and to associate recorded security events with the message trace.

Ease of Use

Ease of use is the attribute of a system that makes it a natural part of the user's normal conduct of business and workstation environment. E-mail operation should be no more complicated than using the telephone, and just as intuitive. Therefore, addressing should be simple and straightforward, regardless of where (i.e., what network) the recipient is physically; functions should be easily understood and should not produce unexpected side effects; and messages should not be easily "lost" or "destroyed" unintentionally.

Directories

Directories are a crucial support element behind almost all electronic services. Obvious uses include electronic mail address lookups as well as the lookup of more mundane information such as telephone numbers and physical addresses.
Less obviously, directories can be used in support of such services as security (by storing and facilitating the dissemination of public keys), messaging interoperability (by providing a means for building and sharing address mapping information), directory synchronization (providing a uniform means for disparate proprietary directories to exchange information), and other tasks. Many of these areas are already under development in the Information Infrastructure Task Force (IITF) or in other bodies.

In order to serve the disparate networks used by Federal agencies and their business partners, the directory information model must itself be highly flexible, and be independent of the directory protocols which distribute and provide access to the information. Key issues in the deployment of directories include choices of technologies to use (most likely X.500 or other distributed database architecture), privacy and distribution of directory data (how to control the access to the directory data and prevent its misuse), and ensuring that the directory is well-populated, widely enough available to be considered a useful service, and reliable.

Required features of a useful directory are described below:

Coverage: The directory should ideally include all of the addresses needed by a government user.

Ease of use: The directory should be no more difficult to use than current commercial e-mail directories or address books, and should not require the user to learn a separate system for different situations (e.g., for internal and external e-mail). Further, it should be convenient to address messages to any recipient.

Maintainability: The key challenges to maintaining a directory are (1) changes in information relevant to the directory (e.g., a person moving from one office to another) are not easy to capture; and (2) it is difficult to assure that only authorized changes are made to directory information when using a distributed update process.
Accuracy: Addresses in the directory should be current and accurate. This implies frequent updating and an effective feedback mechanism to correct errors quickly. Accuracy and maintainability will both be improved if users can directly add or correct their own identification information in the directory.

Speed: Users must be able to address a message quickly and easily. It is very desirable that the address lookup should be perceived as "instant," especially for commonly-used addresses.

Variety of attributes: The more attributes (name, organization name, location, mailing address, title, job specialty, telephone and fax numbers, network voice-mail address, one or more "affinity group" interests, group memberships, "distribution list" interests, etc.) that the directory contains, the more useful it will be. The ability to look up someone in a directory via alternate keys is highly desirable, such as use of one's telephone number to locate the e-mail address.

Although cost and other complications of building and maintaining the directory will increase as the number of attributes increases, adding attributes to the directory database could add substantial value in at least three ways:

(1) Additional attributes are useful to users who have only partial or uncertain information about their desired addressee(s).

(2) Adding attributes to the directory could meet ongoing needs for locating other information about government employees, such as locating telephone numbers, FAX numbers, networked voice-mail addresses, or conventional mail addresses.

(3) Adding attributes that identify employees as members of functional, organizational, membership groups, etc. could facilitate a whole new range of capabilities for improving communication among relevant groups of employees.
Four current major efforts in the area of Federal e-mail directories are:

(1) Several large agencies, including Energy, USDA, HHS and Commerce, are working toward enterprise-wide (Agency-wide) consolidation of multiple existing internal e-mail systems, including achieving physical connectivity and synchronization of directories into a central database;

(2) NASA and the US Postal Service are cooperating to implement a multiagency directory based on the CCITT X.500 standard and accessible via the Internet. Partners include FAA and IRS for pilot testing. The USPS is working with the NADF to operate X.500 directory synchronization.

(3) Several agencies (e.g., NSF, Transportation) are making addresses of their Internet-connected employees available for public access via standard Internet tools like anonymous FTP, gopher, and finger; and

(4) The FIRMPoC Integrated Service Panel's E-Mail User Group (EMUG) is soliciting agency contributions of e-mail addresses for a centralized interagency directory that is currently accessible via e-mail address lookup or by physical replication of the database via diskette. This effort directly builds on the internal synchronization efforts of individual agencies.

There are also major directory prototype efforts outside the government, notably the European PARADISE project based on X.500 directory service agents linked over the Internet and the North American Directory Forum's X.500 directory pilot. The investment in a Directory in which the data quality is high, and in which access is fast and flexible, represents a significant step toward providing business quality messaging. The directory population currently stands in excess of one million individuals in 50 countries. A set of agreements has been formulated which defines how distributed directory management domains for the North American environment will be managed. This model includes the massive existing postal residence and organization registry database.
Management Requirements

Performance and Measurement

E-mail is an enabling technology in reengineering the Federal government. In implementing e-mail, it is critical that results-oriented measures be established, so that the investment in e-mail can be assessed as a function of its contribution to improving mission performance, e.g., providing better service to the citizen. Measurement of performance is a critical factor in meeting government's overall goal of improving the efficiency and effectiveness with which it conducts its business. A comparison of the level of resources required to perform specific government functions before and after the function is redesigned to make use of e-mail and e-mail enabled applications is needed. In the longer term, government functions will be redesigned to take advantage of the special characteristics provided by e-mail and e-mail enabled applications.

Security

Security is required to establish the authenticity of the e-mail source and integrity of the message content, as well as to prevent unauthorized access, ensure privacy, support electronic commerce, etc. Multiple security levels will be required to meet the broad range of Federal requirements. A key issue to be addressed is how and to what extent security can be provided in electronic mail transfers. The Department of Defense is providing electronic mail security by utilizing a cryptography card, called the TESSERA card, which will be issued to each e-mail user. This card allows the use of multiple algorithms and multiple keys to provide message authentication, message integrity, and message encryption and decryption services. The TESSERA card's effectiveness is now being assessed in prototype implementations.

User Support

To utilize governmentwide e-mail effectively, users will need access to help desks, training courses, and effective documentation and instructional material.
Currently many users either do not know how to send interagency e-mail or cannot give their interagency e-mail address to someone who desires to send them interagency e-mail. A pilot help desk, staffed by GSA, is operational. However, documentation on how to use interagency e-mail is not generally available.

Public Access

Public access allows any e-mail-enabled person or organization outside of the Federal government to correspond electronically with a person or organization within the Federal government. Universal access will require public terminals, and will need to address the needs of non-English speakers and the illiterate. Access should be intuitive and predictable to individuals and organizations. Anyone should be able to access a government mail service directly or through their Value Added Network (VAN) to locate addresses, post messages, and have those messages delivered. In addition, the respective government organization should be able to send return messages that in the future will be enhanced by voice, graphics, and video.

Financing

A cost-effective mechanism to finance governmentwide e-mail, including common use infrastructure investments, e.g., directory, maintenance, training, user support, permanent help desk, and individual agency infrastructure and service requirements, must be established.

E-mail Program Management

Although the current web of largely volunteer and grass-roots committees has brought substantial creativity, energy, and impetus to the implementation of government e-mail, the magnitude and criticality of current needs is too great to leave to ad hoc and volunteer efforts. Implementation of governmentwide e-mail will require dedicated staff who have the analytical, technical, program support, and service-oriented skills to work with similarly skilled agency staff across the government.
Governmentwide e-mail is an essential and enabling tool to support government "reinvention", and as such, warrants investment in a dedicated organization to support its evolution.

Technical Requirements

Addressing

Addressing and naming management are fundamental to any large-scale electronic messaging service. Address registration, particularly for international e-mail communication, is complicated by the overlap of civilian, defense, commercial, and research/education domains. A possible US solution is to split registration authority between DoD (military), GSA (civilian government), and the USPS (all other).

A directory service is needed to mitigate at worst, and completely hide at best, "ugly" addresses. For example, PC-based autodialers now remove the need to "see" an individual's telephone number. The user enters or selects the name of the called party and the workstation initiates the connection. It could, from the same directory, and in the same transparent manner, supply e-mail addresses, add individual security parameters, etc.

Systems Engineering

Today's governmentwide e-mail capabilities are largely the result of the distributed activities of the various agencies. Loose coordination has been provided by the E-mail Users Group and the Federal Networking Council (FNC). In order to progress to a more integrated, ubiquitous service, governmentwide system engineering and management will be needed.

Systems engineering of governmentwide e-mail will need to address impacts to current operations; transition planning to produce minimal disruption; integration of cost-effective solutions commensurate with mission needs, staffing, and budget; flexibility and adaptability; assurance of backward and forward compatibility with existing infrastructure; and, most importantly, the reengineering of business processes to take advantage of emerging technologies.
LEGAL AND POLICY ISSUES

As the Federal government expands its use of electronic mail to conduct public business and deliver services, the need for a clear understanding of legal requirements that concern e-mail and for sound policies governing its use becomes critical. Satisfying this need is especially challenging because e-mail has a range of different characteristics. E-mail can consist of a suite of messages between two individuals; it can be used to broadcast a message from a single source to multiple recipients, or to collect information from many sources into one place. E-mail communications may be one-time or repetitive, unique or standardized. E-mail can include official records, private communications, and automated transactions. In mail-enabled applications, the sender and recipient of e-mail may not be persons, but other computer applications.

The use of electronic mail is affected by a variety of laws and regulations, some of which apply only to Federal agencies, others to the nation at large. This chapter identifies legal and policy issues that the Federal government must address as it implements electronic mail. The principal areas addressed are records management, privacy, security, permissible use, and organizational, social and ethical impacts. The focus of the discussion is on aspects of these issues specifically related to Federal government use of electronic mail. Issues that relate to Federal information or communications in general are discussed only when necessary to clarify e-mail issues.

Legal Requirements

Records Management

The Federal Records Act (FRA) (44 USC 2101-2118, 2901-2910, 3101-3107, 3301-3324) requires agencies (as defined in the Administrative Procedure Act, 5 USC 553) to maintain records documenting their official business.
It states:

    The head of each agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the government and of persons directly affected by the agency's activities. (44 USC 3101)

The FRA defines "records" as:

    all books, papers, maps, photographs, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States government under Federal law or in connection with the transaction of public business... (44 USC 3301)

All agencies create "records" under the FRA and must comply with its requirements. Agencies are responsible for managing records that are made or received via e-mail according to the same requirements that apply to Federal records in general.

The Armstrong et al v. Executive Office of the President (Armstrong v. EOP) case is a lawsuit related to electronic mail in the Executive Office of the President during the administrations of Presidents Reagan, Bush and Clinton. In this case, Federal courts have ruled that information and data in e-mail systems must be managed as Federal records when they satisfy the statutory definition of record in the FRA, and that printed copies of e-mail are not adequate substitutes for the electronic records when there are qualitative differences between the two versions. As a corollary to these rulings, it seems that e-mail is subject to the Freedom of Information Act (FOIA). The National Archives and Records Administration (NARA) is publishing extensive guidance to agencies concerning managing Federal records made or received via e-mail.

Access

Freedom of Information

The Freedom of Information Act (FOIA) (5 USC 552) requires disclosure of Federal records when a request is received from the public, with certain exceptions.
Any Federal record, as defined by the FRA, is subject to the FOIA. The FOIA may also apply to documents not considered records under the FRA (e.g. office chronological files and suspense copies). Agencies should make sure to search records on e-mail when conducting a search under the FOIA.

Privacy

The Privacy Act of 1974 (5 USC 552a) grants certain access and amendment rights to individuals for records about themselves maintained by agencies. It also requires agencies to maintain only accurate, relevant, timely, and complete records and to protect them from unauthorized disclosure.[1] The Privacy Act defines "record" as information about an individual together with an individual identifier (such as name, Social Security Number, or fingerprint). One interpretation is that an e-mail record is not "about" the individual who wrote or received it, based on some case law which says that a memorandum on paper is not considered to be about the author or addressee, unless it refers to actual personal information or personal affairs of the sender or recipient. Therefore the purpose to which e-mail records are put, rather than solely their contents, may determine whether they are records under the Privacy Act. For example, e-mail which is simply used to transmit official business may not be a record under the Act; however, if a supervisor monitors the electronic mail or uses it to evaluate an employee's work, then the messages which are monitored, and possibly the e-mail system, would constitute a system of records.

When it is established that a record exists, the retrieval of records by an individual's name or other identifier triggers the access, amendment and due process rights of the Privacy Act. If e-mail records are retrieved by the identity of the sender, the recipient, or an individual who is the subject of a message, the e-mail constitutes a 'system of records,' as defined by the Privacy Act.
Information created or received through e-mail may also become records subject to the Privacy Act even if the agency does not retrieve the e-mail using the name or other identifier of the individual. For example, an agency may use e-mail to receive and transmit information related to processing claims. Messages received from individuals might immediately be transferred to another system, such as case files or a data base. If information is retrieved from the other system by individual identifier, that system is a Privacy Act system of records. While the agency's e-mail system in this case might not itself qualify as a system of records, the agency must ensure that Privacy Act violations do not occur as records are moved through e-mail. The agency must issue notice of the existence of any system of records and describe it in the Federal Register. It must also maintain accurate, timely, relevant, and complete records according to standards which guarantee fairness to the individual when making determinations about her or him. The agency must protect Privacy Act records from unauthorized disclosure, and make an accounting of record disclosures, other than those made within the agency or under the Freedom of Information Act. E-mail systems can facilitate the accounting of disclosures because they maintain data on when and to whom messages are sent. However, agencies need to supplement this transmission data with other data that can be used to establish that the disclosures were permissible under the Privacy Act. The Privacy Act imposes on Federal agencies a requirement to collect information about individuals directly from those individuals to the greatest extent practical. E-mail can facilitate such direct collection because it diminishes the impediments of time and location for individuals who can be reached through e-mail. 
The Act also requires agencies to inform individuals of the authority under which the agency is asking them to provide information about themselves, the consequences to them of not providing it, and the uses the agency may make of the information. When agencies collect personal information using paper forms, they often guarantee that this requirement for notification is satisfied by printing it on the form. If an agency intends to use e-mail to collect records subject to the Privacy Act, it would be well advised to implement a comparable, systematic means of providing the Privacy Act notification. The Privacy Act requires agencies to provide individuals with access to their records and with the opportunity to request amendment of the record, except under certain conditions. Agencies can facilitate access by individuals in remote locations by sending them copies of the record via e-mail. If a request for amendment is granted, the agency must notify parties to whom it disclosed the record about the amendment. The transmission data in e-mail systems could facilitate this notification. If an agency denies a request for amendment, it must allow the individual to file a statement of disagreement with the record, and it must attach this statement whenever it discloses the record thereafter. When an agency implements a mail-enabled application where there is a significant probability that individuals may disagree with the agency's records, the agency should consider building into the system the ability to handle requests for amendment and statements of disagreement. The Electronic Communications Privacy Act (ECPA), (18 USC 2701 et seq.), makes it a crime for unauthorized parties to access or disclose someone else's electronic mail. The ECPA also permits individuals whose e-mail is intercepted or disclosed to sue for civil damages. However, the ECPA allows organizations to read employees' e-mail transmitted on its own internal e-mail systems. 
Legal Rights

Federal agencies must ensure that their use and management of electronic mail does not infringe on legal rights, such as copyright and other intellectual property rights, individuals' rights to privacy and the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th Amendment). The Privacy Act prohibits agencies from maintaining any records about the exercise of First Amendment rights, except with the consent of the individual, or when specifically authorized by statute or for law enforcement.

Security

The Computer Security Act of 1987 (Public Law 100-235) requires sensitive information in Federal computer systems to be protected commensurate with the potential risk and harm to the agency from the loss, misuse, or unauthorized alteration or disclosure of the information. Information systems must provide a level of security commensurate with the importance and sensitivity of the business functions which they support.

When e-mail is implemented within other systems, such as local area networks and host computers, security mechanisms in those systems will be applicable to the mail subsystem. However, providing appropriate security in electronic mail is more difficult than for other types of applications because to be effective e-mail must facilitate, rather than restrict, communication, and because the same e-mail system can be used to transmit messages which vary from information intended for public dissemination to information which is very sensitive and must be restricted from unauthorized access.

While electronic mail improves the ability to exchange information quickly and widely, it creates new vulnerabilities. These vulnerabilities should be considered when systems are designed. Risks must be evaluated in the context of specific e-mail systems.
Agencies must establish management controls, technical safeguards, recovery mechanisms, and user training programs in order to prevent, detect, and correct security problems. As with most information systems, internal threats, such as the misuse or release of sensitive information by employees, create the greater risk, because authorized users have better access to automated information. One method of guarding against such threats, as well as overseeing proper use of the technology in general, is monitoring. Monitoring is discussed in depth below.

Security requirements can be expressed in terms of availability, integrity, and confidentiality. These three attributes are essential for the use of e-mail to conduct government business.

Availability

Availability means that both the technology and the information are available when and where needed. The e-mail system should be available to all legitimate users at all times when use is appropriate. Conversely, the system should not be available for inappropriate use. The electronic link to external computers or electronic mail servers must prevent unauthorized access to an agency computer. Unauthorized access is itself a criminal offense under the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (18 USC 1030). Federal computer systems provide an attractive target. Digital files coming from outside the system should be checked for worms or viruses.

As with other computer and communications systems, electronic mail systems must be protected from power outages and system crashes, and backup systems must be provided in case of failure. There are a variety of management and technological means of providing appropriate system availability. They include emergency and disaster planning, protection from power surges and outages, recovery mechanisms, regular backups, hot/cold sites, and others.
Integrity

Integrity means that the information is what it purports to be and it is protected from unauthorized or inadvertent modification. The integrity of e-mail encompasses sender, recipient and content. The sender must have a high level of confidence that the message will reach only the addressee(s). Conversely, the recipient must be reasonably certain of the identity of the sender. Both must be confident that the message was delivered as sent. In e-mail systems which provide for storage and retrieval of messages created or received by a user, stored messages must not be altered. The e-mail system should protect authenticity by not allowing anyone to send mail in the name of someone else, or to alter incoming mail before forwarding it to others, or to create messages which have the appearance of having been forwarded from other authors. Digital signatures and digital date and time stamping are useful means of authenticating messages.

Confidentiality

Confidentiality means that the information is protected from unauthorized disclosure. The risk of unauthorized disclosure is heightened by the ease of retransmitting e-mail messages to other recipients and the ease of transmitting e-mail to multiple recipients. Moreover, a few inadvertent keystrokes (e.g., sending the wrong file) may mistakenly release sensitive information to the wrong recipients.

Agencies must provide adequate protection against unauthorized disclosure for all sensitive information, including information about individuals, trade secrets, proprietary information, and national security information. Protection should also extend to certain types of information which are destined to be made public, but which must be restricted until certain deadlines or conditions are met.
This includes, but is not limited to, politically sensitive information, information related to proposed or pending procurements, information that is pre-decisional, and certain reports or forecasts where premature release would give the recipient an unfair economic advantage. Users should be trained to exercise caution so as not to send or forward messages to persons who should not receive them.

Adjudication

In addition to the requirement to conform to applicable laws, there is another important legal issue related to electronic mail. It is the possible use of information communicated through electronic mail in adjudication. For the Federal government, this issue arises in the context of cases heard in the courts and in administrative law proceedings. The principal concerns are the admissibility of e-mail communications as evidence in legal proceedings and the susceptibility of the messages to discovery in civil actions. The Federal Rules of Evidence (Rule 803(8)) provide that official records may be admitted as evidence in lieu of the personal appearance of the official responsible for the activity which the records document. The Department of Justice has issued guidance to agencies on the admissibility of electronic records in Federal court.[2] If agencies use electronic mail to facilitate actions or proceedings under administrative law, they must ensure that the use of this technology does not disadvantage a party which might not have ready or full access to e-mail capabilities.

Issues in Context

The use of electronic mail may have significant impacts on the structure of Federal agencies, on the way people interact both within the agency, and in dealings between the government and the public. Some of these impacts may involve ethical questions. Government agencies should anticipate and explore these issues when adopting e-mail.
The organizational, social and ethical impacts are discussed more fully below in the different contexts of intra-agency e-mail, interagency e-mail, and e-mail between the government and the public. The use of electronic mail to communicate within an organization and with the public may introduce new efficiency and productivity, increase morale, and allow creativity and innovation to flourish. However, various unintended consequences may result as individuals are connected electronically to each other and to extra-agency or extra-governmental organizations. These issues should be explored more thoroughly and anticipated when adopting electronic mail in any organization.

Electronic Mail Within An Agency

Responsibilities for Information Management

A basic policy issue that agencies face related to the use of e-mail is the extent to which the agency should allow employee discretion in the management and use of this technology for the conduct of business. Sound management practice suggests that agency policy should make clear who may use an agency's electronic mail system and what kinds of activities are authorized.

When an agency establishes a mail-enabled application, it establishes standards and procedures for that application. Mail-enabled applications are subject to the same requirements for life-cycle management as other information technology applications. The agency should validate the need for the application and address requirements for electronic collection, storage and dissemination in initial plans, system design and system management. Specifications for operation should include when and how electronic mail is to be used.

Enabling employees to use e-mail at their discretion creates significant opportunities for improvements in economy, efficiency, timeliness, and quality of agency operations.
While some level of employee discretion in the use of e-mail is desirable and inevitable, the agency needs to know, at least in general terms, how an employee uses e-mail in the performance of duties. When an employee is absent, the agency may need to access the employee's e-mail when it might contain information that is required to deal with an emergency or to ensure timely action where the nature of the government's business requires timeliness, such as in procurements or processing of applications for loans, grants, or entitlements, or under statutory or judicial deadlines. Employee discretion must be exercised in conformance with the legal requirements described above.

In addition to training employees in the use of the technology, agencies should include in e-mail training instruction on how employees should meet the requirements for records management, privacy, security, and other legal requirements discussed above. Besides formal training, employees should be informed in advance and have ready access to agency policies concerning the use of e-mail. Contractors who have access to agency e-mail systems should also be informed of policies and standards for use. Any penalties for violating legal requirements or policies should be published, equitably imposed, and include due process protections for alleged violators.

Permissible Use

Each agency must determine who is permitted to use its e-mail systems and under what circumstances. Some agencies may choose to allow contractors or the public to use the system, while others may prohibit anyone but an agency employee from access. The Federal Information Resource Management Regulation (41 CFR 201-21.6, FIRMR bulletin C-13) prohibits the use of government telecommunications systems for other than authorized purposes. Official business is the most obvious legitimate purpose for use of e-mail; however, as discussed elsewhere in this chapter, the agency should articulate standards and procedures for business use.
Certain incidental uses of government telecommunications systems have been authorized by the General Services Administration. An agency should consider which incidental uses of the system it will authorize. Consistent with GSA guidelines, it may allow limited use of e-mail for personal communications. Discouraging all non-official uses of its system may make some activities less efficient and more cumbersome, such as leaving phone messages, or making lunch appointments.

Another aspect of 'permissible use' is the issue of the distribution of information through e-mail. E-mail systems facilitate disseminating information to multiple recipients. When an employee has a recurring need to communicate with a defined group of addressees, the employee can set up a mailing list identifying all the members of this group. Thereafter, the employee need only address a message to the group; the system will take care of sending it to each member. At its extreme, e-mail users can broadcast messages to all other users of the system. Broadcast capability is essential in some cases, such as for e-mail administrators to inform all users of impending actions which will affect them; however, there is no business need for all users to be able to broadcast to everyone. Agencies should define who has broadcast rights, who may create mailing lists, and under what circumstances.

Related to wide distribution is the issue of respecting intellectual property, such as copyrighted or licensed materials. Employees may have easy access to a large volume of copyrighted or licensed material through computer networks. Employees should guard against violating copyrights or licenses when distributing information even to a single addressee.

The converse of distribution to multiple addressees is receipt of broadcast messages. When agency e-mail systems are linked to public systems, such as the Internet, users can subscribe to networked news or distribution lists.
There are hundreds of distribution lists, sometimes called listservers, on the Internet. Anyone who subscribes to a list receives all messages sent to the list. Some lists receive hundreds of different messages each day. Employees can spend considerable time just scanning messages on a list to see if any are relevant. Agencies should establish guidelines on subscriptions to lists, on the time employees may spend reading messages on the list or posting messages to it, as well as guidelines concerning what types of information employees may post to the list and under what circumstances. Employees should consult with their supervisors about what lists are appropriate to them.

Monitoring e-mail

E-mail technology makes it possible for Federal agencies to monitor the communications that flow through their e-mail utilities. Some monitoring may be necessary for system management, trouble-shooting, capacity planning and similar purposes. Additional monitoring, concentrating on the parties involved and what information is communicated, may be appropriate to manage records, to protect privacy and confidentiality, in the interests of national security, for law enforcement, and for other legitimate purposes. However, such monitoring of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th Amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. However, the agency may wish to access or monitor an employee's mail when the employee's official duties are carried out through the use of e-mail, as a basis for evaluating the quantity, quality, or efficiency of the employee's work.

Access to an employee's electronic mail by an employer is a potentially contentious area that should be directly addressed.
Choices range from treating all electronic mail as accessible at any time, to limiting access to particular circumstances when such access is necessary. An agency should first decide for what purpose(s) it wishes to conduct monitoring and determine that all such purposes are legitimate. Legitimate purposes for monitoring or accessing individuals' e-mail include:

    To conduct system management, trouble-shooting, maintenance, or capacity planning, to correct addressing problems, or for similar reasons related to performance or availability of the system. In such cases, to the extent possible, the content of messages should not be accessed. If it is necessary to access contents, then those who actually gain access to e-mail messages should be careful to protect privacy and confidentiality.

    To maintain security of the system.

    To carry out records management responsibilities.

    To conduct authorized law enforcement surveillance or investigations, including tracking unauthorized access to a system.

    To conduct business during a business crisis if an employee is absent when information is required. In such a case, the agency should notify the employee affected that such access was obtained when the employee returns.

    To conduct business during a prolonged absence of an employee, when information in the employee's e-mail is required. In such a case, the agency should notify the employee affected that such access was obtained when the employee returns.

    For purposes of national security.

When an agency decides to monitor the contents of e-mail messages or the identities of the parties communicating, the agency should specifically identify the purpose(s) of such monitoring, ensure that the purpose(s) are legitimate, and establish and implement controls and constraints that prevent the misuse of monitoring. An agency which monitors e-mail should do so in the least intrusive way possible to acquire the required information.
Usage statistics, for example, may only require the date and time stamps of messages, rather than the sender and recipients' names. System maintenance on a mailbox may only require gathering header information, rather than the entire contents of messages. Intrusive monitoring may have a "chilling effect" on usage of the system. Similar considerations apply to access to e-mail by an employer in an employee's absence.

In all cases, it is important to notify individuals subject to monitoring in advance what the rules are. Individuals subject to monitoring must be notified in advance of the following: the authority to conduct monitoring, the circumstances under which monitoring would be applicable, the particular type of monitoring which will be used, the kind of information which will be collected during the monitoring, the uses to which the information collected may be put, the potential effect on the individual of the monitoring, and the effect on the individual of refusing to participate in such monitoring.

Employees should be notified when they are hired, or when they are given access to e-mail, of any monitoring programs in effect. In addition, they should be notified in advance of any new monitoring program. Business partners should be notified about monitoring when the partnership is established or in advance of any new monitoring program. Agencies should also consider whether, and how, to notify any other correspondents of their employees. In addition, individuals must be granted due process rights to access and amend Privacy Act records created as a result of monitoring, or when an adverse action is initiated as a result of monitoring.

Organizational Impacts

E-mail can be used to increase productivity, to improve timeliness of service to agency clients, and in general to facilitate and strengthen program capabilities. Internal communications have major impacts on corporate culture.
Electronic mail has the potential for affecting both the contents and the patterns of communication within an agency. Agencies should consider the potential impacts of e-mail on organizational hierarchy and chain of command. It may also be appropriate to establish "etiquette" guidelines, such as the procedure to follow when in receipt of mail intended for others, or limiting use of features which allow "snooping" on coworkers. The system should not be used to satisfy someone's idle curiosity about another employee's affairs. Employees should be instructed what to do with misdirected mail and when it is appropriate or inappropriate to forward mail or to send blind copies.

It has been observed that individuals using electronic mail tend to "flame" more readily than in other forms of communication; that is, to display dislike or use insulting or discourteous language. Employees should be trained both to maintain an appropriate tone in e-mail messages, and to expect and deal with "flaming" by their correspondents.

Electronic Mail Between Government Organizations

When electronic mail is used for communication between government organizations, several issues arise. Perhaps the most obvious is the need for coordination at the technical level to ensure maximum interoperability. Such coordination must encompass technology refreshment so that upgrades or changes in one organization do not needlessly degrade communications capabilities. Beyond the technical level, agencies may wish to designate certain channels or officials for the flow of information related to significant decisions. The more important the business processes that are conducted using interagency e-mail, the greater the importance of ensuring that the agencies involved share a common language for describing these functions. Designs for interagency e-mail must also balance the need for, and benefits of, interagency communications against the specific requirements of an agency.
For example, providing interagency e-mail capability may enable employees to avoid going through the chain of command on interagency matters. Each agency needs to determine when peer-to-peer communications between employees of the two agencies are appropriate and establish safeguards and procedures to ensure that decisions and commitments are made at the appropriate level.

Interaction with the Public

A variety of issues arise when Federal agencies use electronic mail for communicating with their business partners and with the public in general. The nature, importance and sensitivity of these issues will depend on the type of government business involved. Three general issues related to interactions with the public are directory information, equal access, and quality of service.

Directory Information

The use of e-mail for communication between the government and the public, including business partners, requires that the public be able to initiate communications. Members of the public must be able to find not only the e-mail addresses of Federal employees, but also appropriate addresses when they have no knowledge of who in the government might be responsible for, or able to respond to, their messages. A variety of approaches might be taken to satisfy this requirement. Agencies might include in e-mail directories attribute data about employees, such as titles or areas of responsibility. Agencies might also include organizational addresses and mail boxes set up to receive requests of a certain type, or messages concerning certain topics such as agency programs or legal rights. Such special purpose mail boxes should include a central directory service that would assist correspondents in locating desired addressees and addresses.

In the context of governmentwide e-mail, the public interest would be served by consistency in the way agencies solve this problem.
At the baseline level of organizational addresses, and the levels of officials whose titles are included in directories, there should be consistency across the government. In other cases, such as special purpose mail boxes, there should be consistency at least among agencies that serve overlapping customer bases. At the baseline, The United States Government Manual could be taken as a model: agencies could be required to include in their directories the names and addresses of all organizational units, the names, titles and addresses of all officials who are named in the Manual, and the e-mail addresses corresponding to all telephone numbers included in the Manual.

The public's ability to determine where in the government they should address e-mail would be significantly enhanced by ready access to descriptive information about Federal organizations, programs, and activities. As an initial step, the government could provide access to the Manual, with the addition of e-mail addresses, as a mail-enabled application.

Equal Access

Equal access becomes an issue through the combination of the government's need to be fair and not discriminate among different business partners or customers and the fact that the public's access to electronic mail capability is neither universal nor standard. Whatever government business is involved, agencies must ensure that the use of electronic mail does not disenfranchise or disadvantage any individuals, groups of customers, or business partners.

First, agencies should inform current and potential customers and business partners of the intention to establish an e-mail channel for the conduct of business and, once established, of its existence and how to use it. This effort to inform the public should use appropriate communications channels besides e-mail. The measure of appropriateness here is how well these channels will serve to reach the intended audience.
A second basic step to promote equal access is for the government to maintain or establish alternate communications paths for the business functions that are supported by e-mail. Agencies should balance the use of various channels to ensure that a comparable extent and quality of service is provided in all cases. While the government should strive to take advantage of the speed of communication which is available through e-mail, it must ensure that deadlines and other time frames established for the conduct of public business do not put persons who do not have access to e-mail at a real disadvantage.

Another step to promote equal access is for the government to create opportunities for persons who do not have their own connections to engage in electronic mail with the government. Agencies might place terminals that the public can use in Federal buildings and offices or in other convenient places, such as local government offices, libraries or shopping malls. The government could also take advantage of other electronic communications capabilities, such as private sector networks and systems used by libraries for inter-library access to bibliographic information. The increasing use of e-mail for the conduct of government business and the delivery of government services will of itself tend to increase the penetration of this technology throughout the nation. In expanding the use of e-mail, Federal agencies need to recognize the need to accommodate the specialized needs of persons with disabilities and to provide access to persons who do not speak, read, or write English.

Quality of Service

The speed and efficiency of electronic mail and the advantages it has in terms of the location and timing of communications offer significant potential for improvements in quality of service. Agencies can use these technological advantages to expand hours of service and to deliver services where the public needs them.
More importantly, the use of e-mail for communications between the government and the public needs to be coordinated on a governmentwide basis. If agencies establish different technical requirements and different interfaces, apply different standards of quality, and are very inconsistent in the types of business which can be conducted using e-mail or in the way business of a specific type is conducted, then e-mail could become the "red tape" of the information age. The Federal government should strive to establish common service delivery standards for access to a broad range of government services, including information and programs, as well as persons who can provide assistance, answers and decisions. It should define a standard set of equipment capabilities which would enable the public to communicate via e-mail with all agencies and from all access points. These capabilities should be defined in a way which does not require the government's customers and business partners to acquire special hardware or software solely for the purpose of communicating with the government. Agencies should coordinate their use of alternative communications technologies and service delivery mechanisms, and share routes around technological barriers. Efforts towards coordination should not be limited to the Federal government, but should include State, local and tribal governments.

Given the range of government services and the existence of different legal requirements and different circumstances, it is probably unrealistic to expect that government e-mail could ever be seamless and standardized in all places, for all purposes, and in all ways. More than unrealistic, it is undesirable. The goal of coordination should be neither to create a monolithic technology for government e-mail nor to achieve maximum standardization, but to improve the quality and timeliness of government service delivery while minimizing difficulties due to unnecessary differences in technology.
Besides avoiding negative consequences, measures towards coordination should lay the foundations necessary to make e-mail an important instrument in improving the delivery of government services.

Federal agencies need to recognize other requirements, besides coordination, for the effective use of e-mail to improve service delivery. To facilitate communications with the public, the government needs to provide information, referral and reference services to answer complex citizen and business questions. Parallel with the implementation of the technology, agencies need to reengineer their procedures in order to promote rapid, on-the-spot decisions. Agencies must take positive steps to avoid using the technology in a way which results in inflexible, mechanical processes. The ultimate gauge of quality of service is customer satisfaction; therefore, agencies should include in their e-mail systems user feedback mechanisms the public can use to inform the government of its satisfaction, or dissatisfaction.

Conducting Business via E-mail

When an agency uses e-mail to conduct business, it needs to implement standards of quality which are appropriate to the business functions involved and to the sensitivity of both the transactions undertaken and the information communicated. Certain universal standards of quality are established in law, such as the requirements of the Federal Records Act that agencies create and retain "adequate and proper" records of "organization, functions, policies, decisions, procedures, and essential transactions" (44 U.S.C. 3101), and Privacy Act requirements to maintain records about individuals that are accurate, complete, timely and relevant. Particular standards of quality derive from statutes which authorize particular programs or govern administrative functions, such as personnel and procurement.
In many cases, however, agencies have considerable latitude in determining what specific quality standards should apply to specific categories of business transactions, and at what stages in the process. As the Federal government increasingly uses e-mail in the conduct of business, it will be increasingly important that different agencies apply comparable standards of quality to the same types of transactions. Consistent standards of quality are the business level counterpart to interoperability at the technical level. Consistent quality standards will facilitate both the use of e-mail and the conduct of business.

In addition to the issue of business quality standards, there is the issue of accountability. The Federal Records Act establishes a fundamental requirement of accountability for the conduct of all public business. It establishes requirements to create and keep records as the instrument of accountability. When the government conducts business through e-mail, it is accountable not only for the messages but also for audit trail information about senders, recipients, and time and date of transmission and receipt.

E-MAIL SURVEY RESULTS AND ANALYSIS

Current State of Electronic Mail

In order to assess the current state of e-mail in the government, the E-Mail Task Force surveyed all agencies asking them to describe their ability to communicate via e-mail with other agencies, and what types of management structures exist to support this communication. 73 percent of the agencies contacted responded. The responses, as expected, varied from agencies that do not even have internal networks to agencies that have over 50 percent of their employees reachable via e-mail from other agencies and outside the government.
Although the results of the survey are promising, it has made even clearer that the government as a whole does not have sufficient access to e-mail; and, in some cases, agencies do not have access to the basic internal infrastructure that would precede external connectivity.

Connectivity

The current level of inter-agency connectivity varies greatly between agencies. Of the agencies that have some interagency connectivity, only 30 percent have more than 50 percent of their employees reachable by e-mail. For the purposes of analysis, reachable employees refers to those employees who need a workstation to perform their duties (agencies were asked what percent of their employees did not need workstations). Many agencies have only one or two individuals connected to e-mail, usually through a dial-up, and presumably commercial, service. Of those that have a large number of employees reachable, only in a very few (11) cases did that number approach 80 or 90 percent.

Internal connectivity is significantly better. Most agencies had some type of Local Area Network (LAN) and many had all of their workstations networked. Internal connectivity alone permits, at most, internal messaging. However, internal networks are important because they lay the foundation for future external connectivity. When a gateway is added to these networks, everyone on these networks can have access to external e-mail.

The agencies were also asked to indicate which officers in their agencies were reachable, which had received an interagency message, and which had sent an interagency message. Of those agencies that had external connectivity, the majority of the Senior IRM Officials were reachable and had received and sent interagency messages. Also, many of the Legislative Liaison Officers were reachable and had received or sent interagency messages, presumably because of the OMB pilot connecting those offices.
50 percent of agency heads were reachable, yet only 25 percent had received an interagency message, and even fewer, 20 percent, had sent an interagency message.

Interoperability

Of those agencies that had external e-mail capabilities, 49 percent had "direct access" to X.400 service.[3] 52 percent had "direct access" to SMTP/Internet mail services. In some cases agencies had a combination of X.400 and SMTP/Internet connectivity (38 percent). Only 59 percent of agencies reported any access to Internet services such as FTP and Gopher. In many cases X.400 or SMTP/Internet services were only available by dial-up access.

Public Access and Directories

Although the survey did not specifically ask about public access patterns and history, external capabilities are obviously related to the ability of the public to reach an individual or office in an agency. Directories and "postmasters" are essential to this public access, yet only 41 percent of agencies have submitted a "postmaster" e-mail or telephone address to the GSA IAC/IRM directory. This "postmaster" exists to answer questions for the public or other agencies about how to communicate via e-mail with the specific agency. Significantly fewer, 23 percent, had submitted information to the Federal IRM Policy Council endorsed Interagency E-Mail Directory Project.[4]

Conclusions

While we do not yet operate an "electronic government", technology does not appear to be the major impediment. Impetus from the top is required to "make it happen". A requirement to conduct business electronically will require agencies to develop policies and procedures, and train their workforce. Today, only 23 percent of agencies that have external connectivity have conducted training on how to use that connectivity. Also, only 13 percent of agencies have distributed a policy on inter-agency e-mail use. And, as shown above, many agencies are ignoring external connectivity and concentrating only on internal networking.
In an attempt to provide a baseline by which to measure future improvements and identify areas in need of attention, survey answers have been synthesized to provide a "score" for each agency.[5] Exhibit A shows these scores and how agencies compare to one another. The chart makes obvious that there are agencies that have made strides in interagency connectivity. It also makes quite clear that significant improvement and commitment from agencies is necessary to establish and operate the national infrastructure needed for effective electronic operations.

PILOT PROJECTS

Three Pilot Projects were selected by the EMTF for funding support based on their ability to demonstrate the effectiveness, efficiency, and relative cost benefits of E-mail-based enhancements when compared to existing, paper-based business processes. A fourth pilot has been added, which is supported by customer funding. By concentrating on an existing process, direct correlation can be made between current methods and e-mail enhanced methods. The size of each pilot project was restricted to approximately 30 end users. Such a focus allows the scope of each project to be limited, so that any implementation issues and anomalies can be addressed in a timely manner.

While formulating the requirements for each pilot through the development of Action Plans, a number of E-mail related support services were identified that would assist each of the participating organizations. These services, which include a centralized help desk, an electronic post office, and library "service centers", represent a coordinated approach to problem solving and user assistance. Established as the Electronic Support Services Environment (ESSE), these services attempt to promote interagency E-mail use by making advanced capabilities available to end users. The E-mail services provided by ESSE are:

Interagency Help Desk.
Using the customer service paradigm, a professionally staffed Inter-agency E-mail Help Desk has been established, responsible for acting as a single point of contact for the end users and technical personnel when a problem occurs or a question arises. The Help Desk has established points of contact with the FTS2000 vendors as well as with other commercial E-mail service providers to assist in tracing problems. In addition, a database of participating agencies' technical and end user points of contact has been created to facilitate problem resolution and improve the reliability of inter-agency E-mail as a whole.

Mail List Services. A mail list, in the context of E-mail, is an electronic list of E-mail addresses that allows a user to send E-mail to a group of people, e.g., all of the participants in each pilot. The mail lists enable distribution of meeting announcements, minutes, and other official information to a constituency with a single mailing.

Directory Services. A common shortfall of inter-agency E-mail, as well as every other E-mail implementation, is determining an intended recipient's E-mail address. A common, Federal government E-mail directory currently does not exist, and attempts to consolidate agency E-mail directories have not yet produced a widely available system. The directory services provided by ESSE at this time are focused on the user and technical community involved in the Pilot projects.

Performance Measurements

The NPR promotes a government that works better and costs less. The NPR E-Mail pilots promote one element, an "electronic government", which works better and costs less by utilizing faster and more efficient electronic communications which speed the delivery of government services and reduce errors and rework. Intangibles such as organizational "flattening", improved employee satisfaction, and greater empowerment may also lead to higher performance.
Performance measurements have been developed to document pilot progress and successes. They rely on "hard" and "soft" metrics. Mean time to deliver correspondence and the number of agencies successfully exchanging e-mail, as well as analysis of the cost of providing secretariat support to working groups with and without electronic support services, are examples of hard metrics. Customer satisfaction survey results and interviews of working group chairpersons and members, which will address improvements noted by implementation of E-mail in their business processes, and documentation of anecdotal customer experiences are examples of soft metrics. Each pilot sponsor will be asked to provide a final analysis of performance based on improvements to his business processes. Final laboratory reports may include tabulated results based on hard metrics and insight based on soft metrics.

Many experts in the e-mail industry are reporting that electronic mail and messaging is a critical part of the core infrastructure of the new electronic era. These reports are already confirmed through early experiences with pilot participants.

Pilot Project Descriptions

At this time, four Pilot Projects have been initiated. These include three GSA funded projects: the Office of Management and Budget (OMB) Legislative Liaison Pilot; the Office of Science and Technology Policy (OSTP) Model Agency Pilot; and the Administrative Conference of the United States (ACUS) Alternative Dispute Resolution (ADR) Pilot. A fourth, customer funded project, the National Communications System (NCS) National Security/Emergency Preparedness Pilot, was also approved by the EMTF. A brief description of each project is provided below. A more detailed description of the pilots can be found in the Action Plans which describe the requirements for each pilot and an implementation plan to satisfy them. The final version of each pilot Action Plan can be found on the Internet via anonymous FTP at DS.INTERNIC.NET.
The Action Plans include participation rosters and participant survey results as appendices.

The sponsoring agencies for each pilot were selected by the EMTF based on several defined criteria. These criteria were developed to ensure that each pilot provides a means to measurably demonstrate the effectiveness of interagency E-mail and to elucidate the issues involved in the implementation of such capabilities. The selection criteria also were used to ensure that each pilot addressed a different subset of E-mail issues. The selection criteria are as follows:

Business Mission. The agency sponsoring the Pilot should have a clear, existing, business process that could be improved or enhanced through the implementation of inter-agency E-mail. In addition, the sponsoring agency should have the authority to recommend changes in the business process as it relates to the participating agencies.

Multiple Agencies. This criterion was used to ensure that a proposed pilot's business process, and the associated E-mail issues, involved more than one other agency.

Non-Federal Requirements. This criterion was used to determine if a proposed pilot's business process was within the scope of the E-mail laboratory. For example, a process that involved only State Medicaid Offices would not be within the scope of the laboratory because there is no Federal involvement.

Manageable Size. While it was desirable to have pilot projects that involved multiple agencies, a limit to the number of participating agencies was necessary. A group of approximately 30 participating agencies was felt to be the maximum that could be supported under the laboratory structure.

Unclassified Material. The issues addressed within the pilots should be applicable to as wide an agency audience as possible.

OMB Legislative Liaison Pilot

One of OMB's primary business missions is the review and clearance of executive branch legislation and testimony.
The Legislative Reference Division (LRD) of OMB is responsible for the coordination and clearance of administration positions on proposed, pending, and enrolled legislation. LRD acts as the hub in the collection, dissemination, and coordination of a large volume of executive-branch legislative information. Frequently, these tasks involve very complex issues and require responses quickly. Large documents are continually faxed between OMB and the executive-branch agencies. An accelerated document distribution process and the refinement of the techniques for providing edits and comments on the documents will enable reviewing officials to have more time to spend on quality reviews. The use of E-mail is ideally suited to help improve the legislative reference process. The OMB Legislative Liaison Pilot met the selection criteria of a multiple agency application of manageable size (32 users), with the intent of exchanging unclassified materials.

OSTP Model Agency Pilot

The Office of Science and Technology Policy's (OSTP) business mission is the policy communications between OSTP directors and the National Science and Technology Council. OSTP is responsible for providing authoritative information and expert scientific, engineering, and technical advice to the President, Congress, and Federal agencies. On November 23, 1993, President Clinton established the cabinet-level National Science and Technology Council (NSTC) to coordinate science, space, and technology policies throughout the Federal government. An important objective of the NSTC is to establish clear national goals for Federal science and technology investments and to ensure that science, space, and technology policies and programs are developed and implemented to effectively contribute to those national goals. To prepare coordinated research and development (R&D) strategies, the NSTC will establish a number of R&D coordinating committees.
Each of these committees will be chaired by a high-level agency representative and has one of the OSTP Associate Directors as its co-chair. The Assistant to the President for Science and Technology (also OSTP's Director) needs efficient communications with the members of the NSTC, and the OSTP Associate Directors need efficient communications with their co-chairs of the committees of the NSTC. E-mail represents an efficient, available means to provide communications between the NSTC representatives and the OSTP staff. The OSTP Model Agency Pilot satisfies the selection criteria of multiple participating agencies and manageable size (28 users), with users who exchange unclassified materials.

ACUS ADR Pilot

The Administrative Conference of the United States (ACUS) has served as the government's nonpartisan "think tank" on issues affecting the fairness and efficiency of agency decision making. Its mission is to identify causes of unfairness and inefficiency in government procedures, to recommend improvements to Congress or the agencies, and to help implement recommended reforms. In the past five years, Congress has passed five major pieces of legislation assigning ACUS new and ongoing responsibilities. The Administrative Dispute Resolution Act has given ACUS the principal responsibility for promoting and coordinating the governmentwide effort to encourage the use of "alternative means of dispute resolution" (ADR) by Federal agencies in an effort to reduce needless litigation costs to the government and private sector.

The ACUS business mission is the coordination and distribution of ADR-related information and materials. ACUS provides educational and training services to agencies on ADR and supplies agencies and the private sector with primers, source books, guidance, and other materials to assist their ADR use. ACUS must communicate extensively with government and private sector entities, as well as make available its collection of documents on ADR.
The use of E-mail will improve communications and facilitate more effective implementation of ADR by Federal agencies. The ACUS Alternate Dispute Resolution Pilot satisfied the selection criteria of multiple agencies (24), using unclassified information. In addition, the ACUS participants include non-Federal users, whose numbers and goals contribute additional perspectives to the identification of E-mail issues.

NCS National Security/Emergency Preparedness E-mail Pilot

The objective of the NCS is to provide communications for the Federal government under all conditions ranging from routine telecommunications to national emergencies, international crisis, and nuclear attack. During the last decade, the Office of the Manager, NCS (OMNCS) has focused its efforts on the development of governmentwide National Security/Emergency Preparedness (NS/EP) procedures and enhancements to the Nation's public telecommunications networks. As an organization, the NCS brings together the assets of 23 Federal departments, agencies, and entities. In day-to-day communications, the NCS uses telephone, facsimile, the United States Postal Service (USPS), electronic bulletin boards (BBS), and E-mail. In an emergency scenario, cellular telephone, high frequency radio, microwave, and satellite communications are also used. This pilot will establish methods for communications using E-mail in all situations, in both encrypted and unprotected modes.

The NCS National Security/Emergency Preparedness Pilot satisfied the selection criteria with its group of 23 participating agencies. In addition, the NCS Pilot will support exchange of encrypted E-mail through the use of the Tessera encryption card, even though the messages to be sent will be unclassified.
Pilot Baseline Activities (How government Works Today)

As the descriptions above indicate, each Pilot focuses on a distinctly different business process and, while each pilot involves some of the same organizations, a different end-user community is represented in each. There are, however, a number of similarities among the Pilots in the way their business is conducted. These similarities involve the methods by which information is transferred between the participating organizations and end users. A brief review of these similarities is provided below. A more detailed analysis of each Pilot's information flow is provided in the appropriate Action Plan.

The most common methods for information transfer today are the telephone and the fax machine. Both methods are considered familiar, reasonably fast, and, most importantly, reliable. In addition, both the telephone and fax machine can be found in the great majority of offices across the country. This provides an extensibility of communications that can be convenient or essential, depending on the circumstances. Above all, the telephone and fax are considered reliable. It has become clear from the Pilots that any alternative method of information transfer must, at the very least, provide the same level of reliability that currently exists with the telephone and fax.

A second characteristic of the current methods, related to reliability, is timeliness. A telephone call is nearly instantaneous, and faxing a multiple page document can be accomplished in a few minutes. Like the assumed reliability of the telephone and fax, the timely transfer of information must be duplicated by any replacement technology.

Most larger agencies have an established internal E-mail system, primarily LAN-based, with high functionality. A number of these agencies have gone a step further and installed an external E-mail capability, either Internet or X.400.
However, while the use of the internal E-mail capabilities is widespread, the use of the external capabilities is disparate and inconsistent. This lack of use of the existing external systems seems to be due to two factors. First, with an internal system, it is relatively easy to address a message to the intended party or parties using the e-mail directory incorporated into the E-mail software. At this time, no such directory of external addresses exists. Industry standard e-mail addresses tend to be longer, more cryptic and less familiar than internal agency addresses, making manual lookup and entry a severe impediment to user acceptance.

The second factor is a widespread lack of training in the use of the E-mail systems. In the initial surveys conducted for the OMB and OSTP Action Plans, fully 60 percent of users surveyed had received no training on their agency E-mail system. Still fewer end users, perhaps significantly fewer, have received training on the use of inter-organizational e-mail. Agency failure to train end users on the use of external e-mail services may be the result of a reluctance on the part of information resource managers to take responsibility for delivery of messages where recipients are external to the organization.

E-mail Enhancements (How the government Might Work)

The Pilot Projects are centered on replacing existing communications methods with E-mail communication which is potentially faster and more efficient and reliable than the current methods. OMB in particular has specified strict response time requirements for the exchange of E-mail messages. It is the OMB pilot sponsor's belief that unless E-mail provides a distinct improvement over the current techniques, the time and effort required to move to the new procedures would not be worthwhile.

Enhancing business processes through E-mail involves similar steps for each of the Pilot groups.
The first, and most daunting, step is to establish a reliable external E-mail capability in each participating agency. This is a complex undertaking due to the diverse mix of environments, as well as the differing sizes and funding resources, among the organizations. Fortunately a number of the larger agencies have already begun to establish a standardized, external E-mail capability. With these agencies, it is necessary only to verify that the installed E-mail system is configured to meet reliability, response time, and other requirements specified in each Action Plan. Those agencies that have not yet implemented such a capability will require varying levels of support during their implementation stages.

Preliminary Implementation Issues

At the time this document was written, Laboratory support for the implementation of E-mail capabilities for the OMB Legislative Liaison Pilot had just begun. Implementation support for the OSTP, ACUS, and NCS Pilots is set to begin at three to four week intervals after the start of OMB's effort. At this stage of the implementations, there are no identified examples of problems and successes. However, based on interviews and conversations with agency technical personnel as well as on the experience of developing support services, it is possible to anticipate a number of issues that are likely to be encountered during the various implementation efforts.

Availability of User Training

Arguably the most significant issue that will be encountered during implementation will be the lack of available training for the end users. While the pilot implementations will include training related directly to changes in Pilot business processes, more general training in the use of agency software will be required. In addition, each agency is responsible for determining and promulgating its own records management policy.
Comprehensive Technical Support (Help Desks)

What recourse is available to users when they encounter problems in the use of e-mail? What recourse is available to agency e-mail administrators when they encounter problems with e-mail external to their agency? What recourse is available to the Federal government when it encounters problems with e-mail external to the government? Today there are no clear or consistent answers to these questions. The result is a patchwork of technical support with no global assurance of availability or quality. A hierarchical system of Help Desk services will be required to properly support e-mail users as they expand to interagency and extra-government use of e-mail.

Quality of Service

Federal agencies do not have commonly recognized benchmarks for governmentwide e-mail Quality of Service. How long is too long for message delivery? Is it appropriate to expect a one megabyte file to be delivered? How many levels of mail priority is the right number and what does each priority level guarantee? Under what circumstances is a message appropriately considered lost? These and other similar service quality issues are important to end users. If an organization is to "trust" e-mail, then service providers must define the quality of service to be delivered, and then stand by the promise.

Acceptance of Responsibilities (Standard Operating Procedures)

There is no clear definition of the roles and responsibilities of e-mail administrators, either within the agencies or on the part of the providers of service to the government. There is no generally accepted top level authority or a formally established network of authorities within government agencies, specific to e-mail. More importantly, there are no universally accepted procedural documents which are shared throughout the government. This creates a vacuum with respect to "who, when, and how". Who is contacted? When will they be available? How are they to do their job?
To answer these questions, the government will need documented Standard Operating Procedures. To be effective, there will need to be endorsement and adherence to these procedures, on the part of formally recognized service administrators. Administrators must in turn enforce contracts which require adherence to these procedural standards.

Addressing Standards

Although there are two industry standard address types, Internet and X.400, it is often necessary to reformat an address to make it acceptable to an agency's software. With some X.400 services, conversion is necessary if the message recipient resides on a different service provider's network. During the early Pilot phases, each participating end user will be provided with the appropriately formatted addresses of all other participants. However, as users then attempt to broaden their use of E-mail to other uses and organizations, the address conversion problem will reappear. There is no apparent solution to this issue at this time.

Inclusion of Format Rich Documents

A binary attachment capability is the capability to include, in an e-mail message, a file other than a simple text message. Such an attachment can be a word processor file, a program, or any other computer file, which can be termed a format rich document. Using binary attachments, a user can send an entire word processor document to a recipient, who can in turn open, edit, and print the document complete with the original formatting. Due to differing implementations by vendors, attachments are not always delivered. Modifications may be required for a number of agency systems to ensure that binary attachments sent from any of the participating organizations will be received correctly. Binary attachments are not inherently supported in the most common Internet service based on the Simple Mail Transfer Protocol (SMTP), but will be possible using the newer Multimedia Internet Mail Extensions (MIME).
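
The attachment problem described above, as an added example that is not part of the report: the same binary file is sent once as raw octets and once as a MIME attachment through a mail path that preserves only 7 bits per octet, and the received copies are compared by digest. The payload, the `.example` addresses, the filename and the `seven_bit_channel` model of the relay are assumptions constructed for illustration.

```python
"""Binary attachment over a 7-bit mail path: raw octets versus MIME base64."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample standing in for a word processor file. It contains
# every possible octet value, including those with the eighth bit set.
SAMPLE_PAYLOAD = bytes(range(256)) * 8


def digest(data: bytes) -> str:
    """SHA-256 of the data; detects corruption in transit, not tampering."""
    return hashlib.sha256(data).hexdigest()


def seven_bit_channel(data: bytes) -> bytes:
    """Simplified model (assumption) of a relay that keeps 7 bits per octet."""
    return bytes(b & 0x7F for b in data)


def wire_is_7bit_safe(wire: bytes) -> bool:
    """True if every octet is US-ASCII and no line exceeds 998 octets,
    the line limit of current Internet mail (excluding the CRLF)."""
    if any(b >= 0x80 for b in wire):
        return False
    return all(len(line) <= 998 for line in wire.split(b"\r\n"))


def build_message(payload: bytes, filename: str) -> bytes:
    """Return the on-the-wire form of a message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@agency-a.example"      # placeholder address
    msg["To"] = "recipient@agency-b.example"     # placeholder address
    msg["Subject"] = "Draft report"
    msg.set_content("The draft is attached.")
    # The email library base64-encodes bytes content, so the body that
    # reaches the transport contains only printable ASCII in short lines.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes(policy=policy.SMTP)      # CRLF line endings


def extract_attachments(wire: bytes) -> dict:
    """Parse a received message and return {filename: decoded bytes}."""
    msg = message_from_bytes(wire, policy=policy.default)
    return {part.get_filename(): part.get_content()
            for part in msg.iter_attachments()}


def compare_paths(payload: bytes) -> dict:
    """Send the payload both ways through the 7-bit relay and report
    whether each received copy matches the sender's digest."""
    sent = digest(payload)
    raw_received = seven_bit_channel(payload)
    wire = build_message(payload, "draft.doc")
    received = extract_attachments(seven_bit_channel(wire))
    return {
        "wire_7bit_safe": wire_is_7bit_safe(wire),
        "raw_intact": digest(raw_received) == sent,
        "mime_intact": digest(received["draft.doc"]) == sent,
    }


if __name__ == "__main__":
    for check, result in compare_paths(SAMPLE_PAYLOAD).items():
        print(f"{check}: {result}")
```

A matching digest shows only that the transport did not alter the file; it says nothing about who sent it, which is a separate requirement.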

IMPLEMENTATION PLAN

Implementation of governmentwide e-mail will facilitate establishment of electronic government. A plan to accomplish this must be visionary in its goals and practical in its implementation and must meet governmentwide needs without ignoring agency specific needs. Although a detailed plan will be provided subsequently by the E-mail Program Office, we present here the broad outlines of the tasks and resources envisioned to move forward over the next two and a half years.

Two Year Implementation Plan (Present through FY96)

The following are funding estimates for implementation of the EMTF recommendations:

Establishment and operation of the E-Mail Program Office will require about $1M in both FY95 and FY96. This estimate includes personnel, benefits, rent, and other administrative costs.

The Program Office will be responsible for facilitating the implementation, maintenance, and support of governmentwide e-mail, specifically including provision of value added common services such as a directory, postmaster, user training, help desks, etc. The cost of providing the value added services is estimated at $700K in FY95 and $1M in FY96.

In Fiscal Years 1995 and 1996, agencies will continue to reengineer and transition their paper-based processes to electronic processes. Projects begun in 1994, such as the EMTF pilots, would continue and new projects deemed worthy of centralized support would be funded. These projects would be managed by the E-mail Program Office and implementation support for these cross-cutting initiatives is estimated at $500K for FY95 and $1M for FY96.

A distributed X.500 e-mail directory is to be established in FY95, initially populated from the existing centralized directory. The X.500 directory will be managed by the E-mail Program Office and will be linked to other U. S. Government, private, and public X.500 directories to provide a distributed directory facility.
The cost of establishing and maintaining the X.500 directory is estimated at $1M for both FY95 and FY96. This cost is based on a directory of one million entries, and includes operation of a directory registration authority; a synchronization facility to integrate agency provided directory information; query by mail; directory assistance, advanced user agents, support and training.

Other common use system components will be needed in FY96 as the governmentwide system evolves to X.400 standards. Components such as message transfer agents, multi-function gateways, security certification terminals, and support for Internet access to governmentwide e-mail need to be acquired. The cost of these items is estimated at $2M in FY96.

Individual agencies will need to accelerate immediately their move to electronic government. Agencies will need to continue to fund their internal networks and acquire gateways necessary to provide external e-mail connectivity. They will also need to fund development of vertical applications that will support their business processes and begin to use e-mail to interact with the public. The cost for each agency's move to electronic government will depend upon their current level of connectivity and technical infrastructure already in place.

Total centralized costs for implementation of governmentwide e-mail are estimated at $3M for FY95 and $6M for FY96. The breakout figures referenced above are summarized in the table that follows:

                                      Cost
INITIATIVE                       FY95      FY96
E-mail Program Office            $1M       $1M
Value Added Services             $500K     $1M
Agency Implementation Support    $500K     $1M
Directory Services               $1M       $1M
Common System Components                   $2M
SUM                              $3M       $6M

RECOMMENDATIONS

The following recommendations are the result of many hours of deliberation by the members of the E-mail Task Force and are recognized as challenges requiring significant initiative by many parties to be successfully implemented.
However, their implementation will result in the governmentwide e-mail system envisioned in the National Performance Review.

1. Promote Electronic Government

OMB should promote the immediate use of the existing e-mail infrastructure for the conduct of interagency business where feasible. OMB should promote electronic, as opposed to paper, distribution of reports, briefings, memoranda, policy, etc. as the preferred medium for conduct of government business. Specifically, OMB and other central agencies, such as GSA, NARA, and OPM, should designate e-mail addresses and define appropriate procedures for using e-mail for routine interagency transactions between the central agencies and other agencies within six months.

Business quality e-mail is expected to be generally available in about 18 months. At that time, OMB should take the initiative to ensure the use of e-mail for the conduct of government business between agencies and their business partners, and between agencies and the general public. Specifically, OMB should establish a Program for E-mail Priorities (PEP), similar to its former Program for Priority Systems. Under the PEP, OMB should designate lead agencies to address specific categories of business processes, such as contracting, hiring, grant applications, etc., as e-mail priorities and require all agencies conducting such business to use e-mail. It is recognized that these initiatives may require significant changes in legislation, organization, and procedures. In the interim, OMB should take appropriate steps to establish common (governmentwide) standards of quality, procedures, and service delivery mechanisms for each business process included in the PEP.

2. Require Governmentwide E-mail Connectivity

OMB should require agencies to establish as a priority the goals of connecting all of their office-based workstations to internal local area networks, and of connecting their internal networks to one another.
Agencies should be expected to have 75 percent of their workstations networked by the end of 1995, and all of their workstations networked by the end of 1996.

The time has come for all Federal agencies to take positive action to implement governmentwide e-mail connectivity in support of Recommendation 1. Agencies should provide access to interagency e-mail service for all current or future local area networks and provide internal networking of all workstations not now networked. This is necessary to assure that the new e-mail infrastructure required to support improved government performance is implemented as fully and widely as our telephones.

3. Establish a Governmentwide E-Mail Standard

We recommend that OMB work with the National Institute of Standards and Technology (NIST) to establish a governmentwide e-mail standard based on the X.400 international standard, implemented in conjunction with changes required to ensure full interoperability and compatibility with SMTP-based networks, and enhanced at a minimum to incorporate business-quality requirements for unclassified communications as defined in the DOD Defense Message System (DMS) specifications.

Our recommendation is based on the current Government Open Systems Interconnection Profile (GOSIP) which mandates the CCITT X.400 Message Handling System, the application of the Federal Internetworking Requirements Panel recommendations for selection of Federal standards (mission, product availability, product affordability, and standards maturity), and the relative efficiency of X.400 as compared to the Multi-media Internet Mail Extensions (MIME). Furthermore, both X.400 and MIME are operational on the Internet.

We therefore specifically recommend that the government immediately adopt the DOD Defense Message System (DMS) operational characteristics specifications as the basis for business-quality governmentwide e-mail.
A joint civilian/DoD committee should be formed to assure compatibility with civilian agency requirements, in the face of changing needs and evolving technology. Agency and contractor-supported e-mail gateways should be required to be in compliance with this standard within 18 months of final award of the DMS contract(s), i.e., June, 1996.

Moreover, in the interest of facilitating governmentwide cooperation and assuring maximum availability of DMS compliant products and services to meet the government's needs, DoD should be requested to accelerate activities to support testing of products and systems from independent vendors and certification of the compliance of such products and systems with applicable DMS specifications to assure that these services are provided in parallel with rollout of the DMS contract(s). In addition, DoD should work with vendors to speed the development of the commercial products (such as directory user agents) that will maximize the utility of X.500 directories by connecting desktop/LAN based systems with a distributed X.500 directory.

4. Promote Public Access

Establishment of an electronic government must include public access as a priority. The citizen's e-mail interface to government (Federal, state, and local) must be consistent and agency independent. If agencies establish different technical requirements and interfaces, apply different standards of quality, and are inconsistent in the types of business which can be conducted using e-mail, or in the way business of a specific type is conducted, then e-mail could become the 'red tape' of the information age.
OMB should therefore direct the establishment of common service delivery standards for public access to a broad range of government services, including information and programs, as well as persons who can provide assistance, answers and decisions (e.g., Government Information Locator System [GILS]), directory standards, and standard equipment capabilities which would enable the public to communicate via e-mail with as many agencies as possible from a wide variety of access points.

Specifically, OMB should require agencies to implement and publish by September 30, 1994, a basic set of "service point" e-mail addresses (e.g., "Job Applications Information", "Public Information", "Secretary") to facilitate use of e-mail for communication with Federal agencies. In addition, OMB should require agencies by September 30, 1995, to review all existing published mail addresses for contact with the public, e.g., inquiries, comments, submission of applications and other materials, etc., and to add an e-mail address as an alternate means of contact.

The government's customers and business partners must not be required to acquire special hardware or software solely for the purpose of communicating with the government. In addition, public access e-mail pilots should be included in one stop government services programs and should attempt to provide access to people who do not read, write or speak English.

5. Establish Governmentwide E-mail Directory

Directories are essential to effective use of e-mail. Advanced directories might also serve as information locators and otherwise enhance communication with, and within, the Government. The X.500 directory standard, included in the Defense Message System RFP, is a sound technical basis for future Government directories. However, most e-mail systems on Government employees' desktops today cannot access X.500 directories.
We therefore recommend a two step approach to directory implementation to accommodate today's e-mail users while moving to a more capable system in the medium term.

In the short term we need to build on existing volunteer efforts to construct a centralized directory of e-mail addresses. OMB should assist this effort by directing agencies' Senior IRM Officials to provide the requested information in electronic format from existing internal e-mail directories and human resource files, and update it at least monthly. The central directory must be available via e-mail query and file copy. Core attributes should be provided for all e-mail reachable employees, including name, agency/organization name, and e-mail address. Telephone number should be a mandatory attribute by September 30, 1994.

Work should also begin as soon as possible to develop a database/directory application that would enable the use of e-mail to support program objectives. This framework, including database structure and supporting procedures, should be defined for establishing and maintaining mailing/distribution lists or other address groupings, e.g., senior IRM officials, chief financial officers, procurement officials, functional managers, etc., to support the effective use of e-mail for official government business, as well as various interagency and "affinity group" organizations and interests.

In fiscal year 1995 an X.500 directory should be established and populated with the information from the centralized directory. Links should be established with other US Government, private, and public X.500 directories to provide a distributed directory facility. A schema definition should be produced by a committee of agency Registration Officials. Large agencies should establish and maintain their own X.500 directories linked to the central directory, thus progressively decentralizing directory maintenance.
The central directory should remain as a residual facility to accommodate small agencies that cannot economically maintain their own directory facility. Facilities for self-registration in the central directory and self-correction of directory entry attributes should be implemented as soon as adequate security/authentication tools are available to improve accuracy, reduce maintenance costs, and facilitate inclusion of additional directory attributes such as title, alternate address, FAX number, etc.

6. Issue E-mail Policy

OMB should provide within 90 days a "model" e-mail policy which agencies can use in formulating policies appropriate to their individual circumstances. The model policy should be based on the policy discussion in Chapter 4 of this report and incorporate any other issues which OMB may see fit to include.

In issuing the model policy, OMB should instruct agencies to have their own individual policies in place by September 30, 1994 which promote the effective and efficient use of electronic mail for the conduct of agency business, and address the legal and policy issues in the context of each agency's programs and operations. Agencies should also be instructed to refer to NARA's proposed rule on electronic mail recordkeeping (59 Federal Register 13906) for guidance on records management of electronic mail systems and the Checklist in Appendix D of this report.

7. Establish E-mail Program Office

OMB should direct the establishment of an E-mail Program Office with explicit governmentwide responsibility, resources, and authority for facilitating the implementation, maintenance, and support of governmentwide e-mail. Although the current web of largely volunteer, grass roots, committees has brought substantial creativity, energy, and impetus in the implementation of government e-mail, and this was perhaps a good way of pursuing early opportunities, the magnitude and criticality of current needs is too great to leave to ad hoc and volunteer efforts.
Therefore, the E-mail Program Office should be staffed by dedicated government employees who have the analytical, technical, program support, and service oriented skills to work with similarly skilled individuals across the government to develop a top-quality governmentwide e-mail program. Governmentwide e-mail is an essential and enabling tool to support government "reinvention", and as such, warrants investment in a dedicated organization to support its evolution.

The E-mail Program Office will need to continue support of pilot project prototypes and support development of a consistent set of value-added services for the Federal community that reflect the kind of enterprise-level approach to government functions and services endorsed by the National Performance Review.

Work process reengineering is a complex subject which requires careful planning and execution. The current e-mail pilots, once completed, are expected to provide case study examples of work process reengineering with measurable performance improvement. These successes should be widely publicized by the E-mail Program Office.

8. Establish E-mail Management Council

OMB should charter an Interagency Electronic Mail Management Council to provide management direction to, and conduct oversight of, the Electronic Mail Program Office in implementing governmentwide e-mail. The Council would be the "Office of Primary Responsibility" for the implementation of National Performance Review Information Technology Recommendation #8 (IT08), "Plan, Demonstrate, and Provide Governmentwide Electronic Mail", and would report to, and receive program and policy guidance from, the Government Information Technology Services (GITS) Working Group.

9. Provide Funding for Governmentwide E-mail

Governmentwide e-mail will require substantial sustained funding. Initial funding to support the establishment of the E-mail Program Office and to support common use infrastructure investments is required immediately.
Existing centralized funds may be suitable vehicles to assist in meeting these needs, particularly as a quick, interim way of meeting urgent, near term needs. Another longer term option would be "innovation funds" collected from all agency budgets.

In addition, OMB should issue specific budget guidance to agencies to include and highlight internal e-mail funding initiatives in their FY96 budget requests. Agencies will need to continue to fund their internal networks and gateways to establish e-mail connectivity and should be developing vertical applications to conduct business electronically with their business partners and the public.

Lastly, for the longer term, OMB should identify for FY96 and beyond, a dedicated appropriation to fund staff in the E-mail Program Office, and for other common-use resources required to implement governmentwide e-mail. Some usage related resources or services funded under this appropriation might be charged back to the agencies.

LIST OF APPENDICES

APPENDIX A. E-Mail Task Force Charter
APPENDIX B. Request For Information (RFI)
APPENDIX C. List of Respondents to the RFI
APPENDIX D. E-Mail Policy Checklist
APPENDIX E. E-Mail Survey

APPENDIX A

Copy of E-Mail Task Force Charter

MEMORANDUM FOR AGENCY SENIOR INFORMATION RESOURCES MANAGEMENT OFFICIALS
               THE ADMINISTRATOR OF GENERAL SERVICES
               THE ARCHIVIST OF THE UNITED STATES
               THE DIRECTOR OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

FROM: Sally Katzen
      Administrator
      Office of Information and Regulatory Affairs (OIRA)

SUBJECT: Electronic Messaging Among Federal Agencies

This memorandum establishes and announces the first meeting of an interagency planning task force to improve electronic mail and messaging among Federal agencies. The task force will work to establish promptly a government infrastructure for interagency electronic mail.
It will also plan for such mail-enabled applications as electronic filing, electronic commerce, interaction with State and local governments, and service to the citizen. This initiative is consistent with the Administration's efforts to "reinvent government" and the National Performance Review's mandate to improve all areas of Federal management.

The Department of Health and Human Services (HHS) has agreed to chair the planning task force, with dedicated support from the General Services Administration. As authorized by the Paperwork Reduction Act, the Office of Management and Budget's Office of Information and Regulatory Affairs will oversee the task force's work and coordinate it with other initiatives.

The members of the task force are experts from across the government selected after consultation with Federal agencies. A membership list is attached. The task force will draw technical advice and support from the Federal Information Resources Management Policy Council, the FTS2000 Interagency Management Council, the High Performance Computing and Communications Information Technology Subcommittee of the Federal Coordinating Committee for Science, Engineering, and Technology, and their associated working groups. It has six goals:

Identify support for, provide advice to, and evaluate the results of electronic mail pilots currently underway.

Develop and issue a Request for Information (RFI) to industry. The RFI will outline the challenges faced by the Federal government in its progress toward electronic mail interconnection and solicit possible technical solutions. The task force will evaluate industry responses and use this information to fulfill its other goals.

Analyze the current use of the Internet by Federal agencies and its potential contribution to both near and long-term e-mail requirements.

Coordinate proposals for improving mail interoperation with the High Performance Computing and Communications Initiative.

Develop a near-term (24 month) Program Plan, including financial and technical resource requirements, to assist agencies in improving their capabilities for electronic mail and electronic commerce.

Develop program options for long term, governmentwide electronic commerce. Identify technical, administrative, and policy issues that need to be resolved.

The task force will report to OMB monthly on its progress against the tasks described in the attachment, and on any issues it has identified. The first meeting will be on July 27 from 1:00-3:30 p.m. in Room 405A of the Hubert H. Humphrey Building at 200 Independence Ave. S.W., Washington, D.C. 20201. Please contact the task force Chairman, Dr. Neil Stillman, (202-690-6162) or Jonas Neihardt of my staff (202-396-4814) if you have any questions.

Attachment

APPENDIX B

=================================================================
Solicitation For Information or Planning Purposes
OMB No.0990-0115
=================================================================

AGENCY: DEPARTMENT OF HEALTH AND HUMAN SERVICES
        OFFICE OF THE SECRETARY
        WASHINGTON, D.C. 20201

SOLICITATION NUMBER: RFI-16-94-HHS-OS

ISSUE DATE: December 3, 1993

DUE DATE AND TIME: January 31, 1994, 4:00 PM LOCAL TIME

PROJECT TITLE: Electronic Mail Services to Link Federal Government Agencies with their Clients and Business Partners, and with One Another

The Government does not intend to award a contract on the basis of this solicitation or to otherwise pay for information solicited except as provided in subsection 31.205-18, bid and proposal (B&P) costs, of the Federal Acquisition Regulation. This solicitation is issued for the purpose of obtaining public comment on the best and most cost-effective strategies to achieve governmentwide e-mail.

DELIVER OR MAIL RESPONSES TO:

DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY
DIVISION OF CONTRACT OPERATIONS
ROOM 443H, HHH BUILDING
200 INDEPENDENCE AVENUE, S.W.
WASHINGTON, D.C. 20201

NOTICE: ALL HAND-DELIVERED RESPONSES ARE SUBJECT TO FLUOROSCANNING DUE TO SECURITY MEASURES. THE FLUOROSCANNING TAKES AN INDETERMINATE PERIOD OF TIME AND MAY INVOLVE THE DELIVERER RELINQUISHING THE PACKAGE TO SECURITY GUARDS AND FLUOROSCAN PERSONNEL. RESPONDENTS ARE ADVISED THAT THE GOVERNMENT ASSUMES NO RESPONSIBILITY FOR ANY DELAYS IN DELIVERY WHICH MAY BE CAUSED BY THIS PROCESS. IT IS RECOMMENDED THAT THOSE RESPONDENTS PLANNING TO HAND-DELIVER TAKE THIS INTO ACCOUNT.

SECTION B

The interagency Electronic Mail Task Force (EMTF) thanks you for your interest in this Request For Information. Our group was chartered in July 1993, by the Office of Management and Budget (OMB) as an interagency planning task force of selected participants from several different Executive Branch organizations "to improve electronic mail and messaging among Federal agencies." (For purposes of this RFI, the term "e-mail" refers to both electronic mail and electronic messaging.) The memorandum announcing this action is provided as Attachment A, and this RFI is issued pursuant to the second of the six goals set forth in that memorandum.

PURPOSE: The purpose of this RFI is to obtain public comment on the best and most cost-effective strategies to achieve governmentwide e-mail.

BACKGROUND: The urgent need for governmentwide e-mail is highlighted by key Administration documents:

Governmentwide e-mail is an underlying element of the Administration's vision for a National Information Infrastructure (NII). (See, The National Information Infrastructure: Agenda for Action, Information Infrastructure Task Force, September 15, 1993).

Governmentwide e-mail is an enabling technology that is required to achieve many of the goals expressed in the Administration's National Performance Review initiatives. (See, From Red Tape to Results: Creating a Government that Works Better & Costs Less, Report of the National Performance Review, September 7, 1993).

Governmentwide e-mail is required to implement President Clinton's commitment to "fundamentally altering and improving the way the Federal government buys goods and services by ensuring that electronic commerce is implemented for appropriate Federal purchases as quickly as possible". (Presidential Memorandum for the Heads of Executive Departments and Agencies & The President's Management Council, "Streamlining Procurement Through Electronic Commerce," October 26, 1993).

The emerging importance and potential value of e-mail has also been recognized in a number of individual government organizations and several interagency groups that have been working on related issues for some time. These issues include directory services, standards, use of existing infrastructure, connectivity, operations and policy. One of these groups, the Governmentwide E-mail Working Group, has developed one vision of an e-mail environment required to meet the government's needs in the long term. (See, A Unified Federal Government Electronic Mail Users' Support Environment (M.U.S.E.), Final Report of the Working Group on Governmentwide Electronic Mail, November 1993.) Another group has stressed that governmentwide e-mail will improve the scope and quality of government service to the public. (See, We The People: Service to the Citizen Conference Report, June 1993, Richmond, Virginia; and Service to the Citizens, project report issued by the Information Resources Management Service, U.S. General Services Administration, February 1993, publication number KAP-93-1).

SUBMISSIONS: Not every respondent will have expertise or interest in every issue presented. Respondents may select the issues to which they respond and should address any other issues which they believe are important. Responses should be limited to 30 pages.
Respondents should submit one paper copy and one electronic copy by January 31, 1994 (with the format clearly indicated on the diskette) to:

Department of Health and Human Services
Division of Contract Operations
Room 443H, HHH Bldg
200 Independence Avenue, SW
Washington, DC 20201

Early submissions are highly encouraged. Responses will not be returned and will be retained by the government. Proprietary information must be clearly marked and will be protected in accordance with 5 U.S.C. 552 and Executive Order 12600. Non-proprietary responses are preferred unless the information is required to support key points.

Questions concerning this RFI must be submitted in writing no later than December 23, 1993, and should be mailed to the address above or faxed to (202) 690-5698. All questions and answers will be sent to all respondents promptly.

In accordance with FAR 52.215-3, "Solicitation for Information or Planning Purposes," the Government does not intend to award a contract on the basis of this RFI and incurs no liability or responsibility to compensate any respondent for information or materials provided in response to this RFI. All communications must be made in writing to the contracting office at the address above.

GOAL AND OBJECTIVES: The government's goal is to improve efficiency and effectiveness through electronic conduct of its business. The key to these improvements is a consistent, comprehensive, and easy to use approach that integrates the individual efforts of agencies. The environment resulting from this approach will be based on products and services provided by industry.

Effective governmentwide e-mail is complicated and difficult to achieve because of the scope, complexity, and diversity of the Federal agencies, their business and trading partners, and the public with which they interact. The problem is further complicated by the variety and incompatibility of the products, services, and systems used.

Governmentwide e-mail should meet the following 10 objectives, among others:

Cost-Effectiveness. E-mail is currently implemented within many agencies. In some cases, there are several systems within an agency. The problem now is to connect these existing systems in a usable way. The initial approach to this has been through loose coordination of agencies in working groups, purchase of X.400 gateways, use of X.400 services provided under the FTS2000 contract, use of Internet electronic mail, manual exchange of address and procedure information, and ad hoc volunteer help desks. While this approach works adequately for small amounts of interagency e-mail, it will rapidly become extremely costly as the amount of such e-mail increases. A more rational, coordinated approach is necessary to realize cost savings in current methods of conducting business, and to maintain a cost-effective program in the future.

Reliability. Interagency e-mail in the current Federal environment is unreliable. Attachments to messages get garbled, and delivery of messages is not guaranteed. Shared enhancements will increase the level of reliability compared to that found in agency internal e-mail systems.

Security. As stand-alone systems become interconnected, security risks to which they are exposed increase. Local stand-alone e-mail systems have fewer security problems than wide area systems accessible to multiple organizations. Technologies exist to support secure e-mail in both environments, but there is limited experience with the acceptability of this technology to users.

Accountability. Interagency e-mail, and in many cases intra-agency e-mail, does not provide adequate accountability to allow it to be relied upon for official business. Governmentwide e-mail must be of "business quality" and support stringent government requirements, such as maintenance of official records and electronic data interchange.
Business quality e-mail also requires dependable transport, authenticity, integrity of content, delivery guarantees, identification and non-repudiation of senders and recipients, and reliable signatures and date and time stamps. Ease of Use. To be effective, the basic e-mail processes of sending and receiving a message must be as easy to use as a telephone or fax machine. While most internal e-mail systems are relatively straightforward, government officials often resort to means other than electronic mail for interagency communication, even though it is potentially more efficient or effective, because it is simply too complicated, arduous, or difficult to use. Some e-mail within an agency is supported by graphical user interfaces which integrate directory access and message preparation and retrieval. While interagency e-mail does not have to be graphical to be easy to use, message directories, preparation, and retrieval should be integrated in a meaningful way. A help desk staffed by knowledgeable people may be required to assist users. Directories. Directories of individuals, organizations, and groups are required to support easy-to-use interagency e-mail. Interagency e-mail currently requires intervention by e-mail administrators on both end systems and substantial specialized knowledge by users to properly address messages between agencies. Directories should also permit individuals to find relevant addresses based on a variety of attributes (e.g. location, function, agency). Connectivity. Many agency e-mail systems do not have external connectivity. Establishing external access among agencies, their citizen clients, and their trading partners is required. Interoperability. The current level of interoperability between e-mail systems varies on a system by system basis. 
The government must increase the level of interoperability so that sensitive messages with a range of attachments (such as word- processing documents, spreadsheets, electronic commerce forms, video, or voice) can be sent confidently in a multi-platform, multi-vendor, multi-network environment. Public Access. It is now difficult for members of the public to interact electronically with the Federal government in a consistent manner. Citizens, corporations, and other organizations should be able to address various government agencies via e-mail the same way, independent of what sort of system they are using. To any individual, sending e-mail to the Patent and Trademark Office should be similar to sending e-mail to the Social Security Administration. Users will select the types of systems best suited to their own needs, but once selected, each of those systems ought to be able to interact the same way with any agency of the Federal government. Speed and quality of implementation. Support for present governmentwide electronic mail is completely voluntary and approaching its limit. Dedicated resources are necessary to support this effort now, and the need will increase as interagency e-mail expands. Resources will also be required to support direct work with users and integration of user feedback into the technology to increase the range of applications which e-mail can support. Performance. An interagency message in the current government environment may take a long time to be delivered. Because of the difficulty of correctly addressing such e-mail without directory services, much of it is never delivered due to user errors. Varying standards for delivery based on urgency are required. Government users and those with whom they communicate require the ability to designate several delivery priorities and rely on them even within a multi-vendor environment. 
PLEASE RESPOND TO THE FOLLOWING QUESTIONS:

Please describe your organization's involvement in the e-mail industry, electronic mail support, or network and information services in the United States.
How would you recommend the government meet the above goal and objectives? Are there other objectives which are necessary to achieve the goal? What changes, if any, to current law and regulation would facilitate or be required in order to deliver Federal Government services via e-mail?
What implementation strategy do you believe would be most successful and most cost-effective for the government to pursue?
To what extent do the specifications of the Defense Message System meet the objectives described above? Would use of the Defense Message System be a desirable way for the rest of the government to proceed?
Is the X.400 standard adequate and appropriate as the basis for government e-mail?
What strategy would you recommend to the government with regard to an e-mail directory? Is establishment of a governmentwide directory based on the X.500 standard a feasible and appropriate medium-term (2-5 years) goal? Why or why not? Should other approaches to directory information for e-mail and other purposes be considered? What are the key issues in migration from the current state of affairs to full implementation of a directory?
What would you consider to be the essential minimum functions needed to support the implementation actions in the President's memorandum on electronic commerce (Attachment B)? Can these characteristics be provided within the time-frames shown in the President's memorandum?
What is the impact of a generally available networking infrastructure, as envisioned in the Agenda for Action, on the future provision of electronic mail services?
What current products and services can best meet the objectives described above? Which ones can be provided by modifying existing products or services?
What future products or services do you anticipate, if any, which would expand the Government's service capabilities or reduce the Government's costs?
What special devices or procedures are required in order to accomplish legal requirements for sender/receiver authentication, message accuracy verification, and message non-repudiation? What suggestions or recommendations would you make on this matter?
Do you have experience with cost-recovery for e-mail? If so, please describe the schemes and indicate how they have affected user behavior.
Do you have experience with e-mail being provided without usage-based cost-recovery? If so, how have the costs been managed, and how have user behaviors been affected?
What approaches do you recommend for cost-recovery of traffic flowing between Federal and non-Federal e-mail systems? Please speak to both directions of flow.
Which functions of a governmentwide system will have greatest impact on implementation costs, and why? What strategies would you recommend to minimize and control the costs?
Which functions of a governmentwide system will have greatest impact on speed of implementation, and why? What strategies would you recommend to increase the speed of implementation?
Would you be willing to participate in a cooperative government-industry effort to develop and implement governmentwide e-mail? What roles would you recommend for the government, your organization, or other parties?

SOURCES FOR REFERENCES

All reference documents for this RFI except the Defense Message System documentation are available for free, electronically, from the National Technical Information Service's FedWorld:

Dial: 703-321-8020 or telnet fedworld.gov

The Defense Message System documentation (including draft RFP) is available for free, electronically, from the Air Force Standard Systems Center Bulletin Board:

205-416-5653

Both are menu-driven systems which should be self-explanatory to the user.
APPENDIX C

Respondents to the RFI

AT&T Business Communications Services
Banyan Systems
Boeing
Booz, Allen & Hamilton Inc.
COMM POWER
Computer Data Systems, Inc.
Computer Sciences Corporation, Network Integration Division
Control Data Systems Inc.
Digital Equipment Corporation
Falcon Microsystems
GTE Electronic Defense Systems Division, GTE Govt. Systems
Harris Corporation, IS Division
IBM and Advantis
IBM Corporation
J.G. Van Dyke & Associates
MCI Telecommunications Corporation, Govt. Systems
Oracle
Soft-Switch
Software AG, Federal Systems, Inc.
Sprint
Sterling Software
UNISYS, Government Systems Group
Wheat International Communications Corporation

APPENDIX D

E-Mail Policy Checklist

Each agency should review this checklist in order to ensure that its existing and proposed policies concerning the use of electronic mail are comprehensive and balanced, and that it has appropriate and adequate means of implementing these policies.

I. LEGAL REQUIREMENTS

A. Records Management

Has the agency reviewed the NARA guidance on the management of Federal records which are made or received through electronic mail?
Are agency policies concerning electronic records consistent with the NARA guidance?
Has the agency established a combination of procedures, technology and training of employees which enables it to satisfy records management requirements for records made or received via e-mail?

B. Access

Has the agency established the capability to review and, if needed, produce copies of e-mail messages for responsiveness to FOIA and Privacy Act requests?

1. Freedom of Information

Do agency policies inform employees of their responsibilities under the Freedom of Information Act to provide access, upon request, to information stored in e-mail systems?
Does the agency have effective means of searching and retrieving information in e-mail systems in response to FOIA requests?

2. Privacy

Has the agency determined whether e-mail is used to send or receive records subject to the Privacy Act?
Has the agency published in the Federal Register a notice of system of records for any new system that results from or is related to the use of e-mail?
Has the agency published a notice for any system of records which is modified as a result of e-mail?
Does the agency directly notify individuals from whom it collects information about themselves via e-mail, as required by the Privacy Act?
Do agency policies define the safeguards, procedures and other necessary measures to ensure compliance with the Privacy Act?
Has the agency implemented appropriate controls and capabilities?
Has the agency evaluated the potential for using e-mail to facilitate collecting information about individuals directly from them?
Do agency policies and/or training advise employees against the establishment of unauthorized systems of records?
Does the agency monitor or intend to monitor e-mail usage in a way that requires the establishment of a system of records?
Do agency policies inform employees about the requirements of the Electronic Communications Privacy Act?
Do agency policies address the protection of personal privacy beyond the scope of the Privacy Act, such as for information which does not qualify as a record under the Act?
Are employees advised to delete purely personal messages from e-mail systems as soon as possible?
Are employees advised not to use e-mail to communicate information, such as gossip, that would infringe on the personal privacy of others?

C. Legal Rights

Does agency policy address the need to protect the intellectual property of others, without unduly restricting the flow of information in agency programs and services?
Are employees advised not to use e-mail to collect or store information about the exercise of First Amendment rights, except as permitted by statute?

D. Security

Do agency policies require that information communicated via e-mail be secure at a level commensurate with the importance and sensitivity of the business functions which they support, as required by the Computer Security Act?
Does agency policy provide guidance on the importance and sensitivity of specific functions?
Does agency policy provide useful guidelines on how to assess the importance and sensitivity of agency functions which are not explicitly addressed?
Are the security measures available in the e-mail system well matched with agency policies concerning the use of e-mail to transmit confidential or sensitive information?
Are e-mail users, both within and outside of the agency, informed of the extent to which privacy or confidentiality can be protected in the e-mail system?

1. Availability

Has the agency ensured that e-mail availability meets business needs?
Do agency policies define, or provide guidance on defining, appropriate levels of availability of e-mail capability to agency officials, employees, business partners, and the general public?
Does the agency ensure that user directories, access privileges and routing instructions are correct, complete and up to date?

2. Integrity

Has the agency identified the requirements for integrity of information sent or received via e-mail?
Has the agency provided adequate means for satisfying such requirements?

3. Confidentiality

Has the agency determined what categories of sensitive information are, or are likely to be, transmitted via e-mail?
Has the agency defined the criteria for adequate protection of the confidentiality of information in each such category?
Does the agency provide procedures, training, technology and other means which are adequate to protect information from unauthorized disclosure, consonant with its established criteria for different categories of information?
Does the agency prohibit e-mail users from reading e-mail messages addressed to others, except when designated by the author or addressee to receive a copy?
Has the agency defined the purposes which legitimize access by officials or system administrators to the e-mail of others?
Are system administrators and others with special access to the system prohibited from reading e-mail messages of others, except to the extent necessary to perform their functions?

E. Adjudication

Has the agency determined whether it is likely to need to submit information from e-mail systems as evidence in judicial proceedings?
If so, has the agency taken steps to ensure that this information will satisfy requirements for admissibility in Federal courts or, if relevant, in state courts?
Does the agency use or intend to use electronic mail to facilitate actions or proceedings under administrative law?
If so, has the agency taken steps to ensure that use of this technology does not disadvantage a party which might not have ready or full access to e-mail capabilities?

II. ISSUES IN CONTEXT

A. Electronic Mail Within An Agency

Has the agency sought input from throughout the organization, including managers, employees, employee organizations and unions, legal counsel, and others, in developing e-mail policies?
Does the agency provide its employees with adequate training on the use of e-mail technology and on legal requirements and agency policies?

1. Responsibilities for Information Management

Has the agency defined responsibilities of (i) agency management, (ii) e-mail administrators or system managers, and (iii) e-mail users concerning access to, management and use of e-mail and e-mail systems?
Has the agency defined and communicated to its employees requirements for the use of e-mail in the conduct of agency business?
Are employees instructed on basic business standards and etiquette for the production and transmission of e-mail messages?
Has the agency established and communicated standards and procedures for specific mail-enabled applications?
Has the agency defined and communicated to its employees norms for employee discretion in the use of e-mail in the conduct of agency business?

2. Permissible Use

Has the agency defined permissible uses of e-mail for purposes other than the conduct of agency business?
Has the agency communicated its standards for such permissible uses to its employees and, if applicable, to members of the public?
Has the agency identified activities considered to be inappropriate use of e-mail?
Has the agency defined appropriate disciplinary actions in the event of such activities, and established appropriate due process protections related to potential disciplinary actions?
Does the agency inform employees in advance of what will happen to their e-mail if their employment ends or during extended absences?
Does the agency have effective means to ensure timely termination of the e-mail accounts and access privileges of departing employees, contractors and other e-mail users?
Are departing users debriefed concerning their accounts, passwords, and records stored on e-mail systems?
Has the agency defined standards for the use of broadcast capabilities in e-mail systems?
Are e-mail users advised to send e-mail only to interested addressees and to avoid unnecessary use of distribution lists?
Has the agency established guidelines on subscriptions to e-mail distribution lists and access to fee-for-service capabilities?

3. Monitoring e-mail

Has the agency defined the purposes and conditions for which it will authorize monitoring e-mail?
Has the agency established rules and controls for monitoring so that monitoring only occurs when legitimate and the intrusion into e-mail communications is the minimum required for the specific purpose of the monitoring?
Does the agency inform e-mail users in advance of the possibilities that their e-mail may be monitored?
Do employees have ready access to agency policies concerning e-mail?
If monitoring is conducted in a manner that collects information about individuals and the information is retrieved by individual identifier, does the agency ensure that the requirements of the Privacy Act concerning records and systems of records are met?

4. Organizational Impacts

Does agency policy promote the use of e-mail in ways that increase productivity, improve timeliness of service to agency clients, and facilitate and strengthen program capabilities?
Does the agency provide incentives and awards for managers and employees who are responsible for significant improvements in productivity, timeliness or capability?
Does the agency have effective channels for communicating with its employees about new ways to improve performance through the use of e-mail?
Has the agency analyzed potential effects of e-mail on the chain of command and determined both when business needs require that the chain of command remain intact and when the public or the government would be better served by empowering employees to communicate directly with customers, business partners, or counterparts in other agencies?
Are e-mail initiatives integrated with agency efforts to reengineer business processes?

B. Electronic Mail Between Government Organizations

Has the agency identified opportunities for improving interactions with other government organizations through the use of e-mail?
Has the agency defined appropriate standards and procedures for intergovernmental e-mail?
Does the agency coordinate its service delivery mechanisms with other agencies which serve the same customers or have the same business partners?
Does the agency coordinate the use of e-mail for agency business with appropriate state or local government agencies?

C. Interaction with the Public

1. Equal Access

Does the agency use e-mail and other communications channels in combination to ensure that it does not discriminate against or disadvantage any member of the public or business partner in the conduct of agency business or the delivery of services?
Are current and potential correspondents informed of the existence of e-mail and of other ways of communicating with the agency?
Has the agency taken positive steps to avoid imposing technological barriers, such as unusual, proprietary, or difficult to use technology, to e-mail between the agency and the public or its business partners?
Has the agency determined whether it is in the public interest for the agency to provide e-mail capabilities to the public or to business partners?
Has the agency accommodated the needs of persons with disabilities?
Has the agency determined whether it needs to provide access to e-mail capabilities to persons who are illiterate or not fluent in English?

2. Quality of Service

Does agency policy promote the use of e-mail to expand hours of service, to deliver services to places where the public needs them, and to effect other improvements in services?
Has the agency established adequate support for both technical and business questions and problems that may arise in the use of e-mail for communicating with the public?
Do agency e-mail systems include feedback mechanisms that the public can use to inform the agency of its level of satisfaction?

APPENDIX E

E-Mail Implementation Survey

This survey is being conducted to determine the extent to which Federal agencies can communicate through electronic mail ("e-mail") with other outside organizations, including other Federal agencies. We are collecting baseline information at this time and will be updating survey information in the future to track and report progress in implementing governmentwide e-mail over time.
Agency responses are to be coordinated by and through Agency Designated Senior Officials for IRM and should include data for all components of respective agencies and organizations. Please feel free to estimate; the survey is intended to be easy to complete and absolute accuracy is not required.

For purposes of this survey, the terms "interagency e-mail" and "external e-mail" mean mail systems that permit electronic communication between individuals associated with your agency and individuals not associated with your agency, and which use either standard SMTP (Internet) or X.400-based services and gateways. The term "workstation" means the electronic tool used by an individual at his or her place of work, including microcomputers, terminals, and other similar equipment. An "e-mail-enabled workstation" is a workstation that has any form of access to e-mail. Finally, this survey seeks only information about unclassified e-mail systems.

Thank you for your assistance in responding to this survey.

1. Agency Name:

2. Agency Designated Senior Official for IRM:
   Name:
   Title:
   Telephone number:
   Response Date:

3. Approximately how many individuals worked in your agency as of September 30, 1993? Include full and part-time regular government employees and contractor employees who work on-site, in government-furnished space:

4. Approximately how many of these individuals were grade GS-14 or higher (and equivalents) managers?

5. Approximately how many of the individuals identified in response to question 3 have a workstation?

6. Of the individuals identified in question 3, approximately what percent do not need a workstation to do their work?

7. What categories of individuals have you included in response to question 6 who do not need a workstation to do their work?

8. Approximately how many of the workstation-equipped individuals identified in response to question 5 are reachable by e-mail by individuals external to your agency?

9. Estimate the percentage of the individuals identified in response to question 5 who have access to the following external e-mail services (include all that apply):

   Percentage   Service
                "Direct access" (whether dial-up, hard-wired, or network gateway connection) to X.400 e-mail service (other than through an Internet-based gateway to X.400 services)
                "Direct access" (whether dial-up, hard-wired, or network gateway connection) to SMTP/Internet e-mail service (other than through an X.400 service-based gateway to the Internet)
                Full access to Internet (Mail, FTP, Telnet, etc.)

   For those users who have access to one or more of the e-mail services listed above, what percentage are limited to dial-up access?

10. Estimate the percentage of workstations associated with individuals identified in response to question 5 that are joined together with other workstations in any form of one or more internal networks that at the minimum permit exchange of point-to-point electronic messaging among networked workstations? %

11. Estimate the largest percentage of the internally-networked workstations referred to in question 10 all of which can communicate with one another using electronic messaging. (For example, in an agency where the workstations that are networked are joined through just 3 networks, A, B, and C, each of which serves, respectively, 25, 35 and 40 percent of the networked workstations, the answer would be 40 percent if each network is isolated from the others, 60 percent if just networks A & B are interconnected, and 100 percent if all three networks are interconnected.) %

12. Can you estimate reasonably easily one or more aspects of your volume of e-mail as listed below? _____Yes _____No and if so, what are your estimates for any of the following indices below for the most recent month for which estimates are available?
(leave blank if not practical to estimate)

   Month:
   Total e-mail messages (internal and external)
   Total "internal" e-mail messages (e-mail exclusively within your overall organization)
   Total "external" e-mail messages (e-mail between individuals associated with your agency and individuals not associated with your agency)

13. Which of the following officials within your agency can be accessed by interagency e-mail, and to what extent have they used it? (Check all that apply)

                                            Reachable   Has received message   Has sent message
   Agency Head
   Chief Financial Officer
   Chief Operating Officer
   Senior IRM Official
   Senior Regulatory Official
   Budget Officer
   Alternate Dispute Resolution Official
   Legislative Liaison Officer
   Public Affairs Officer

14. Has your agency submitted a "Postmaster" address to GSA's IRM Directory to which telephone and/or e-mail queries concerning access to your agency via e-mail may be addressed? (Contact Vivian Ronen, 202-501-0154 for more information.) _____Yes _____No

15. Approximately what percent of the addresses of your agency's GS-14 or above managers (and equivalents) identified in response to question 4 have you submitted in electronic format to the FIRMPoC-endorsed Interagency E-Mail Directory Project? (For more information, contact either the Interagency E-mail Help Desk, on 816-926-3068 (e-mail: manager@helpdesk.fed.gov) or GSA Office of Telecommunications Services, on 202-501-0108.) %

16. Approximately what percent of the individuals identified in response to question 8 as having workstations and access to interagency e-mail have been given training on using interagency e-mail? _______%

17. Have you disseminated an agency-wide policy on interagency e-mail? _____Yes _____No

Maximum Possible
   30    The number of employees who are reachable by external e-mail divided by the number of employees who need a workstation to do their work.
   10    The percent of networks that are interconnected.
   20    The total points for Officials divided by points possible. (Agency Head gets 2 pts for each category, each other Official gets 1 pt for each category).
   10    Postmaster Address.
   10    The percent of managers in FIRMPoC endorsed e-mail directory.
   10    The percent of employees trained on inter-agency e-mail.
   10    Policy on inter-agency e-mail.
   100   TOTAL

1 Some Federal entities are exempt from the Privacy Act because they are not "agencies" within the meaning of the Act; for example, the Office of the President or of the Vice President, and the Congress. However, a document originating in such an organization, when transmitted to an agency and under the control of that agency, would be covered by the Privacy Act if it were filed in a Privacy Act "system of records".
2 Cite DOJ memorandum
3 "Direct access" is defined as dial-up, hard-wired, or network gateway connection to e-mail services. For X.400 e-mail it does not include Internet based gateways to X.400 services and vice versa.
4 Department of Defense addresses are available on the InterNic.
5 See Appendix E for a copy of the scoring methodology.