The man who shot and killed 26 people at a church in Texas in 2017 used guns he wouldn’t have been able to purchase if the Air Force had properly managed its records.
On six occasions, military officials failed to send Devin Kelley’s records to the FBI while the Air Force investigated, court-martialed, and imprisoned him for abusing his wife and stepson. Had the FBI received the records, the killer would have been barred from buying the weapons used in the massacre.
While the Air Force case may appear unique, federal records management failures are behind some of the biggest national headlines in recent years. The largest breach of government systems in the history of the United States in 2015 was quantified specifically by the number of records stolen from the Office of Personnel Management (OPM)—21.5 million. Similar failures figured in the scandal of the Internal Revenue Service (IRS) selectively auditing conservative groups and then-Secretary of State Hillary Clinton’s use of an unauthorized private email server.
Rather than being an anomaly, the preventable failures that contributed to the Sutherland Springs, Texas, massacre are a symptom of a vast problem spanning the entire federal government, according to two experts with decades of experience with the electronic records management application standard that undergirds virtually all records management software deployed in agencies across the government.
A task force at the Pentagon’s Defense Information Systems Agency (DISA) created the standard, the 5015.2 Electronic Records Management Software Applications Design Criteria, in 1995. Three years later, the National Archives endorsed the standard for use by all government agencies. Over the more than two decades that followed, the government has spent billions of taxpayer dollars on records management applications certified under that standard.
But the money has largely been wasted, since the applications became unusable at the turn of the century as technological advances enabled a new era of interconnected digital workspaces bursting with records to manage. The 1990s-era applications require each government employee to declare every record manually. As both the amount and the types of records ballooned, the task became unmanageable.
Daryll Prescott led the DISA task force that drafted the records management application standard from 1993 to 1995. He became aware of the issues in the early 2000s.
“People are busy. They don’t have time to be dragging and dropping things,” Prescott said. “Billions have been spent on records management applications, which are not working and people are not using them. It’s a disservice to the citizens of the United States and a disservice to the people of this industry.”
Don Lueders, a former federal contractor for IBM and other software companies, spent two decades developing and selling records management applications based on the Department of Defense (DOD) standard. He was often in a position to witness firsthand whether the applications bought by the government were actually put to use.
And, according to Lueders, they never were, including at the Department of Justice, the Department of State, the Department of Treasury, the IRS, and multiple components of the DOD, such as the White House Communications Agency.
“I trained on it. I consulted on it. I made a great deal of money off of that thing,” Lueders said. “About seven or eight years ago, I came to the conclusion that I couldn’t support it anymore. And I couldn’t support it anymore because I knew that not only had I never seen one record in a production environment enter into a DOD-certified repository, I’ve never even seen any of those applications successfully deployed. So they’re empty.”
A former senior Pentagon official told The Epoch Times that he had never used a records management application during his decadeslong tenure at the DOD. The official’s records management practice consisted entirely of placing files in folders on drives on the government-issued computer, a far cry from the exacting declaration, storage, retention, and destruction processes built into the records management applications the Pentagon mandated each official to use.
“People are not rewarded for records management,” the official, who spoke on the condition of anonymity, said. “I’ve never seen a bonus for properly doing records management. You are rewarded for production on the hot topic for management. When I retired and left government service, my records probably didn’t get preserved.”
Marc Ruskin, a former FBI special agent, likewise confirmed to The Epoch Times that he had never used a dedicated application to manage any of the records he created or received over the course of his two decades at the bureau.
He recalled a failed attempt to bring on a records management application in 2004 and 2005 during the tenure of FBI Director Robert Mueller. After the software was scrapped, the FBI began working on deploying a new system. Ruskin never used the new software, despite being trained on it, right up until he left the bureau seven years later.
“There was a big paperless failure during Mueller’s tenure,” said Ruskin, who is also a contributor to The Epoch Times. “He was pushing aggressively to digitize everything. The FBI went ahead to transition to a system that was not fully developed, sort of a beta system, not ready for use. No one had the [courage] to tell the director they couldn’t meet his deadline.”
Heart of Accountability
Despite its stuffy title, records management cuts to the core of the relationship between the government and the American people, who fund it. The ongoing contract is based on accountability and transparency, neither of which are possible without records. The explosion in records that accompanied the information technology boom has greatly diminished the government’s ability to be accountable and transparent.
In theory, the Pentagon-certified applications were meant to address the issue. Instead, they provide little more than the illusion of records management, as the vast majority of these applications are never implemented.
“You don’t have a democracy without accountability and transparency,” Lueders said. “You don’t have accountability and transparency without records management.”
Without an effective system to preserve, protect, track, and—when required by law—destroy records, the ensuing chaos hands the power over the government’s records to career administrators, who can choose which records see the light of day and which simply disappear.
“That’s been going on for almost a quarter-century,” Lueders said. “And it doesn’t matter who’s in the White House. I’ve seen it with my own eyes at these agencies. Information is the most valuable currency in the world now, and they control the information.
“So they can do and say whatever they want with absolute impunity. That’s a terrifying thought.”
After developing the DOD 5015.2 standard, Prescott had largely walked away from the records management industry when he received a call from John Carlin, the archivist of the United States, in 2003. Under one of President George W. Bush’s initiatives, the National Archives was seeking to create and implement policies to regulate the maintenance of federal electronic records. Prescott interviewed for the job and began working as a detailee to the National Archives in 2004. He led an interagency effort to create a new standard for records management based on services, which would allow the government to catch up with the rapid advances in technology.
After 4 1/2 years, a collaborative effort between 19 cabinet-level agencies led by Prescott resulted in the creation of a new standard. It spelled out the requirements for records management services (RMS), which would handle the insurmountable burden of manual tasks imposed on end-users by the DOD-certified applications.
When the National Archives endorsed the DOD 5015.2 standard in 1998, big tech companies instantly had the business case to develop products to meet the government’s criteria since sales would be assured. Prescott knew this would also be the case if the National Archives endorsed the new RMS standard. Expecting an endorsement, two tech companies had approached his team with prototypes based on their services.
But before a working solution was built, the National Archives walked away from the new standard.
“The question remains: Why?” Prescott said.
Prescott handed the new standard to the Object Management Group (OMG), an international technology standards consortium. The OMG used the standard to create high-level models that could be used to create RMS software for any system.
After the OMG published the standard in November 2011, Larry Johnson, who is now on the board of directors at the OMG, presented it to the National Archives. Johnson was surprised the agency again didn’t endorse the standard.
“I was kind of shocked,” Johnson said.
At the time, the National Archives was looking for ways to comply with the presidential memorandum on managing government records, issued by President Barack Obama in late 2011. The RMS standard addressed almost all of Obama’s requirements. However, the National Archives showed no interest.
“I was a little bit taken aback by the glassy-eyed response,” Johnson said.
The National Archives didn’t respond to a request for comment on why the RMS standard was never endorsed.
Despite spending billions on records management applications, today the federal government is stuck with unusable software.
“The standard is not wrong. The systems are not wrong,” Prescott said. “The applications are just not viable for the current environment.”
Lueders initially aired his concerns on his industry blog and social media several years ago. He then sounded the alarm at IBM, where he worked on a team selling records management software to the government.
Seeing that IBM wouldn’t budge, Lueders filed a formal whistleblower complaint with the DOD inspector general (IG) in May 2017. The DOD IG relayed the complaint to the DISA IG, which interviewed Lueders a month later. The DISA IG declined to investigate and forwarded the complaint to the Joint Interoperability Test Command as a business issue.
IBM didn’t respond to a request for comment.
In July 2017, Lueders submitted another whistleblower complaint to the Intelligence Community (IC) IG, but never heard back. Suspecting that the IC IG wouldn’t investigate the complaint, he initiated contact with the office of his congresswoman at the time, Rep. Barbara Comstock (R-Va.), and stayed in touch before Comstock’s staff abruptly cut ties. Comstock lost her seat in November 2018. Comstock didn’t respond to a request for comment.
Applications built to meet the Pentagon’s standard include crucial functionality for government transparency and accountability. They require every government employee to declare records into a certified system, where the record is secured so it can’t be deleted or altered.
Records that should be destroyed after a certain time are forensically deleted by the application so they can’t be recovered. This should have been the case for a significant portion of the 21.5 million records stolen from the OPM beginning in 2015, according to both Lueders and Prescott. If the records were in a DOD-certified records management repository or managed by the RMS standard, the software would have wiped out a significant portion in compliance with federal laws and regulations, long before a cyberattack, reported to have originated in China, breached the OPM systems.
Records that shouldn’t be destroyed or altered are secured and made immutable if they are declared in the application. This should have been the case with the emails of Lois Lerner, the IRS official at the center of the controversy surrounding the IRS’s targeting of conservative groups. Instead, the IRS claimed that the emails, which were under subpoena from Congress, were lost due to a computer crash. The IRS later claimed that the emails for five more officials were missing due to computer crashes. Those emails wouldn’t have been lost if Lerner and the other officials used a records management application.
The government’s failure to use the certified applications is rooted in the nature of the DOD standard itself. Prescott developed the standard at the office of the assistant secretary of defense for command, control, communications, and intelligence in the 1990s, in response to the records management failures exposed when the federal government attempted to collect data on troops who suffered from Gulf War syndrome. Prescott worked on the standard from 1993 to 1995. The DOD released the first version in 1997.
In the 23 years since then, the standard was updated twice, but none of the changes adjusted the standard to the staggering advances in technology made since 1995. The core of the problem is that the standard guides the creation of applications that require manual input rather than services, which would handle this work in the background. The vast majority of the electronic records management applications at government agencies sit unused because the work required to manually enter each record into them is unsustainable.
“You have the appearance [of records management] and you have the reality,” Prescott said. “That is not responsive to our republic.”
The DOD standard doesn’t include a usability requirement. Legal teams vetted the standard to determine that it would satisfy the records management mandates imposed by Congress and adhere to the regulations of the executive branch. Usability and viability weren’t part of the process.
“Nobody—including the task force—tested these solutions to see if they would really work in a production environment,” Lueders said. “And they don’t.”
Prescott, during his time on detail to the National Archives, noted in a presentation that records management applications “must be inserted in uncountable places in the business process” and have “never met requirements originally documented in the 1990s.”
As an example of the work involved to declare a single record, a government official who sends an email would have to determine, based on records management training, whether the email even constitutes a record. The official would then have to drag the email from his or her outbox and drop it into the records management application and fill in the metadata, such as the classification level and a date for when the record should be deleted. This should be done for every record, be it an email, text message, social media post, text document, spreadsheet, calendar entry, or any other document so recognized.
“You’re always pressed for time to do a lot of action. If you’re saying you can’t do that because you’re following the records standard, you’d be viewed as crazy,” said the former senior Defense Department official.
IBM hired Lueders in 2015 after he became a vocal critic of the failures stemming from the limitations of the applications. Lueders says he agreed to come aboard because IBM claimed to be interested in developing a solution unbound from the DOD’s standard. He said that when he discovered that IBM was still selling the software based on the same standard, he complained and was eventually pushed out.
‘The Nation’s Recordskeeper’
Despite endorsing the DOD standard for all federal agencies since 1998, the National Archives and Records Administration (NARA), which describes itself as “the nation’s recordskeeper,” uses a DOD-certified application only for its email records.
“NARA recognizes that a one-size-fits-all solution that addresses all of an agency’s electronic records management needs is generally not practical,” a spokesperson for the National Archives told The Epoch Times in an email.
The National Archives said it manages the rest of its records “in the system in which they are created, with dispositions being applied in manual or automated methods.” The agency didn’t respond to a request to explain what processes and policies are in place to meet extensive federal electronic records management requirements, including how the records are declared, made immutable, managed through their retention schedule, and, when required, forensically destroyed.
In 2017, the National Archives issued guidance clarifying that only the DOD is governed by the 5015.2 standard. In 2018, the agency issued its own set of universal electronic records management requirements.
“These requirements do not depend on a particular approach or tool, which gives agencies and vendors more flexibility to find records management solutions that meet NARA requirements,” the spokesperson added.
Despite the recent changes at the National Archives, DOD-certified applications remain the go-to software most government agencies carry, in part because the standard is the only one specifically listed in the federal regulation governing electronic records management and the only solution that bears a DOD certification.
Cost to Taxpayers
The total cost to taxpayers after two decades of deploying the unviable records management software is hard to estimate, due in part to poor federal contract award record management. A non-exhaustive search for DOD-certified products turned up contracts worth tens of millions of dollars. According to Lueders, the tab easily could run into the billions.
“If you add up all the contracts that were awarded because the software included a DOD-certified repository and the services provided to support those contracts, you get into the billions pretty quickly,” Lueders said.
The records management application industry in the United States was valued at $17 billion to $19 billion in 2016, according to GEP, a procurement and supply chain consulting firm. The General Services Administration recently rebid a contract for Defense Enterprise Office Solutions—a cloud office package that includes a DOD-certified component—for $7.6 billion.
But the true cost of the chaos caused by poor record-keeping could be exponentially greater. In 2016, the DOD IG found that the Pentagon had insufficient records to account for $6.5 trillion in expenses.
The cost of the opportunities lost due to insufficient records, as in the cases of those suffering from Gulf War syndrome, is likewise significant. Beyond the money, records management failures have more tragic consequences.
The families of the victims of the 2017 Texas church massacre filed several lawsuits against the government, claiming that the Air Force’s records management negligence allowed the killer to purchase the weapons used in the killings. The lawsuits have since been consolidated into a single case. The families cleared a major hurdle last year when federal Judge Xavier Rodriguez allowed some of the charges in the case to proceed. The trial starts on Sept. 8.
In the ruling, Rodriguez noted that the Pentagon has long been aware of its records management failures, specifically when it comes to notifying the FBI about personnel being investigated, prosecuted, and convicted. In 2014, the DOD IG found that the Air Force Security Forces failed to submit fingerprint cards and final disposition reports to the FBI in 60 percent of cases. In 2015, the DOD IG examined the issue across several branches of the military and found that the Air Force failed to submit criminal conviction records to the appropriate computer databases 30 percent of the time.
The Air Force didn’t remedy its records management failures by 2017 when the watchdog found deficiencies in reporting criminal convictions to the FBI in 94 percent of cases. The report stated, “Any missing fingerprint card and final disposition report can have serious, even tragic consequences, as may have occurred in the recent church shooting in Texas.”
None of the IG reports from 2014, 2015, 2017, and 2018 include a single mention of the DOD’s 5015.2 standard, which formally guides the handling of the electronic records examined in each report. In Kelley’s case, Air Force personnel were, in some instances, simply unable to find the documents that would have been preserved if they had used a DOD-certified application.
By the time the Air Force had its third opportunity to send Kelley’s records to the FBI on June 8, 2012, the FBI no longer accepted hard-copy fingerprint cards. As a result, the fingerprint cards should have been scanned and declared as electronic records into a DOD-certified application. The Pentagon took two more years to notify its personnel about the FBI’s new requirement.
The Air Force and the Air Force IG declined to answer a question on why a review of compliance with the DOD 5015.2 standard was omitted from the reports.
The DOD, the Air Force, and the Air Force IG declined to comment, citing the pending litigation by the Sutherland Springs families.
An attorney for the Holcombe family, which lost nine family members in the massacre, also declined to comment due to the pending litigation.
IBM, the OPM, the DOJ, the State Department, the Treasury, the Patent and Trade Office, and the White House Communications Agency didn’t respond to requests for comment.
Unlike the compliance failures uncovered in the Air Force IG reports, the records management failures related to the DOD-certified applications are connected to more than the federal government. In IBM’s case, Lueders was vocal about the software being unused. He said the company kept on selling it.
Other tech giants have long been aware their records management software is unviable in current electronic environments, according to Prescott.
In a first for IBM’s DOD 5015.2-certified products, the company announced it would discontinue support for one of its records management products in April.