Compliance

Protecting FCI and CUI – Federally Compliant Record Repository

Duration: 22 Minutes
Industry: Government
Speaker: Ray Davis

Conducting business with the government and its agencies comes with requirements.  The requirements to manage FCI and CUI are growing.  It started with the requirements of NIST 800-171 and has expanded to FAR 52.204-21 and FAR 4.7.  But the changes don’t stop there.  We’ll dive into the CMMC, the Cybersecurity Maturity Model Certification. This is a new certification that has eliminated the federal contractor self-assessments in favor of a 3rd Party Assessment to ensure your compliance.  Yes, you’re going to have to pass an assessment now!

Along with that we’ll discuss how to properly store your sensitive FCI and CUI. Storage isn’t a one-day thing.  You’ll need to manage the storage of your records through the entire information management lifecycle. Once you bring your records into the system, you’ll need to properly tag and mark them so that only the people who should have access do.  Yes, that’s a part of the regulatory requirements.

Do you know the difference between a single-tenant system and a multi-tenant system and just what does that mean to the access and security of your information?  We’ll delve into that as well.   By the end of the webinar you’ll be able to self-assess your ability to comply with the new regulations, the new certification, and decide whether it’s a challenge you want to accept on your own or engage with Feith Systems and Software to manage your FCI and CUI.

The SITCAR Model: Privacy in Content

Taking control of Enterprise Data Privacy for Documents, Records and Emails

One of the most critical repositories of PII (Personally Identifiable Information) at your organization is your set of content servers, email servers, and line of business systems.  However, these systems are often ignored by privacy professionals in favor of data-specific systems like a Sales CRM, Marketing Database, or Cellphone App.   This doesn’t give the whole picture.

Those data-specific systems absolutely contain private information, and lots of it.  Information like Name, Phone Number, Email address, Location, and more.  That information is GDPR and CCPA relevant and constitutes risk to your organization.

However, compared with your Content Repositories, that risk is small.  In our experience, the highest-risk PII for most organizations resides in Documents, Email, and other forms of Content.  It resides in unstructured data.

Consider, for example, the documents that your company stores in your HR document repository.  That repository contains very private health information, employment status, background investigation results, income, Social Security numbers, HR issues, citizenship status, Life insurance information, performance status, and more. 

And your HR system is not unique in this respect.  Consider the private information stored in your contracts system.  Consider the Intellectual Property and other forms of private information passed between your employees and clients by email.

It’s essential to take a quality, not quantity, approach when developing a Privacy Strategy at your organization. In our experience, when it comes to sensitivity for most organizations, content reigns supreme.

SITCAR:
Secure, Identify, Tag, Control, Audit, Remove

When dealing with PII in Content, the strategy required is slightly different from dealing with PII in Data. 

Feith Systems developed The SITCAR Model for privacy control and compliance projects.  The model defines the six major steps and concerns when dealing with privacy in content systems, and clarifies how Feith Systems uses our software to help clients solve the privacy in content problem.


S: Secure
Security should always come first.  Other steps in privacy control mean very little absent adequate security.  This means the steps we’ve come to know, like Encryption in Motion and at Rest, and using Alerts to notify of unusual downloading or viewing behavior.  

It also means steps that not all organizations have adopted, like ensuring that your Content Repository vendors undergo adequate code review and threat modeling, and can ensure Data Integrity. 

I: Identify
PII that you don’t know that you have, that you have not identified, can constitute a major risk.  If you don’t know that you have it, it will be hard to control.  Taking inventory of your systems and the PII therein is key. 

Data Discovery technologies, like Feith’s, can help you determine where to focus your energy, and can help you with Data minimization / ROT reduction before you begin tagging that data.

Feith uses our Auto-Categorizer engine for this step, helping us identify basic structured information like Phone Numbers, SSNs, as well as more complicated unstructured PII by identifying records by type (e.g. Background Investigations, Income Documents).

T: Tag
After you’ve identified the relevant content, the next step is to Tag it.  Tagging the PII with Metadata values allows us to deal with it programmatically.  Without tags, all PII would need to be dealt with manually. Those tags can include the sensitivity level of the information, the nationality of the data subject, or the category of information.

C: Control
Having tagged the content makes it possible to control and secure it.  Feith builds roles with access to only certain tags.  A kind of Security Keyword profile.  So, for example, you may want to limit documents tagged EU Data Subject to employees in the EU — by building a profile with access to that keyword, you can control that PII.

A: Audit
Auditing is made up of a few different parts:

  1. Provable data integrity and data accuracy
  2. Tracking employee access and actions
  3. The ability to respond to data requests
  4. The ability to document compliance
Feith is able to do this because they audit every field in the system — a requirement of the DoD 5015.02 standard.

R: Remove
Last but not least is the ability to remove the PII.  For Feith, this means being able to handle Data Retention and Records Management.  It also means being able to Securely and Automatically Redact information, which makes it possible to keep up with Data Subject Right to Forget requests.
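The Tag, Control, and Audit steps above describe tag-based access control with a full access trail. The following is an added illustration written for this page, not Feith’s software or schema: records carry constructed tags (sensitivity, data-subject nationality, category), a “security keyword profile” lists the tags a role may see, access is denied unless the profile covers every tag on the record, and every decision is logged so it can be reviewed or used to answer a data-subject request.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (not Feith's schema): each record carries the tags
# the Tag step produced; each "security keyword profile" lists the tags a
# role may see.  A record is visible only if ALL of its tags are covered.
DOCUMENTS = {
    "HR-0001": {"sensitivity:high", "subject:EU Data Subject",
                "category:Background Investigation"},
    "HR-0002": {"sensitivity:high", "subject:US Data Subject",
                "category:Income Document"},
    "CON-0100": {"sensitivity:medium", "category:Contract"},
}
PROFILES = {
    "hr-eu": {"sensitivity:high", "sensitivity:medium", "subject:EU Data Subject",
              "category:Background Investigation", "category:Income Document"},
    "contracts": {"sensitivity:medium", "category:Contract"},
}

@dataclass
class AuditTrail:
    """Every decision is recorded, allowed or denied, so access can be reviewed."""
    events: list = field(default_factory=list)

    def record(self, user, profile, doc_id, action, allowed, missing):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "profile": profile, "doc": doc_id,
            "action": action, "allowed": allowed, "missing": sorted(missing),
        })

def check_access(user, profile_name, doc_id, action, audit):
    """Deny by default: the profile must cover every tag on the record."""
    tags = DOCUMENTS.get(doc_id)
    if tags is None:  # unknown record: deny, and still log the attempt
        audit.record(user, profile_name, doc_id, action, False, {"<unknown record>"})
        return False
    missing = tags - PROFILES.get(profile_name, set())  # tags the role lacks
    allowed = not missing
    audit.record(user, profile_name, doc_id, action, allowed, missing)
    return allowed

def records_for_subject(subject_tag):
    """Supports a data-subject request: which records carry this subject tag?"""
    return sorted(d for d, tags in DOCUMENTS.items() if subject_tag in tags)

def denied_events(audit, user=None):
    """Audit query: denied attempts, optionally filtered to one user."""
    return [e for e in audit.events
            if not e["allowed"] and (user is None or e["user"] == user)]
```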

Much of the information that you collect about your clients, partners and employees constitutes PII.  Not only are there laws and regulations that define how you control and manage that information, but that PII can also constitute a legal risk to you. PII, or Personally Identifiable Information, that is leaked in a breach or inappropriately maintained can come with large fines or damage to your brand.

Feith’s SITCAR model can help you take control of PII in your content.  If you’re interested in learning more about how Feith Systems has helped organizations like yours deal with Privacy in their Content, reach out today.

Social Media Records Management

Federally-compliant Records Management for Social Media

Since the first presidential tweet in January 2010, sent by then President Barack Obama, the medium has exploded as a way for government officials to make public announcements.  Since his inauguration in 2017, President Trump has made Social Media not just a means, but perhaps the means, for his office’s announcements.

This shift follows the trends at large: Social Media overtook print in global advertising revenue for the first time earlier this year. Traditional radio announcements, TV ads and print media are still useful ways to reach the broader public, but many budgets simply can’t afford traditional media’s high cost per impression, and its comparative effectiveness is increasingly up for debate.

Social media is now recognized as a powerful and inexpensive tool for engaging the public, making announcements, and educating, no matter the size of the agency or its budget.  It’s no wonder that every agency and office up to the President has begun to leverage these effective tools for low-cost/high-impact outreach.

But be forewarned — many agencies forget that Social Media posts constitute official government records and need to be managed according to the letter of the law. 

NARA Bulletin, ‘Guidance on Managing Social Media Records’:
“The Federal Records Act (44 U.S.C. 3301) defines Federal records as any material that is recorded, made or received in the course of Federal business, regardless of its form or characteristics, and is worthy of preservation. Social media content that meets this definition must be managed according to the applicable laws and regulations.”

NARA makes the point very clearly, but it may underplay the concrete importance of Social Media as record.

As of March 2019, 73% of Americans interviewed by Pew Research Center report that they get some or all of their news from Social Media.  It’s clear that Social Media constitutes a strategically significant method for agencies to make announcements to the public, but if they’re going to use Social Media for official business they’ll have to align with NARA’s guidance.

Feith will ensure your social media presence remains compliant with all federal records regulations and guidelines.  Reach out today to learn more about our new Social Media archive solution, backed by our complete Government Records platform:  more-info@feith.com

Are your Repositories ready for GDPR?

Protect Data With Feith’s GDPR-ready Platform

In May 2018, the EU’s General Data Protection Regulation (GDPR) went into effect. Even though the EU established this law, the regulation has effect at a global level because of how integrated markets are with the EU.

Data controllers need to make sure they’re collecting and managing an individual’s data in the right way using a technology that supports GDPR compliance. The system needs to provide complete life-cycle management over this information and allow for easy accessibility while also providing a high level of security.

There Are Five Key Metrics for Ensuring a GDPR-ready Platform

    1. Data accessibility: It’s important that organizations can access and locate data across their entire enterprise
    2. Advanced search and analyses: The system should provide full visibility across all data repositories, including email, file shares, SharePoint, social media, and more. It should search even the largest enterprise data environments using complex queries such as boolean, wildcard, proximity, and nested search. Advanced search and analysis functionality helps organizations better understand their structured and unstructured data.
    3. Data retention: All data needs to be retained in accordance with GDPR regulations. Companies must also know and recognize who they’re retaining information for; this knowledge is vital because individuals must consent to having their information collected.
    4. Centralized management: The solution should aggregate data in a single repository accessible by your enterprise data controllers.
    5. Lifecycle control: The technology should support complete lifecycle management and defensible disposition.

Feith’s GDPR-ready platform provides organizations with an accessible, secure, and manageable system for capturing, storing and cleansing PII and other GDPR-relevant data. Feith keeps track of when a user accesses, views, edits, or acts on a document or data record. Further, it gives executives and managers access to review audit logs, making it easy to obtain information as needed. Through a secure website, users may even deliver audit information to external auditors.

From development to post-launch support, the Feith platform remains highly secure and prevents outside parties from gaining entry. Personal data protection is essential for GDPR compliance, and Feith makes it easy to identify PII across the enterprise, automatically categorize it, perform auto-redactions, and protect that data where it lives.

Feith also grants users full control over managing their data system. The system automates complex processes that improve the entire workflow from document creation to record declaration, and through final disposition and removal. These management controls enable companies to track information about archived documents and view insights into their data with reporting dashboards.

Avoiding GDPR violations starts with taking proactive measures to secure your enterprise repositories; Feith can help. To learn more about Feith’s GDPR-ready platform, contact our team of experts today!