
NARA Survey: 50% of U.S. Federal Agencies still use PST Files

Jan 6, 2022 by Chris Cahill

Have you read the latest Federal Agency Records Management Report? Each year, the National Archives and Records Administration (NARA) surveys senior IT staff at U.S. federal agencies, and the findings are published online.  

We eagerly anticipate the results as they offer great insight into the pace of digital transformation in the public sector, which traditionally lags the commercial space.  

Each page of the 2020 edition (published September 2021) makes for compelling reading, but as we specialize in the world of email archive migration and PST migration, we’re particularly drawn to the question on email storage. 

Table showing survey responses pertaining to email storage - archives and PST files

As you can see from the table above, 76% of respondents utilize email archiving systems. However, there’s no detail as to whether these are on-premises platforms. Page two of the report states most agencies run on Microsoft Office 365, which implies many are running both an email archive system and Microsoft Office 365. When it comes to eDiscovery, this means organizations must search both repositories and ‘stitch’ the scans together.

While that’s not technically an issue – there’s no official directive to retire on-prem archiving and move data to the cloud – it does indicate the majority of federal agencies aren’t maximizing their cloud investment.  

Archive systems often require expensive infrastructure, so there’s an enormous cost savings opportunity in utilizing Microsoft 365’s in-built archiving. For example, the Indiana Office of Technology estimates it saves $500K per year since migrating Enterprise Vault archives to the cloud.

However, what’s more remarkable is the report indicates 50% of agencies still use PST files to capture and store email data. This is despite the well-documented cybersecurity risks of PST files and the fact NARA regulations prohibit PST usage. 

Federal rules for PST files

NARA states federal organizations must comply with the Federal Records Act, 36 CFR Chapter XII Sub-chapter B, and the ‘Capstone Approach’. To summarize, all email records must be easily accessible, secure, and follow formal archiving and deletion processes.  

If you know anything about PST files, you’ll know their off-the-grid, under-the-radar nature means they don’t meet the above criteria, which is why NARA is cracking down. 

In recent years, the regulator has investigated records management practices at several agencies, and PSTs are frequently highlighted as a cause for concern. For example, a 2020 Inspection Report into the Defense Information Systems Agency (DISA) noted: 

“Personnel can create as many PST files as they would like and keep them wherever they want, which increases the risk for potential loss, corruption of PST files that are not backed up, and unauthorized deletions.”

Consequently, NARA asserted DISA must implement controls to ensure all data is available in accordance with regulations (essentially banning PST files), and recommended the Records Officer investigate whether any corruption, loss or unauthorized disposition of PSTs had occurred. 

Shocking but not surprising 

Naturally, the public sector has constraints on budget and technology, so although it may be alarming to see how prevalent PSTs remain despite regulations, it’s not entirely surprising when you think about it.  

Additionally, when you consider PSTs have been available as a storage solution for over 25 years, changing user behavior isn’t going to happen overnight. Many users – perhaps even the majority – will be blissfully unaware there are any issues with the way they manage their email content. That is, until things break and they frantically call the helpdesk to restore a corrupt PST.

Microsoft MVPs and Quest colleagues Paul Robichaux and Mike Weaver recently met to discuss the issue of PSTs in the public sector, and you can get their take in this short video:

You can download the white paper Paul and Mike reference here:
PST File Security Risks for Federal Agencies 

The informative document covers the DISA investigation in more detail, while also examining PST problems at the Office of Inspector General (OIG) and the Defense Technical Information Center (DTIC).  

However, as Paul notes, whether you work in the federal space or not, the 4-page white paper is packed with practical advice for getting on top of your PST footprint and safeguarding your data, which should be useful for IT and compliance teams in every industry around the world. 

If you would like to learn more about our PST migration services, you can book a discovery call with our expert team. They’ll talk you through the ‘locate, migrate and eliminate’ process of our PST Flight Deck solution, and how we can upgrade your data with security, compliance and end-users in mind.  All this is done while users retain read-only access to their data during the migration process, ensuring zero disruption to business continuity.