PST Files in Federal Agencies: 19% Breach NARA Regulations

Personal Storage Table (PST) files were introduced to Microsoft Outlook in 1996, allowing users to download and retain email data on individual workstations, local networks and removable devices.

At the time, they were an effective means of saving information without exceeding server restrictions, but in today’s world of virtually limitless mailbox storage, easy access and formalized archiving, PSTs are hard to justify.

Furthermore, PST files expose government agencies to security and compliance risks, with sensitive data liable to roam local workstations, removable media and network shares with broad permissions. Falling outside the scope of centrally managed data, they are highly vulnerable to attack and have featured in several notorious breaches, such as the Sony Pictures hack in 2014.

However, despite strict regulations being in place, this antiquated format still threatens federal bodies with data loss events, whether through innocent error or targeted theft.

Federal regulations for email management

National Archives and Records Administration (NARA) rules state federal agencies must manage email records in accordance with the Federal Records Act and 36 CFR Chapter XII Sub-chapter B.

Additionally, the issuance of NARA Bulletin 2013-2 established the ‘Capstone Approach’ as an alternative means of managing email.

Either way, PST files do not meet the required standards, as noted in an Office of Inspector General (OIG) report from 2016:

According to NARA regulations, creating .pst files is not an approved method of preserving Federal records, because .pst files do not have the required controls of an electronic records system. 36 C.F.R. § 1236.10.

The OIG’s findings further outlined PST inadequacies, explaining:

When OIG requested specific .pst files, it encountered difficulties in obtaining and accessing those files. S/ES-IRM was unable to produce all of the .pst files OIG requested, and some of the requested files were corrupted and their recovery required considerable resources.

Some .pst files were password-protected, and staff did not know the passwords needed to open those files. Other files contained no data at all. Of the .pst files OIG was able to review, many were incomplete in that they did not span the particular employee’s entire term of service, were mislabeled, or were missing key files such as populated sent or inbox folders.

According to S/ES-IRM, as part of the inventory process currently underway, it is moving all .pst files in its possession onto servers and clearly labeling them.

The above example is in direct contravention of the records management principles defined in Subpart B 1220.32, which states:

Records are available when needed, where needed, and in a usable format to conduct agency business.  Records, regardless of format, are protected in a safe and secure environment and removal or destruction is carried out only as authorized in records schedules.

This echoes the Capstone regulations that state agencies must:

  • Prevent the unauthorized access, modification or deletion of declared records.
    Agencies must ensure the email repository has appropriate security measures in place to prevent unauthorized access and/or destruction of records. Records must retain authenticity, reliability and trustworthiness throughout capture, maintenance and transfer.
  • Ensure all records in the repository are retrievable and usable.
    Email records maintained in a repository must be accessible to appropriate staff for as long as needed to conduct agency business. Agencies should also consider retrievability and usability when migrating from one repository to another.

NARA recommendations

Records Management Inspection Reports are regularly conducted by NARA, and PST usage within federal agencies continues to be flagged.

A 2018 investigation into the Defense Technical Information Center (DTIC) noted:

While DTIC has historically stored email as PST files on individual hard drives or shared drives, the PST files of each staff person lack internal controls to properly manage risk of potential loss as each employee is responsible for managing these files.

The following recommendation was asserted:

DTIC should end its current practice of storing PST files on staff personal drives and shared drives, and migrate legacy email to an electronic records management system, so that DTIC can more effectively manage email consistent with their business needs and NARA regulations and policies.

Similarly, a 2020 review of the Defense Information Systems Agency (DISA) revealed:

Currently, implementing instructions or controls do not exist for personnel to properly manage temporary email. Personnel can create as many PST files as they would like and keep them wherever they want, which increases the risk for potential loss, corruption of PST files that are not backed up, and unauthorized deletions.

As a result, DISA was advised to:

Recommendation 4.1: The RO, with guidance from the CIO, must develop and implement the necessary policies, procedures, and controls to ensure temporary email is preserved and available in accordance with its Capstone records schedule. (36 CFR 1220.34(i))

Recommendation 4.2: The RO, working with the Deputy CIO, must determine whether the loss, corruption, or unauthorized dispositions of temporary emails in PST files have occurred and report the results to NARA. (36 CFR 1230.14)

Breaking the rules

Despite the dangers, regulations and recommendations, NARA’s 2019 Federal Agency Records Management Report (the most recent publication) revealed 19% of federal agency survey respondents still use PSTs to capture and manage email records:

Q71. What method(s) does your agency employ to capture and manage email records? (Choose all that apply)

Answer options                                                                   Number of responses   Percent to total responses
Captured and stored in an email archiving system                                                198                          37%
Captured and stored in an electronic records management system                                   69                          13%
Captured and stored as personal storage table (.PST) files                                       98                          19%
Captured and stored using cloud services with records management included                        52                          10%
Print and file                                                                                   43                           8%
Captured and stored using cloud services, but records management IS NOT included                 42                           8%
Not captured and email is managed by the end-user in the native system                            2                           0%
Other, please be specific                                                                        25                           5%
Total responses to this question                                                                529                         100%
Total number of agencies responding to this question                                            247

Given how incompatible they are with modern IT practices and federal regulations, the continued prevalence of PSTs is shocking.

Understanding the risks

PST files present the following issues:

  • eDiscovery: PST data is effectively ‘off the grid’ (not searchable within centralized IT systems), so, if information is required, locating it in a timely manner is nearly impossible. Likely, compliance teams won’t even know the data exists, let alone be able to find it.
  • Retention and deletion policies: PSTs commonly circumvent message retention policies enforced by federal agencies, as they exist in the shadows and are difficult to detect. Similarly, end-users can easily delete the data with zero record or accountability.
  • Corruption: As PSTs grow in size, the risk of data corruption grows sharply, especially when they are stored on network shares. Additionally, as local PSTs are rarely backed up, recovering these files is often not possible. Microsoft also recently announced it is limiting PST version history in OneDrive and SharePoint because the data is prone to failure and not supported.
  • Helpdesk demands: Frequent requests to repair corrupt data, locate missing files and recover passwords are a burden on IT teams. Backup maintenance is also a strain on time, and this old-school administrative effort is a drain on costs and resources.
  • Device dependency: PSTs are only accessible on the device on which they are stored, meaning there is no remote access. Recent global events have shed light on this particular problem, as PST users have been unable to access data on office computers while working from home.

Safeguarding and upgrading your PST data

PST files can jeopardize the integrity of the records that federal agencies' IT departments are responsible for. Therefore, NARA directives emphasize the need for stricter policies.

The general shift in government organizations has been to move PST data ‘back to where it belongs,’ i.e. user mailboxes or Exchange archives. In doing so, centralized IT can regain visibility and control to enhance security and bring organizations in line with compliance regulations.

This effort can be simplified with enterprise-scale software solutions like PST Flight Deck, which helps to locate and identify PST files on your network and connected devices. The application removes passwords, repairs corrupt files, performs de-duplication and identifies files belonging to terminated users.
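The first step in any clean-up is knowing where the PST files actually are. The script below is an added example written for this article; it is not code from PST Flight Deck or any Quest product. It sweeps one or more directory roots (a home-drive share, a workstation profile folder) and identifies PST files by their header bytes rather than by the .pst extension alone, so a PST that a user renamed to .dat or .bak is still found, and a file that merely carries a .pst name is flagged for review. The header offsets come from Microsoft's public [MS-PST] specification; the sample files it writes under a temporary directory are constructed for the demonstration and contain only a header plus padding, not real mailbox data.

```python
"""Inventory PST files under one or more directory roots.

Files are identified by header bytes, not just by the .pst extension, so a
PST that was renamed (e.g. to .dat or .bak) is still found, and a file that
merely carries a .pst extension but is not a PST is reported separately.

Header layout used here (from the public [MS-PST] file format specification):
  offset 0,  4 bytes: dwMagic      = b"!BDN"
  offset 8,  2 bytes: wMagicClient = b"SM"
  offset 10, 2 bytes: wVer         = 14 or 15 for ANSI PSTs, 23 or higher for Unicode PSTs
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

PST_MAGIC = b"!BDN"
PST_MAGIC_CLIENT = b"SM"
HEADER_BYTES = 12  # enough to cover dwMagic, wMagicClient and wVer


@dataclass
class PstRecord:
    path: str
    size: int
    fmt: Optional[str]   # "ANSI", "Unicode", or None if the file is not a PST
    has_pst_ext: bool

    @property
    def is_pst(self) -> bool:
        return self.fmt is not None

    @property
    def suspicious(self) -> bool:
        """True for renamed PSTs and for .pst-named files that are not PSTs."""
        return self.is_pst != self.has_pst_ext


def pst_format(header: bytes) -> Optional[str]:
    """Return "ANSI" or "Unicode" for a PST header, or None if it is not a PST."""
    if len(header) < HEADER_BYTES:
        return None
    if header[0:4] != PST_MAGIC or header[8:10] != PST_MAGIC_CLIENT:
        return None
    (ver,) = struct.unpack_from("<H", header, 10)
    if ver in (14, 15):
        return "ANSI"      # legacy format, capped at 2 GB and the most corruption-prone
    if ver >= 23:
        return "Unicode"   # 23 is the classic Unicode layout; newer Outlook writes higher values
    return None


def classify(path: str) -> PstRecord:
    """Read only the header of a file and describe it; cheap enough for a large sweep."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_BYTES)
    return PstRecord(
        path=path,
        size=os.path.getsize(path),
        fmt=pst_format(header),
        has_pst_ext=path.lower().endswith(".pst"),
    )


def inventory(roots: List[str]) -> List[PstRecord]:
    """Walk each root and return every PST found plus any .pst-named non-PST."""
    found: List[PstRecord] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    rec = classify(full)
                except OSError:
                    continue  # unreadable or vanished file: skip, do not abort the sweep
                if rec.is_pst or rec.has_pst_ext:
                    found.append(rec)
    return found


def pst_header(ver: int) -> bytes:
    """Constructed 12-byte header for the demonstration only; not a valid mailbox."""
    return PST_MAGIC + b"\x00\x00\x00\x00" + PST_MAGIC_CLIENT + struct.pack("<H", ver)


def make_sample_tree(base: str) -> str:
    """Write constructed sample files under base and return the root to sweep."""
    root = os.path.join(base, "share")
    os.makedirs(os.path.join(root, "users", "jdoe"), exist_ok=True)
    samples = {
        "users/jdoe/archive.pst": pst_header(23) + b"\x00" * 500,  # Unicode PST
        "users/jdoe/old.pst": pst_header(14) + b"\x00" * 100,      # ANSI PST
        "users/jdoe/backup.dat": pst_header(23) + b"\x00" * 100,   # PST renamed to .dat
        "users/jdoe/notes.pst": b"just a text file\n",              # .pst name, not a PST
        "users/jdoe/readme.txt": b"nothing to see\n",               # ignored by the sweep
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory([make_sample_tree(tmp)]):
            flag = " (review)" if rec.suspicious else ""
            print(f"{rec.path}: {rec.fmt or 'not a PST'}, {rec.size} bytes{flag}")
```

Run it against real roots by passing your share or profile paths to `inventory()`; the records it returns (path, size, ANSI or Unicode, extension mismatch) are the starting point for assigning an owner to each file and prioritising ANSI and renamed files, which are the ones most likely to be corrupt or to have escaped earlier clean-ups.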

Additionally, once all files have been found, fixed and assigned to an owner, they can then be migrated to a new environment (such as Office 365 Government GCC), which would allow you to delete the original, non-compliant data. This automated process also allows users to retain access to files while they’re being migrated.

If you are interested, you can learn more about Quadrotech by Quest’s PST migration service here. For further insight on the process of migrating PST files, reference this helpful article: How to migrate PST files to Office 365.
