Dec 31 2009

IT's Critical Role in COOP: Here's What to Keep in Mind

Photo: John Welzenbach

As government information technology operations have become increasingly fundamental to agencies’ missions, IT managers have learned to work ever more closely with staff members beyond their own technology groups. That teamwork is never more important than when it comes to COOP.

Continuity of operations planning is the mechanism agencies use to ensure that essential government services don’t shut down during crises that disrupt operations. COOP has taken on newly critical importance in the post-9/11 era, and IT plays an important role in preventing federal shutdowns — an event viewed as unthinkable.

Rep. Tom Davis (R-Va.) is one person with such a mindset. Davis, chairman of the House Government Reform Committee, is a staunch advocate of COOP preparedness. Federal employees of all stripes keep the wheels of government running, Davis says. “However, what happens if the headquarters of a federal agency, or many federal agencies, is incapacitated in the aftermath of an attack or a major natural disaster?”

But what happens if a routine electrical outage occurs? About a year and a half ago, the Federal Emergency Management Agency lost its power grid when an electric company’s circuits went down. FEMA CIO Barry West knew the agency’s backup power would last only so long — and only served part of the building. So, briefly at least, FEMA relocated.

FEMA’s IT team had ensured in advance that notebook PCs used by agency staff were properly configured for remote use. West’s staff also had backed up the agency’s files and copied them to a remote COOP location — something FEMA does nightly. Key personnel in finance, procurement and other support groups were assured access to software such as spreadsheet and other administrative applications. Workers who FEMA knew needed access to other specific programs also were set up with privileges to remotely tap these applications.

“It went extremely well,” West says. “Everybody knew what their roles were, and they knew what they were doing.” It went well, he says, because of practice, a pillar of FEMA’s COOP strategy that the CIO stresses for his own team and advocates for IT groups in other agencies.

Do the Drill

By practice, West means actively carrying out drills, exercises and tabletop scenarios. Needless to say, the IT team holds an important seat at the table. FEMA has a COOP Working Group that includes a representative and alternate from each of the agency’s five business units, as well as members from the CIO and chief financial officer’s staffs and other major support groups.

How to Know What’s Essential

An agency’s IT team and the stakeholders it serves must identify the functions essential to providing the agency’s mission before building COOP plans. GAO has set an eight-step agenda to get this done:

1. Build a COOP work group or committee to select essential functions.
2. Determine each function’s needed resources.
3. Determine each function’s necessary dependencies.
4. Build a COOP effort project schedule.
5. Identify and rank plausible threats.
6. Perform a risk and impact analysis for each function.
7. Build a strategy for validating the COOP plan and its essential functions.
8. Alter the final list of essential functions as dictated by the validation process.

For the tabletop scenarios, FEMA’s IT officials do something akin to role-playing — explaining the actions IT would take both in advance of and in response to hypothetical events that could disrupt the agency. The exercises give the IT team a chance to gauge its effectiveness within the context of all FEMA groups’ actions as if they’re unfolding in a real-life situation.

The key to performing effectively, West says, is ongoing COOP planning and testing. In addition to regular data backups, his FEMA team has created a checklist of all the hardware and software necessary for smooth operations at its COOP facilities. For example, each FEMA staff member who uses a notebook has a second docking station preconfigured for his or her machine that’s ready to go at COOP locations.

But how does an IT manager know what’s necessary and what’s not? That’s a matter of first conforming to the specific mandate laid down by the COOP process and then going through a discovery phase to determine essential functions.

Linda Koontz, director for information management issues at the Government Accountability Office, notes that the baseline COOP requirements are found in FPC 65, the Federal Preparedness Guide for Continuity Planning. FPC 65 states that agencies have to resume operations within 12 hours of any disruption and be capable of continuing operations in a temporary arrangement for up to 30 days.

GAO has designed a set of sound practices that agency groups, including IT, can use to determine which of their services are essential (see chart). The eight steps, first and foremost, include forming a COOP work group to make the initial decision about what an agency’s essential functions are, followed by identifying required resources, detailing potential threats, performing impact analyses and other tasks.

“Anyone will tell you that selecting your essential functions is the foundation of continuity planning,” Koontz says. “If you don’t do that, then you put all your planning at risk.”

To successfully carry out a COOP program, it is critical to understand that it involves more than just relocation. Another component of COOP — the ability to support teleworkers — depends intrinsically on IT.

“The war on terror makes the ability to work at offsite locations more than an attractive option for employees and employers,” Davis says. “It’s now an imperative.”

The Look and Feel

CIOs and IT directors have to ensure that staff members’ remote work locations — whether preset COOP locations or elsewhere — are as similar to their regular work environments as possible. In addition to ensuring that the agency’s data will be available remotely, the IT shop must train staff on how to access their networks remotely and securely.

IT also must anticipate the types of access methods to use remotely, says Tom Simmons, area vice president of government systems for Citrix, a maker of remote-access software. For example, for security reasons, some agencies don’t let employees use their own home PCs to gain access.

The systems team must take advance measures to create safe access to Web-enabled applications and other data. Like other elements of COOP, controlling access rights is something to manage in advance. Otherwise, when disaster strikes, operations continuity can become the disaster.