Board Report: 2014-IT-B-018 October 30, 2014
We found that the Board's continuity program currently lacks several critical components of a viable COOP. Specifically; the Board's continuity program lacks a comprehensive Test, Training, and Exercise program; a reconstitution plan; and a devolution plan. In addition, we noted weaknesses in the Board's Business Process Analysis. These components are necessary to ensure that Board employees are aware of their roles and responsibilities; that the COOP can be successfully implemented in an emergency; and that the Board can return to its normal day-to-day operations, with staff roles and responsibilities transferring to new personnel if necessary.
The Board has taken steps to prepare for emergencies and performs biannual contingency tests of its information systems in accordance with Federal Information Security Management Act of 2002 requirements. However, these biannual system tests do not fully meet the objectives of a Test, Training, and Exercise program as defined by FCD-1. These system tests do not involve all personnel with COOP roles and responsibilities, nor do they prepare personnel to execute the Board's COOP. These biannual tests focus on recovering information technology (IT) systems and do not assess the resumption of Board functions that must continue in an emergency. The Board has also engaged in government wide Eagle Horizon2 tests of continuity programs; however, ICCP staff members cited inadequate participation from Board divisions in these tests. Board division staff members noted that these Eagle Horizon tests are unrealistic and do not adequately reflect scenarios that the Board could experience in an emergency.
A Test, Training, and Exercise program prepares personnel with continuity responsibilities by training them in their roles and responsibilities and testing their procedural knowledge through exercises and simulations that are meant to reflect scenarios that these personnel are likely to encounter in an emergency. Through a Test, Training, and Exercise program, leadership and staff learn the necessary skills for the procedures and tasks they must perform in executing continuity plans. Likewise, tests of continuity programs assess and validate all the components of continuity plans, policies, procedures, systems, and facilities to ensure that operations can be resumed in an emergency.
The ICCP noted that because it has not been able to ensure that divisions participated in Test, Training, and Exercise activities, it has been unable to fully implement a Test, Training, and Exercise program. ICCP staff members further noted that without voluntary participation and cooperation from the divisions, the ICCP is unable to conduct Boardwide training, tests, and exercises of the continuity program. ICCP staff members stated that they would like to perform quarterly tabletop exercises of the Board's COOP; however, the historical lack of participation from Board divisions in COOP-related activities has been an obstacle to implementing these tests. Without a COOP Test, Training, and Exercise program and the proper level of participation in associated activities, the Board does not have assurance that the COOP can be executed successfully in a real emergency.
After our review of the enterprise COOP and further inquiry, ICCP staff members reported that they have a high-level concept of how a reconstitution plan for the Board would be carried out; however, the ICCP needs to take additional steps to develop and implement the necessary plan. Without a reconstitution plan in place, the Board may not be able to resume normal agency operations during or after a disaster in a timely manner.
Reconstitution plans outline the steps an organization will take to return to its normal operating environment and location. For example, a reconstitution plan will be activated after a disaster is over and the Board needs to resume day-to-day operations at a replacement facility indefinitely. Currently, the Board does not have a reconstitution plan in place.
According to FCD-1, reconstitution is the process by which surviving or replacement agency personnel resume normal agency operations from the original or replacement primary operating facility. Reconstitution embodies the ability of an agency to recover from an event that disrupts normal operations and consolidates the necessary resources so that the agency can resume its operations as a fully functional entity of the federal government. In some cases, if an agency suffers the complete loss of a facility or if collateral damage from a disaster renders a facility structure unsafe for reoccupation, extensive coordination may be necessary to procure a new operating facility. Agencies must identify and outline a plan to return to normal operations once agency heads or their successors determine that reconstitution operations for resuming normal business operations can be initiated.
After we reviewed the enterprise COOP and further inquired, ICCP staff members reported that they have a high-level concept of how a devolution plan for the Board would be carried out; however, the ICCP needs to take additional steps to develop and implement the necessary plan. Without a devolution plan in place, the Board may not be able to resume normal agency operations during or after a disaster in a timely manner.
Devolution plans outline the steps an organization will take should its personnel become incapacitated and are unable to continue to perform the organization's essential functions at the alternate work site. A devolution plan could be activated in the event Board personnel are completely incapacitated and responsibilities for Board functions must be transferred to alternate personnel. Currently, the Board does not have a devolution plan in place.
FCD-1 states that devolution planning supports overall continuity planning and addresses catastrophes that render an agency's leadership and key staff unavailable to or incapable of performing their essential functions from either the agency's primary or alternate facilities. A continuity plan should have a devolution option to address how an agency will identify and transfer its essential functions or leadership authorities away from the primary facility or facilities to a location that offers a safe and secure environment in which essential functions can continue to be performed. The devolution option may be used when the agency's alternate facility is not available, or the option can be activated as a continuity measure.
We noted inconsistencies in what are deemed to be critical IT applications. We identified several instances in which systems are identified as essential contingency systems on the Board's Federal Information Security Management Act of 2002 system inventory but are not listed on the divisions' Volume II COOPs. Similarly, some critical systems that are identified on divisions' Volume II COOPs are not listed on the Division of IT's Volume II COOP list of critical applications. The Board divisions rely on the Division of IT to restore their systems during a COOP event, and the Division of IT will only restore systems that are listed on its Volume II COOP. Failure of the Division of IT to restore systems that divisions have identified as critical could delay the resumption of the Board's Mission-essential Functions.
We also noted instances in which recovery time objectives, which designate how quickly systems need to be restored, are not consistent between the divisions' Volume II COOPs and the Division of IT's Volume II COOP. This inconsistency in required recovery times could result in systems not being appropriately prioritized for recovery by the Division of IT as well as delays in the resumption of Mission-essential Functions.
We found that the Board identified its primary Mission-essential Functions in Volume I COOP. In addition to the Board's Mission-essential Functions, each division has identified its own essential functions in its Volume II COOP. Through a review of documentation, we found that although Mission-essential Functions are identified in Volume I and Volume II, the ICCP did not perform a Business Process Analysis of the Board divisions' functions nor did it identify the specific inputs and outputs to Mission-essential Functions.
A Business Process Analysis is a thorough analysis of an organization to identify the inputs and outputs needed to perform the organization's Mission-essential Functions and to ensure that the organization's COOP addresses the continuation of all the organization's necessary activities. The specific inputs and outputs, including lower-level organizational functions and systems, that support Mission-essential Functions are to be identified and planned for in a COOP.
The Board has identified the following as its primary functions in its COOP:
The Board must continue to perform these Mission-essential Functions during an emergency or disaster to fulfill its mission.
FCD-1 notes that all agencies are to identify and prioritize their essential functions as the foundation for continuity planning. As such, the agency should carefully review all of its missions and functions before determining those that are essential. Improperly identifying functions as essential or not identifying as essential those functions that are can impair the effectiveness of the entire continuity program, because other aspects of the plan are designed around supporting these functions. If an agency fails to identify a function as essential, that agency will not identify the requirements and resources needed to support that function in an emergency and will not make the necessary arrangements and coordination to perform that function. If an agency identifies too many functions as essential, the agency risks being unable to adequately address all of them.
As the first business process analysis step, FCD-1 further instructs agencies to outline each Mission-essential Function in a business process mapping format (i.e., inputs, outputs, resources, systems, facilities, expertise, and authorities) to identify elements that impact the ability to complete the Mission-essential Functions. A successful Business Process Analysis will identify gaps within a department or agency and areas in which more than one department or agency has responsibilities. This gap identification provides departments and agencies an opportunity to fill the gap and ensure successful execution of essential functions and preparation for incident management.
The Board's lack of a comprehensive Business Process Analysis is a direct result of the decentralized governance in the Board's continuity program, where each division has independently developed and approved its own COOP. Because business process mapping of division functions has not been done, the enterprise-level Mission-essential Functions are not directly tied to specific division critical functions and inputs and outputs or to interdependencies within divisions. This fragmented approach has resulted in inconsistencies in the prioritization of resources and gaps in the Board's continuity program.
Without a comprehensive Business Process Analysis and an enterprise-wide, integrated approach that addresses the identification and prioritization of inputs and outputs to Mission-essential Functions throughout the Board, the Board cannot be assured that the Volume I and II COOPs fully support the execution of all the Board's primary Mission-essential Functions. Further, the Board cannot be assured that the divisions' COOPs appropriately prioritize the essential functions, activities, and systems that are required to keep the Board functioning in an emergency. Without proper prioritization, the Board's limited emergency resources may not be optimally allocated, resulting in inefficiencies in the COOP and delays in the resumption and performance of the Board's Mission-essential Functions during an emergency.
We recommend that the Director of the Management Division
In response to recommendation 2, the Director of the Management Division stated that the Intelligence & Resiliency Programs personnel is currently in the process of completing a contract for the development of a continuity Test, Training, and Exercise program; and plans to begin development of both a reconstitution plan and a devolution plan in 2015.
In response to recommendation 3, the Director of the Management Division stated that the Intelligence & Resiliency Programs personnel has already begun the process to conduct a Business Process Analysis and Business Impact Analysis, and plan to complete the process in September 2015.
In response to recommendation 4, the Director of the Management Division stated that completing this recommendation is linked to the Management Division's response to recommendations 2 and 3, and this process is already underway.
In our opinion, the actions described by the Director are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.