Agencies take notice of continuity planning

IT is important, FEMA CIO Barry West says, 'but people also have to know where to go and what to do when they get there.'

Henrik G. de Gyor

As FEMA readies governmentwide test, GAO questions agencies' disaster readiness

More than 2,500 federal employees from 45 agencies next week will test how prepared the government is to stay open if disaster strikes.

The Homeland Security Department's Emergency Preparedness and Response Directorate, which still uses the acronym FEMA, will run Exercise Forward Challenge to see how far along agencies are in developing and implementing continuity of operations plans, or COOPs.

Agencies are realizing the importance of COOPs just as cybersecurity has become a priority in recent years, and FEMA is keeping a close eye on agency progress.

During the exercise, employees will go to alternate work sites outside Washington and then try to hook up to their networks, access e-mail and data files, communicate with other federal officials and perform their usual tasks.

'This is a full-scale operation designed to test interdependencies and essential functions,' FEMA undersecretary Michael Brown said. 'Agencies will find out if their plans work, and it will give them a wake-up call to fix any problems.'

Brown last month told lawmakers he is confident that agencies are prepared.

'We are getting there,' Brown said at a hearing of the House Government Reform Committee. 'All major departments have continuity of operations plans in place, and we have looked at them. They need to be fine-tuned and improved, but all of the agencies have them.'

Linda Koontz, director for information management issues for the General Accounting Office, expressed less optimism. She told the committee that she would not guarantee that agencies would continue to operate at full capacity if a catastrophe hit the Washington area.

Koontz said no agency has fully implemented Federal Preparedness Circular 65. The 1999 directive set basic guidelines for continuity of operations plans.

'There are a couple of different things going on,' she said. 'The guidance from FEMA is not clear, which made for inconsistent plans, and FEMA has not provided regular oversight on agency plans.'

Koontz said no agency met all of the directive's requirements, which include identifying and making readily available vital records and providing interoperable voice and data communications.

Examiners found that 15 out of 34 agencies' plans that GAO reviewed did not identify critical systems or the data necessary to conduct essential functions. GAO also said 14 agencies had failed to set up plans for interoperable communications with other federal employees and the public if necessary.

'We had some very detailed conversations with agencies when we didn't see a particular element in a plan,' she said in an interview. 'We gave agencies other opportunities to provide us with other documentation if they had the missing element somewhere different.'

More guidance

Brown said FEMA is revising the circular to include more specific guidance, such as examples of high-impact programs that would be considered essential and how to identify must-have records and databases.

FEMA also has begun developing a classified system called the COOP Readiness Reporting System to centralize and monitor information on governmentwide capabilities.

Although agencies failed to note some of these technology issues in their plans, FEMA CIO Barry West and private-sector experts said business processes and personnel training are bigger problems.

West took part in FEMA's December COOP exercise with 300 employees and said the technology and comm systems performed well.

'We did a lot of planning with FEMA's help desk and making sure employees routinely put their data in the COOP folder on the server, which synchronizes it with the server at the alternate location,' West said. 'But people also have to know where to go, what to do when they get there and be able to communicate with others, and that is where the planning comes in.'

West said FEMA uses remote-access software from iPass Inc. of Mountain View, Calif., which lets employees use the same user names and passwords to access their computers at headquarters and at the alternate locations. This makes the process much less complicated, West said.

Craig Janus, corporate vice president for Mitretek Systems Inc., a nonprofit research organization in Falls Church, Va., said agencies need to train essential employees to bring home their notebook PCs and chargers, and how to deploy and maintain some basic technologies.

Dave Jerome, a principal with the global resilience team for Booz Allen Hamilton Inc. of McLean, Va., said most agencies are in good shape from a data perspective but need to run exercises of their plans more often.

'We must do everything possible to address COOP inconsistencies across the board,' said Rep. Tom Davis (R-Va.), Government Reform's chairman. 'Continuity of operations means more than keeping your Web site up and running.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above