
The Critical Importance of COOP

From the Editors of CIOSC

From the days of royal rules of succession until today, governments have recognized that one of their essential obligations was to be prepared for the unexpected. While preparedness is recognized as a critical responsibility by federal, state, and local agencies, events of the past few years have brought into sharp focus both the importance of thorough continuity of operations planning (COOP) and the complexity of achieving it in a networked, data-driven environment.

Until relatively recently, continuity planning was generally the responsibility of individual agencies. In October 1998, Presidential Decision Directive (PDD) 67 identified the Federal Emergency Management Agency (FEMA) -- which is responsible for responding to, planning for, recovering from, and mitigating disasters -- as the executive agent for COOP planning across the federal executive branch.

FEMA Federal Preparedness Circular FPC 65 (July 1999) detailed the key elements of a viable COOP capability. It states that, at a minimum, every such plan should:

  1. Delineate essential functions and activities
  2. Outline a decision process for determining appropriate actions in implementing COOP plans and procedures
  3. Establish a roster of fully equipped and trained emergency personnel with the authority to perform essential functions and activities
  4. Include procedures for employee advisories, alerts, and COOP plan activation, with instructions for relocation to pre-designated facilities, with and without warning, during duty and non-duty hours
  5. Provide for personnel accountability throughout the duration of the emergency
  6. Provide for attaining operational capability within 12 hours, and
  7. Establish reliable processes and procedures to acquire resources necessary to continue essential functions and sustain operations for up to 30 days.

Significantly, FEMA deemed data security and network availability to be so important that it devoted a separate section to addressing them. The agency declared "the protection and ready availability (emphasis added) of electronic ... documents, references, records, and information systems needed to support essential functions under the full spectrum of emergencies" to be a critical element of a successful COOP plan. It also stressed the importance of identifying and protecting vital records "critical to carrying out an organization's essential legal and financial functions and activities," while cautioning that regular backup of information was also essential.

Some of these points are ingrained into every modern organization, but having them explicitly called out by the government has raised the awareness of their critical nature.

Extending the challenge to state and local agencies

Subsequent federal directives have underlined the responsibilities of state and local agencies to develop comprehensive COOP plans: "State and local governments are responsible for ensuring the continuation of critical infrastructure service operations to communities impacted by natural, technological, and WMD terrorist disasters. Protection of critical infrastructures helps to reduce negative impacts on rescue operations, communications, health and medical services, and the economy, among others." (FEMA, Introduction to State and Local EOP Planning Guidance, August 2002)

Each of the critical infrastructures it mentions depends to some degree on the integrity and availability of networks and information, again underscoring the critical role that data integrity and storage play in enabling public sector agencies to remain responsive at all times.

Measuring against COOP guidelines

Unfortunately, the COOP directives and advisories have not fully achieved their goals at most agencies. In February 2004, the General Accountability Office (GAO) released a report to Congress in which it observed that compliance with COOP goals had been spotty at the federal level. There were two main reasons for this, according to the GAO. First, many of the COOP plans it reviewed did not address previously identified essential functions or interdependence with other entities. Second, many of the plans did not use FEMA's guidance on how to effectively address specific areas. The GAO cautioned that:

"Unless agencies' essential functions are correctly and completely identified, their COOP plans may not effectively ensure that the most vital government services can be maintained in an emergency."

Among the report's central conclusions is that the federal government, and FEMA in particular, needs to improve its guidance on how to identify truly critical facilities, systems, equipment, and records. As the nation has seen throughout recent challenges from terrorist attacks to natural disasters, maintaining communications and access to networks and essential information -- from medical records to entire agency databases -- must be a priority.

Access to critical information is essential

The ability to quickly and easily access critical information is a major function of COOP. At the federal level, the Office of Management and Budget requires COOP planning for every information system, which must include both contingency planning for short-term impacts on operations and continuity planning for longer-term impacts in order to rapidly and effectively handle potential disruption of mission-critical functions. Because virtually all mission-critical information is processed by computers, an agency's COOP plan must outline an overall risk management program to respond to unplanned and adverse situations that may destroy, damage, degrade, or compromise information systems data or computer processing capabilities so that essential operations may continue. The COOP plan should address operational recovery issues, ranging from arrangements for a limited backup capability to relocation to a different facility in the event of a total failure.

While this is an admirable and essential goal, it has been increasingly difficult to attain as networks rapidly expand and the amount of data handled increases exponentially. New privacy requirements add further levels of complication. The task is how to fully comply with COOP requirements while ensuring that the end result of COOP's intent -- operational continuity and the swiftest possible return to pre-disaster functionality -- is also achieved. Only when both parts of this formula are successful will an agency have a viable COOP.

Advanced backup is key to COOP success

Backup, recovery, clustering, and replication technologies can assist in successful COOP planning by:

  • Expertly identifying mission-critical functions within and across agencies. That includes the sometimes-overlooked but essential interaction among federal, state, and local agencies.
  • Protecting vital records and databases through a combination of advanced backup and replication technologies.
  • Ensuring the operations of critical functions at alternative facilities, including both "hot" and "cold" sites.

Preparing to be prepared

Government organizations have a special responsibility to safeguard their assets and to perform their operations in spite of obstacles. Of course, it is impossible to predict the next emergency or natural disaster. However, solutions to maintain continuity of operations, combined with tested policies, plans, and procedures, can go a long way toward ensuring minimal interruption of services and helping federal, state, and local agencies prepare for emergencies and disasters.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.


Entire contents ©2008 InfoEdge. All Rights Reserved.