Presentation on theme: "Department of Homeland Security Continuity of Operations (COOP)"— Presentation transcript:
1Department of Homeland Security Continuity of Operations (COOP) US-CERTContinuity of Operations (COOP)Program OverviewFor Official Use Only
2Continuity of Operations (COOP) Defined “An uninterrupted ability to provide services and support, while maintaining organizational viability, before, during, and after an event.”
3What is not COOP?Not designed to reproduce an entire function or section 100%COOP is not an exercise!Exercises are scheduled eventsCOOP is in reaction to a zero-day event3
4COOP ERG Members Must Be Prepared To “COOP” At Any Time For A Variety of Hazards SEVERE WEATHER/POWER OUTAGEPANDEMIC/BIOLOGICALTERRORISM OR WARBUILDING DAMAGE/EARTHQUAKESFIRE DANGERSHURRICANES/TYPHOONS/TSUNAMIS
5Federal Continuity: The Linkage Between ECG, COG and COOP Enduring Constitutional Government (ECG) – A cooperative effort among the executive, legislative, and judicial branches of the Federal Government, coordinated by the President…to preserve the constitutional framework under which the Nation is governed and the capability of all three branches of Government, during a catastrophic emergency, to execute their constitutional responsibilities and to provide for orderly successions, appropriate transitions of leadership, inter-operability, and support of National Essential Functions (NEFs) – FCD-1Continuity of Government (COG) – A coordinated effort within each branch of government (e.g., the Federal Government’s executive branch) to ensure that NEFs continue to be performed during a catastrophic emergency – FCD-1Continuity of Operations (COOP) – An effort within individual agencies to ensure they can continue to perform their Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs) during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies – FCD-1
6Mission Essential Functions A COOP program is an effort to ensure organizational MEFs can be performed at all times.National Essential Functions (NEF): Are those overarching functions of the Federal Government required to lead and sustain the Nation, and will be the primary focus of the Federal Government’s leadership during, and in the aftermath of, an emergency.Primary Essential Functions (PMEF): Are those agency (usually departmental level) MEFs that must be performed to support or implement the performance of the Nation’s NEFs before, during, and in the aftermath of an emergency.Mission Essential Functions (MEF): Are business functions that do not rise to the level of being PMEFs themselves, but must be continued or resumed rapidly after a disruption to enable the organization to provide vital services, and support the continued delivery service and access to customers.
7Mission Essential Functions Drive COOP Planning Particularly, MEFs drive:The number of personnel on the COOP roster (including members of an Advance Relocation Team).The number of workstations (IT Support) required at your Emergency Relocation Site (ERS).The number of COOP ERG members who may be able to support continuity of MEFs by teleworking at home.The types of information technology, critical systems, equipment, supplies, and other services required to support deployed COOP ERG members.Define essential functions as those functions that enable an organization to:Provide vital services.Exercise civil authority.Maintain the safety of the general public.Sustain the industrial and economic base.Point out that essential functions are the foundation for COOP programs and plans. For an agency that is at the beginning stage of COOP planning, determining essential functions must be completed before moving onto any other area.
8COOP Planning Requirements An Organization Must:Be capable of implementing a COOP plan with or without warning.Maintain the ability to continue MEFs at an Emergency Relocation Site as soon as possible after an event, but usually not later than 12 hours after COOP plan activation, and be ready to sustain performance of COOP for up to 30 days.Ensure succession orders and emergency delegations of authority are planned and documented.Ensure the availability of, and access to, vital records and resources.Ensure the availability and redundancy of critical communications capabilities to support connectivity between and among key leadership, internal elements, critical partners and the public.Provide for reconstitution capabilities that allow for recovery from a catastrophic emergency and resumption of normal operations.Identify, train and prepare personnel capable of relocating to a COOP location to perform MEFs and assign them to a COOP Emergency Relocation Group (ERG), as either an A, B, C, D or E Team member).Point out that COOP plans must:Be capable of implementation anytime, with and without warning. Agencies must have implementation plans and procedures in place for emergencies that occur with or without warning, during duty and nonduty hours.Provide full operational capability for essential functions not later than 12 hours after activation in all circumstances.Be capable of sustaining operations for up to 30 days. Agencies must develop operating procedures and acquire resources necessary to sustain operations for up to 30 days.Include regularly scheduled tests, training, and exercises to ensure that COOP plans are viable. Agencies must train members of their emergency staff and practice COOP procedures to ensure that their skills and knowledge stay current. Equipment and communications should be tested periodically to ensure that they are operable.
9Key Elements of any COOP Plan 10 elements of a basic, viable continuity capability:Mission Essential FunctionsOrders of SuccessionDelegations of AuthorityContinuity FacilitiesContinuity CommunicationsVital Records ManagementHuman CapitalTest, Training, & Exercise (TT&E)Devolution of Control and DirectionReconstitutionEssential functions: Essential functions are those functions that enable organizations and agencies to provide vital services, maintain the safety and well-being of personnel. and sustain the industrial/economic base in an emergency.Order of Succession: Orders of Succession are an essential part of a COOP Plan, for they include provisions for the assumption of authority and responsibility in the event leadership is incapacitated or unavailable to execute their legal duties in an emergency situation.Delegation of Authority: It is important to ensure that leadership is able to rapidly respond to any emergency situation, even when members of its leadership are absent. Delegations of Authority ensure formal documentation of those with the authority for making policy, legal, and/or monetary determinations when normal channels of direction have been disrupted.Continuity Facilities: Continuity Facilities are locations, other than the primary facility, used to carry out essential functions in a continuity situation. Continuity facilities, also known as alternate facilities, refer to not only other locations, but also nontraditional options such as working at home (teleworking), telecommuting, and mobile-office concepts.Interoperable Communications: Interoperable communications provide the capability to perform essential functions, in conjunction with other organizations, until normal operations can be resumed.Vital Records: The protection and ready availability of electronic and hardcopy documents, references, records, and information systems needed to support essential functions under the full spectrum of emergencies is another critical element of a successful COOP plan. Access to and the availability of these records and systems is necessary for conducting essential functions during a continuity event.Human Capital: Human capital refers to information and guidance provided to personnel regarding pay, leave, work scheduling, benefits, telework, hiring, authorities and flexibilities prior to and during a continuity event.Test, Training and Exercises: Test, Training and Exercises (TT&E) refers to a comprehensive program to plan, conduct and document periodic tests, training, and exercises to prepare for emergencies by demonstrating the viability of the organization’s continuity plans and procedures.Devolution: Devolution is the capability to transfer statutory authority and responsibility for continuation of essential functions from an organization’s primary operating staff and facilities to other employees and facilities, and to sustain that operational capability for an extended period.Reconstitution: The process by which surviving and/or replacement personnel within an organization resume normal operations from the original or replacement primary operating facility.
10COOP and ERG Member Responsibilities All COOP and ERG Members are responsible for:Being familiar with the organizational COOP Plan and the specific MEFs they support;Being trained and capable of performing their MEF roles from the designated ERS;Being prepared to deploy immediately upon activation and able to perform their organization’s MEFs within 12 hours of COOP Plan activation, or as directed for up to 30 days or until normal operations can be resumed;Being able to access the vital records, databases, and equipment required to execute their MEFs;Traveling, at least quarterly, to their designated location to test their work station;Ensure personal contact information is current at all times;Having a personal Drive-Away Kit ready (in their vehicle) and a Family Readiness Plan in place (see andNotifying their manager/supervisor and their component’s COOP POC immediately if they are unable to support the COOP mission.
11Readiness – Don’t Take It Lightly Drive-Away KitsDo you have a Business Drive-Away Kit prepared?Do you have a Personal Drive-Away Kit prepared?Personal Drive-Away kits should include important papers (I.D., Passports, Banking, etc)Family ReadinessDo you have a Family Readiness Plan in place?Family Readiness should include contact information, medical records, medications.(For information on family readiness planning go to:Any COOP plan that your organization develops can only be functional if the personnel can be assured that their families are safe and sound during an emergency situation.A business drive away kit should contain what you need to perform your function at an alternate work location. Essential files, documents,A family readiness plan should include what your family needs to be functional at a location other than your normal residence. Where will they go, how long will it take, the safest route.
12COOP Organizational Chart Director/President/CFODeputy DirectorOperationsCustomer OperationsIT SecurityPhysical SecurityCoordinationCommunicationFuture OperationsRecommendations and PreventionPlansReadinessTechnologySolutionsResource ManagementProgram ManagementCompliance and Classification12
13Priority Information Requirements PIR 1Successful compromise of account or network.PIR 2Successful exfiltration of data.PIR 3Successful SQL injection.PIR 4Successful root compromise of network.PIR 5Successful compromise of any Executive Office of the President website or account..PIR 6Successful denial-of-service (natural or manmade) of any Department, Agency, or critical asset, to include major infrastructure of any foreign government.PIR 7Newly discovered malware affecting three or more Departments or Agencies.PIR 8Confirmed 0-day exploit.PIR 9A 100% or significant increase in incident reports from a Department or agency when compared to the average number of reported incidents.PIR 10Web defacement of Department, Agency, or major public sector company.PIR 11Malware impacting at least 100 workstations.PIR 12Confirmed loss of cyber PII data for at least 10,000 individuals. PIR 13Loss of power in US-CERT, NCCIC, DHS NOC, or DHS SOCPIR 14Nuclear, biological, chemical, or any other attack to any Department or Agency asset.These are examples of priority information requirements that most federal government organizations follow. Some of them will be an exact cross over and some of them you may need to modify to suit your individual organizations needs and priorities.
14Director’s Critical Infrastructure Requirements DCIR 1Activation of all or a portion of the National Response Framework (NRF)DCIR 2Activation of USNORTHCOM Homeland Defense plans or other National Security Plans.DCIR 3Emergency requirements to support CIKR owners and operators, Federal Agency, or State government response to a cyber attack.DCIR 4Issuance of a National Terrorism Advisory System (NTAS) alert.DCIR 5Increase in Continuity of Government Condition (COGCON) levels from level 4 to level 3 or higher (1 or 2).DCIR 6Any major domestic or international terrorist attack against citizens or facilities with a potential cyber component (this includes all major terrorist attacks).DCIR 7Any major cyber incident or attack involving a well known corporation or service providing entity that could generate public panic or escalate as a result of significant media coverage or service interruption.DCIR 8Any major cyber attack targeting a National Security Special Event (NSSE) or international event sponsored by the or with significant representation.DCIR 9When a Federal agency (including the Department of Defense declaring INFOCON 2, or 1), undertakes emergency action to defend itself from a cyber attack such as isolating its networks from the Internet.DCIR 10A 50% or more reduction in US-CERT’s EINSTEIN sensor network.DCIR 11Activation of the DHS COOP Plan or Component COOP Plan.DCIR 12Significant disruption, degradation or threat to DHS networks and systems.DCIR 13Any cyber or non-cyber events affecting, or that could affect US-CERT mission, operations and/or leadership, to include leadership or US-CERT personnel on travel.DCIR 14A cyber or non-cyber event that affects a critical infrastructure asset(s) or facility or newsworthy reports that do not meet a PIR threshold (e.g., unconfirmed zero-day, political upheaval/unrest). Cyber impact is not immediate, but the event could pose a cyber impact and/or threat.Directors critical infrastructure requirements are what is important to your organizations leadership. What does the bank president, manager, and his staff see as the most critical elements to protect in their organization.
15Support Equipment (Tested Quarterly) COOP EquipmentOperational SeatsOperational seats should consist of a standard computer buildOperating SystemProcessorMemorySupport Equipment (Tested Quarterly)Printers (Color & BW)CopiersFax MachinesScannersShreddersNote:Store everyday files on shared drives and not on your C Drive.Safes (secure storageTVSVTC.Today's organizations are IT heavy, meaning we all rely heavily on information technology to perform our tasks and fulfill responsibilities to the organization and customers.
16COOP Equipment Connectivity Match your COOP connectivity as close as possible to your normal connectivity.Firewalls configured the same as your normal configuration.COOP networks should duplicate operational networks.SwitchesHubsNetwork StorageFirewalls (configured as closely as possible)Use telework where possible (remote login)Today's organizations are IT heavy, meaning we all rely heavily on information technology to perform our tasks and fulfill responsibilities to the organization and customers. If you are constrained by budget, facilities, distance, think about having a viable telework process in place. You can develop a COOP location for upper management and have a majority of your personnel working from dispersed locations (satellite offices, branched) and some from home.And as the note stresses, train personnel to save files on networked drives that reside on the more secure central servers, and not on their individual workstation drives. Remote secure login will allow workers to retrieve files from a central storage location/
17Types of Relocation Sites COOP EquipmentTypes of Relocation SitesHot Site – Fully operational site with as close as possible reproduction of your normal operational facility. In a hot site, the equipment is on and operational at all time waiting for personnel to log on.Warm Site – Operational site with as close as possible reproduction of your normal operational facility. In a warm site, the equipment is in place, tested, and in a standby mode. It may take a short period of time to get all the equipmentup and running once personnel arrive (4 to 8 hours).Cold Site – Equipment is in place and it may take up to 12 hoursto become fully operational.Today's organizations are IT heavy, meaning we all rely heavily on information technology to perform our tasks and fulfill responsibilities to the organization and customers. If you are constrained by budget, facilities, distance, think about having a viable telework process in place. You can develop a COOP location for upper management and have a majority of your personnel working from dispersed locations (satellite offices, branched) and some from home.And as the note stresses, train personnel to save files on networked drives that reside on the more secure central servers, and not on their individual workstation drives. Remote secure login will allow workers to retrieve files from a central storage location/
18DirectivesExecutive Order (EO) 12656, Assignment of Emergency Preparedness ResponsibilitiesNational Security Presidential Directive – 51 Homeland SecurityPresidential Directive, National Continuity PolicyNational Continuity Policy Implementation Plan (NCPIP)Federal Continuity Directive (FCD)Federal Executive Branch National Continuity Program and Requirements, February 2008Other related directives and guidance.These are national directives that govern federal offices. You should be familiar with the federal banking directives and have them available electronically.
19Operational Security and Prohibited Items/Activities Operational Security (OPSEC)Unclassified – Location of your Emergency Operations Center (EOC).Unclassified – Route to your company EOC.Prohibited Items/ActivitiesWeapons/Firearms (LEOs authorized)Knives (blades longer then 2 ½ inches)ExplosivesIllegal DrugsAlcoholic BeveragesNo PhotographyVideo RecordersNo personal IT
20US-CERT COOP Overview24x7x365 Operations Center to management activities that coordinate response and share information about cybersecurity incidents.Production and reporting of threat, vulnerability information and mitigation strategies to include situational updates.Collaboration and coordination with partners and customers across the federal government, state and local, private sector and the international community.As part of the federal infrastructure, US-CERT has to maintain the three main MEF listed above, no matter what.US-CERT is fortunate or should I say unfortunate, depending how you look at it, of having one of the worst power grids. The Arlington Virginia area is part of the metropolitan are power grid which is overtaxed due to the expansion of government, new construction, and all the contractors and other civilian organizations that are located in the area for obvious reasons. The power in the rented building we occupy is constantly being shut down for upgrades and repairs and the last time we tried to use a generator it caught fire. So we get to practice our relocation to our primary alternate at Mt. Weather. The national capital region power grid is also susceptible to storms. In the past week alone we have 4 power events where we had to switch over to the local backup UPS located at each position and in the server rooms. This gives us about 30 minutes of operational power and then we have to make the call to deploy to the alternate location.
21US-CERT Responsibilities Responsible for daily incident handling and operations on a 24x7x365 basis. Creation of products and publications for the dissemination of information to US-CERT’s constituents. Coordination of meetings and teleconferences for the dissemination of information to the federal civilian government. COOP planning and coordination.Responsible for the collaboration and coordination with mission partners and customers to support situational awareness, daily operations, crisis operations and product development with:Federal Department and AgenciesCyber Centers and NCSCLaw Enforcement and Intelligence CommunityPrivate SectorInternationalState and LocalSupport a consistent communication processes to promote the flow of cybersecurity information into and out of US-CERT is an important part of the US-CERT mission.
2224X7 Integrated Operations Center As Part of the 24/7/265 Operations Center, US-CERT maintains an operational presence on the floor of the National Cyber Collaboration and Integration Center (NCCIC).
23Traffic Light Protocol When should it be used?TLP ColorSources may use TLP: RED when information cannot be effectively acted upon by additional parties and could lead to impacts on a party's privacy, reputation, or operations if misused.Sources may use TLP: AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.Sources may use TLP: WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release.How may it be shared?Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.Recipients may only share TLP: AMBER information with members of their own organization, and only as widely as necessary to act on that information.Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.TLP: WHITE information may be distributed without restriction, subject to copyright controls.REDWHITEAMBERGREEN
24US-CERT COOP Contact Technical comments or questions: US-CERT Security Operations Center Phone:General questions or suggestions:US-CERT Information Request Phone:US-CERT COOPPhone:Information is also available at
25NPPD COOP Program Points of Contact: FS-ISAC 24/7 Ops Center,NPPD: Mick Mulligan,NCS: Mike Lastrina,
27Overview of the COOP Continuity of Government Readiness Condition (COGCON) System and Related ActivitiesThe COOP COGCON System was implemented to decrease the amount of time for Federal D/As to be fully operational at their ERS.Changing COOP COGCON levels enable COOP activities to be implemented over a period of time, allowing for a systematic escalation of COOP readiness and increase in activation of resources.Precipitous threat changes may require a non-sequential escalation in COOP COGCON levels, compressing time to activate and implement COOP plans.Designated members of the NPPD COOP ERG will be notified of COGCON changes via ENS or other means, in accordance with the NPPD COOP Plan.The COOP COGCON system applies only to threats or incidents in the National Capital RegionCOGCON 4 (Steady State): The ERS must be maintained ready for full activation and assumption of NPPD MEFs within 12 hours. Quarterly audits of capabilities are conducted. NPPD continues to perform functions from its normal every day operating locations.COGCON 3 (ERS Warm-Up Initiated) The ERS must be prepared and ready for full activation and assumption of NPPD MEFs within 8 hours of activation. Designated members of the NPPD COOP ERG deploy as directed. NPPD continues to perform its functions from normal locations.Busy, font too small, especially in the explanatory boxesFont in the yellow COGCON 4 hard to readCOGCON 1 (ERS Warm-Up Is Escalated) The ERS must be ready for full activation and assumption of NPPD MEFs immediately upon activation. Designated members of the NPPD COOP ERG deploy as directed. Daily status meetings are conducted. Capabilities are tested. NPPD continues to perform its functions from normal locations.COGCON 2 (ERS Warm-Up Is Escalated) The ERS must be prepared and ready for full activation and assumption of NPPD MEFs within 4 hours of activation. Designated members of the NPPD COOP ERG deploy as directed. Capabilities are tested. NPPD continues to perform its functions from normal locations.27
28NPPD COOP ERG Alert & Notification Process EXECUTIVE BRANCHExecutive BranchDepartments and AgenciesWithin DHS this includesOPS/NOCNational Continuity CoordinatorBCEPWhite HouseFEMA Operations Center (FOC) (“Bluegrass”)DHSAlert and Notification Process – Executive BranchWhen the President directs a COGCON change, all Executive Branch Departments and Agencies (D/As) are notified in the following manner:Presidential Emergency Operations Center (PEOC) notifies the FOC.The FOC notifies: Designated Departments and Agencies (D/A) COOP Points of Contact (POCs) with a blast message; and D/A operations centers with an Alert Notification (A/N) conference call. This process remains the same for any change in the COOP COGCON level.NPPD BCEP Staff notifies NPPD ART and ERGMembers Via ENS28