Homeland Security FOUO / UNCLASSIFIED

Slide 1: Department of Homeland Security US-CERT Continuity of Operations (COOP) Program Overview
For Official Use Only
Slide 2: Continuity of Operations (COOP) Defined
“An uninterrupted ability to provide services and support, while maintaining organizational viability, before, during, and after an event.”
Slide 3: What is not COOP?
Not designed to reproduce an entire function or section 100%.
COOP is not an exercise! Exercises are scheduled events; COOP is in reaction to a zero-day event.
Slide 4: COOP ERG Members Must Be Prepared To “COOP” At Any Time For A Variety of Hazards
Building damage/earthquakes
Pandemic/biological
Severe weather/power outage
Fire dangers
Hurricanes/typhoons/tsunamis
Terrorism or war
Slide 5: Federal Continuity: The Linkage Between ECG, COG and COOP
Enduring Constitutional Government (ECG): A cooperative effort among the executive, legislative, and judicial branches of the Federal Government, coordinated by the President…to preserve the constitutional framework under which the Nation is governed and the capability of all three branches of Government, during a catastrophic emergency, to execute their constitutional responsibilities and to provide for orderly successions, appropriate transitions of leadership, inter-operability, and support of National Essential Functions (NEFs). (FCD-1)
Continuity of Government (COG): A coordinated effort within each branch of government (e.g., the Federal Government’s executive branch) to ensure that NEFs continue to be performed during a catastrophic emergency. (FCD-1)
Continuity of Operations (COOP): An effort within individual agencies to ensure they can continue to perform their Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs) during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies. (FCD-1)
Slide 6: Mission Essential Functions
A COOP program is an effort to ensure organizational MEFs can be performed at all times.
National Essential Functions (NEF): those overarching functions of the Federal Government required to lead and sustain the Nation, which will be the primary focus of the Federal Government’s leadership during, and in the aftermath of, an emergency.
Primary Mission Essential Functions (PMEF): those agency (usually departmental level) MEFs that must be performed to support or implement the performance of the Nation’s NEFs before, during, and in the aftermath of an emergency.
Mission Essential Functions (MEF): business functions that do not rise to the level of being PMEFs themselves, but must be continued or resumed rapidly after a disruption to enable the organization to provide vital services and support the continued delivery of services and access to customers.
Slide 7: Mission Essential Functions Drive COOP Planning
In particular, MEFs drive:
The number of personnel on the COOP roster (including members of an Advance Relocation Team).
The number of workstations (IT Support) required at your Emergency Relocation Site (ERS).
The number of COOP ERG members who may be able to support continuity of MEFs by teleworking at home.
The types of information technology, critical systems, equipment, supplies, and other services required to support deployed COOP ERG members.
Slide 8: COOP Planning Requirements
An Organization Must:
Be capable of implementing a COOP plan with or without warning.
Maintain the ability to continue MEFs at an Emergency Relocation Site as soon as possible after an event, but usually not later than 12 hours after COOP plan activation, and be ready to sustain performance of COOP for up to 30 days.
Ensure succession orders and emergency delegations of authority are planned and documented.
Ensure the availability of, and access to, vital records and resources.
Ensure the availability and redundancy of critical communications capabilities to support connectivity between and among key leadership, internal elements, critical partners and the public.
Provide for reconstitution capabilities that allow for recovery from a catastrophic emergency and resumption of normal operations.
Identify, train and prepare personnel capable of relocating to a COOP location to perform MEFs and assign them to a COOP Emergency Relocation Group (ERG), as either an A, B, C, D or E Team member.
Slide 9: Key Elements of any COOP Plan
10 elements of a basic, viable continuity capability:
Mission Essential Functions
Orders of Succession
Delegations of Authority
Continuity Facilities
Continuity Communications
Vital Records Management
Human Capital
Test, Training, & Exercise (TT&E)
Devolution of Control and Direction
Reconstitution
Slide 10: COOP and ERG Member Responsibilities
All COOP and ERG Members are responsible for:
Being familiar with the organizational COOP Plan and the specific MEFs they support;
Being trained and capable of performing their MEF roles from the designated ERS;
Being prepared to deploy immediately upon activation and able to perform their organization’s MEFs within 12 hours of COOP Plan activation, or as directed for up to 30 days or until normal operations can be resumed;
Being able to access the vital records, databases, and equipment required to execute their MEFs;
Traveling, at least quarterly, to their designated location to test their work station;
Ensuring personal contact information is current at all times;
Having a personal Drive-Away Kit ready (in their vehicle) and a Family Readiness Plan in place (see www.ready.gov);
Notifying their manager/supervisor and their component’s COOP POC immediately if they are unable to support the COOP mission.
Slide 11: Readiness – Don’t Take It Lightly
Drive-Away Kits
Do you have a Business Drive-Away Kit prepared?
Do you have a Personal Drive-Away Kit prepared?
Personal Drive-Away kits should include important papers (I.D., passports, banking, etc.).
Family Readiness
Do you have a Family Readiness Plan in place?
Family Readiness should include contact information, medical records, medications.
(For information on family readiness planning go to:
Slide 12: COOP Organizational Chart
Positions and functions shown on the chart:
Director/President/CFO
Deputy Director
Operations
Customer Operations
IT Security
Physical Security
Coordination
Communication
Future Operations
Recommendations and Prevention Plans
Readiness
Technology Solutions
Resource Management
Program Management
Compliance and Classification
Slide 13: Priority Information Requirements
PIR 1: Successful compromise of account or network.
PIR 2: Successful exfiltration of data.
PIR 3: Successful SQL injection.
PIR 4: Successful root compromise of network.
PIR 5: Successful compromise of any Executive Office of the President website or account.
PIR 6: Successful denial-of-service (natural or manmade) of any Department, Agency, or critical asset, to include major infrastructure of any foreign government.
PIR 7: Newly discovered malware affecting three or more Departments or Agencies.
PIR 8: Confirmed 0-day exploit.
PIR 9: A 100% or significant increase in incident reports from a Department or Agency when compared to the average number of reported incidents.
PIR 10: Web defacement of Department, Agency, or major public sector company.
PIR 11: Malware impacting at least 100 workstations.
PIR 12: Confirmed loss of cyber PII data for at least 10,000 individuals.
PIR 13: Loss of power in US-CERT, NCCIC, DHS NOC, or DHS SOC.
PIR 14: Nuclear, biological, chemical, or any other attack to any Department or Agency asset.
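Several of the PIRs above are numeric thresholds that a watch floor can check mechanically against incoming incident reports. The following is an added example, not from the US-CERT deck: it triages a constructed batch of reports against PIR 7, 9, 11 and 12; the record fields, agency names and malware family are hypothetical.

```python
"""PIR triage over constructed incident reports (added example)."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed baseline: weekly incident-report counts previously filed by each
# agency, i.e. the "average number of reported incidents" PIR 9 compares against.
BASELINE_WEEKLY_REPORTS = {
    "Agency-A": [12, 10, 14, 11],   # mean 11.75, so 24 reports is a 100%+ increase
    "Agency-B": [40, 38, 42, 41],   # mean 40.25
}

# Constructed current-week reports; only the fields the PIR checks need.
CURRENT_REPORTS = [
    {"agency": "Agency-A", "type": "malware", "family": "FamX", "workstations": 150, "pii": 0},
    {"agency": "Agency-B", "type": "malware", "family": "FamX", "workstations": 3, "pii": 0},
    {"agency": "Agency-C", "type": "malware", "family": "FamX", "workstations": 1, "pii": 0},
    {"agency": "Agency-A", "type": "data_loss", "family": None, "workstations": 0, "pii": 25000},
] + [{"agency": "Agency-A", "type": "phishing", "family": None, "workstations": 1, "pii": 0}] * 22


def pir9_triggered(current_count, baseline_counts):
    """PIR 9: current volume is at least 100% above the agency's average."""
    avg = mean(baseline_counts)
    return avg > 0 and current_count >= 2 * avg


def evaluate_pirs(reports, baseline):
    """Return {agency: sorted PIR numbers triggered}; cross-agency PIR 7
    (same malware family at three or more agencies) is keyed as 'GLOBAL'."""
    hits = defaultdict(set)
    # PIR 9: compare this period's per-agency volume with the baseline average.
    for agency, count in Counter(r["agency"] for r in reports).items():
        if agency in baseline and pir9_triggered(count, baseline[agency]):
            hits[agency].add(9)
    families = defaultdict(set)   # malware family -> agencies reporting it
    for r in reports:
        if r["type"] == "malware" and r["family"]:
            families[r["family"]].add(r["agency"])
            if r["workstations"] >= 100:          # PIR 11
                hits[r["agency"]].add(11)
        if r["pii"] >= 10_000:                     # PIR 12 (loss assumed confirmed)
            hits[r["agency"]].add(12)
    for agencies in families.values():
        if len(agencies) >= 3:                     # PIR 7
            hits["GLOBAL"].add(7)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    print(evaluate_pirs(CURRENT_REPORTS, BASELINE_WEEKLY_REPORTS))
```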
Slide 14: Director’s Critical Infrastructure Requirements
DCIR 1: Activation of all or a portion of the National Response Framework (NRF).
DCIR 2: Activation of USNORTHCOM Homeland Defense plans or other National Security Plans.
DCIR 3: Emergency requirements to support CIKR owners and operators, Federal Agency, or State government response to a cyber attack.
DCIR 4: Issuance of a National Terrorism Advisory System (NTAS) alert.
DCIR 5: Increase in Continuity of Government Condition (COGCON) levels from level 4 to level 3 or higher (1 or 2).
DCIR 6: Any major domestic or international terrorist attack against citizens or facilities with a potential cyber component (this includes all major terrorist attacks).
DCIR 7: Any major cyber incident or attack involving a well known corporation or service providing entity that could generate public panic or escalate as a result of significant media coverage or service interruption.
DCIR 8: Any major cyber attack targeting a National Security Special Event (NSSE) or international event sponsored by the or with significant representation.
DCIR 9: When a Federal agency (including the Department of Defense declaring INFOCON 2, or 1) undertakes emergency action to defend itself from a cyber attack, such as isolating its networks from the Internet.
DCIR 10: A 50% or more reduction in US-CERT’s EINSTEIN sensor network.
DCIR 11: Activation of the DHS COOP Plan or Component COOP Plan.
DCIR 12: Significant disruption, degradation or threat to DHS networks and systems.
DCIR 13: Any cyber or non-cyber events affecting, or that could affect, US-CERT mission, operations and/or leadership, to include leadership or US-CERT personnel on travel.
DCIR 14: A cyber or non-cyber event that affects a critical infrastructure asset(s) or facility, or newsworthy reports that do not meet a PIR threshold (e.g., unconfirmed zero-day, political upheaval/unrest). Cyber impact is not immediate, but the event could pose a cyber impact and/or threat.
Slide 15: COOP Equipment: Operational Seats
Operational seats should consist of a standard computer build: Operating System, Processor, Memory.
Support Equipment (Tested Quarterly): Printers (Color & BW), Copiers, Fax Machines, Scanners, Shredders, Safes (secure storage), TV, SVTC.
Note: Store everyday files on shared drives and not on your C Drive.
Slide 16: COOP Equipment: Connectivity
Match your COOP connectivity as closely as possible to your normal connectivity.
Firewalls configured the same as your normal configuration.
COOP networks should duplicate operational networks: Switches, Hubs, Network Storage, Firewalls (configured as closely as possible).
Use telework where possible (remote login).
Slide 17: COOP Equipment: Types of Relocation Sites
Hot Site: Fully operational site with as close as possible a reproduction of your normal operational facility. In a hot site, the equipment is on and operational at all times, waiting for personnel to log on.
Warm Site: Operational site with as close as possible a reproduction of your normal operational facility. In a warm site, the equipment is in place, tested, and in standby mode. It may take a short period of time to get all the equipment up and running once personnel arrive (4 to 8 hours).
Cold Site: Equipment is in place and it may take up to 12 hours to become fully operational.
Slide 18: Directives
Executive Order (EO) 12656, Assignment of Emergency Preparedness Responsibilities
National Security Presidential Directive – 51 / Homeland Security Presidential Directive, National Continuity Policy
National Continuity Policy Implementation Plan (NCPIP)
Federal Continuity Directive (FCD), Federal Executive Branch National Continuity Program and Requirements, February 2008
Other related directives and guidance.
Slide 19: Operational Security and Prohibited Items/Activities
Operational Security (OPSEC):
Unclassified – Location of your Emergency Operations Center (EOC).
Unclassified – Route to your company EOC.
Prohibited Items/Activities:
Weapons/Firearms (LEOs authorized)
Knives (blades longer than 2 ½ inches)
Explosives
Illegal Drugs
Alcoholic Beverages
No Photography
Video Recorders
No personal IT
Slide 20: US-CERT COOP Overview
24x7x365 Operations Center and management activities that coordinate response and share information about cybersecurity incidents.
Production and reporting of threat and vulnerability information and mitigation strategies, to include situational updates.
Collaboration and coordination with partners and customers across the federal government, state and local government, the private sector and the international community.
Slide 21: US-CERT Responsibilities
Responsible for daily incident handling and operations on a 24x7x365 basis.
Creation of products and publications for the dissemination of information to US-CERT’s constituents.
Coordination of meetings and teleconferences for the dissemination of information to the federal civilian government.
COOP planning and coordination.
Responsible for the collaboration and coordination with mission partners and customers to support situational awareness, daily operations, crisis operations and product development with:
–Federal Departments and Agencies
–Cyber Centers and NCSC
–Law Enforcement and Intelligence Community
–Private Sector
–International
–State and Local
Supporting consistent communication processes to promote the flow of cybersecurity information into and out of US-CERT is an important part of the US-CERT mission.
Slide 22: 24X7 Integrated Operations Center
As part of the 24/7/365 Operations Center, US-CERT maintains an operational presence on the floor of the National Cyber Collaboration and Integration Center (NCCIC).
Slide 23: Traffic Light Protocol
TLP: RED
When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.
TLP: AMBER
When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP: AMBER information with members of their own organization, and only as widely as necessary to act on that information.
TLP: GREEN
When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.
TLP: WHITE
When should it be used? Sources may use TLP: WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.
Slide 24: US-CERT COOP Contact
Technical comments or questions: US-CERT Security Operations Center, Phone:
General questions or suggestions: US-CERT Information Request, Phone:
US-CERT COOP Phone:
Information is also available at
Slide 25: NPPD COOP Program Points of Contact
FS-ISAC 24/7 Ops Center
NPPD: Mick Mulligan
NCS: Mike Lastrina
Slide 27: Overview of the COOP Continuity of Government Readiness Condition (COGCON) System and Related Activities
Changing COOP COGCON levels enables COOP activities to be implemented over a period of time, allowing for a systematic escalation of COOP readiness and an increase in activation of resources. Precipitous threat changes may require a non-sequential escalation in COOP COGCON levels, compressing the time to activate and implement COOP plans.
Designated members of the NPPD COOP ERG will be notified of COGCON changes via ENS or other means, in accordance with the NPPD COOP Plan.
The COOP COGCON system applies only to threats or incidents in the National Capital Region. The COOP COGCON System was implemented to decrease the amount of time for Federal D/As to be fully operational at their ERS.
COGCON 4 (Steady State): The ERS must be maintained ready for full activation and assumption of NPPD MEFs within 12 hours. Quarterly audits of capabilities are conducted. NPPD continues to perform functions from its normal everyday operating locations.
COGCON 3 (ERS Warm-Up Initiated): The ERS must be prepared and ready for full activation and assumption of NPPD MEFs within 8 hours of activation. Designated members of the NPPD COOP ERG deploy as directed. NPPD continues to perform its functions from normal locations.
COGCON 2 (ERS Warm-Up Is Escalated): The ERS must be prepared and ready for full activation and assumption of NPPD MEFs within 4 hours of activation. Designated members of the NPPD COOP ERG deploy as directed. Capabilities are tested. NPPD continues to perform its functions from normal locations.
COGCON 1 (ERS Warm-Up Is Escalated): The ERS must be ready for full activation and assumption of NPPD MEFs immediately upon activation. Designated members of the NPPD COOP ERG deploy as directed. Daily status meetings are conducted. Capabilities are tested. NPPD continues to perform its functions from normal locations.
Slide 28: NPPD COOP ERG Alert & Notification Process
Elements shown on the notification flow diagram:
White House
FEMA Operations Center (FOC) (“Bluegrass”)
National Continuity Coordinator
Executive Branch Departments and Agencies (within DHS this includes OPS/NOC)
DHS NPPD BCEP
BCEP Staff notifies NPPD ART and ERG Members via ENS.