Fall World 2014

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 27, Issue 3

Full Contents Now Available!

Federal Continuity Directive - How Your Organization Can Benefit From It

There are quite a few frameworks now available for continuity professionals to promote the discipline of BC/DR within an organization. Using a framework is always a good starting point, just because it is time tested, refined, and has broad applicability. Secondly, following a proven methodology increases the chance of success in a reasonable time period. Some of the well-known frameworks for continuity professionals are the NFPA 1600, BS25999, NIST SP 800-34, CERT® Resiliency Engineering Framework, and the recently added Federal Continuity Directive (FCD). Even though much of what is outlined in the FCD framework is geared toward federal agencies, the core concepts are universal. This article outlines at a high level the salient areas covered under the FCD that may be useful for every organization and how it can add to your wealth of knowledge as you develop and mature your BC/DR program, irrespective of whether you are a federal agency or a non-federal entity.

Why use a Framework?

Any matured discipline or profession will have a set of well established frameworks the industry can rely on to use as a bench mark. The first and foremost reason to rely on a framework is that most are time-tested and refined. In other words, a framework would have looked into all aspects to stand up that discipline and would have worked out all the kinks, ensuring a broader applicability. Secondly, following the process outlined in the framework assures a known outcome in a reasonable time period. Why is that important? We all know when it comes to standing a new discipline, senior management tend to be risk averse and would always like to rely on a proven methodology. They also would like to know beforehand how long it would take to build and mature a program. A framework would come in handy to not only get the program stood up quickly but also get management’s support.

Some of the known frameworks available for BC/DR professionals:
  • National Fire Protection Association’s NFPA 1600 was introduced in 1995. The first version focused more on emergency management, which lead to more business continuity elements to the last update in 2007.
  • British Standard 25999 (BS 25999) was Europe’s first standard for business continuity management and was been developed to help organizations around the world to reduce risks and continue operations in the event of a disruption.
  • NIST SP 800-34 is a contingency planning guide specifically for federal information systems. The National Institutes of Standards and Technology (NIST), in partnership with a consulting firm, developed this framework for information technology DR programs in the federal government. Since it has broader applicability it is also widely used by many non-federal agencies.
  • The CERT® Resiliency Engineering Framework is a product of Carnegie Mellon University, released in summer of 2008. This is one of the more recent and comprehensive frameworks that bridge the gap between security and continuity disciplines, again focusing more on the IT side of the house.
  • The Federal Continuity Directive framework is truly the first framework that exclusively focuses on the continuity discipline for federal agencies. In May of 2007, directives from President George W. Bush and the Department of Homeland Security helped push several federal agencies to begin drafting a framework to guide a consistent continuity of operations (COOP) program across all federal agencies. President Bush signed this national continuity policy in August 2007 and released it for use in February of 2008. Before this policy, most federal agencies had their own tailored COOP programs that were not funded to adequate levels. With the introduction of FCD, the agencies could now begin establishing a formal program with a defined budget and funding.
Unlike other frameworks mentioned above, the FCD is not well known outside the federal government. This article attempts to highlight some of its key features that have broad applicability beyond the federal government and introduce a different perspective that may be useful to our profession as we stand up or grow our BC/DR programs.

Overview of the FCD

At a very high level, the objective of FCD is to provide a consistent approach to continuity planning across all federal agencies, ensuring continued performance of agencies’ mission-essential functions during all-hazard emergencies – which means plans are situation neutral and can cover any situation that disrupts normal operations (not just limited to natural hazards). So in essence the FCD focuses on building a strong, unified COOP discipline by integrating it into the fabric of all federal functions’ day-to-day operations. It also helps identify those functions within a federal agency that are deemed national essential functions, primary mission essential functions, and mission essential functions.

The FCD is separated into two parts. FCD1 primarily focuses on establishing the framework and providing details on the various aspects of the framework. FCD2 provides specific tools, guidelines and methodologies to implement the program, and identifying functions that are mission essential. Both FCD1 and FCD2 are available free at the below links:
  • www.fema.gov/pdf/about/offices/fcd1.pdf
  • www.fema.gov/pdf/about/offices/fcd2.pdf
Core Concepts

Think of standing up the continuity program as building structure. Every basic structure needs to have a solid foundation on which to stand. It needs pillars to hold the structure in place, and it needs a roof to cover the top. Lastly, we need building materials to build the structure. According to the FCD, having a good program management office in place establishes a solid foundation required for the continuity program. In addition, FCD identifies four essential pillars: leadership, staff, facilities, and communications and technology. The directive suggests a solid governance process in place to oversee the establishment of the program, acting as the roof. The framework also outlines eight key continuity concepts which are the building materials required to establish the program.

Four Essential Pillars
  • Leadership: Every ship needs to have a captain to navigate its course. Similarly, having solid senior leadership in command is required for any organization to handle crisis situations. Strong leadership provides direction, sets priorities, and keeps the team focused on mission-essential functions during an emergency.
  • Staff: Cross-trained staff should be able and ready to assume responsibilities for mission-essential functions when called for during an emergency. Having adequate levels of cross-trained staff is required for any organization to withstand and survive an emergency situation.
  • Facility: Every federal agency should have an alternate site identified, built, and equipped to relocate leadership and staff during a crisis to execute the mission-essential functions. It goes without saying, but every organization should have a viable alternate place of business to resume operations when the primary facility is in distress.
  • Communications and technology: Every organization should have resiliency built into its communication and technology backbone to facilitate the seamless transition of business to the alternate site. This involves redundant network infrastructure and data center for computing capabilities.
According to the FCD, to be prepared to handle emergencies, an organization should focus on having enough leadership, staff, facilities, and communications to support just the mission-essential functions and not necessarily its entire set of processes handled during normal operations. It is OK for a federal agency to operate in a diminished capacity when it comes to non-mission essential functions or even shutdown certain segments of its operation that are not essential during an emergency.

Eight Key Continuity Concepts

In addition to the four essential pillars, the directive outlines eight key concepts that are required in every continuity program:
  • Geographic dispersion is the first key concept outlined within the FCD. This one is straight forward and easy to relate to any organization. By having its operations geographically dispersed, an organization stands to have a better chance of recovering from a catastrophic event. FCD calls for every federal agency to geographically disperse its leadership, staff, facilities, and data storage. This reduces the risk level to mission-essential functions and increases operational resiliency.
  • Risk management is the second key concept outlined in the FCD. Risk is a function of threat, vulnerability, and consequence. Each of these elements needs to be present for a risk to exist. Absence of any of these makes the risk go away. In other words, if there are no threats, or if no vulnerabilities are inherent in the asset to be exploited, then there is no risk. The FCD suggests federal agencies follow the risk management cycle introduced by the government accountability office to manage the inherent risks to any organization. Such risk management should be part of the overall continuity program and continuity planning. Organizations should assess the risks using a proven framework, evaluate alternatives for addressing these risks, and implement the alternatives, monitoring progress made and results achieved.
The framework also directs federal agencies to first identify all of its mission-essential functions through a business process analysis exercise. According to the directive, mission-essential functions are those limited set of agency functions that must be continued at all costs after a disruption of normal activities. Within the mission-essential functions, there are two further categories: primary mission-essential functions and national essential functions. These are the eight functions the president and national leadership will focus on to lead and sustain the nation during a catastrophic emergency. Primary mission-essential functions are the agencies’ mission essential functions that directly support the national essential functions. These functions need to be continuous or be resumed within 12 hours of disruption and be maintained up to 30 days or until normal operations can be resumed.
  • Orders of succession are the next key concept to be considered. Every organization head should have a designated official to succeed her or him during an emergency. The organization should make efforts to identify and train successors for all its key leadership positions and not just the CEO function. Such succession planning should also include specific rules and conditions when it can be invoked. This information should be well documented and be part of the organization’s vital records.
  • Delegation of authority is another key concept outlined in the FCD. In addition to the orders of succession every organization should also have delegation of authority procedures clearly laid out before an emergency.
What the difference is between orders of succession and delegation of authority? Orders of succession are provisions for the assumption of senior leadership positions during an emergency, basically when the incumbents are unable or unavailable to execute their duties. An order of succession allows for an orderly and predefined transition of leadership. Delegations of authority, on the other hand, are specific and limited authority procedures that can be invoked on a temporary basis. For example, they may take effect during periods when those in charge are unavailable due to travel. Successors are vested with most of the authorities and powers of the incumbent.
  • Vital records management is the fifth key concept outlined in the directive. According to FCD, every agency must have a program to identify, protect, and be able to produce its vital records that support its primary mission-essential functions and mission-essential functions. In this context, vital records also include information systems and applications, electronic or hard copy documents, and any references and records needed to continue mission essential functions during a crisis. The agency should be able to produce such records at the alternate site within 12 hours of COOP activation. Management of vital records is a prudent business practice for any organization and not just the federal government.
  • Test, training, and exercise (TT&E) is an important concept laid out in the FCD. This process provides assurance to the senior leadership that equipment and procedures are kept in a constant state of readiness. Every organization should conduct TT&E of its mission-essential functions at least once a year, if not more frequently. For a federal agency, the directive mandates that it follow the guidelines outlined in the Homeland Security Exercise and Evaluation Program and conduct a hot wash after each exercise. The federal agency should also prepare an after actions review report after the conclusion of every exercise and review it with all the participants as part of the corrective actions program.
  • Devolution of control is simply the ability of a federal agency to transfer its statutory authority and responsibility to another agency, wherein that other agency can step in and continue its mission-essential functions. To ensure a smooth devolution of authority, an agency should identify through prior planning which other federal agency can perform its job, build a roster of key trained personnel who can work for the new agency during the transition, and outline likely situations/scenarios where devolution options would have to be activated. This concept may not necessarily be applicable to a non-federal organization.
  • Reconstitution gives an organization the ability to reassemble and restore all its functions to normal levels after having recovered from a disruption. An agency should outline in specific detail as to how it will begin the process of reconstruction and restore normal levels of operations after having recovered from a catastrophic event. The FCD asks for every federal agency to document the reconstitution steps in detail and store that information as part of its vital records management.

Like many of the other frameworks in business continuity, the FCD is a very thorough framework that has universal applicability – outside the federal arena. As you’ve likely noticed by now, most of these key concepts can be part of any organization’s BC/DR program. Whether you are starting a program from the ground up or identifying gaps to mature and grow your existing program, FCD can act as a checklist and a sounding board to make sure your program is headed in the right direction. As with any framework, there may be some areas that may not be applicable to your specific organization. I would recommend that every organization weigh in these key concepts for business value and then implement them where benefits outweigh the costs.

Shankar Swaroop CISSP, CISM, CSSLP, PMP, ITIL(V3), OCP, is currently the director of business continuity and disaster recovery at the Navy Exchange Service Command, a retail operation within the Department of Defense. He holds an MBA from the University of Texas at Austin and is a CPA from India. He has more than 15 years of experience in the IT industry in the areas of enterprise architecture, information security, and business continuity. He is a published author and speaker in areas of enterprise risk management and business continuity. The author would welcome questions and feedback and can be reached at itswaroop@gmail.com.