Eric KretzDirector

Continuity of Operations DivisionNational Continuity Programs (NCP)

Federal Emergency Management Agency (FEMA)

CI-2 Continuity Planning: Considerations for Government Buildings and Cyber Incidents

2

Steve Jobs

Innovator, Entrepreneur, Visionary

Revolutionized personal computing, mobile phones, the music industry, and the way people read, play and work

Uncanny ability to plan and prepare his businesses for future success

By developing continuously evolving technology combined with innovative marketing, they created powerful brand and product following

3

Agenda

Continuity Policies and Directives

Continuity Training

Continuity Webinar Series

Continuity Workshops

Eagle Horizon 2012

Resilient Accord

4

NSPD-51/HSPD-20 (Oct 2008)

Establishes a national policy on the Continuity of Federal government structures and operations

Mandates incorporation of continuity requirements into department and agency daily operations

Requires that all planning be based on the assumption that NO warning will be given

Requires coordination of Federal plans with State, local, territorial, tribal, and private sector plans

5

Federal Continuity Directives 1 & 2

Issued by the Secretary, DHS, on February 8, 2008

Provides direction for the development of continuity plans and programs for the FEB

Provides guidance for Identifying Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs)

Sets criteria for what a “continuity facility”

must provide

Establishes minimum continuity communications requirements

Emphasizes the management of vital records as an essential element of continuity planning

6

Continuity Guidance Circulars (CGC) 1 & 2

CGC 1 Issued by the Administrator, FEMA, on January 21, 2009

CGC 1 provides Continuity guidance on:

Continuity Program Management information for non-federal agencies

Elements and components of a viable continuity capability

Coordination of interdependencies

Continuity plan operational phases and implementation

CGC 2 Issued by the Assistant Administrator, FEMA, NCP on July 22, 2010

CGC 2 provides Continuity guidance on:

Identifying Mission Essential Functions

Conducting a Business Process Analysis and a Business Impact Analysis

7

Design and conduct annual, integrated full-scale and tabletop interagency Continuity of Operations (COOP) workshops for Federal D/A HQ and regional components

116 COOP workshops (tabletop to full-scale) completed in Fiscal Year (FY) 2009 and 2010

Eagle Horizon 2010 held May 17-18, 2010, featured 64 D/A, 225 controllers, and more than 10,000 participants

Provide Continuity training to Federal, state, territorial, tribal, and local government entities

98 continuity-specific resident instructional courses through 12 classroom and independent study courses in FY 2011

Develop and maintain the Continuity Excellence Series, Levels I and II

Mary Weindorf

8

Continuity Training

Develop and present resident classroom and online training

Training courses address the full spectrum of COOP preparedness,

from Continuity awareness (introductory material) and exercise design (targeted to continuity program managers) to planning documentation and alternate site preparedness and activities

Train-the-Trainer courses are used to facilitate dissemination of material to government and other organizations Nationwide

Conducted 161 resident Train-the-Trainer courses reaching more than 3,000 Continuity professionals, and trained an additional 58,229

professionals through online classes in FY 2010

Trained over a 150,000 Continuity professionals in FY 2011

Mary Weindorf

9

Continuity Excellence Series

Established in April 2008

Designed for continuity professionals throughout the Federal Government, and among our partners at the State, territorial, tribal, and local governments

Dedicated to enhancing the excellence in the development and implementation of Continuity programs

Level I, Professional Continuity Practitioner

Level II, Master Continuity Practitioner

NCP Course Manager, Willie York at

willie.york@dhs.gov

10

Continuity Practitioner Level I

Fundamentals of Emergency Management

IS 700.a: Introduction to National Incident Management System (NIMS) or IS 700

IS 800.b: A National Response Framework (NRF), An Introduction

E 136 or IS 139: Exercise Development Course/Exercise Design Course/or COOP Exercise Design/Development T-t-T Course

Complete attendance in Pandemic Influenza (PI), Determined Accord Workshop, or IS 520: Introduction to Continuity of Operations Planning for Pandemic Influenza, and IS 522: Exercising Continuity Plans for Pandemic Course (both Independent Study courses are required) or Resilient Accord: Cyber Security Workshop or Guardian Accord: Terrorism Awareness Workshop

** NARA/CoSA Vital Records Training (optional, recommended)

IS 546.a: COOP Awareness

IS 547.a: Introduction to COOP

IS 242 or equivalent E/L/G course: Effective Communication

E/L/G 548 or IS 548: COOP Manager’s T-t-T Course or E/G/L 549: Continuity of Operations (COOP) Program Manager Course or MGT 331 University of Maryland: Preparing the States

E/L/G 550: COOP Planner’s T-t-T Workshop, or IS 550 Continuity Planner’s Workshop or L552: Continuity of Operations for Tribal Governments

IS 100 or IS 100.b:

Introduction to Incident Command System (ICS), or ICS 200:

Incident Command System (ICS) for Single Resources and Initial Action Incidents

IS 230 or equivalent E/L course:

Principles of Emergency Management or IS 230.a:

11

Continuity Practitioner Level II

Attain Continuity Excellence Series –

Level I

IS 130:

Exercise Evaluation and Improvement Planning, or E132 (limited to EMI Resident MEPP candidates), or G130: Exercise Evaluation

IS 240 or equivalent E/L/G course:

Leadership and Influence

E/L/G 551 or IS 551: Devolution Planning Workshop

E/L 156 or IS 156: Building Design for Homeland Security T-t-T Course for Continuity of Operations, or E/L 155: Building Design for Homeland Security

E/L 262: Instructional Delivery for Subject Matter Experts or G265: Instructional Delivery Skills (formerly G261: Instructional Presentation Skills), or E 605: Instructional Delivery, or E/L 141: Instructional Presentation and Evaluation Skills course.

Instruct E/L/G or IS 548 COOP Managers T-t-

T Course

Facilitate E/L 550 or IS 550 COOP Planner’s T-t-T Workshop or E/L/G or IS 551: Devolution Planning Workshop, or Determined Accord Pandemic Preparedness Workshop for Continuity Managers, or facilitate Resilient Accord, Guardian Accord, or the Reconstitution Planning Workshop

Written Comprehensive Exam (150 questions) –

Applicants are eligible to take the comprehensive exam once they have met all other Level II requirements

Continuity Practitioner Certificates

FEMA Emergency Management Institute issues all certificates

Certificate requests to:FEMA-CONTINUITY-PRACTITIONER@DHS.GOV

12

Certificates AwardedCertificates FY08 FY09 FY10 FY11 Total To Date

Professional Continuity Practitioner –

Level I 9 81 190 292 572*Master Professional Continuity Practitioner –

Level II

0 9 21 49 79*

*As of October 2011

13

TrainingCertificates Inception -

FY08 FY09 FY10 FY 11 Total To Date

IS 139: Exercise Design 45,108 10,232 11,535 11,968 78,843

IS 520: Pandemic Influenza (PI) Planning 0 5,158 8,353 2,835 16,346

IS 522: Pandemic Influenza (PI) Exercises 0 0 732 2,086 2,818

IS 546: COOP Awareness Course 40,219 14,177 85 3 54,484

IS 546a: COOP Awareness Course 273 2,343 24,750 159,458 186,824

IS 547: Introduction to COOP 26,727 8,284 2,055 30 37,096

IS 547a:Introduction to COOP 0 0 7,217 8,628 15,845

IS 548: COOP Managers T-t-T Course 0 1,681 3,498 3,030 8,209

IS 551: Devolution Planning Workshop 0 0 0 1,902 1,902

E/L 156: Building Design for Continuity of Operations Train-the-Trainer (Risk Management Series)

278 163 201 59 701

14

TrainingCertificates Inception -

FY08 FY09 FY10 FY 11 Total To Date

E/L 548: COOP Manager’s Train-the-

Trainer 3,858 787 831 495 5,971

E/L 550: Continuity Planners Workshop Train-the-Trainer 357 568 575 528 2,028

E/L 551: Devolution Planning Workshop Course T-t-T 0 46 433 369 848

L 552: Continuity of Operations for Tribal Govt. 0 14 68 21 103

Determined Accord 4,691 1,477 696 253 7,117

Resilient Accord 0 0 418 613 1,031

Reconstitution 0 0 0 398 398

Guardian Accord 0 0 0 147 147

Webinar Participants 0 0 0 567 567

TOTALS 12,1511 44,930 61,447 193,483 421,371

*As of October 2011

15

Continuity Webinar Series

Conducted monthly and address continuity-

related topics presented by Continuity and Emergency Managers from varied backgrounds and experiences

Provide a forum for discussing the roles and resources necessary to establish and implement effective continuity programs and plans

Free to the public

Use current technology to reach out to the Continuity community

Recorded for future playback and placed on the official Continuity Webinar Series homepage (includes schedule): http://www.fema.gov/about/org/ncp/coop/

webinars.shtm

Can also be viewed on a mobile device by downloading and Apple (iPhone or iPad) or Android application

FEMA External Affairs announces webinars via distribution lists, Facebook, and Twitter

16

Continuity Workshops

Conduct full scale, functional, and table top interagency Continuity workshops in the National Capital Region (Washington, DC Metropolitan Area) and within the 10 FEMA regions

Plan and conduct Regional Continuity Workshops for Federal, State, territorial, tribal, and local agencies through the 28 Federal Executive Boards (FEBs)

Plan and conduct annual, integrated Continuity exercise for the FEB Departments/Agencies (D/As) (Eagle Horizon)

Conduct biennial assessments of 64 Department and Agency continuity capabilities based upon criteria established in FCDs and provide

report to the National Continuity Coordinator

Plan and conduct annual, integrated FEMA Headquarters Continuity

workshops

Assess all FEMA regional offices and provide regional quarterly metrics

Plan and conduct FEMA Telework Workshops

17

NLE 2012 Exercise Elements

Four main exercise elements within March –

June 2012 timeframe and with common scenario and governance structure

Information Exchange (Intel/ Law enforcement)

Cyber Effects/Cyber Storm

Cyber Event with Physical Effects (Capstone Exercise)

Continuity Exercise/Eagle Horizon 2012o An operations based Continuity exercise that provides the

opportunity to evaluate the continuity capability of the Federal

Executive Branch departments and agencies

Some D/As will play in all exercises, all D/As must play in the last 2 exercises

18

NLE 12 Overarching Objectives

Examine the National Cyber Incident Response Plan in guiding the

Nation to prepare for, respond to and recover from a significant

cyber event

Review and evaluate existing cyber related authorities and/or policies

Evaluate government roles and responsibilities in coordinating national cyber response efforts and their nexus with physical response efforts, including allocation of resources

Examine the ability to share information across all levels of government and with the private sector (classified and unclassified) as well as the general public to create and maintain cyber incident situational awareness, and coordinate response and short�term recovery efforts

Assess key decision points and decision making in a significant cyber event

19

Eagle Horizon 2012 Objectives

Evaluate the continuity capability of D/As including communications and the performance of essential functions through the implementation of

continuity, devolution and reconstitution plans from activation, until the resumption of normal operations in accordance with Federal continuity directives, during a significant cyber event

Examine broader national continuity capabilities, specifically communications, with State, territorial, tribal, local, and private sector partners

Implement devolution and reconstitution plans and evaluate the capability of Federal D/As to transfer statutory authority and responsibility for essential functions from the primary operating staff and facilities to alternate facilities

D/As may assess additional capabilities based on agency-specific requirements, as long as they can be accomplished within the common scenario

20

NLE/EH 2012 Integration

EH 2012 is fully integrated into NLE 2012 planning and provides

the opportunity for Federal, Regional, State, territorial, tribal, and local organizations to exercise continuity planning responses within the overarching cybersecurity scenarios

EH 2012 will be a Full-Scale Exercise (FSE) scheduled for June 2012 with required participation by Federal Executive Branch D/As

EH 2012 is a mandatory annual exercise directed by National Security Presidential Directive –

51/Homeland Security Presidential Directive –

20 (NSPD-51/HSPD-20)

21

EH 2012 Overview

The EH 2012 linkage with NLE 2012 requires departments and agencies to exercise objectives related to alert and notification, continuity communications, devolution, and reconstitution

EH 2012 will incorporate implementation of Continuity, Devolution, and Reconstitution Plans and capabilities to test implementation

against significant Critical Infrastructure and Key Resources degradation in the communication, energy, and information technology sectors

All D/As will receive an evaluation of their continuity programs

with the results submitted through the Readiness Reporting System

22

NLE/EH 2012 Concept

3-day concept

Day 1: PMEF/MEF at Alternate Facilities –

Scenario Play

Day 2: PMEF/MEF from Devolution Facilities –

Scenario Play

Day 2: Alt ERG member training, Reconstitution Exercise at Continuity Facility

Day 3: Evaluation Coordination/Submissions

23

EH 2012 Evaluation

Continuity portion will be externally evaluated

Devolution will be externally evaluated

D/As Continuity plans will be evaluated 30-60 days prior to the actual exercise

External Continuity evaluation will have Category I,II and III agencies externally evaluated by a FEMA NCP lead evaluator

Cat IV’s agencies will partner together and exchange evaluators for both evaluations

24

EH 2012 Evaluation Process

Evaluators will assess continuity capabilities at exercise locations

Evaluation process uses the Readiness Reporting System (RRS), Participant Questionnaires, General Observation Forms, and the NLE 2012 Exercise Evaluation Guides

FEMA NCP will prepare an assessment and After Action Report/Improvement Plan (AAR/IP) for the National Continuity Coordinator

25

EH 2012 Training Activities

FEMA NCP supports NLE 2012 and EH 2012 with Building Block training activities that includes seminars, tabletop exercises and support to D/A internal exercises

Controller and Evaluator Training

Continuity Program Manager Course

Continuity Planning Workshop

Devolution, Reconstitution and Resilient Accord Workshops

26

The Relationship between Cyber and Continuity

Cyber threats will cause COOP and Devolution Plans to be activated due to:

Rolling power blackouts will cause traffic signal outages, resulting in commuter challenges

Power blackouts will cause communication outages when servers and telephone switchboards lose power

Generators may go down when diesel fuel is not delivered due to the traffic problems, and immediate demand diverts orders to other agencies

Power outages may disable some physical security systems

Door locks may be inoperative

27

FEMA worked in Collaboration with DHS to develop Resilient Accord

The Resilient Accord Workshop is 6-hour tabletop workshop with the following objectives:

Increase organizational awareness about the importance of including cybersecurity considerations into continuity planning

Discuss how cyber disruptions may impact the performance of essential functions and identify solutions to address vulnerabilities in existing continuity plans

Establish or enhance relationships between information technology professionals, emergency managers, and continuity planners

28

Collaboration with DHS NCSD

DHS National Cyber Security Division (NCSD) is a partner in the creation of this continuity workshop that is designed for continuity managers to refine continuity plans and programs to include cybersecurity planning

The mission of NCSD is to work collaboratively with public, private and international entities to secure cyberspace and America’s cyber assets

For organizations working to develop a comprehensive Business Continuity Plan, which incorporates Business Impact Analysis and Threat Analysis, DHS NCSD can serve as the subject matter experts for defining cyber risks and vulnerabilities

29

Cyber Attacks Continue to Affect Continuity Planning

U.S. is the most targeted country for cyber attacks

Essential Functions are becoming ever more dependent on IT systems that are vulnerable to various threats

Continuity Managers should include cyber threats as part of the Business Process Analysis and Business Impact Analysis

Cyber threats were not always identified in many Business Impact Analysis reviewed

National Planning Scenario #15: Cyber Attack

National Level Exercise (2012) will be based on a cyber incident

Better coordination between information technology professionals and continuity planners bridges the gap and enhances successful performance of mission essential functions

30

Things to Consider…

The continuity manager understands the organization’s mission essential functions and the impact of losing this capability

IT personnel, with input from subject matter experts, understand the technical requirements to support performance of mission essential functions

Mission essential functions cannot be successfully accomplished without the cooperative and collaborative input from both the continuity and IT personnel

31

Understand Cyber-linkages

Cyber-linkages between sectors raise the risk of cascading failures throughout the Nation

During an incident, the private sector is often first to detect a problem.

A successful cyber attack on a power plant’s control system could impact several critical sectors, as detailed below:

Electric  

Power Sector

Communications  

Sector

Financial Sector

Emergency 

Response

32

Public/Private Sector Partnership

Your organization cannot succeed in planning for cybersecurity if it works in isolation

Governmental organizations should enhance their partnership with the private sector

Public and private sector’s interests are intertwined with a shared responsibility for ensuring a secure and reliable infrastructure

The success of your continuity planning for cyber threats will be largely dependent on coordination with partners, customers, and stakeholders

The goal of this partnership is to identify continuity interdependencies associated with essential functions

33

Continuity Elements

Essential Functions

Orders of Succession

Delegations of Authority

Continuity Facilities

Continuity Communications

The following are the ten essential elements of a viable continuity of operations program. The ones in bold are the ones that would likely be impacted by a cyber incident.

Vital Records Management

Human Capital

Test, Training, and Exercise

Devolution

Reconstitution

34

Improving Continuity Planning

As organizations work to improve their continuity plans and programs, to include cybersecurity, continuity managers should:

Communicate to senior leadership the importance and value in establishing continuity plans that address cyber risk

Understand the challenges and incorporate methods used to enhance the organization’s ability to perform Mission Essential Functions

Collaborate with IT staff to identify a program’s risk and requirements to support essential functions

35

Contact InformationNational Continuity ProgramsDamon Penn, Assistant Administrator

(202) 646-4145

Ann Buckingham, Deputy Assistant Administrator

(202) 646-4516

Continuity of Operations DivisionEric Kretz, Director

(202) 646-3754

Tracy Queen, Deputy Director

(202) 646-4282

Continuity of Operations Division BranchesJames Opaczewski, Chief, STTL Branch

(202) 646-4128

David Webb, Chief, Federal Branch (202) 646-4303

Tracy Queen, Chief, FEMA Branch

(202) 646-4282

36

Regional Continuity ManagersRegion Name States Contact Info

I George Callahan Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, Vermont 617‐832‐4799 

george.callahan@dhs.gov

II Russell Fox  New Jersey, New York, Puerto Rico, U.S. Virgin Islands 212‐680‐8504 

Russell.Fox@dhs.gov

III Barry Breslin Delaware, District of Columbia, Maryland, Pennsylvania, Virginia, West Virginia 215‐931‐5584 

Barry.Breslin@dhs.gov

IV Joseph Canoles Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, 

Tennessee770‐220‐5453  

Joseph.Canoles@dhs.gov

V Rolando Rivero Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin 312‐408‐5590  

Rolando.Rivero@dhs.gov

VI Brad McDannald Arkansas, Louisiana, New Mexico, Oklahoma, Texas 940‐898‐5131  

Bradr.Mcdanald@dhs.gov

VII David Teska Iowa, Kansas, Missouri, Nebraska 816‐283‐7082   

David.Teska@dhs.gov

VIII Ken Hudson Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming 303‐235‐4658 –

Ken.Hudson@dhs.gov

IX James Macaulay American Samoa, Arizona, California, Hawaii, Guam, Nevada, Commonwealth of the 

North Mariana Islands, Federated States of Micronesia, Republic of the Marshall Islands510‐627‐7009  

James.Macaulay@dhs.gov

X Erin Ward Alaska, Idaho, Oregon, Washington 425‐487‐4567erin.ward@dhs.gov

37

Rick Rescorla

Security Chief for Morgan Stanley, World Trade Center

Implemented evacuation procedures that are credited with saving many lives

He died in the attacks of September 11, 2001, while leading the evacuation efforts

As a result of Rescorla's planning and exercise efforts, all but 13 of Morgan Stanley's 2,700 WTC employees survived

38

Q&A

39