[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





   CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS 
       REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 22, 2004

                               __________

                           Serial No. 108-184

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
95-423                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 22, 2004...................................     1
Statement of:
    Brown, Michael, Under Secretary for Emergency Preparedness 
      and Response Directorate, U.S. Department of Homeland 
      Security...................................................    35
    Kern, John, director, network continuity, AT&T Corp..........    47
    Koontz, Linda D., Director, Information Management Issues, 
      U.S. General Accounting Office.............................     8
Letters, statements, etc., submitted for the record by:
    Brown, Michael, Under Secretary for Emergency Preparedness 
      and Response Directorate, U.S. Department of Homeland 
      Security, prepared statement of............................    38
    Cummings, Hon. Elijah E., a Representative in Congress from 
      the State of Maryland, prepared statement of...............    64
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     4
    Kern, John, director, network continuity, AT&T Corp., 
      prepared statement of......................................    49
    Koontz, Linda D., Director, Information Management Issues, 
      U.S. General Accounting Office, prepared statement of......    10

 
   CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS 
       REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS

                              ----------                              


                        THURSDAY, APRIL 22, 2004

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:07 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis 
(chairman of the committee) presiding.
    Present: Representatives Tom Davis, Ose, Jo Ann Davis, 
Blackburn, Maloney, Cummings, Tierney, Watson, Van Hollen, 
Ruppersberger and Norton.
    Staff present: David Marin, deputy staff director/director 
of communications; Anne Marie Turner and John Hunter, counsels; 
Robert Borden, counsel/parliamentarian; Drew Crockett, deputy 
director of communications; John Cuaderes, senior professional 
staff member; Teresa Austin, chief clerk; Brien Beattie, deputy 
clerk; Corinne Zaccagnini, chief information officer; Robert 
White, press secretary; Michael Yeager, minority deputy chief 
counsel; Earley Green, minority chief clerk; and Jean Gosa, 
minority assistant clerk.
    Chairman Tom Davis. Good morning. A quorum being present, 
the Committee on Government Reform will come to order. I would 
like to welcome everyone to today's hearing on the status of 
the Federal Government's continuity of operations plans.
    Today on the House floor we are considering legislation 
laying out the framework for how Congress would continue 
operating in the event of a catastrophe. That's important. But 
let's be honest. The real, tangible, day-to-day work of the 
Federal Government doesn't happen here. It happens at agencies 
spread across the Nation, and ensuring their continued 
operation in the wake of a devastating tragedy should be 
considered every bit as important.
    Continuity of Federal Government operations planning became 
essential during the cold war, to protect the continuity of 
government in the event of a nuclear attack. COOP planning has 
attracted renewed significance after the terrorist attacks of 
September 11. Through a Presidential Decision Directive and a 
Federal Preparedness Circular, Federal agencies are required to 
develop viable continuity of operations plans for ensuring the 
continuity of essential operations in emergency situations. 
Although it is a classified document, PDD 67 reportedly also 
designates the Federal Emergency Management Association [FEMA], 
as the executive agency for formulating guidance on executive 
departments' COOP plans, and coordinating and assessing their 
capabilities. In July 1999, FEMA issued Federal Preparedness 
Circular 65, FPC 65, which confirms its coordinating agency 
role, contains criteria for agencies to develop their plans, 
and designates the timelines for submission of agency plans.
    Because of the critical nature of the ongoing threat of 
emergencies, including terrorist attacks, severe weather, and 
individual building emergencies, this committee requested the 
GAO to evaluate contingency plans of several Federal agencies 
and review FEMA's oversight of those agency COOP plans. And in 
February 2004, GAO issued a report that found a wide variance 
of essential functions identified by individual agencies. GAO 
attributed this lack of uniformity to several factors: lack of 
specificity about criteria to identify essential functions in 
FPC 65; lack of review by FEMA of essential functions during 
assessment of COOP planning; lack of testing or exercises by 
FEMA to confirm the identification of essential functions by 
agencies.
    To remedy these shortcomings, GAO recommends that the 
Secretary of the Department of Homeland Security direct the 
Under Secretary for Emergency Preparedness and Response to 
ensure that agencies develop COOP plans by May 1, 2004 and 
correct deficiencies in individual plans. In addition, GAO 
recommends that the Under Secretary be directed to conduct 
assessments of COOP plans that include independent verification 
of agency information, agencies' essential functions and their 
interdependencies with other activities.
    The committee is concerned about the seeming lack of 
progress we have made in the area of Federal continuity of 
operations. If September 11 was a wakeup call, then we haven't 
fully heeded the message when it comes to our planning. 
Although some progress has been made, and I commend Under 
Secretary Brown for his leadership on this, we still have a 
ways to go. We must do everything possible to address the COOP 
inconsistencies that exist across the board. Identifying and 
prioritizing essential functions with 100 percent compliance 
and accuracy is a must. Even if agencies can accomplish this, 
they still must be able to identify their key staffing 
requirements, lines of succession, resources needed, and what 
mission-critical systems and data must be protected and, in 
many cases, be redundant.
    Continuity of operations means more than keeping your Web 
site up and running. What's really called for is a wholistic 
approach, one that factors in people, places and things. What 
is really needed is agility, because FEMA's role in COOP 
oversight is key for agency success.
    The committee will hear FEMA's assessment of the individual 
agency plans. The committee will also assess FEMA's efforts to 
ensure that the COOP directives are carried out by each agency. 
This will include steps FEMA is taking to assess each of the 
executive agencies' COOP plans, what interaction FEMA has had 
and plans to have with those agencies about deficiencies in 
those plans, what steps FEMA will take to ensure agency 
compliance, and FEMA's assessment of the adequacy of Federal 
Preparedness Circular 65, and steps it has taken to overcome 
any deficiencies.
    The committee will also hear from GAO about its assessment 
of COOP planning and its recommendations for improvement and 
will also hear how the private sector deals with this issue.
    Finally, the committee has asked GAO to continue to monitor 
Federal COOP planning to ensure that agencies are in compliance 
with the latest executive and congressional guidance. The 
committee expects to get an annual scorecard from GAO outlining 
how agencies are performing with regard to the many facets of 
COOP. This is an important issue and we'll be very aggressive 
on our oversight.
    We have three impressive witnesses before us to help us 
understand the current and future state of Federal continuity 
of operations planning, the expected problems and what we can 
look forward to in ways of improvement. First we will hear from 
the General Accounting Office, followed by the Department of 
Homeland Security, and finally we will hear from AT&T which has 
a mature COOP plan in place.
    I want to thank all of our witnesses for appearing before 
the committee and I look forward to hearing their testimony.
    [The prepared statement of Chairman Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T5423.001
    
    [GRAPHIC] [TIFF OMITTED] T5423.002
    
    [GRAPHIC] [TIFF OMITTED] T5423.003
    
    Chairman Tom Davis. Are there any other Members who wish to 
make opening statements at this point?
    Ms. Watson.
    Ms. Watson. Thank you very much Mr. Chairman.
    In the event of a crisis, the American people immediately 
turn to the Federal Government to provide basic services, 
stability and direction. But we now have learned from the GAO 
that many Federal agencies are woefully unprepared to continue 
functioning in the wake of a catastrophe. It is distressing to 
know that in the wake of an attack on America, the horror of 
the initial attack might be compounded by the mayhem of a 
government that cannot coordinate basic services. We need to 
fix this.
    And I think all of us have it indelible in our minds where 
we were and what we were doing on September 11, myself 
included, right here in this Capitol. And we knew not where to 
go. We were running around like ants all over the place. We 
knew not where to gather. I had to seek out directions. And we 
have to be sure that we have these plans in place.
    But this is only the tip of the iceberg. Even beyond this, 
what is not addressed in this report or in this hearing is 
continuity of operations at the State or at the local level. I 
bring this issue up, Mr. Chairman, not to confuse the issue in 
this hearing, which I understand focuses solely on the 
continuity of operations and planning in the Federal executive 
branch, but rather simply to illustrate the scope of the 
problem that we face. Even once we get this problem sorted out 
at the Federal level, we must ensure our States and our local 
governments that they are prepared. Here we sit, 2\1/2\ years 
after facing the mortal threat of September 11, and we still 
cannot be assured that we are prepared to provide essential 
government services in the wake of a disaster.
    My colleagues and I want some answers. And I ask the 
witnesses from FEMA, please tell us what you need to tell us, 
and we will do our best to see that you get it. But we need to 
hear from you, and we need to know what your plans are for real 
progress and real answers, and on how you prepare to fix it. 
And I'm sure you will find this Congress very supportive.
    Thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you.
    Any other Members wish to make opening statements? If not, 
we will move to our first witness, Linda Koontz, the Director 
of Information Management Issues of the General Accounting 
Office, no stranger to this committee. As you know it's the 
policy of the committee that all witnesses be sworn in before 
they testify. So, Linda, if you'd rise with me and raise your 
right hand.
    [Witness sworn.]
    Chairman Tom Davis. For the record, note we have--two of 
your aides behind you also sworn in. Please proceed with your 
testimony. You know the rules. We have the buttons, the lights 
out here, 5 minutes and try to sum up. And thank you for being 
with us again.

STATEMENT OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT 
             ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Ms. Koontz. Thank you, Mr. Chairman and members of the 
committee. I appreciate the opportunity to participate in the 
committee's hearing on Federal continuity of operations 
planning. As you know, events such as terrorist attacks, severe 
weather, or building-level emergencies can disrupt the delivery 
of essential government services. To minimize the risk of 
disruption, Federal agencies are required to develop plans for 
ensuring the continuity of essential services in emergency 
situations.
    The Federal Emergency Management Agency, now part of the 
Department of Homeland Security, was designated executive agent 
for continuity of operations planning and issued guidance in 
July 1999. This guidance states that in order to have a viable 
continuity of operations capability, agencies should identify 
their essential functions. Identifying essential functions is 
the first of eight elements of a viable capability and provides 
the basis for subsequent planning steps.
    Mr. Chairman, at your request, we assessed department and 
agency-level continuity of operations plans at 23 major Federal 
agencies and reported the results to you in February. In 
summary, we found that, first, three departments did not have 
plans in place as of October 1, 2002. Second, our assessment 
raised serious questions about the adequacy of the essential 
functions identified. Specifically, we found that 29 of the 34 
plans that we reviewed identified at least one essential 
function. However, these functions varied widely in number from 
3 to 399, and included many that appeared to be of secondary 
importance.
    At the same time, the plans omitted many programs that OMB 
had previously identified as having a high impact on the 
public. Agencies did not list among their essential functions 
20 of the 38 high-impact programs that have been previously 
identified. For example, one department included, ``provided 
speeches and articles for the Secretary and Deputy Secretary,'' 
among its essential functions, but did not include 9 of 10 
high-impact programs. In addition, although many agency 
functions rely on the availability of resources or functions 
controlled by another organization, more than three-fourths of 
the plans did not fully identify such dependencies.
    Third, none of the agencies provided documentation 
sufficient to show that they were complying with all aspects of 
FEMA's guidance.
    In our view, a number of factors contributed to these 
government-wide shortcomings. FEMA's planning guidance does not 
provide specific criteria for identifying essential functions, 
nor does it address interdependencies. In addition, while FEMA 
conducted an assessment of agency compliance with the guidance 
in 1999, it has not conducted oversight that is sufficiently 
regular and extensive to ensure that agencies correct 
deficiencies identified. Further, in its assessment, FEMA did 
not include a review of essential functions. Finally, FEMA did 
not conduct tests or exercises to confirm that the identified 
essential functions were correct.
    In discussing our report, FEMA officials, while maintaining 
that the government is prepared for an emergency, acknowledged 
that improvements could be made. These officials told us that 
they plan to conduct a government-wide exercise next month, 
improve oversight by providing more detailed planning guidance, 
and develop a system to collect data from agencies on their 
readiness. However, these officials have not yet determined how 
they will verify the agency-reported data, assess the essential 
function and interdependencies identified, or use the data to 
conduct regular oversight. In our report, we made several 
recommendations to address these shortcomings.
    In summary, Mr. Chairman, while most of the agencies 
reviewed had continuity of operation plans in place, those 
plans exhibited weaknesses in the form of widely varying 
determinations about what functions are essential, and 
inconsistent compliance with guidance that defines a viable 
continuity of operations capability. Until these weaknesses are 
addressed, agencies are likely to continue to base their plans 
on ill-defined assumptions that may limit the utility of the 
resulting plans, and, as a result, risk experiencing 
difficulties in delivering key services to citizens in the 
aftermath of an emergency.
    Mr. Chairman, that concludes my statement. I would be happy 
to answer any questions that you might have.
    Chairman Tom Davis. Thank you.
    [The prepared statement of Ms. Koontz follows:]

    [GRAPHIC] [TIFF OMITTED] T5423.004
    
    [GRAPHIC] [TIFF OMITTED] T5423.005
    
    [GRAPHIC] [TIFF OMITTED] T5423.006
    
    [GRAPHIC] [TIFF OMITTED] T5423.007
    
    [GRAPHIC] [TIFF OMITTED] T5423.008
    
    [GRAPHIC] [TIFF OMITTED] T5423.009
    
    [GRAPHIC] [TIFF OMITTED] T5423.010
    
    [GRAPHIC] [TIFF OMITTED] T5423.011
    
    [GRAPHIC] [TIFF OMITTED] T5423.012
    
    [GRAPHIC] [TIFF OMITTED] T5423.013
    
    [GRAPHIC] [TIFF OMITTED] T5423.014
    
    [GRAPHIC] [TIFF OMITTED] T5423.015
    
    [GRAPHIC] [TIFF OMITTED] T5423.016
    
    [GRAPHIC] [TIFF OMITTED] T5423.017
    
    [GRAPHIC] [TIFF OMITTED] T5423.018
    
    [GRAPHIC] [TIFF OMITTED] T5423.019
    
    [GRAPHIC] [TIFF OMITTED] T5423.020
    
    [GRAPHIC] [TIFF OMITTED] T5423.021
    
    [GRAPHIC] [TIFF OMITTED] T5423.022
    
    [GRAPHIC] [TIFF OMITTED] T5423.023
    
    Chairman Tom Davis. Linda, let me just start. The bottom 
line is, are agencies really prepared for the worst?
    Ms. Koontz. Agencies do not have plans at this point that 
are fully compliant with the requirements of FPC 65 and 
therefore I'd have to conclude that there is no assurance that 
they are prepared for an emergency.
    Chairman Tom Davis. In fact, some of them are fairly 
woefully prepared.
    Ms. Koontz. That is correct.
    Chairman Tom Davis. You report that 19 agencies failed to 
identify their interdependence with other agencies and how 
these interdependencies affect their essential functions. Was 
GAO provided with an explanation as to why these agencies 
didn't identify their interdependency in COOP plans?
    Ms. Koontz. I don't--excuse me. I think part of the issue 
that my staff is telling me that the requirement to identify 
interdependencies, we think, would be a good practice. But that 
requirement is not specifically outlined in FPC 65. So that is 
most likely the reason.
    Chairman Tom Davis. All right. Do you get the feeling some 
of these agencies are just checking the box? This is just 
another requirement that they have to do? This isn't really--
this isn't part of their mission, but it's paperwork they have 
to turn in so it's kind of--they're not utilizing the 
resources; they're putting them toward other missions in the 
department?
    Ms. Koontz. It's hard for me to comment on a specific 
agency's motivation for what they do. But we have to say that 
in some cases we saw what we thought looked like sort of a rote 
or a template approach to the development of plans.
    Chairman Tom Davis. Yes. I think one of the difficulties 
is, both from the executive branch and from the legislative 
branch, we put all of these different requirements on agencies, 
and it's hard for them to sort out what their priorities are. 
If they do them all, they'd never be able to get anything done. 
And so as a result of that, sometimes nothing gets done.
    One of the rules of this committee is to kind of highlight 
shortcomings in some of these areas. This area, cybersecurity 
area, again, another one similar, where agencies check boxes 
but don't really make this mission-critical. And they may be 
able to escape with this. This is one of those issues that, you 
know, hopefully we will never see that kind of disaster and it 
will never happen. But if it does, and we are not prepared, of 
course the results then are worse by an exponential amount.
    Ms. Koontz. And if I could add to that, the fact that FEMA 
hasn't done the regular checking and oversight of the plans, I 
think that created part of the situation that you see today. If 
agencies realize that someone's going to be routinely looking 
at these plans, I think that would provide greater incentive 
for providing resources for this activity.
    Chairman Tom Davis. And there is no requirement, is there, 
that they send the plans to Congress? They send them up through 
FEMA, right?
    Ms. Koontz. No, sir.
    Chairman Tom Davis. That might be something we can get 
access to, that we look at to try to underscore the importance 
of this. I mean, hopefully again, this is something if you 
don't do it, it'll never happen, nobody will know the 
difference. But if you have a disaster, there we are.
    The report states that FEMA attributed its lack of 
oversight of these plans in part to its limited number of 
personnel responsible for guidance. Now, as a result of your 
investigation, can GAO concur with FEMA the inadequate 
personnel numbers significantly affected FEMA's ability to 
conduct oversight?
    Ms. Koontz. We didn't specifically evaluate the numbers of 
staff that would be necessary for FEMA to conduct this 
oversight activity. However, we do know that FEMA has, since we 
completed our work, undertaken a rather large effort to get 
many more people involved. So this should not be a problem 
going forward.
    Chairman Tom Davis. OK. Thank you very much.
    Ms. Watson.
    Ms. Watson. The Chair asked a question about if there was a 
requirement to report to us, and I'd like you to describe what 
you think we should know in advance so that as we go about 
budgeting for whatever, there could be appropriate resources 
there to address what might occur. We really need to start 
looking ahead. We've had the shock of an experience that we 
will never forget now. How do we--we're new at this, and I 
understand that. We were caught in a blind spot. Unready. But 
what is it going to mean in terms of resources to be ready? Do 
you have a comment?
    Ms. Koontz. A couple of parts to that question. I think in 
terms of resources that, according to the report we saw from 
OMB on combating terrorism that was published in September 
2003, apparently it's not unusual for agencies to spend several 
million dollars working on continuity of operations planning. 
And indeed the President asked for over $100 million for this 
purpose in 2004. I would have to followup to tell you what was 
actually devoted, however.
    In terms of reporting to Congress, I think that one of the 
things that Mr. Davis has asked us to do is to set a baseline 
of continuity of operations planning efforts, which we have 
done with our first report. And in following up on that, 
hopefully you'll be able to see the changes that take place 
over time and to be able to influence those changes further.
    Ms. Watson. Thank you.
    Chairman Tom Davis. Thank you very much. Gentlelady from 
Tennessee.
    Mrs. Blackburn. Thank you, Mr. Chairman.
    And thank you for taking the time to be here and visit with 
us today. You mention in your report the Y2K efforts, and my 
assumption--which I would like to know if it's correct or not--
is that where you have drawn your baseline, as working from the 
efforts that were made there in preparation for Y2K, that helps 
with your baseline?
    Ms. Koontz. What we drew from the Y2K effort was the 
previously identified list of 38 essential functions that were 
identified specifically for that purpose. And we use this as an 
example against which to evaluate plans to see if these 
essential functions were present or not. We don't mean to imply 
that this is the definitive list of essential functions, but we 
felt it was one strong example of where the government had 
already identified programs that had a high impact on the 
public.
    Mrs. Blackburn. OK. Now, have you required the different 
agencies and departments to--going into those and looking at 
that Y2K planning and into those agencies and programs, have 
you required them to go on and give you the coordination with 
State and local agencies for implementation of continuing 
services as it affects those departments?
    Ms. Koontz. We haven't yet looked at the issue of 
coordination between the Federal and the State and local 
governments.
    Mrs. Blackburn. OK. What is the status of the agency's 
information technology that is needed to oversee these 
essential functions?
    Ms. Koontz. Well, one of the aspects of any kind of 
continuity planning would be to assure that your critical 
infrastructure and your systems would be available in an 
emergency, and this would also extend to what we call vital 
records as well. In order to operate in an emergency situation, 
one has to have access to the information that is needed for 
decisionmaking. So these are all aspects of continuity of 
operations planning. What we saw among the agencies was, 
frankly, mixed preparedness in all these areas.
    Mrs. Blackburn. Thank you.
    Chairman Tom Davis. Thank you very much.
    Ms. Norton.
    Ms. Norton. Thank you very much, Mr. Chairman. Thank you 
for calling this hearing. It is an interesting hearing coming 
up today, especially since we have on the floor a continuity of 
operations bill.
    I'm confused even by the GAO report, because all the dates 
I see goes back to 1999. You speak on the first page about 
assessments of agency compliance conducted in 1999 and none 
conducted since then. And again, at page 5, a reference to July 
1999, and the assessments conducted to address any emergency or 
situation that could disrupt normal operations, including 
localized emergencies.
    Well, I'm really wondering whether anything that goes back 
to 1999 is relevant at all. That is to say, with the 
intervention of September 11th, I'm not sure what FEMA would be 
reviewing, if FEMA is reviewing plans that were set in motion 
in 1999, when on page 5 of your own report you say it relates 
to any emergency, including localized emergencies. I just 
wonder whether they don't need to start all over again, whether 
any plan that was prepared before September 11th is worth the 
paper it's written on, whether or not we don't need fresh eyes 
when we look at what a local emergency is when we look at 
infrastructure. So I would like some sense from you whether you 
think we can actually pick up from 1999 or whether we ought not 
step back and essentially begin again.
    Ms. Koontz. I can clarify a little bit. The requirements 
first came into being in 1999, and agencies were required to 
have a continuity of operations plan in place at this point for 
that same year. It was also the same year that FEMA did an 
assessment of plans and gave agencies feedback as to strengths 
and weaknesses.
    Ms. Norton. I think Oklahoma may have occurred by that 
time, so I'm sure there was some sense that you could get, you 
know, a large emergency. But go ahead.
    Ms. Koontz. So that was the first round of plans. But I 
wouldn't want to lead you to believe that none of those plans 
have been updated since 1999. Some agencies have taken steps to 
review their plans once or twice since then, but it varies 
quite a bit across the board. Certainly anything that went back 
to 1999 would need a significant reassessment before it could 
be brought up to date, and indeed we found that regardless of 
when the plan had been prepared, that most of them did not hit 
the majority of the requirements. In fact, we found not a 
single one that met all the requirements in their entirety. So 
all of them need a significant relook at this point. But I just 
wouldn't want you to believe that nothing has happened since 
then.
    Ms. Norton. Well, obviously, at the agency level one would 
need to particularize what the emergency planning was. I have 
no confidence that you begin by saying, hey, agencies, figure 
out what to do. I don't understand why there shouldn't be some 
overall--you talk in your report about the great disparities 
among these agencies. Much of that is to be expected. But 
without FEMA's guidance as to what constitutes a plan, what 
else could you expect? So I don't see how we can go back and 
criticize the agencies or even criticize FEMA for not going 
back agency by agency.
    My question is, why isn't there some general guidance as to 
what minimally an agency should be doing, its plan should be, 
with the agencies filling in the particulars, rather than this 
kind of ground-up approach and then us criticizing the 
agencies? Because somehow they are very different from agency 
to agency, as if that isn't exactly what you should expect if 
you haven't given agencies some idea of what continuity of 
operation should be all about.
    So, Mr. Chairman, I must say that I appreciate your calling 
this hearing, but I think we are just going at it the entirely 
wrong way to say to agencies out there, hey, you all come up 
with what you should be doing to continue operations. Without 
some general guidance as to ``these are the basics, now fill 
in'' does not give me confidence, particularly here in the 
National Capital Region, that if there were an emergency it 
could be handled.
    Chairman Tom Davis. Well, doesn't FPC 65 give out the basic 
guidance?
    Ms. Koontz. Yes. FPC 65 provides basic guidance on the 
eight elements of a viable COOP capability.
    Ms. Norton. And isn't that also from 1999?
    Ms. Koontz. Yes, that is from 1999.
    Ms. Norton. Well, that is my problem. I think the world has 
changed since September 11, 2001, and that was before 1999. 
That was after 1999.
    Chairman Tom Davis. Ms. Koontz, any response?
    Ms. Norton. I think that is a more radical critique than 
the GAO report is what I'm trying to say.
    Chairman Tom Davis. OK. Ms. Koontz.
    Ms. Koontz. I would just say that one of the things that we 
point out I think quite strongly in our report is that the 
identification of essential functions is a very critical first 
step in doing effective continuity planning. If you don't do 
that right, it probably doesn't matter what do you after that 
because you haven't figured out what it is you need to deliver 
in an emergency.
    But we also point out that the guidance to agencies, 
although they have issued general guidance, it was not specific 
enough to agencies for them to identify really what an 
essential function was and get any consistency across agencies; 
and that was compounded by the fact that FEMA was not doing the 
regular kind of checking and oversight to provide their 
expertise, to lend their expertise to the development of these 
plans and provide their broad view of what was going on 
government-wide. So I think our report does address some of the 
issues that you're identifying here.
    Ms. Norton. Well, thank you very much; and thank you Mr. 
Chairman.
    Chairman Tom Davis. Thank you very much.
    Mrs. Davis.
    Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman; and 
thank you, Ms. Koontz, for being here.
    You know, it seems to me that if we had the technology in 
place for telecommuting that in the event of an attack here in 
Washington, for instance, people could work at home. So I guess 
my question is, have any of the agencies--when you reviewed 
their plans, had they considered or included telecommuting in 
their continuity of operations plans? Because that's been the 
hardest thing. We've been--I mean, we have tried to get 
agencies to allow telecommuting, and it seems as hard as 
pulling teeth sometimes.
    Ms. Koontz. Uh-huh. And using both the use of alternatives 
facilities and the use of telecommuting could be a reasonable 
strategy to use in continuity of operations planning, depending 
on the kind of emergencies that we're talking about.
    Mrs. Jo Ann Davis of Virginia. Well, if we had the agency 
allowing the telecommuting now, it would be in place; and then 
there would be an answer to some of the problems for some of 
these agencies.
    My other question--you know, I heard you say that if FEMA 
or someone were doing reviews or what have you, then these 
agencies might get off the stick, I guess, is what you meant. 
And it bothers me a little bit, because are you saying then 
that our agencies don't do what we tell them to do unless they 
know we are going to check on them?
    But my real question to you--I mean, that was just a side 
note. It bothers me to hear that. But did agency personnel 
responsible for developing the continuity of operation plans 
indicate why they have not followed the guidelines that FEMA 
gave them? I mean, the person in each agency who is 
responsible, did they give you any feedback?
    Ms. Koontz. Well, there are a couple of different classes 
of things going on here.
    I think, first, in some cases the guidance isn't very 
clear; and so agencies maybe tried to implement it the best 
they could, but it was predictably then inconsistent across the 
government. So you have some of that going on.
    In other cases, I think agencies told us that they had 
prepared their plan. It had been reviewed by FEMA in 1999. They 
thought the feedback they received was that plan was all right; 
and, frankly, I think they were surprised in some instances 
when we said, well, we don't think this meets the requirements 
or the guidance of FPC 65.
    So there was a couple of different kinds of things going on 
there.
    Mrs. Jo Ann Davis of Virginia. Sounds like a communication 
problem, Mr. Chairman. It seems like we have that a lot in the 
Federal Government. I don't know how we can fix that.
    But thank you so much, and I would strongly suggest that we 
push the telecommuting if we can.
    Chairman Tom Davis. Great. I think Mrs. Davis' idea on the 
telecommuting is something that for agencies here we need to do 
more of. I mean, this committee will hold followup hearings on 
that. Obviously, if an office gets devastated, people don't 
need to be in the office in many cases to carry out their 
duties.
    Mr. Van Hollen.
    Mr. Van Hollen. Nothing.
    Chairman Tom Davis. No questions.
    Mrs. Maloney.
    No questions.
    Thank you very much. This has been very helpful for us. We 
may have some followup pending some of the others, but we 
appreciate your oversight on this and your analysis.
    Ms. Koontz. Thank you.
    Chairman Tom Davis. Thank you very much.
    We will proceed now to our second panel. I am going to 
thank Under Secretary Michael Brown, the Honorable Michael 
Brown, the Under Secretary for Emergency Preparedness and 
Response Directorate from the U.S. Department of Homeland 
Security, for being with us today. Why don't we take a minute 
recess, but I'll wait for him to come in.
    There he is. Mr. Secretary, thank you for being with us. 
Why don't you stay--and I'll swear you in, our policy.
    [Witness sworn.]
    Chairman Tom Davis. Thank you very much for being with us 
today.
    We'll have some lights in front of you, the panel. After 4 
minutes, an orange light will come up, giving you a minute to 
make it 5. If you feel you need to go over it, we're not 
pressed for time. We'll do that. But your entire testimony is 
part of the record, and our questions have been based on that.
    But thank you very much for being with us today, and thank 
you for the job you're doing.

   STATEMENT OF MICHAEL BROWN, UNDER SECRETARY FOR EMERGENCY 
   PREPAREDNESS AND RESPONSE DIRECTORATE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Brown. Thank you, Mr. Chairman.
    Chairman Tom Davis. You have to make sure the mic is on. 
That's the toughest part of the whole thing.
    Mr. Brown. I'm not used to coming in second. I guess you're 
just ready. Go ahead and start then, right? OK.
    Good morning, Chairman Davis and members of the committee. 
My name is Michael D. Brown, and I am the Under Secretary for 
Emergency Preparedness and Response.
    Chairman Tom Davis. Mr. Brown the reason we have you second 
is we have GAO first and we give you the last word.
    Mr. Brown. Sure. Right.
    Chairman Tom Davis. So it's really to your advantage to be 
in that position.
    Mr. Brown. Great.
    Thank you for the opportunity to appear before you today to 
discuss the Federal Emergency Management Agency's role in 
supporting the Nation's Continuity of Operations and its 
program.
    FEMA was designated the lead agency for Continuity of 
Operations for the Federal executive branch by Presidential 
guidance on October 21, 1998. Among other things, this guidance 
requires Federal agencies to develop Continuity of Operations 
plans to support their essential functions. FEMA's leadership 
role is to provide guidance and assistance to the other Federal 
departments and agencies in this important area. We have taken 
this responsibility very seriously and have worked hard to 
provide this guidance.
    As the program expert for the Federal executive branch COOP 
activities, FEMA and the Department of Homeland Security have 
made significant strides toward ensuring that COOP plans exist 
at all levels of departments and agencies. This effort entails 
our involvement with hundreds, if not thousands, of various 
COOP plans and close coordination with the General Services 
Administration.
    We have aggressively developed working relationships across 
the government--to include the legislative and judicial 
branches--to expend our efforts at providing advice and 
assistance to other Federal departments and agencies in the 
COOP arena. We have established numerous interagency COOP 
working groups at the headquarters and at the regional levels. 
These working groups have opened communication channels across 
the government regarding COOP plans and programs and have 
helped organizations develop more detailed COOP planning in 
order to leverage capabilities and to improve interoperability. 
Moreover, we have developed new COOP testing, training and 
exercise programs to help ensure that all departments and 
agencies are prepared to implement their COOP plans.
    Significantly in fact--FEMA tested its own COOP plan and 
capabilities in December 2003 by conducting Exercise Quiet 
Strength. This headquarters COOP activation involved the 
notification and relocation of nearly 300 FEMA personnel on our 
emergency relocation group, and it successfully demonstrated 
our ability to perform FEMA's essential functions from an 
alternate site under emergency conditions.
    We are now leading the interagency Exercise Forward 
Challenge scheduled for next month. This full-scale COOP 
exercise will require departments and agencies in the National 
Capital Region to relocate and operate from their alternate 
facilities. Some 45 departments and agencies plan to 
participate in Forward Challenge. A prerequisite for their 
participation is for each department and agency to develop 
their own internal Forward Challenge COOP exercise. As a 
result, there will be approximately 45 separate but linked COOP 
exercises conducted concurrently with the main Forward 
Challenge event. Because of these internal exercises, Forward 
Challenge preparation has cascaded across the country, with 
departments and agencies as far away as Fort Worth and Seattle 
participating.
    Our support for COOP exercises and training is not limited 
to the Washington, DC, area. Working with the Federal executive 
boards, FEMA has conducted interagency COOP exercises in Denver 
and Chicago; and additional exercises are scheduled in Kansas 
City on April 29 and in Houston on June 14. To help facilitate 
this effort, FEMA has developed a generic interagency COOP 
exercise template that can be easily adapted for use in the 
field.
    Mr. Chairman, you have specifically asked me to address 
what steps FEMA is taking to address each of the executive 
agencies' COOP plans and what steps we are taking to address 
deficiencies in those plans. Through our strong working 
relationships and through new and ongoing COOP initiatives, we 
are leading the government's COOP program to ensure improved 
coordination and provide enhanced planning guidance. FEMA 
established the Interagency COOP Working Group in the National 
Capital Region comprised of 67 separate departments and 
agencies. This working group includes the Library of Congress, 
the GAO, U.S. Senate, the D.C. Department of Transportation, 
the U.S. court systems and the Metropolitan Washington Council 
of Governments. At the regional level, FEMA has used a phased 
approach to establish COOP working groups with many of the 
Federal executive boards and Federal executive associations 
across the country.
    In addition, we are revising the Federal preparedness 
circular for COOP. The goal is to have a single-source document 
that all departments and agencies can refer to for their COOP 
programs. The new Federal preparedness circular incorporates 
many of the GAO's recent recommendations for improvements. It 
includes detailed information on how to identify essential 
functions and discusses the importance of interdependencies 
between departments and agencies.
    Mr. Chairman, the ability of the Federal Government to 
deliver essential government services in an emergency is of 
critical importance. In June, we agreed that improved planning 
was needed to ensure the delivery of essential services. 
However, I unwaveringly believe the Federal Government is 
currently poised to deliver those services in an emergency that 
requires the activation of COOP plans.
    Mr. Chairman, thank you for you time; and I'll be happy to 
answer any questions you may have.
    Chairman Tom Davis. Thank you very much.
    [The prepared statement of Mr. Brown follows:]

    [GRAPHIC] [TIFF OMITTED] T5423.024
    
    [GRAPHIC] [TIFF OMITTED] T5423.025
    
    [GRAPHIC] [TIFF OMITTED] T5423.026
    
    [GRAPHIC] [TIFF OMITTED] T5423.027
    
    [GRAPHIC] [TIFF OMITTED] T5423.028
    
    Chairman Tom Davis. Just to start off, I was pronouncing it 
COOP plans. You're pronouncing it the COOP plans. And the 
reason I called it COOP is because chickens are in charge of 
the COOP, and I didn't want anyone in the administration to cry 
foul of what I was doing, which is eggsactly what they do. I 
mean, obviously, we don't want any agency----
    Mr. Brown. I can't compete with this humor.
    Chairman Tom Davis [continuing]. We don't want the agencies 
winging it on their COOP plans. So we will risk ruffling some 
feathers here today. But I think it's fair to say the 
administration's proposal so far are nothing to crow about.
    But let me ask a few questions.
    Mr. Brown. OK. Because I'm ready to fly the coop, so----
    Chairman Tom Davis. Everybody acknowledges that the first 
and most critical element of any COOP planning is the 
identification of every essential function that an agency 
performs and will attempt to maintain in case of an emergency. 
But GAO reports that individual agencies' identification of 
essential functions really vary widely. Can you just kind of 
review in brief for us what steps FEMA has taken to assure that 
these critical functions are accurately carried out by every 
Federal agency?
    Mr. Brown. Absolutely, Mr. Chairman. FEMA has a 
coordination role and provides guidance and assistance, but it 
is really up to the departments and the agencies themselves to 
determine what's essential for their COOP plans.
    We do such things as having a monthly forum through the 
Interagency COOP Working Group for departments and agencies to 
address those issues and insure best practices.
    I also believe that the revised preparedness circular that 
is soon to be released at the end of the fourth quarter will 
provide better decisionmaking guidance to the departments and 
agencies that will also ensure consistency across the Federal 
Government.
    Moreover, through a readiness reporting system that FEMA is 
now implementing, we will be in a better position to provide 
more accurate and timely information regarding each department 
and agency's COOP activities.
    But I believe it's important to note--particularly 
important to note that, for the first time ever, as I said in 
my oral statement, FEMA exercised its headquarters COOP plan. 
It involved the actual notification and actual deployment of 
our emergency relocation group to our alternate facility. This 
is the first time ever that FEMA has done that. And that we 
will now oversee for the first time ever a Federal Government-
wide COOP exercise that will allow us to establish a baseline 
for future exercises that we want to have now on an annual 
basis.
    Chairman Tom Davis. I asked this question of the previous 
panel. Are agencies prepared for the worst today? Or are we 
getting there?
    Mr. Brown. We are certainly getting there. And my 
hesitation is not about preparedness. My hesitation, Mr. 
Chairman, is about what is the worst--because the worst, in my 
world, unfortunately, is, you know, the detonation, for 
example, of a nuclear device or a dirty bomb or a bioterrorist 
event which will result in catastrophic casualties and a 
catastrophic disaster of proportions that will overwhelm all of 
us. So that is the reason for my hesitation. I believe that 
every department and agency has a very good, robust COOP plan 
in place that we just now need to fine-tune.
    Chairman Tom Davis. I mean, the experience of this 
committee as we go through little emergencies that come across 
the city--for example, recently we had tractor man. We had a 
guy on a tractor hold up traffic and tie up this city for three 
rush hours. And there was--the planning that took--there was no 
planning. There was a division over really what the priorities 
were to make sure that the person escaped--I mean, that he 
wasn't injured and was apprehended, that no one was injured. 
Nobody looked out for--and so some of this stuff gets very 
contradictory as you start to have to go down the path and 
decide what the priorities. You can't anticipate any and all 
bad things that can happen.
    Mr. Brown. No, but I think, based on the template that we 
have put together or the revision of the Federal preparedness 
circular, that we will be able to provide them with a template 
that allows them to respond to any--almost any kind of 
disaster.
    Chairman Tom Davis. Ms. Norton's concern in the previous 
panel was that we were dealing with a circular from the 
executive that came--was a 1999 circular, before September 11. 
On September 11 I can tell you we certainly weren't prepared on 
Capitol Hill. I mean, we didn't know who to call. We were kind 
of irrelevant to the process, though, basically. I mean, we 
don't like to think of this that way, but the government went 
on fine. Everybody--the military did their job. The police did 
their job. Other agencies kicked in. It is a lot more important 
than what happens here.
    I guess my question is, as we look at different agencies we 
see different levels of planning for this. That's not unusual. 
What you usually find is we put so many requirements on these 
different agencies and secretariats and the like that they have 
to sort it out in some, take it more seriously than others. In 
fact, some of them, how they plan is going to be more important 
to the American people than others.
    So as you look over this in terms of your planning and the 
checklists and everything else, what are we doing to check on 
this?
    There was an allegation at GAO that maybe you didn't have 
enough people to really implement this job. This is a 
contingency planning, so it may never happen, and some agency 
leaders, I think, think, well, I don't have to do this because 
it'll never happen, and then I can put my resources somewhere 
else and accomplish something that everybody--that I know will 
happen. What's your reaction to that?
    Mr. Brown. Let me--three things I want to respond to, Mr. 
Chairman.
    First of all, your comment about the ability of the Federal 
Government--the ability of executive branch to be able to 
actually COOP and respond in terms of an emergency. The good 
news I believe out of this hearing should be that all of the 
major departments and agencies--in fact, all the departments 
and agencies have a COOP plan in place that we have reviewed 
and we have looked at.
    Do these need to be fine-tuned? Absolutely. Do we need to 
continue to improve those? Absolutely. But there is no place in 
the executive branch of the departments and agencies where 
there is a lack of a COOP plan. So that's the good news.
    GAO is correct in that we have been concerned about the 
staffing levels. But one of the priorities that I have put in 
since I have become the Under Secretary was to increase the 
staffing in our national security office, coordination office 
and we have increased the staff levels. Additionally, we have 
received incredible support from President Bush and the 
administration and in the 2005 budget there is a $12 million 
increase, specifically for COOP activities.
    Chairman Tom Davis. The other criticisms--one other 
criticism that came out of the GAO report--I wouldn't call it 
criticism, but one of their observations was that some of the 
COOP reports that came in really didn't talk about how they 
interact with other agencies, that they simply look at what 
they did. And it was almost like a checklist, which, by the 
way, is not uncommon. I'm not trying to be overly critical 
here. I'm just trying to make sure that as we look forward we 
can continue to improve.
    Mr. Brown. And that is exactly one of the things that we 
want to test in Exercise Forward Challenge. It's not just their 
ability to pick up and move and go to their alternate sites, 
but how do they interact, how are the interdependencies, how is 
the interoperability of communications among the different 
Departments and Agencies and where can we improve on that. So 
you have identified exactly one of the areas that we intend to 
push in the exercise.
    I would just take this opportunity also to caution everyone 
about the exercise, because it is my philosophy, and it is one 
that I'm trying to push all the way through FEMA and the entire 
departments, that we don't do exercises to make things look 
good. We do exercises to push the envelope, to find out where 
the vulnerabilities are, to find out where the weaknesses are 
so that we can come back and improve upon them. So I fully 
expect after Exercise Forward Challenge for us, the Interagency 
Working Group to get back together and find places where 
interdependencies didn't exist, and we need to improve those. 
That's the purpose of the exercise.
    Chairman Tom Davis. And you did provide information about 
Exercise Quiet Strength, which was FEMA's December 2003, 
exercise to test its headquarters COOP plan. But that is an 
isolated exercise of one agency; and in reality, of course, 
particularly with you all, an actual emergency would involve 
government-wide functions. Is there an effort to test some of 
that later on in the interaction of some of the agencies?
    Mr. Brown. There absolutely is. But before we can go out 
and be a good leader and convince all the other departments and 
agencies to do this we have to show that we are willing to do 
it, too. And since FEMA had never done this exercise I was very 
pleased that we were able to pull it off and be as successful 
as we were.
    Chairman Tom Davis. Thank you very much.
    Ms. Watson.
    Ms. Watson. Thank you for being here and helping us get 
our--wrap our minds around how comprehensive this emergency 
preparedness and the planning might be.
    I was just given a printout from the L.A. Times that this 
is the third loss of power at the Los Angeles Airport in 10 
days. When you think about Los Angeles Airport under the FAA 
being one of the major ports on the west coast, it's very 
troubling to know that a bird can stand on a wire, spread its 
wings, make the connection and out the whole airport and all 
the flights all the way, nationally and internationally--the 
third time in 10 days.
    My question is, in your interagency efforts, is it the FAA, 
then, that would be able to take a look at all of our airports? 
It seems to me that, you know, I can't really understand how a 
bird could do this three times in 10 days and where our backup 
systems are.
    Mr. Brown. I assume it wasn't the same bird.
    Ms. Watson. No. I think that bird has been--is toast. But, 
you know, it just seems like this is a weak spot, a soft target 
for terrorists. They can send a bird up, you know, and knock 
out the whole system.
    This is one of our major international ports. We are 
Pacific rim, and I am very concerned about whether it reaches 
over to the FAA and if the FAA will look at all of our 
airports. Because it seems to me on September 11 it was--the 
airport was the scene--the launching of a terrible disaster 
that we've never had before and we were not prepared for. So in 
looking at how we prepare I think something like this should be 
a function of the FAA, and I would hope that Homeland Security 
would certainly raise these issues and see if we can motivate 
and activate FAA to take a look.
    Mr. Brown. Yes, ma'am. I'll certainly pass that information 
and the story along.
    Ms. Watson. I'll give you a copy of this, if you would 
like.
    Mr. Brown. Right. I'll pass that on to Under Secretary 
Libutti of the Information Analysis and Infrastructure 
Protection Directorate in the Department, because they are 
taking a significant review of all the critical infrastructure 
in this country and how we can better protect those 
vulnerabilities.
    Ms. Watson. Sure. Thank you very much.
    Chairman Tom Davis. Ms. Watson, thank you very much.
    Mrs. Maloney, any questions?
    Mrs. Maloney. No.
    Chairman Tom Davis. Mr. Brown, thank you very much for 
being here today. We look forward to continuing to work for you 
as we develop these COOP plans. I will get my pronunciations 
right, and we'll get you armed with some funds when you come 
back here. But we could use--you know, we will look forward to 
working with you as we continue to develop these.
    I'd just ask one last question. There is some concern among 
Members that maybe we ought to have these plans given to this 
committee where we could oversee them when they come in as 
well. Do you have any objection to that? We don't have to do 
that legislatively necessarily, but, as you get the plan, share 
them with us so we can stay abreast with what's going on.
    Mr. Brown. We will certainly continue those discussions, 
Mr. Chairman, and see if there isn't some way that we can have 
you more attuned to what we're doing in terms of planning and 
the processes.
    Chairman Thomas. Again, this may--hopefully, this will be--
we're talking about events that never happen. We are talking 
about plans that never need to be implemented. But should they 
do that, all eyes will be on what we were doing in Congress.
    Mr. Brown. I would be remiss if I didn't remind ourselves 
that these COOP plans really go beyond just terrorist events. 
We also prepared to COOP the executive branch during Hurricane 
Isabel. There are many natural hazards which will cause us to 
COOP also, not just a terrorist event.
    Chairman Tom Davis. Plus the tractor man. Isolated 
incidents.
    Mr. Brown. Right.
    Chairman Tom Davis. And we had another guy on the bridge--
just so I can get this off my chest--who was having a bad day 
and held up traffic on the Woodrow Wilson bridge and clogged 
traffic on the east coast for 5 hours. It took them 5 hours to 
figure out--they talked him down, instead of shooting him off 
with a bean bag, which is what they should have done right 
away, I mean, because you have to look at the greater good of 
some of this. It wouldn't have killed him, you know. He would 
have gotten wet.
    But these kinds of plans sometimes we don't think about 
till they occur, and now that we have this agency we are 
expecting all knowledge to rest with you all and solutions to 
rest with you.
    Mr. Brown. We take this very seriously, and we will do 
everything we can to move it.
    Chairman Tom Davis. We think you're doing great. Thanks for 
being here.
    Mr. Brown. Thank you, Mr. Chairman.
    Chairman Tom Davis. We'll take a second and move to our 
third witness, and we have John Kern from AT&T. He's the 
Network Continuity Director for AT&T. This is a real-life 
company that has to deal with these kind of issues every day. 
This is part of their business, is dealing with emergency 
contingencies and service.
    Mr. Kern, if you'd rise with me. It's the policy of this 
committee. We swear in.
    [Witness sworn.]
    Chairman Tom Davis. Please have a seat.
    Your total testimony is in the record. We try to keep the 
opening statements to 5 minutes, but if you need to take a 
little longer, we are not in a hurry here. After 4 minutes, an 
orange light will go on. That gives you a minute. And when the 
red light goes on, that is it. Take what you need.
    Thank you for being with us. I think you can add a lot to 
our testimony today.

  STATEMENT OF JOHN KERN, DIRECTOR, NETWORK CONTINUITY, AT&T 
                             CORP.

    Mr. Kern. My pleasure. Thank you.
    Good morning, Mr. Chairman and members of the committee. My 
name is John Kern. I am the Network Continuity Director for 
AT&T. My team and I are responsible for business continuity, 
disaster recovery and continuity of operation for our worldwide 
network infrastructure.
    Thank you for the opportunity to discuss with you today how 
AT&T has implemented our continuity of operations plan. I will 
suggest recommendations of how Federal agencies can implement 
continuity, plans of their own that kind of fall in line with 
some of the processes that we use.
    The chart that is being displayed right now is an example 
of our network continuity and business continuity program, 
which is very similar to the COOP. We understand how important 
the services that we provide to our customers, both the private 
sector and the Federal Government services, like the government 
emergency telecommunications services; and we spend a great 
deal of energy and commitment to making sure that they can 
operate under any circumstances. This is both for our physical 
network and for cyber issues like security.
    For example, we have basic level fire walls, intrusion 
detection at a higher level, cyber security where things are 
detected automatically and there is basic patterns that are 
looked for in the network so we can protect our services for 
our customers.
    At a physical level, we have a dedicated team of people and 
we have invested over $300 million in equipment to be able to 
operate our network and continue our network under any 
circumstances. It is unique in our industry. We have had 12 
years of experience and expertise in developing this as part of 
our continuity of operations plan.
    The next one. One of the important things that was 
discussed today is exercising. I agree with the former witness 
that any plan that isn't tested really isn't a viable plan, and 
the whole point of an exercise is to find areas to improve the 
plan, to understand what can be done better the next time and 
how to make the continuity operations plan a viable, executable 
plan.
    We realize it is a long process to do continuity of 
operations and business continuity. It took a substantial 
effort and discipline on our part to get this far in our plans 
and commitment. We have been working with the GSA to provide 
agencies with multiple suites of security services, and we look 
forward to continuing to work with the GSA and your committee 
to bring continuity of operations planning across the Federal 
Government.
    It is obvious that continuity of operations planning is 
hard work. It requires investment. There is a cost to do it. In 
some cases, though, there is a larger cost in not doing it. Not 
having a continuity of operation plan that you could execute 
could mean that for several days your agency or enterprise 
isn't able to provide the basic service to your customers or 
your constituents.
    The government should consider leveraging capabilities that 
have already been implemented in the industry, leveraging off 
the expertise of AT&T. The government business is very 
important, both to our customers, to the constituents of the 
government, and we are basically here to help with your 
continuity of operations plans. We have had a lot of benefit 
from our relationship with the Federal Government, various 
agencies, Department of Defense, FEMA, National Institute of 
Science and Technology for standards. We are now kind of 
offering what we have leveraged into those continuity of 
operations plans to offer assistance to you, Mr. Chairman, and 
to the committee and to the Federal Government.
    Chairman Tom Davis. Thank you very much.
    [The prepared statement of Mr. Kern follows:]

    [GRAPHIC] [TIFF OMITTED] T5423.029
    
    [GRAPHIC] [TIFF OMITTED] T5423.030
    
    [GRAPHIC] [TIFF OMITTED] T5423.031
    
    [GRAPHIC] [TIFF OMITTED] T5423.032
    
    [GRAPHIC] [TIFF OMITTED] T5423.037
    
    [GRAPHIC] [TIFF OMITTED] T5423.038
    
    [GRAPHIC] [TIFF OMITTED] T5423.039
    
    [GRAPHIC] [TIFF OMITTED] T5423.040
    
    Chairman Tom Davis. You get a lot of real-world experience 
in this. Every time there is a storm or something like that, 
you have to deal with that.
    Mr. Kern. Yes, sir.
    I'm an operational level person. If there is a disaster on 
my team, I go out in the field and do whatever we need to do to 
make sure our network continues to operate under any 
circumstances. We were heavily involved with our network 
recovery efforts after the World Trade Center.
    One thing I mentioned a little bit earlier was having that 
discipline of a plan, the commitment to execute the plan and 
even having the resiliency and reliability built in. But you 
also need some flexibility in your plans. A good example, we 
had never and I don't know of anybody envisioning somebody 
crashing planes into a building the size of the World Trade 
Center or the subsequent shutdown of the nationwide air traffic 
control system. Our plans didn't call for that or didn't 
counter that. But the flexibility we built into our disaster 
recovery plans basically assumed that we would have regional 
disruptions.
    A hurricane going through south Florida might shut down 
several airports. An earthquake in the West might shut down a 
few airports. So we have our people and our equipment 
regionally deployed so we can respond from anyplace. After the 
World Trade Center, when the air traffic system shut down, 
basically was a small inconvenience. We had people driving east 
to New York versus normally getting on a plane.
    Chairman Tom Davis. You have a lot of redundancy in your 
system, don't you?
    Mr. Kern. One of the things we do is we believe there is 
that kind of continuity by design, not just assuming what is 
going to happen in a disaster but how do you build that 
reliability and resiliency into your network or the service or 
infrastructure you need to provide your services for your 
customers or constituents.
    For example, just in providing power, I know I mentioned 
the power outage at LAX. As far AT&T's offices were, we create 
the communications that basically hub the transport for our 
customers. We have three or four different levels of 
reliability around power. We have separate power feeds from 
separate substations. So, hopefully, the bird spreading its 
wings across one power line wouldn't impact the other power 
line.
    We have dedicated generators in each building. We have 
battery backup, and we have the ability to bring in portable 
generators, kind of multiple layers of reliability and 
resiliency. I would say that a power outage would never be 
noticed by our customers because it is something we have built 
into the system. We wouldn't have to recover from it. We have 
planned for it and have built it into the network itself.
    Chairman Tom Davis. One of the reasons we got you here 
today is because you know how to do this business. You do it on 
a practical basis. You are culturally a lot different than 
government. You have a lot of real-world experience in this at 
AT&T. Every time there is a massive storm, who knows, whatever 
disaster. So government is dealing with theoretical exercises. 
You are dealing with real-world experience; and nothing beats 
experience, as you know.
    They used to say the difference between education and 
experience is education is when you read the fine print and 
experience is when you don't. In this particular case, you get 
your mistakes out already because you have a lot of experience 
with that. The government doesn't.
    So, second, you are in a competitive atmosphere. These are 
not theoretical occurrences to you. These are occurrences that 
if they happen and you can't satisfy your customers, they can 
go to a competitor. In government's case, they have nowhere 
else to go. It makes you respond differently.
    If government would try to take some of those competitive 
spirits you have--and try and tell the government and say this 
is why you operate it differently or this is why you make it 
more of a priority than government does. We try to do it in 
government sometimes, but these agency heads, they have a lot 
of pressure on them to perform under a lot of different 
regulatory obligations and this is when it probably won't 
happen, at least on their watch. You tend to push it aside, to 
put your resources toward something that is a little more 
current and a little more mission critical.
    Mr. Kern. One of the things we had done to get past that--
because in the early days of our program we had similar issues 
where the different organizational heads said I have more 
important things to do. This type of disaster will never impact 
us. One thing that we have set up as part of the process was 
kind of the governance structure. What's the set of standards 
and rules around what every organization in the government, 
what every agency has to do?
    Probably most importantly and one of the functions that we 
perform that definitely would be a good idea for the government 
is in our case it would be a business impact analysis. In the 
case of the government, it might be an operations impact 
analysis. Understand that across the entire enterprise and 
government, what agencies are responsible working together to 
provide certain key services and functions to the constituents 
and then how do you address continuity of operations based on 
those critical services, not just on an agency level.
    The other piece we have introduced over the 12 years that 
we've been doing this is the idea that this is part of a 
person's function, this is part of their job. For us in private 
enterprise, it goes to--the future funding they receive goes to 
their pay, future promotions; and it is in a sense of how they 
are graded. It's another important piece as a common report 
card.
    If you have checklists, it is one thing. The next layer 
down is to look at what is the report card so that you know 
that a level A from one agency means the same as grade A for 
another agency and you do the exercises that the gentleman from 
FEMA mentioned that are across multiple agencies, kind of 
driven to a specific service.
    Chairman Tom Davis. That is an excellent point.
    Kind of mystifies me when you have an intelligence failure 
in the government, nobody gets fired. You have it at AT&T. You 
have a lot of people losing their jobs.
    I am not arguing one is necessarily better than the other, 
but we could use a little more of the AT&T culture sometimes in 
government in staying ahead of the curve. But because we are 
not in a competitive mode, we tend to be more reactive than 
proactive.
    You talk about incentives for your managers. There is no 
incentive for getting this plan down and having a great 
contingency plan. They are going to care more about current 
operations and what are you doing currently. I think that is 
the point you are making.
    You also have to deal with a lot of changing technologies 
in telecommunication at this point, the move to wireless. 
Instead of interagencies, you have to work with your 
competitors in some cases, your line-sharing. How does that 
work?
    Mr. Kern. The one issue is changes in technology, in some 
cases, changes in technology presents a challenge and some 
cases it presents a new opportunity. If you look at the 
increase in wireless technology, in the past, if you had to go 
to a physical place to connect into the network to get your job 
done or to get your business accomplished, now you can 
accomplish it wirelessly. In some cases, technology presents a 
challenge, but in a lot of our cases, it just presents more of 
an opportunity.
    In the case of government, there is just more opportunity 
to leverage what is already being developed in the private 
industry to do a good COOP plan. If you imagine the wireless 
lands and wireless cellular voice technology, it allows you to 
set up your continuity of operations sites in places where you 
would not be able to get land lines to.
    As far as the question around the cooperation, one of the 
things that we do through the Department of Homeland Security 
there is a National Coordinating Center, and that is one place 
in the industry where we can work together in the event of a 
real disaster or an event that would impact the network, like 
the power outage last summer, where we can get together to 
coordinate our activities to make sure if there is any mutual 
aid that makes sense where can we offer assistance where 
another carrier might not have enough generators or enough 
manpower to get a certain task done.
    What places in the Federal Government offer that place of 
coordination and command and control that the 
telecommunications carriers get through the National 
Coordinating Center is another question that kind of brings to 
FEMA's role or not.
    Chairman Tom Davis. Has anybody from the government come 
and asked you, what do you do for your COOP planning? Anybody 
consult with you and say you guys have to go through this? You 
have been through a lot of natural disasters and the like.
    Mr. Kern. Personally, I have had dealings with several 
different agencies about their COOP plans, either reviewing 
them, offering suggestions on things that could be done or, in 
some cases, we will receive requests from government agencies 
to understand how the services that we provide, something like 
an ultra available, which is a way we can distribute technology 
across a given metropolitan area to make sure you don't have a 
point-to-point facility that is going to impact your ability to 
operate your enterprises, this kind of gives you a ring of 
capability, a place where you can operate your different 
services. So we will have requests from agencies to provide 
technology or to provide capability that they can use in their 
COOP.
    We have had all different flavors. I think the agency we 
have dealt with the most has been the GSA where, again, part 
FTS 2001, there was a whole level of specific security 
applications that ranged for different levels of security that 
agencies could use to implement security needs.
    We are also working with the GSA on FTS Networx, which is 
the next evolution of how do we not build in just the security 
but the resiliency and reliability. Each agency does not have 
the same need for the robustness, reliability, resiliency. How 
do you have a four, five-tiered structure so that agencies can 
get the reliability that they need to buy the resiliency to 
allow them to operate their business without agencies that 
don't need that same level of resiliency having in a sense pay 
for a service they are not going to use.
    Chairman Tom Davis. Thank you very much.
    Ms. Watson.
    Ms. Watson. I want to sincerely thank you for being here, 
Mr. Kern.
    I would hope that your researchers can look toward the 
future. Everyone is saying, who would have ever thought an 
airplane would hit a building? We heard it rumored around 
before September 11. Now we know it is a reality. We need to 
look toward the future with our technology. We just put an 
apparatus on Mars, and they plan for it to go over rough 
surfaces and pick things up and photograph things.
    What I am hearing that frustrates me is that we are not 
thinking progressively enough. I am very frustrated that we 
have had our third outage, as I mentioned, in 10 days. Why are 
we still depending on wires that go above the ground if a bird 
can light on them and knock out the whole airport? Are we 
thinking about the possibilities? We don't want a play on 
words, as was raised with the last panel. We want to really get 
people out ahead of these occurrences.
    I think you could be very helpful, AT&T, in saying to our 
agencies, look, we have a design here that might work so you 
won't have to have this happen again; and then it is their 
responsibility to take a look and investigate. I would hope 
that you--and I know the competition is high, but come out 
ahead of all the others with a way to avoid--and I think that 
power outage can be avoided if we think more progressively and 
more scientifically. Maybe we ought to contact NASA, because 
apparently they have plans for all contingencies when they put 
a spacecraft up. But I want to encourage you to impact on us in 
government.
    And I think the chairman was absolutely right. You know, we 
don't have the experience, and we don't get into the business 
of detecting things before they happen. We have not been in the 
business of doing that. We can make policy afterwards.
    But I do think we are going to have to go out to the 
utilities, go out to private industry and say help and present 
to us, to FEMA, to the COOP or COOP or whatever you want to 
call it, you know, these are some things that government ought 
to invest in.
    So I want to thank you for coming, Mr. Kern. I really don't 
have a question. It is more or less a recommendation to you to 
come back to us.
    Chairman Tom Davis. Ms. Watson, let me just say, to stick 
with the puns and keep them on subject with the birds and the 
wires, you can't do this on the cheep.
    Mr. Kern. My opening remarks mentioned my extra kind of 
capacity--I have seven acres in New Jersey. I have about nine 
hens and a rooster, so I am familiar with coops both at a 
business level and a personal level. But now that you throw 
cheep into the bargain--we are definitely linked to assist the 
government wherever we can. We have--over the 100 years that we 
have been around as an enterprise, AT&T has developed a very 
comprehensive set of standards around things like physical 
infrastructure. How do you power an enterprise that is 
important to you? How do you back that power up? What do you do 
around cyber security, physical security? How do you have 
continuity of operation plans that really take into effect 
where you can bring your people to--impacts to things like 
telecommuting, all the things we have great expertise at and 
definitely willing to help the government wherever we can 
either through our technology, our standards, our expertise or 
the experience that we have really developed over, in some 
cases, the last 12 years for business continuity but, in other 
cases, 100 years in operating a rather large, a rather critical 
infrastructure that provides the network service that everybody 
relies on.
    Ms. Watson. Mr. Chairman, if I could just take 1 more 
minute. We are going to have a bill on the floor, the 
Sensenbrenner bill. Reading the fine print--and this is where 
policymakers comes in. We read the fine print. We don't go on 
our experiences. It says that if there is an extraordinary 
circumstance and the Speaker of the House of Representatives 
announces vacancies, well, if the plane has succeeded in 
hitting the Capitol, it might have wiped everyone out, 
including the Speaker. If we are going to put law in the books, 
we are going to have to think beyond the words here. So it 
should be designated--someone who does the designating. Because 
the Speaker and all the rest of us will probably perish if that 
were to occur.
    My point is we have to think differently than we have in 
the past; and, as a policymaker, this becomes the law. You 
know, it can be adjudicated in the courts. So how do we think 
in a way that will address these unusual circumstances?
    Those of you out in the field in terms of the way agencies 
work and operations work and utilities work and so on have to 
benefit--we have to benefit from your experience, and you have 
to suggest to us. Now whether we make policy based on the input 
is left up to us, but I really invite your recommendations.
    With that, I want to thank you, Mr. Chairman.
    Chairman Tom Davis. Ms. Watson, thank you very much.
    Mr. Ruppersberger, do you have any questions.
    Mr. Ruppersberger. I didn't hear your testimony. Thank you 
for being here.
    Just generally, though, in the event that there is a 
catastrophe, it seems to me that in your field in 
communications it is an essential function during an event, 
after an event and then the months after the actual event. Do 
you communicate or work closely with anyone in Homeland 
Security as far as developing----
    Mr. Kern. Yes.
    Mr. Ruppersberger. As much you can, what is that 
communication? Are they giving you the lead or are you helping 
them as consultants? How would you describe where that is now?
    Again, we know Homeland Security is new. What would you 
like to see to make that function even better?
    Mr. Kern. We have many roles with the Department of 
Homeland Security. One of them and probably important to me is 
the National Coordinating Center. It is the part of the 
Department of Homeland Security where the carriers have a 
common meeting ground to both plan around continuity and also 
to respond to an event.
    During the World Trade Center, we worked through the NCC--
at that time, it was part of the FCC--to understand where we 
need to bring in equipment or where we needed to have people. 
So the key function of the Department of Homeland Security for 
us is that kind of coordination role.
    Another one is if we consider--what we try to do is not 
wait for the disaster but how do you get ahead and be proactive 
and look at the events that are coming up that you might need 
to worry about the impacts on your network or your people. I 
look at national security events as a big concern when one is 
declared by the government, understanding what is the real 
risk, what is the impact to our network. Do we need to do 
something different ahead of time to further harden our 
network, to bring in additional people in a nearby area? That 
is one area where the Department of Homeland Security 
definitely takes the lead around coordinating, around the 
contingency planning for national special security events; and 
we work through them.
    Mr. Ruppersberger. Are you coordinating your networks for--
using your own money. Do you use Federal money? Where are you 
as it relates to money?
    Mr. Kern. Right now, any of the planning that we do, any 
contingency planning that we do, it's our own money. As far as 
I know, we have not received any grants or funding to do our 
disaster recovery work or to do any of the contingency work. It 
is something that we have determined that is important to our 
customers, to the services that we provide and our ability to 
operate them under any event. We decided to undertake the 
expense and risk to do that.
    Mr. Ruppersberger. If an event occurs, another event in a 
major metropolitan area, are you ready?
    Mr. Kern. Yes. We have had our program for the last 12 
years. We were prepared for September 11, not for that type of 
event. But based on the structure and contingencies we had in 
place we were able to respond and deploy equipment to meet the 
needs from that disaster. Since September 11, we have increased 
our capabilities and added more people to the process and we 
are looking at things, some of the risks that are out there, 
maybe have a higher probability, the more manmade, chemical, 
biological attacks. We are participating in TOPOFF 3, which is 
the WMD exercise that is going to be held in New Jersey, 
Connecticut area next year. We have increased our capabilities 
to respond to those new threats. If there is an event in this 
country, we are prepared to respond.
    Mr. Ruppersberger. What about your other major competitors? 
Are they in the same position you're in, based on your 
knowledge? I know you are going to say you're the best, but are 
they close?
    Mr. Kern. We don't spend any money looking to see what our 
competitors are doing with investment money.
    Mr. Ruppersberger. From a national security point of view, 
in the event there is a catastrophe, are we able to provide the 
communications needed? Because you are not the only game in 
town.
    Mr. Kern. Unfortunately, that question would be best left 
to the competitors. I would say that none of our competitors 
have the mobile recovery capability that we have developed, the 
resiliency that we have developed, the multiple layers of 
backup that we have developed. To my knowledge, none of our 
competitors have taken their services as seriously as we have 
and do not have that type of capability.
    We have invested more than $300 million. We have 150 pieces 
of mobile disaster recovery equipment dedicated to AT&T's 
network, both private enterprise and the Federal Government.
    To my knowledge--I have been in the telecommunication 
industry for more than 28 years, and I have been in the 
disaster recovery field for more than 7 years, and none of our 
competitors have a mobile recovery capability to the extent 
that we do and could not respond in the same fashion that we 
can.
    Chairman Tom Davis. Thank you very much.
    I want to thank the Members for attending and thank our 
panelists.
    Mr. Kern, thank you very much. This has been very helpful 
to us; and we wish you luck in your future endeavors as well.
    Again, I want to thank our witnesses for attending. I would 
like to add that the record will be kept open for 2 weeks to 
allow witnesses to include any other information in the record.
    The hearing is adjourned.
    [Whereupon, at 11:30 a.m., the committee was adjourned.]
    [Note.--The GAO report entitled, ``Continuity of 
Operations, Improved Planning Needed to Ensure Delivery of 
Essential Government Services,'' may be found in committee 
files.]
    [The prepared statement of Hon. Elijah E. Cummings and 
additional information submitted for the hearing record 
follow:]

[GRAPHIC] [TIFF OMITTED] T5423.033

[GRAPHIC] [TIFF OMITTED] T5423.034

[GRAPHIC] [TIFF OMITTED] T5423.035

[GRAPHIC] [TIFF OMITTED] T5423.036

                                 
