Continuity of Operations: Agency Plans Have Improved, but Better
Oversight Could Assist Agencies in Preparing for Emergencies
(28-APR-05, GAO-05-577).
To ensure that essential government services are available in
emergencies, federal agencies are required to develop continuity
of operations plans. According to guidance from the Federal
Emergency Management Agency (FEMA), which is responsible for
providing guidance for and assessing agency continuity plan, a
key element of a viable capability is the proper identification
of essential functions. GAO previously reported on agency
continuity plan compliance, and determined that a number of
agencies and their components did not have continuity plans in
place on October 1, 2002, and those that were in place did not
generally comply with FEMA's guidance. GAO was asked to
determine, among other things, to what extent (1) major federal
agencies used sound practices to identify and validate their
essential functions and (2) agencies had made progress since 2002
in improving compliance with FEMA guidance.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-577
ACCNO: A22839
TITLE: Continuity of Operations: Agency Plans Have Improved, but
Better Oversight Could Assist Agencies in Preparing for
Emergencies
DATE: 04/28/2005
SUBJECT: Agency evaluation
Continuity of operations
Continuity of operations plan
Emergency preparedness
Federal agencies
Federal Emergency Management Agency
Homeland security
Mission essential operations
National preparedness
Performance measures
Strategic planning
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-05-577
United States Government Accountability Office
GAO Report to the Chairman, Committee on Government Reform, House of
Representatives
April 2005
CONTINUITY OF OPERATIONS
Agency Plans Have Improved, but Better Oversight Could Assist Agencies in
Preparing for Emergencies
a
GAO-05-577
[IMG]
April 2005
CONTINUITY OF OPERATIONS
Agency Plans Have Improved, but Better Oversight Could Assist Agencies in
Preparing for Emergencies
What GAO Found
Many of the 23 agencies that GAO reviewed reported using sound practices
for identifying and validating essential functions (see table), but few
provided documentation sufficient for GAO to confirm their responses. This
indicates that agencies-although aware of the practices-may not have
followed them thoroughly or effectively. Further, the essential functions
identified by agencies varied widely: the number of functions identified
in each plan ranged from 3 to 538 and included ones that appeared to be of
secondary importance. A major factor contributing to these shortcomings
was that FEMA's guidance did not provide specific criteria for identifying
essential functions. Subsequent guidance from FEMA and the White House
significantly addresses the sound practices GAO identified. In addition,
the White House plans further actions to improve continuity planning. If
this guidance and these follow-up actions are implemented effectively,
they could lead to improved identification of essential functions in the
executive branch.
As of May 1, 2004, agencies had made progress in improving compliance with
FEMA guidance, but significant weaknesses remained. Agencies that had
plans in place in both years showed significant improvement in the area of
tests, training, and exercises. However, although some improvement
occurred for other planning areas, important weaknesses remained: for
example, 31 of 45 plans did not fully identify mission-critical systems
and data necessary to conduct essential functions. Inadequate oversight by
FEMA contributed to the level of weaknesses in agency continuity plans.
FEMA plans to improve oversight using an online readiness reporting
system, which it plans to have fully operational later this year, and it
has already taken other steps to help agencies improve their plans, such
as conducting an interagency exercise. However, FEMA does not plan to
verify the readiness information that agencies will report in the system.
Sound Practices Identified by GAO for Determining Essential Functions
Practices
Establish a structured continuity project work group/committee that
includes representatives of all agency components, legal advisers, and
continuity experts and either includes a member of the agency's executive
management or reports to a member of the agency's executive management.
Such a committee should be involved in the initial selection of essential
functions.
Determine the resources necessary to perform each function.
Determine the dependencies necessary to perform each function.
Develop a schedule or project plan for critical stages in the continuity
program effort.
Identify and rank plausible threats, vulnerabilities, liabilities, and/or
exposures through a risk assessment.
Perform a risk and impact analysis for each essential function-including
prioritization of essential functions and determination of minimum
acceptance level of output and recovery time objective for each function.
Develop and implement a strategy for validating the plan and underlying
essential functions.
Change agency's essential functions as the result of the validation
process.
Source: GAO.
United States Government Accountability Office
Contents
Letter 1 Recommendations 4 Agency Comments and Our Evaluation 4
Appendixes
Appendix I: Unclassified Version of February 28, 2005, Briefing to the
Committee on Government Reform, House of
Representatives 7
Appendix II: Comments from the Department of Homeland Security 79
Abbreviations
COOP continuity of operations
DHS Department of Homeland Security
FEMA Federal Emergency Management Agency
FPC Federal Preparedness Circular
OMB Office of Management and Budget
OPM Office of Personnel Management
PDD Presidential Decision Directive
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
A
United States Government Accountability Office Washington, D.C. 20548
April 28, 2005
The Honorable Tom Davis Chairman, Committee on Government Reform House of
Representatives
Dear Mr. Chairman:
As you know, essential government services can be interrupted by a range
of events, including terrorist attacks, severe weather, or building-level
emergencies. Federal agencies are required by Presidential Decision
Directive (PDD) 67 to develop plans for ensuring the continuity of such
services in emergency situations. This directive also designated the
Federal Emergency Management Agency (FEMA) as executive agent for
executive branch continuity of operations (COOP) planning, which includes
the responsibility for formulating guidance on such planning and for
assessing the status of executive branch COOP capabilities.
In response, FEMA issued Federal Preparedness Circular (FPC) 65 in July
1999 as guidance to agencies. The circular states that, in order to have a
viable COOP capability, agencies should identify their essential
functions. These functions then provide the basis for subsequent planning
steps. The circular also identified eight elements of a viable capability.
In June 2004, FEMA released an updated version of FPC 65, providing
additional guidance to agencies on each of the topics covered in the
original guidance, including an annex on essential functions.
We previously reviewed agency COOP plan compliance with FEMA's guidance at
your request. At that time, we reported that a number of agencies and
their components did not have continuity plans in place on October 1,
2002, and those that were in place did not generally comply with FEMA's
guidance.1
At your request, we subsequently assessed plans in place on May 1, 2004,
both from the agencies that we previously reviewed that had plans in place
in 2002 and from agencies that subsequently adopted plans. For the current
1GAO, Continuity of Operations: Improved Planning Needed to Ensure
Delivery of Essential Government Services, GAO-04-160 (Washington, D.C.:
Feb. 27, 2004) and Continuity of Operations: Improved Planning Needed to
Ensure Delivery of Essential Services, GAO-04-638T (Washington, D.C.: Apr.
22, 2004).
review, as agreed with the Committee, our objectives were to determine to
what extent
o major federal agencies used sound practices to identify and validate
their essential functions,
o agencies had made progress in improving compliance with the guidance
outlined in the July 1999 version of FPC 65 since our 2002 review,2 and
o agency continuity of operations plans addressed the use of telework
arrangements (in which work is performed at an employee's home or at a
work location other than a traditional office) during emergencies.
To achieve our first objective, we reviewed published literature on
continuity planning; consulted with experts on continuity planning;
surveyed agency officials responsible for COOP planning to determine which
practices were used when agencies identified their essential functions;
reviewed supporting documentation submitted by agency officials to support
their responses; and conducted additional quantitative and qualitative
analyses of the essential functions listed in agency plans.
For our second objective, we obtained and evaluated the headquarters
continuity plans in place as of May 1, 2004, from 20 of the 23 largest
civilian departments and agencies, as well as the headquarters plans for
25 components of departments. These agencies were selected because they
were responsible for programs previously deemed high impact by the Office
of Management and Budget (OMB).3 We also interviewed the agency officials
responsible for developing these plans, obtained and analyzed FEMA
guidance and documents describing its efforts to provide oversight and
assessments of the federal COOP planning efforts, and interviewed FEMA
officials to clarify the activities described in these documents.
Finally, to accomplish our third objective, we reviewed our prior reports
on telework to determine key practices for the development of an effective
telework program; developed a series of questions regarding agency plans
2Since the June 2004 version of FPC 65 was released after our cutoff date
of May 1, 2004, we assessed plans against the July 1999 version of FPC 65.
3In addition to the 24 components selected for their high impact programs,
we evaluated the plan from the Department of the Treasury's Financial
Management Service because of its significant role in processing federal
payments.
to use telework during a COOP event; surveyed agency officials responsible
for continuity planning to determine to what extent telework key practices
were used in making continuity preparations; and reviewed supporting
documentation submitted by agency officials to support their responses. We
conducted our review between April 2004 and January 2005, in accordance
with generally accepted government auditing standards.
On February 28, we provided your office with a classified briefing on the
results of this review. The purpose of this letter is to provide you with
the unclassified material from our briefing. (See app. I.)
In summary, many of the 23 agencies reported using the eight sound
practices for identifying and validating essential functions that we
identified (for example, performing a risk and impact analysis for each
essential function), but few provided documentation sufficient for us to
confirm their responses. This indicates that agencies-although aware of
these practices-may not have followed them thoroughly or effectively. In
addition, the number of functions identified in each agency plan ranged
from 3 to 538 and included ones that appeared to be of secondary
importance. Both FEMA's revision to its guidance and a recently initiated
White House effort have the potential, if effectively implemented, to help
agencies better identify their essential functions and thus develop better
continuity plans. However, the lack of a schedule to complete the White
House effort makes it unclear when these improvements might take place.
Furthermore, although agency COOP plans have shown improvement since our
prior assessment of 2002 plans, most plans in place on May 1, 2004,
continued to exhibit inconsistencies in the identification of essential
functions and significant lack of compliance with FEMA's guidance.
Inadequate oversight by FEMA contributed to the level of weaknesses in
agency COOP plans. FEMA plans to improve oversight using an online
readiness reporting system, which it plans to have fully operational later
this year, and it has already taken other steps to help agencies improve
their plans, such as conducting an interagency exercise. However, FEMA no
longer plans to verify the readiness information that agencies will report
in the system.
Finally, according to guidance from the Office of Personnel Management
(OPM), one of the major benefits of a telework program is the ability of
telework employees to continue working at their alternative work sites
during a disruption to operations.4 Even though FEMA's continuity planning
guidance in place in May 2004 did not address telework, one agency's
continuity plan in place at that time indicated that it was planning to
use telework in response to an emergency. In addition, 10 agencies
reported that they planned to use telework following a COOP event, but
their plans were not clearly documented.
Recommendations To ensure that agencies are adequately prepared to
continue performing essential functions following an emergency, we are
making four recommendations. We recommend that the Assistant to the
President for Homeland Security establish a schedule for the completion of
the recently initiated effort to validate agency essential functions and
refine federal continuity of operations policy. We also recommend that the
Secretary of Homeland Security direct the Under Secretary for Emergency
Preparedness and Response to
o develop a strategy for short-term oversight that ensures that agencies
are prepared for a disruption in essential functions while the current
effort to identify essential functions and develop new guidance is
ongoing;
o develop and implement procedures that verify the agency-reported data
used in oversight of agency continuity of operations planning; and
o develop, in consultation with OPM, guidance on the steps that agencies
should take to adequately prepare for the use of telework during a COOP
event.
Agency Comments and We received written comments on a draft of our
briefing from the Under Secretary for Emergency Preparedness and Response
of the Department of
Our Evaluation Homeland Security (DHS). (These comments are reproduced in
app. II.) In commenting on the briefing, the Under Secretary stated that
DHS agreed that there has been improvement in COOP plans and attributed
that improvement to a renewed emphasis by DHS and the White House. The
department also agreed with the need for additional oversight and noted
4U.S. Office of Personnel Management, Washington, DC, Area Dismissal or
Closure Procedures (Washington, D.C.: Dec. 4, 2003).
that FEMA had begun conducting COOP site assessments at departments and
agencies to improve readiness.
The Under Secretary's letter drew attention to a number of actions taken
after the May 1, 2004, cutoff date for our assessment. These actions
include an interagency exercise conducted in May 2004, the June 2004
release of the revised FPC 65, FEMA's training for COOP managers, and
initial planning for the next interagency exercise in 2006. These actions
are described in our briefing. However, we did not use the June 2004
guidance in our assessments because it was released after we began our
review.
The Under Secretary wrote that it was unclear whether we had considered
classified information that DHS provided about interagency communications
in our assessments. We considered this information in our assessments of
individual agency plans, and the briefing reflects the results.
Finally, the Under Secretary pointed out that the readiness reporting
system that FEMA is developing was not intended to be a COOP plan
assessment tool, but that it instead provides key officials with the
ability to determine plan status in near real time. We continue to believe
that it is important for FEMA to assess agency plans as part of its
oversight responsibilities. Regardless of the system's intended use, we
believe its capabilities, as described by FEMA, make it a valuable tool
that the agency should use when exercising these responsibilities.
We subsequently met with FEMA officials in April 2005 to receive an update
on their oversight efforts. Officials stated that development of the
readiness reporting system was completed in March 2005, and that the
system is expected to be operational and certified by October 2005, at
which time there will be seven locations (including two FEMA locations)
using the system. In addition, FEMA reported that as of April 2005, it has
trained 682 federal, state, and local officials representing 30 major
federal departments and agencies and 209 smaller agencies.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days from
the date of this report. At that time, we will send copies of this report
to the Chairmen and Ranking Minority Members of the Subcommittee on
Homeland Security, House Committee on Appropriations; Subcommittee on
National Security, Emerging Threats, and International Relations, House
Committee on Government Reform; and the Subcommittee on Oversight of
Government Management, the Federal Workforce, and the District of
Columbia, Senate Committee on Governmental Affairs. We are also sending
copies to the Secretary of Homeland Security. We will make copies
available on request. In addition, the report will be available at no
charge on the GAO Web site at http://www.gao.gov.
Should you or your offices have any questions about matters discussed in
this report, please contact me at (202) 512-6240 or by e-mail at
[email protected]. You may also contact James R. Sweetman, Jr., at (202)
512-3347 or by e-mail at [email protected]. Major contributors to this
report also included Barbara Collier, Mike Dolak, Nick Marinos, and
Jessica Waselkow.
Sincerely yours,
Linda D. Koontz Director, Information Management Issues
Appendix I
Unclassified Version of February 28, 2005, Briefing to the Committee on
Government Reform, House of Representatives
Continuity of Operations: Agency Plans Have Improved, but Better Oversight
Could Assist Agencies in Preparing for Emergencies
Briefing for the Staff of the Committee on Government Reform, House of
Representatives
1
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Introduction
Objectives, Scope, and Methodology
Results in Brief
Background
Results
o Identification of essential functions
o Compliance of federal agency continuity plans with guidance
o Telework Conclusions Recommendations Agency Comments and Our Evaluation
Attachment 1: Continuity Planning Bibliography Attachment 2: Major
Agencies Reviewed Attachment 3: Component Agencies Reviewed, with
High-Impact Program Responsibilities Attachment 4: 38 High-Impact Programs
and Responsible Agencies
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Federal operations and facilities have been disrupted by a range of
events, including
o the terrorist attacks on September 11, 2001, and at Oklahoma City;
o localized shutdowns due to severe weather conditions, such as the
closure of federal offices in Washington, D.C., in September 2003 due to
Hurricane Isabel; and
o building-level events, such as asbestos contamination at the Department
of the Interior's headquarters.
Such disruptions, particularly if prolonged, can lead to interruptions in
essential government services. Prudent management, therefore, requires
that federal agencies develop plans for ensuring the continuity of such
services in emergency situations. These are referred to as continuity of
operations (COOP) plans. These plans lay out an agency's approach to
maintaining services, ensuring proper authority for government actions,
and protecting vital assets.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In October 1998, Presidential Decision Directive (PDD) 67 identified the
Federal Emergency Management Agency (FEMA) as the executive agent for
federal COOP planning across the federal executive branch.
FEMA's responsibilities include
o formulating guidance for agencies to use in developing viable plans,
o coordinating interagency exercises and facilitating interagency
coordination as appropriate, and
o overseeing and assessing the status of COOP capabilities across the
executive branch.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In July 1999, FEMA first issued Federal Preparedness Circular (FPC) 65.
FPC 65 is guidance to the federal executive branch for use in developing
viable and executable contingency plans that facilitate the performance of
essential functions during any emergency. Specifically, the guidance
o established the identification of essential functions as the basis for
COOP planning;
o defined essential functions as those that enable agencies to provide
vital services, exercise civil authority, maintain safety, and sustain the
economy during an emergency;
o defined the elements of a viable continuity of operations capability
according to eight topic areas: identification of essential functions;
development of plans and procedures; identification of orders of
succession; delegations of authority; provision for alternate facilities;
provision of interoperable communications; availability of vital records;
and conduct of regular tests, training, and exercises; and
o set up an interagency working group to coordinate continuity planning.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
FPC 65 applies to all federal executive branch departments and agencies at
all levels, including locations outside Washington, D.C. It directed the
heads of each agency to assume responsibilities including
o developing, approving, and maintaining agency continuity plans and
procedures;
o developing a COOP multiyear strategy and program management plan; and
o conducting tests and training of agency continuity plans, contingency
staffs, and essential systems and equipment.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objectives
We previously reviewed agency COOP plan compliance with FEMA's guidance at
the request of the Chairman, House Committee on Government Reform. At that
time, we found that a number of agencies and their components did not have
continuity plans in place on October 1, 2002, and those that were in place
did not generally comply with FEMA's guidance.
At the Chairman's request, we subsequently assessed plans in place on May
1, 2004, both from the agencies that had plans in place in 2002 and from
agencies that subsequently adopted plans. For the current review, as
agreed with the Committee, our objectives were to determine to what extent
o major federal agencies used sound practices to identify and validate
their essential functions,
o agencies had made progress in improving compliance with the guidance
outlined in FPC 65 since our 2002 review, and
o agency continuity of operations plans addressed the use of telework
arrangements (in which work is performed at an employee's home or at a
work location other than a traditional office) during emergencies.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Scope and Methodology
To accomplish our objective on sound practices, we
o reviewed published literature on continuity planning to identify sound
practices in selecting and validating essential functions (a bibliography
is included in attachment 1);
o consulted with experts on continuity planning to validate the resulting
list of sound practices;1
o surveyed agency officials responsible for COOP planning to determine
which practices were used when agencies identified their essential
functions;
o reviewed supporting documentation submitted by agency officials to
support their responses; and
o conducted additional quantitative and qualitative analyses of the
essential functions listed in agency plans.
1 We consulted with experts on continuity planning from the Business
Continuity Institute and the Disaster Recovery Institute International, as
well as from five private sector businesses-the Gillette Company, Lockheed
Martin Corporation, Macy's West, Marsh & McLennan Companies, Inc., and
Science Applications International Corporation. We selected the five
businesses based on their experience and knowledge of human capital or
emergency management as it relates to continuity, based in part on input
from the National Academy of Public Administration, the Private Sector
Council, and FEMA.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Based on an analysis of published literature and in consultation with
experts on continuity planning, we identified eight sound practices
related to essential functions that organizations should use when
developing their continuity plans. These practices constitute an ongoing
process that includes the selection and validation of essential functions.
We surveyed agency officials responsible for COOP planning to determine
which of the eight practices were used when agencies developed their
continuity plans. Agencies were asked whether they used each sound
practice and to respond with "yes," "no," or "partial" (if they used some,
but not all of the described practice). For "yes" and "partial" responses,
agencies were requested to provide supporting documentation. We then
analyzed the provided documentation to determine if the documents
supported the related response. We tabulated the results of the survey,
distinguishing responses that were supported with adequate documentation
from those that were not.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
To assess agency compliance with FPC 65 in May 2004, we
o obtained and evaluated headquarters contingency plans in place as of
May 1, 2004, from 20 of the 23 largest civilian departments and agencies1
(the 23 agencies are listed in attachment 2);
o obtained and evaluated plans from 24 components of departments,
selected because they were responsible for a program previously deemed
high-impact by the Office of Management and Budget (OMB),2 as well as the
Department of the Treasury's Financial Management Service, which we
selected because of its significant role in processing federal payments
(attachment 3 lists these 25 components and the high-impact programs for
which they are responsible);
o interviewed agency officials responsible for developing each of the 45
continuity plans
and reviewed other documentation provided by agencies to demonstrate
compliance with
the guidance;
o obtained and analyzed FEMA's COOP guidance and documents describing its
efforts to
provide oversight and assessments of federal planning efforts, and
conducted interviews
with FEMA officials to clarify the activities described in these
documents.
1Two agencies had not yet developed plans, and one plan was not assessed
against FPC 65 because the agency identified
no essential functions.
2In March 1999, during its planning to address the Year 2000 computing
issue, OMB identified a number of programs which
it determined to have a high impact on the public. The agencies
responsible for these programs are listed in attachment 4.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
As we did in 2002, we assessed each agency plan using yes/no questions
based on the guidance in FPC 65. These questions address each of the eight
topic areas discussed in the guidance:
o essential functions,
o plans and procedures, o orders of succession,
o delegations of authority,
o alternate facilities,
o redundant emergency communications,
o vital records, and
o tests, training, and exercises. Each topic area included two to eight
questions.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Based on the agency contingency plans and other related documents, we used
content analysis to assign an answer of yes (compliant with all of the
guidance related to that question), no (not compliant with any of the
guidance related to that question), or partially (compliant with some, but
not all of the guidance) to these 34 questions.
o Documents were reviewed and compared independently by two analysts.
o The analysts then met to compare their assessments and reach a
consensus assessment. A third analyst reviewed plans where the initial two
could not reach consensus.
o Initial assessments were shared with each agency during structured
interviews.
o Agency officials had the opportunity to provide additional
documentation to demonstrate compliance.
o Any supplemental information provided by the agencies was again
reviewed by multiple analysts, first independently and then jointly.
Based on this analysis, we created summary tables that compared answers
across agencies.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
To accomplish our objective on the use of telework, we
o reviewed prior GAO work on telework1 to determine key practices for the
development of an effective telework program;
o developed a series of questions regarding agency plans to use telework
during a COOP event;
o surveyed agency officials responsible for continuity planning to
determine to what extent telework key practices were used in making
continuity preparations;
o reviewed supporting documentation submitted by agency officials to
support their responses.
We conducted our review between April 2004 and January 2005, in accordance
with generally accepted government auditing standards.
1 GAO, Human Capital: Further Guidance, Assistance, and Coordination Can
Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.: July 18,
2003).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Many of the 23 agencies reported using the eight sound practices for
identifying and validating essential functions that we identified (for
example, performing a risk and impact analysis for each essential
function), but few provided documentation sufficient for us to confirm
their responses. This indicates that agencies-although aware of these
practices- may not have followed them thoroughly or effectively. In any
case, the essential functions identified by agencies varied widely.
Specifically, of 45 plans in place on May 1, 2004, 43 identified at least
one essential function. However, the number of functions identified in
each plan ranged from 3 to 538 and included ones that appeared to be of
secondary importance. For example, one agency included "champion
decision-making decisions," among its essential functions.
A major factor contributing to these shortcomings was that as of May 1,
2004, FEMA's guidance did not provide specific criteria for identifying
essential functions. Subsequent guidance from FEMA and the White House
significantly addresses the best practices we identified. In addition, the
White House plans further actions to improve continuity planning. If this
guidance and follow-up actions are implemented effectively, they could
lead to more consistent identification of essential functions across the
executive branch.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Compared to our 2002 review, agencies had made progress in improving
compliance with FPC 65 as of May 1, 2004, but significant weaknesses
remained. Specifically, one of the three major agencies that did not have
a plan in place in 2002 subsequently developed a plan, but the other two
had no plans in place as of May 1. Plans were in place on May 1 for the
other 20 major agencies, as well as for 25 of their components responsible
for highimpact programs (9 more components than had plans in 2002).
Agencies that had plans in place in both 2002 and 2004 showed significant
improvement in the area of tests, training, and exercises. However,
although some improvement occurred for the other seven designated planning
areas, important weaknesses remained: for example, 31 of 45 plans did not
fully identify mission-critical systems and data necessary to conduct
essential functions, and 32 of 45 did not fully establish the staffing and
resource requirements needed to perform the essential functions.
Inadequate oversight by FEMA contributed to the level of weaknesses in
agency COOP plans. FEMA plans to improve oversight using an online
readiness reporting system, which it plans to have fully operational later
this year, and it has already taken other steps to help agencies improve
their plans, such as conducting an interagency exercise. However, FEMA no
longer plans to verify the readiness information that agencies will report
in the system. Without more effective oversight, improvements in
continuity plans could continue to proceed slowly, and the risk will
remain significant that the public will not be able to rely upon the
continued delivery of essential programs and services following an
emergency.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Although not required to do so, one of the 21 agency continuity plans in
place on May 1 documented plans to address some essential functions
through telework. Two other agencies reported that they planned to use
telework to fulfill their essential functions and eight agencies reported
that they planned for nonessential staff to telework during a COOP event,
but their continuity documents did not specifically document such plans.
In addition, none of the agencies that were planning to use telework
during a COOP event documented that they had followed the practices
necessary for the development of an effective telework program.1 In the
subsequent revision to its guidance, FEMA suggested that agencies consider
the use of telework, but neither this guidance nor telework guidance
issued by OPM addresses the preparations necessary to ensure an effective
telework program. As a result, agencies may not be able to use telework
effectively to ensure the continuity of their essential functions in
emergencies.
1 We identified key practices for preparing an effective telework program
from existing telework-related literature as well as other sources, such
as our work on human capital. GAO, Human Capital: Further Guidance,
Assistance, and Coordination Can Improve Federal Telework Efforts,
GAO-03-679 (Washington, D.C.: July 18, 2003).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
To help improve the ability of the executive branch to continue to provide
essential services during emergencies, we are making recommendations to
the Assistant to the President for Homeland Security and the Secretary of
Homeland Security.
In written comments on a draft of this briefing, the Department of
Homeland Security's Under Secretary for Emergency Preparedness and
Response stated that the department agreed that there has been improvement
in agency plans. He also agreed with the need for increased oversight, and
described actions FEMA is taking to assess agency COOP sites. The Under
Secretary also called attention to actions that took place after the
cutoff date of our assessment, and provided additional information on
several other topics. We reviewed the briefing to ensure that the issues
identified by the Under Secretary are adequately addressed.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In 1988, Executive Order 12656 established policy for preparedness to
address emergencies that affect national security, including technological
emergencies and natural disasters. The order identified the National
Security Council as the agency responsible for developing and
administering plans to meet essential needs during such emergencies, with
the assistance of FEMA.
In July 1999, FEMA issued FPC 65 to assist agencies in meeting the October
1999 deadline established by presidential directive. The guidance states
that COOP planning should address any emergency or situation that could
disrupt normal operations, including localized emergencies; thus, it
extended the scope of the required planning beyond the national
emergencies described in the Executive Order.
The guidance also states that essential functions form the basis of
continuity planning-they establish the planning parameters that drive the
agency's efforts in all other planning topics. For example, the guidance
directs agencies to identify alternative facilities, staff, and resources
necessary to support continuation of their essential functions. The
effectiveness of the plan as a whole and the implementation of all other
elements depend on the performance of this initial step.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Following the identification of essential functions, agencies are
responsible for developing agency continuity plans and procedures, as well
as a multiyear strategy and program management plan, which should address
continuity planning goals and objectives, budgetary requirements, and
planning milestones.
Finally, agencies are responsible for conducting training related to
agency continuity plans, as well as tests to verify the adequacy of their
plans and their ability to carry them out.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
We previously reported on federal agency headquarters contingency plans in
place in October 2002 at the request of the Chairman, House Committee on
Government Reform.1 At that time, we found that most agencies identified
at least one function as essential, but the functions varied in number and
apparent importance. We also found that while 20 of 23 agencies had
documented COOP plans, none addressed all the guidance in FPC 65. We
identified inadequate guidance and oversight as factors contributing to
these weaknesses, and recommended that the Department of Homeland Security
(DHS) (1) ensure that agencies without plans develop them, (2) ensure that
agencies address weaknesses in their plans, and (3) conduct assessments of
plans that included an independent verification of agency-provided data
and an assessment of identified essential functions. In response to these
recommendations, DHS reported in July 2004 that it (1) was developing an
online system to collect data from agencies on the readiness of their
continuity plans that would evaluate compliance with the guidance, (2) had
conducted an interagency exercise, and (3) had developed a training
program for agency continuity planning managers. DHS added that it planned
to conduct an independent validation of each agency's self-assessment
after deployment of the readiness system.2
1GAO, Continuity of Operations: Improved Planning Needed to Ensure
Delivery of Essential Government Services, GAO-04
160 (Washington, D.C.: Feb. 27, 2004) and Continuity of Operations:
Improved Planning Needed to Ensure Delivery of
Essential Services, GAO-04-638T (Washington, D.C.: Apr. 22, 2004).
2GAO, Status of Key Recommendations GAO Has Made to DHS and Its Legacy
Agencies, GAO-04-865R (Washington, D.C.:
July 2, 2004).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Based on an analysis of published literature and in consultation with
experts on continuity planning, we identified eight sound practices
related to essential functions that organizations should use when
developing their COOP plans. These practices constitute an ongoing process
that includes identifying and validating essential functions:
1. Establish a structured COOP project work group/committee that includes
representatives of all agency components, legal advisors, and continuity
experts and either includes a member of the agency's executive management
or reports to a member of the agency's executive management. Such a
committee should be involved in the initial selection of essential
functions.
2. Determine the resources necessary to perform each function.
3. Determine the dependencies necessary to perform each function.
4. Develop a schedule or project plan for critical stages in the
continuity of operations program effort.
5. Identify and rank plausible threats, vulnerabilities, liabilities,
and/or exposures through a risk assessment.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
6. Perform a risk and impact analysis for each essential
function-including prioritization of essential functions and determination
of minimum acceptance level of output and recovery time objective for each
function.
7. Develop and implement a strategy for validating the continuity plan and
the underlying essential functions.
8. Change its essential functions as the result of the validation process.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Agencies' inability to provide documentation adequate to support their
reported use of sound continuity planning practices raises concerns that
the practices may not have been followed thoroughly or effectively. For
example, it is unlikely that a thorough risk analysis of essential
functions could be performed without being documented.
Whether or not these practices were followed, the results were
inconsistent, and some of the functions identified were of questionable
importance. For example, although 43 of the 45 COOP plans in our review
identified at least one essential function, the number of functions in
each plan varied widely-ranging from 3 to 538. In addition, the apparent
importance of the functions was not consistent. For example, a number of
essential functions were of clear importance, such as
o "conduct payments to security holders";
o "provide emergency staffing and compensation policy advice"; and
o "carry out a rapid and effective response to all hazards, emergencies,
and disasters." Other identified functions appeared vague or of
questionable importance:
o "champion decision-making decisions";
o "provide advice to the Under Secretary"; and
o "produce speeches and articles for the Secretary and Deputy Secretary."
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
The high level of generality in FEMA's guidance on essential functions
contributed to the inconsistencies in agencies' identification of these
functions. As was the case during our 2002 review, the version of FPC 65
in place on May 1, 2004, defined essential functions as those that enable
agencies to provide vital services, exercise civil authority, maintain
safety, and sustain the economy during an emergency. The document did not,
however, define a process that agencies could use to select their
essential functions.
In June 2004, FEMA released an updated version of FPC 65, providing
additional guidance to agencies on each of the topics covered in the
original guidance, including an annex on essential functions. The annex
lists several categories that agencies must consider when determining
which functions are essential, including
o functions that must continue with minimal interruption or cannot be
interrupted for more than 12 hours without compromising the organization's
ability to perform its mission and
o functions assigned to the agency by federal law or by order of the
President.
The new guidance goes on to outline steps addressing the prioritization of
selected functions as well as the identification of resources necessary to
accomplish them and of interdependencies with other agencies.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
On January 10, 2005, the Assistant to the President for Homeland Security
issued a memorandum outlining additional guidance on essential functions
and initiated a process to identify and validate agency-level functions.
The memorandum noted that in the past many departments and agencies had
had difficulty clearly identifying and articulating their essential
functions. It attributed this difficulty, in part, to the lack of a
defined set of national-level essential functions to guide agency
continuity planning, resulting in multiple efforts to develop agency
essential functions for different specific purposes (e.g., planning for
Year 2000 computer continuity, information technology planning, and
critical infrastructure planning). Further, it noted that departments and
agencies sometimes do not distinguish between a "function" and the
specific activities necessary to perform the function.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
To address these issues, the memorandum identified eight National
Essential Functions that are necessary to lead and sustain the country
during an emergency and, therefore, must be supported through continuity
capabilities:
o Preserve our constitutional form of government.
o Provide leadership visible to the nation and the world; maintain the
trust and confidence of the American people.
o Defend the country against all enemies, foreign or domestic, and
prevent or interdict future attacks.
o Maintain and foster effective relationships with foreign nations.
o Protect against threats to the homeland and bring to justice
perpetrators of crimes or attacks against the nation, its citizens, or its
interests.
o Provide rapid and effective response to and recovery from the domestic
consequences of an attack or other incident.
o Protect and stabilize the nation's economy; ensure confidence in
financial systems.
o Provide for critical federal government services that address the
national health, safety, and welfare needs of the nation.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Also, the memorandum asked major agencies to identify their Priority
Mission Essential Functions-those functions that must be performed to
support or implement the National Essential Functions before, during, and
in the immediate aftermath of an emergency. The document states that
generally priority functions must be uninterrupted or resumed during the
first 24 to 48 hours after the occurrence of an emergency and continued
through full resumption of all government functions.
When identifying their functions, agencies were asked to also identify the
National Essential Function that each priority function supports, the time
in which the priority function must be accomplished, and the partners
necessary to perform the priority function. The memorandum asked agencies
to reply by February 18, 2005.
The memorandum emphasized the need for the involvement of senior-level
agency officials, calling for each agency's functions to be first approved
by an official with agencywide responsibilities. The memorandum then laid
out a process by which the functions would be validated by an interagency
group within the Homeland Security Council.
The validated functions would then be used to support development of a new
continuity policy and would be used to develop and implement improved
requirements for capabilities, inform the annual budget process, establish
program metrics, and guide training and exercises and other continuity
program activities. The memorandum did not set any time frames for these
later steps.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Together, FEMA's revised guidance and the guidance from the White House
significantly address the best practices that we identified. For example:
o Both documents call for agencies to identify dependencies necessary to
perform the functions.
o FEMA's guidance calls for agencies to prioritize their essential
functions and identify the resources necessary to perform them.
o The White House guidance calls on agencies to identify the recovery
time necessary for each function and outlines a process to validate the
initial list of functions.
If implemented effectively, the new guidance and the review process
conducted by the White House could result in more consistent
identification of essential functions across the executive branch. The
functions could then form the basis for better plans for continuing the
most critical functions following a disruption to normal operations.
However, without time frames for completing the outlined process, it is
unclear when the expected improvements will occur.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
When compared with our prior assessment, agency continuity plans in place
on May 1, 2004, showed improved compliance with FEMA's guidance in two
ways:
o One agency and 9 component agencies that did not have documented
continuity plans in place at the time of our 2002 review had put such
plans in place by May 1.
o For each of the topic areas outlined in the guidance, agencies
generally made progress in increasing compliance.
However, two major agencies did not have plans in place on May 1, 2004.
Neither agency had put a plan in place by December 2004-one planned to
have a plan finalized in early 2005, and the other did not have an
estimate of when its plan would be completed.
In addition, none of the plans that were in place on May 1 followed all of
FEMA's guidance.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
The following sections describe agency compliance in each of the eight
planning areas of FPC 65. For each area, our assessments of three sets of
plans are listed for comparison purposes:
o the results from our review of plans in place in 2002, which included
34 plans covering 35 agencies and components;
o the results from our 2004 review for the 35 plans covering the agencies
and components included in our 2002 review; and
o the results from all 45 agency and component plans in place on May 1,
2004.1
1This does not include the agency-level plan that identified no essential
functions for COOP purposes.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Essential Functions
Although most agency plans identified at least one essential function,
many COOP plans did not fully address other aspects of the guidance
related to essential functions, such as prioritizing the functions or
identifying interdependencies among them. If agencies do not prioritize
their essential functions and identify the resources necessary to
accomplish them, their plans will not be effective, as the other seven
topics of the continuity plan are designed around supporting these
functions.
Answers to All Essential Functions Questions in 2002 and 2004 Assessments
Note: During our 2002 review, one plan covered two components responsible
for high-impact programs. The components responsible for those programs
had separate plans in 2004.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Essential Functions
Essential Functions: Responses by Question
The following table summarizes the results of our analysis of agency plans
in place on May 1, 2004, according to the existing detailed guidance in
FPC 65 on essential functions. It compares the results of our analysis of
the 34 plans reviewed in 2002 to the 2004 results for the 35 agencies
included in plans reviewed in 2002 as well as the total 45 agency plans
reviewed in 2004.
Did the COOP documentation- Year (plans) Yes Partially No
2002 (34) 25 4 5
Identify the agency's essential functions? a 2004 (35) 31 2 2
2004 (45) 40 3 2
Identify which essential functions must be 2002 (34) 14 3 17
continued under all circumstances? 2004 (35) 28 2 5
2004 (45) 35 2 8
2002 (34) 13 2 19
Prioritize essential functions? 2004 (35) 14 3 18
2004 (45) 20 4 21
Establish staffing and resource requirements 2002 (34) 8 20 6
needed to perform the essential functions? 2004 (35) 10 23 2
2004 (45) 13 30 2
a The analysis for this question addressed only whether essential
functions were named; it did not evaluate the functions chosen.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Essential Functions Essential Functions: Responses by Question (cont'd)
Did the COOP documentation- Year (plans) Yes Partially No
Identify mission-critical systems and data 2002 (34) 7 12 15
necessary to conduct essential functions? 2004 (35) 11 17 7
2004 (45) 14 24 7
Integrate supporting activities/identify 6 9 19
interdependencies among the essential 2002 (34)
functions and functions or resources 2004 (35) 8 14 13
controlled by others? 2004 (45) 10 15 20
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Plans and Procedures
FPC 65 calls for COOP plans to be developed and documented that provide
for the performance of essential functions under all circumstances.
Most agency continuity documents included the plans and procedures
outlined in FEMA's guidance. However, in those cases where plans and
procedures are not adequately documented, agency personnel may not know
what to do in an emergency.
Answers to All Plans and Procedures Questions in 2002 and 2004 Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Plans and Procedures
Plans and Procedures: Responses by Question
Did the COOP documentation- Year (plans) Yes Partially No
Identify a roster of personnel to perform 2002 (34) 22 6 6
essential functions? 2004 (35) 24 11 0
2004 (45) 28 17 0
Identify procedures for employee advisories, 2002 (34) 19 11 4
alerts, notification, and relocation 2004 (35) 21 14 0
instructions to the alternate facilities? 2004 (45) 24 20 1
Establish a goal of becoming operational 2002 (34) 25 4 5
within 12 hours and maintaining that 2004 (35) 29 4 2
capability for 30 days? 2004 (45) 35 5 5
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Order of Succession
Orders of succession ensure continuity by identifying individuals
authorized to act for agency officials in case those officials are
unavailable.
While most agency COOP documents adequately described the order of
succession to the agency head, fewer addressed other succession planning
procedures outlined in FPC 65. If orders of succession are not clearly
established, agency personnel may not know who has authority and
responsibility if agency leadership is incapacitated in an emergency.
Answers to All Succession Questions in 2002 and 2004 Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Order of Succession Order of Succession: Responses by Question (cont'd)
Did the COOP documentation- Year (plans) Yes Partially No
Establish rules and procedures for resolving 2002 (34) 14 3 17
questions regarding succession in 2004 (35) 28 0 7
emergencies? 2004 (45) 33 0 12
Define the conditions under which succession 2002 (34) 9 20 5
takes place and how successors are to be 2004 (35) 18 14 3
relieved? 2004 (45) 20 17 8
Require orientation programs to prepare 2002 (34) 0 7 27
potential successors for their emergency 2004 (35) 5 9 21
duties? 2004 (45) 7 9 29
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Delegations of Authority
To provide for rapid response to emergencies, FEMA's guidance calls for
agencies to predelegate authorities for making policy determinations at
all levels. Generally, these delegations define what actions those
individuals identified in the orders of succession can take in
emergencies.
We found that few agencies had fully documented delegations of authority.
If delegations of authority are not clearly established, agency personnel
may not know who has authority to make key decisions in an emergency.
Answers to All Delegations of Authority Questions in 2002 and 2004
Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Delegations of Authority
Delegations of Authority: Responses by Question
Did the COOP documentation- Year (plans) Yes Partially No
Document the legal authority for officials 2002 (34) 8 16 10
(including those below the agency head) to 2004 (35) 8 25 2
make policy decisions during an emergency? 2004 (45) 9 30 6
Identify when emergency legal authorities 2002 (34) 5 20 9
begin and when they terminate? 2004 (35) 7 21 7
2004 (45) 8 26 11
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Alternate Facilities
Alternate facilities provide a physical location from which to conduct
essential functions if the agency's usual facilities are unavailable.
Most agency COOP plans document the acquisition of at least one alternate
facility for use in emergencies, but few of those plans demonstrate that
the facilities are capable of meeting the agencies' emergency operating
requirements. If alternate facilities are not provided or are inadequate,
agency operations may not be able to continue in an emergency.
Answers to All Alternate Facility Questions in 2002 and 2004 Assessment
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Alternate Facilities
Alternate Facilities: Responses by Question
Did the COOP documentation- Year (plans) Yes Partially No
Document the acquisition of alternate 2002 (34) 24 6 4
facilities? 2004 (35) 28 7 0
2004 (45) 31 12 2
Identify alternate facilities both within 2002 (34) 20 11 3
and outside of the local area? 2004 (35) 26 9 0
2004 (45) 31 12 2
Document the facilities' capability to 2 16 15
provide previously identified equipment and 2002 (34)
space for previously identified staff? (One 3 28 4
agency transferred operations rather than 2004 (35)
relocating staff in 2002.) 2004 (45) 3 36 6
Document the capability to provide 5 15 14
interoperable communications with internal 2002 (34)
and external organizations, critical 2004 (35) 6 25 4
customers, and the public? 2004 (45) 8 28 9
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Redundant Emergency Communications
The success of agency operations at an alternate facility depends on
available and redundant communications with internal organizations, other
agencies, critical customers, and the public.
Most COOP documents identified some redundant emergency communications
capabilities, but few include emergency communications available for vital
electronic systems. If communications fail in an emergency, essential
agency operations may not be possible.
Analysis of All Emergency Communications Questions in 2002 and 2004
Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Vital Records
FPC 65 states that agency personnel must have access to and be able to use
electronic and hard-copy records and information systems needed to perform
their essential functions.
About 38 percent of the continuity plans fully identified agencies' vital
paper and electronic records, while fewer documented the procedures for
protecting or updating them. If agency personnel cannot access and use
up-to-date vital records, they may be unable to carry out essential
functions.
Analysis of All Vital Records Questions in 2002 and 2004 Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Vital Records
Vital Records: Responses by Question
Did the COOP documentation- Year (plans) Yes Partially No
Identify the vital records needed to support 2002 (34) 8 13 13
the identified essential functions? 2004 (35) 14 15 6
2004 (45) 17 19 9
Identify where and how agency personnel are 2002 (34) 2 10 22
to access the vital records? 2004 (35) 3 21 11
2004 (45) 3 26 16
Outline procedures for regularly 2002 (34) 3 15 16
pre-positioning and updating the identified 2004 (35) 2 27 6
vital records? 2004 (45) 2 32 11
Source: GAO analysis of agency continuity planning documents.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Tests, Training, and Exercises
Tests, training, and exercises of continuity of operations capabilities
are essential to demonstrate and improve agencies' abilities to execute
their plans.
The interagency COOP exercise conducted by FEMA in May 2004 helped improve
compliance in this area. However, few agencies have documented that they
conducted internal tests, training, and exercises at the recommended
frequency before the FEMA exercise. If emergency procedures are not tested
and staff is not trained in their use, planned responses to an emergency
may not be adequate to continue essential functions.
Analysis of All Test and Training Questions in 2002 and 2004 Assessments
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Objective 2: Compliance with COOP Guidance
Tests, Training, and Exercises
Tests, Training, and Exercises: Responses by Question
Did the COOP documentation show that the
agency- Year (plans) Yes Partially No
Conducted annual individual and team 2002 (34) 1 11 22
training for COOP staff? 2004 (35) 1 18 16
2004 (45) 1 21 23
Conducted annual internal agency testing and
exercising of COOP plans and procedures, 2002 (34) 3 10 21
including operations at the alternate 2004 (35) 1 17 17
facility(ies)? 2004 (45) 1 21 23
Conducted quarterly testing of alert and 2002 (34) 0 10 24
notification procedures? 2004 (35) 4 16 15
2004 (45) 4 19 22
Conducted refresher orientations for staffs 0 0 33
arriving at alternate facilities? (One 2002 (34)
agency transfers operations rather than 2004 (35) 16 4 15
relocating to an alternate facility.) 2004 (45) 18 4 23
Conducted joint agency exercises, where 2002 (34) 1 0 29
applicable and feasible? 2004 (35) 25 1 9
2004 (45) 33 1 11
Source: GAO analysis of agency continuity planning documents.
Note: In 2002, four agencies determined that interagency exercises were
not applicable. In 2004, all the agencies we reviewed and 13 of their
components participated in an interagency exercise run by FEMA in mid-May
2004. Participation in this exercise was considered in our assessment of
the question on joint agency exercises.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
FEMA's guidance also assigns agency heads several specific continuity of
operations responsibilities, including developing, approving, and
maintaining agency contingency plans and procedures, as well as developing
plans to manage these activities. However, we found that agency heads were
not consistently fulfilling these responsibilities.
Specifically, most of the agencies we reviewed could not document approval
of their COOP plans by senior management. Of the 20 agency-level plans,
o 6 were approved by the agency head or deputy,
o 2 were approved by the next level of official (i.e., assistant
secretary),
o 2 were approved by a lower-level official (i.e., director of security),
and
o 10 were unsigned. Of the 25 component plans,
o 12 were approved by the component head or deputy,
o 1 was approved by a lower-level official, and
o 12 were unsigned.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In addition, only 3 of the 21 major agencies had current COOP management
plans in place on May 1, 2004. According to the guidance, agencies should
use such plans to develop and maintain their contingency planning
capabilities. The plans should outline the process agencies use to
designate essential functions and resources, define short-term and
longterm COOP goals and objectives, forecast budgetary requirements, and
establish planning milestones. Without such plans, agencies will be
hampered in their efforts to ensure that continuity planning efforts are
timely and cost-effective.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
During our prior review of 2002 plans, we found that insufficient
oversight by FEMA contributed to agencies' lack of compliance with the
guidance. Specifically, we noted that FEMA had not conducted an assessment
of agency contingency plans since 1999. As a result, we recommended that
FEMA conduct assessments of agency continuity plans that include
independent verification of agency-reported information. In response DHS
reported that it was developing a readiness reporting system to assist it
in assessing agency plans and planned to verify the information reported
by the agencies.
Although neither of these planned actions was completed by May 1, 2004,
FEMA has made subsequent efforts to improve its oversight. According to
FEMA officials, its readiness reporting system is due to be operational by
January 31, 2005, and will be fully certified 20 weeks later. They added
that once the system becomes fully operational, agencies will be required
to periodically provide updated information on their compliance with
FEMA's guidance. These officials also reported that the agency had taken
additional steps to improve readiness. Specifically, they stated that the
interagency exercise held in mid-May 2004 successfully activated and
tested agency plans; they based this assessment on reports provided by the
agencies. Furthermore, FEMA has begun planning for another interagency
exercise in 2006. In addition, as of November 2004, FEMA had provided
training to 372 federal COOP managers from 65 departments and agencies.
FEMA officials stated that because of these additional successful efforts
to improve readiness, they no longer planned to verify agency-reported
readiness data.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
While the revised guidance, recent exercise, and ongoing training should
help ensure that agency continuity plans follow FEMA's guidance, FEMA's
ongoing ability to oversee agency continuity planning activities will be
limited by its reliance on agency-provided data. Without verification of
such data, FEMA lacks assurance that agency plans are compliant and that
the procedures outlined in those plans will allow agencies to effectively
continue to perform their essential functions following a disruption.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Telework, also referred to as telecommuting or flexiplace, has gained
widespread attention over the past decade in both the public and private
sectors as a human capital flexibility that offers a variety of potential
benefits to employers, employees, and society. In a 2003 report to
Congress on the status of telework in the federal government, the Director
of the Office of Personnel Management (OPM) described telework as "an
invaluable management tool which not only allows employees greater
flexibility to balance their personal and professional duties, but also
allows both management and employees to cope with the uncertainties of
potential disruptions in the workplace, including terrorist threats."1
As we reported in an April 2004 report, telework is an important and
viable option for federal agencies in COOP planning and implementation
efforts, especially as the duration of an emergency event is extended.2 In
a July 2003 GAO report, we defined 25 key telework practices for
implementation of successful federal telework programs.3
1 U.S. Office of Personnel Management, Report to the Congress: The Status
of Telework in the Federal Government (Washington, D.C.: January 2003).
2GAO, Human Capital: Opportunities to Improve Federal Continuity Planning
Guidance, GAO-04-384 (Washington, D.C.: Apr. 20, 2004).
3 GAO, Human Capital: Further Guidance, Assistance, and Coordination Can
Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.: July 18,
2003).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
According to OPM's guidance on Washington, D.C., area closures, one of the
major benefits of a telework program is the ability of telework employees
to continue working at their alternative work sites during a disruption to
operations.1 In recognition of the growing importance of teleworkers to
the continuity of agency operations, OPM states that agencies may wish to
modify their current policies concerning teleworkers and emergency
closures. OPM's guidance on emergency decision-making also notes that
agency COOP facilities cannot accommodate enough key staff to facilitate
maximum government operations, and that telework provides access to
resources that may not be available otherwise.2
In addition, to make effective use of telework, experts told us that
organizations should identify those employees who are expected to telework
during a disruption and communicate that expectation to them in advance.
Further, organizations should provide teleworkers with adequate support in
terms of tools, training, and guidance.
1U.S. Office of Personnel Management, Washington, DC, Area Dismissal or
Closure Procedures (Washington, D.C.: Dec. 4,
2003).
2U.S. Office of Personnel Management, Federal Managers'/Decision-makers'
Emergency Guide (Washington, D.C.: Mar. 17,
2003).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Although not required to do so, one of the 21 agency continuity plans in
place on May 1, 2004, documented plans to address some essential functions
through telework. Two other agencies reported that they planned to use
telework to fulfill their essential functions, and eight agencies reported
that they planned for nonessential staff to telework during a COOP event,
but their continuity plans do not specifically mention telework.
In addition, none of the agencies that are planning to use telework during
a COOP event documented that the necessary preparations had taken place
(these preparations are derived from the practices for the development of
an effective telework program that we identified earlier1). These
preparations include informing and training the staff, ensuring that there
is adequate technological capacity for telework, providing technological
assistance, and testing the ability to telework.
1 GAO, Human Capital: Further Guidance, Assistance, and Coordination Can
Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.: July 18,
2003).
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In May 2004, OPM's guidance on Washington, D.C., area closures and
emergency planning (as mentioned earlier) were the only telework guidance
available to agency emergency planners. Planners now have additional
guidance from FEMA-the June 2004 version of its continuity planning
guidance mentions telework as one option that agencies should consider
when making plans for alternate facilities. However, neither agency's
guidance addresses the steps that agencies who choose to use telework
following a COOP event should take to ensure that they are fully prepared.
If agencies are not informed of the need for such preparations, their
future efforts to increase the use of telework may not effectively
contribute to the continuity of the agencies' essential functions.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Although agency COOP plans have shown improvement since our prior
assessment of 2002 plans, most plans in place on May 1, 2004, continued to
exhibit inconsistencies in the identification of essential functions and
significant lack of compliance with FEMA's guidance. Both FEMA's revision
to this guidance and a recently initiated White House effort have the
potential, if effectively implemented, to help agencies better identify
their essential functions and thus develop better continuity plans.
However, the lack of a schedule to complete the White House effort makes
it unclear when these improvements might take place. Agencies' efforts to
develop continuity plans could also be aided by FEMA's efforts to develop
a readiness reporting system, conduct a governmentwide exercise, and train
agency COOP planners, as well as by any guidance or policies that result
from the White House effort. At this time, we do not believe that agencies
should begin extensive efforts to bring their plans into compliance with
all of the current FEMA guidance because it appears likely to be revised.
However, agencies that do not take some interim steps to address those
weaknesses that directly affect their ability to perform their essential
functions are placing their ability to perform those functions at risk. In
addition, if FEMA continues to base its oversight activities on
agency-reported data, its effectiveness will be limited. Without more
effective oversight, improvements in continuity plans could continue to
proceed slowly, and the risk will remain significant that the public will
not be able to rely upon the continued delivery of essential programs and
services following an emergency.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Even though FEMA's continuity planning guidance in place in May 2004 did
not address telework, one agency's continuity plan in place at that time
indicated that it was planning to use telework in response to an
emergency. In addition, 10 agencies reported that they planned to use
telework following a COOP event, but their plans were not clearly
documented. FEMA's inclusion of telework in its recently revised
continuity planning guidance could encourage other agencies to add
telework to their plans in the future. While some of the agencies that
plan to use telework during an emergency reported making related
preparations, the general lack of documentation to support their responses
leads us to believe that few agencies are likely to have fully implemented
the telework preparations we have previously found to be effective. Should
agencies fail to support their plans with adequate preparations, the
ability of their teleworking staff to contribute to the agency's essential
functions during a COOP event could be hampered.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
To ensure that agencies are adequately prepared to continue performing
essential functions following an emergency, we recommend that the
Assistant to the President for Homeland Security establish a schedule for
the completion of the recently initiated effort to validate agency
essential functions and refine federal continuity of operations policy. We
also recommend that the Secretary of Homeland Security direct the Under
Secretary for Emergency Preparedness and Response to
o develop a strategy for short-term oversight that ensures that agencies
are prepared for a disruption in essential functions while the current
effort to identify essential functions and develop new guidance is
ongoing;
o develop and implement procedures that verify the agency-reported data
used in oversight of agency continuity of operations planning; and
o develop, in consultation with OPM, guidance on the steps that agencies
should take to adequately prepare for the use of telework during a COOP
event.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
In written comments on a draft of this briefing, the Department of
Homeland Security's Under Secretary for Emergency Preparedness and
Response replied that DHS agrees that there has been improvement in COOP
plans, and attributed that improvement to a renewed emphasis by DHS and
the White House. The department also agreed with the need for additional
oversight, and noted that FEMA had begun conducting COOP site assessments
at departments and agencies to improve readiness.
The Under Secretary's letter drew attention to a number of actions taken
after the May 1, 2004, cutoff date for our assessment. These actions
include the May 2004 interagency exercise, the June 2004 release of the
revised FPC 65, FEMA's COOP manager's training, and initial planning for
the next interagency exercise in 2006. These actions are described in our
briefing. However, we did not use the June 2004 guidance in our
assessments because it was released after we began our audit.
The Under Secretary wrote that it was unclear whether we had considered
classified information DHS provided about interagency communications in
our assessments. We considered this information in our assessments of
individual agency plans, and the briefing reflects the results.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Finally, the Under Secretary pointed out that the readiness reporting
system FEMA is developing was not intended to be a COOP plan assessment
tool, and instead provides key officials with the ability to determine
plan status in near real time. We continue to believe that it is important
for FEMA to assess agency plans as part of its oversight responsibilities.
Regardless of the system's intended use, we believe its capabilities, as
described by FEMA, make it a valuable tool the agency should use when
exercising these responsibilities.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Australian National Audit Office. Business Continuity Management: Keeping
the Wheels in Motion. January 2000.
Business Continuity Institute. Business Continuity Management: Good
Practice Guide. January 11, 2002.
DRI International. Professional Practices for Business Continuity
Planners. August 28, 2003.
Federal Emergency Management Agency. Emergency Management Guide for
Business and Industry.
Gartner, Inc. Management Update: Best Practices in Business Continuity and
Disaster Recovery. March 17, 2004.
Gartner, Inc. Management Update: Many Challenges Faced by Business
Continuity Managers in 2004. January 7, 2004.
GAO. Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19). August 1998.
Government Information Technology Agency for the State of Arizona.
Business Continuity/Disaster Recovery Plan. October 15, 2001.
Hiles, Andrew FBCI. Business Continuity: Best Practices. June 2000.
National Fire Protection Association. NFPA 1600 Standard on
Disaster/Emergency Management and Business Continuity Programs. January
16, 2004.
Office of Critical Infrastructure Protection and Emergency Preparedness.
Self-Help Advice for Businesses and Institutions: A Guide to Business
Continuity Planning.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Department of Agriculture
Department of Commerce
Department of Education
Department of Energy
Department of Health and Human Services
Department of Homeland Security1
Department of Housing and Urban Development
Department of Justice
Department of Labor
Department of State
Department of the Interior
Department of the Treasury
Department of Transportation
Department of Veterans Affairs
Agency for International Development
Environmental Protection Agency
General Services Administration
National Aeronautics and Space Administration
National Science Foundation
Nuclear Regulatory Commission
Office of Personnel Management
Small Business Administration
Social Security Administration
1 The Department of Homeland Security did not exist at the time of our
2002 review. We added it to the list of agencies we reviewed in 2004
because it encompasses FEMA, which was an independent agency in 2002, as
well as several components responsible for high-impact programs, such as
the Coast Guard.
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix I
Unclassified Version of February 28, 2005,
Briefing to the Committee on Government
Reform, House of Representatives
Appendix II
Comments from the Department of Homeland Security
Appendix II Comments from the Department of Homeland Security
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact:
Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202)
512-4400Congressional U.S. Government Accountability Office, 441 G Street
NW, Room 7125 Relations Washington, D.C. 20548
Public Affairs Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
PRINTED ON RECYCLED PAPER
*** End of document. ***