Continuity of Operations
Agency Plans Have Improved, but Better Oversight Could Assist Agencies in Preparing for Emergencies Gao ID: GAO-05-577 April 28, 2005To ensure that essential government services are available in emergencies, federal agencies are required to develop continuity of operations plans. According to guidance from the Federal Emergency Management Agency (FEMA), which is responsible for providing guidance for and assessing agency continuity plan, a key element of a viable capability is the proper identification of essential functions. GAO previously reported on agency continuity plan compliance, and determined that a number of agencies and their components did not have continuity plans in place on October 1, 2002, and those that were in place did not generally comply with FEMA's guidance. GAO was asked to determine, among other things, to what extent (1) major federal agencies used sound practices to identify and validate their essential functions and (2) agencies had made progress since 2002 in improving compliance with FEMA guidance.
Many of the 23 agencies that GAO reviewed reported using sound practices for identifying and validating essential functions, but few provided documentation sufficient for GAO to confirm their responses. This indicates that agencies--although aware of the practices--may not have followed them thoroughly or effectively. Further, the essential functions identified by agencies varied widely: the number of functions identified in each plan ranged from 3 to 538 and included ones that appeared to be of secondary importance. A major factor contributing to these shortcomings was that FEMA's guidance did not provide specific criteria for identifying essential functions. Subsequent guidance from FEMA and the White House significantly addresses the sound practices GAO identified. In addition, the White House plans further actions to improve continuity planning. If this guidance and these follow-up actions are implemented effectively, they could lead to improved identification of essential functions in the executive branch. As of May 1, 2004, agencies had made progress in improving compliance with FEMA guidance, but significant weaknesses remained. Agencies that had plans in place in both years showed significant improvement in the area of tests, training, and exercises. However, although some improvement occurred for other planning areas, important weaknesses remained: for example, 31 of 45 plans did not fully identify mission-critical systems and data necessary to conduct essential functions. Inadequate oversight by FEMA contributed to the level of weaknesses in agency continuity plans. FEMA plans to improve oversight using an online readiness reporting system, which it plans to have fully operational later this year, and it has already taken other steps to help agencies improve their plans, such as conducting an interagency exercise. However, FEMA does not plan to verify the readiness information that agencies will report in the system.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-577, Continuity of Operations: Agency Plans Have Improved, but Better Oversight Could Assist Agencies in Preparing for Emergencies
This is the accessible text file for GAO report number GAO-05-577
entitled 'Continuity Of Operations Agency Plans Have Improved, but
Better Oversight Could Assist Agencies in Preparing for Emergencies'
which was released on April 28, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Government Reform, House of
Representatives:
April 2005:
Continuity Of Operations:
Agency Plans Have Improved, but Better Oversight Could Assist Agencies
in Preparing for Emergencies:
GAO-05-577:
GAO Highlights:
Highlights of GAO-05-577, a report to the Chairman, Committee on
Government Reform, House of Representatives.
Why GAO Did This Study:
To ensure that essential government services are available in
emergencies, federal agencies are required to develop continuity of
operations plans. According to guidance from the Federal Emergency
Management Agency (FEMA), which is responsible for providing guidance
for and assessing agency continuity plans, a key element of a viable
capability is the proper identification of essential functions. GAO
previously reported on agency continuity plans compliance, and
determined that a number of agencies and their components did not have
continuity plans in place on October 1, 2002, and those that were in
place did not generally comply with FEMA‘s guidance.
GAO was asked to determine, among other things, to what extent (1)
major federal agencies used sound practices to identify and validate
their essential functions and (2) agencies had made progress since 2002
in improving compliance with FEMA guidance.
To help ensure that agencies are adequately prepared to continue
performing essential functions following an emergency, GAO is making
recommendations aimed at improving the assessment and oversight of
agency continuity plans.
What GAO Found:
Many of the 23 agencies that GAO reviewed reported using sound
practices for identifying and validating essential functions (see
table), but few provided documentation sufficient for GAO to confirm
their responses. This indicates that agencies”although aware of the
practices”may not have followed them thoroughly or effectively.
Further, the essential functions identified by agencies varied widely:
the number of functions identified in each plan ranged from 3 to 538
and included ones that appeared to be of secondary importance (for
example, ’provide advice to the Under Secretary“). A major factor
contributing to these shortcomings was that FEMA‘s guidance did not
provide specific criteria for identifying essential functions.
Subsequent guidance from FEMA and the White House significantly
addresses the sound practices GAO identified. In addition, the White
House plans further actions to improve continuity planning. If this
guidance and these follow-up actions are implemented effectively, they
could lead to improved identification of essential functions in the
executive branch.
Between 2002 and 2004, agencies made progress in improving compliance
with FEMA guidance, but significant weaknesses remain. Agencies that
had plans in place in both years showed significant improvement in the
area of tests, training, and exercises. However, although some
improvement occurred for other planning areas, important weaknesses
remained: for example, 31 of 45 plans did not fully identify mission-
critical systems and data necessary to conduct essential functions.
Inadequate oversight by FEMA contributed to the level of weaknesses in
agency continuity plans. FEMA plans to improve oversight using an
online readiness reporting system, which it plans to have fully
operational later this year, and it has already taken other steps to
help agencies improve their plans, such as conducting an interagency
exercise. However, FEMA does not plan to verify the readiness
information that agencies will report in the system.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-577].
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Linda Koontz at (202) 512-6240 or
koontzl@gao.gov.
[End of Section]
Contents:
Letter:
Recommendations:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Unclassified Version of February 28, 2005, Briefing to the
Committee on Government Reform, House of Representatives:
Appendix II: Comments from the Department of Homeland Security:
Abbreviations:
COOP: continuity of operations:
DHS: Department of Homeland Security:
FEMA: Federal Emergency Management Agency:
FPC: Federal Preparedness Circular:
OMB: Office of Management and Budget:
OPM: Office of Personnel Management:
PDD: Presidential Decision Directive:
Letter:
April 28, 2005:
The Honorable Tom Davis:
Chairman, Committee on Government Reform:
House of Representatives:
Dear Mr. Chairman:
As you know, essential government services can be interrupted by a
range of events, including terrorist attacks, severe weather, or
building-level emergencies. Federal agencies are required by
Presidential Decision Directive (PDD) 67 to develop plans for ensuring
the continuity of such services in emergency situations. This directive
also designated the Federal Emergency Management Agency (FEMA) as
executive agent for executive branch continuity of operations (COOP)
planning, which includes the responsibility for formulating guidance on
such planning and for assessing the status of executive branch COOP
capabilities.
In response, FEMA issued Federal Preparedness Circular (FPC) 65 in July
1999 as guidance to agencies. The circular states that, in order to
have a viable COOP capability, agencies should identify their essential
functions. These functions then provide the basis for subsequent
planning steps. The circular also identified eight elements of a viable
capability. In June 2004, FEMA released an updated version of FPC 65,
providing additional guidance to agencies on each of the topics covered
in the original guidance, including an annex on essential functions.
We previously reviewed agency COOP plan compliance with FEMA's guidance
at your request. At that time, we reported that a number of agencies
and their components did not have continuity plans in place on October
1, 2002, and those that were in place did not generally comply with
FEMA's guidance.[Footnote 1]
At your request, we subsequently assessed plans in place on May 1,
2004, both from the agencies that we previously reviewed that had plans
in place in 2002 and from agencies that subsequently adopted plans. For
the current review, as agreed with the Committee, our objectives were
to determine to what extent:
* major federal agencies used sound practices to identify and validate
their essential functions,
* agencies had made progress in improving compliance with the guidance
outlined in the July 1999 version of FPC 65 since our 2002
review,[Footnote 2] and:
* agency continuity of operations plans addressed the use of telework
arrangements (in which work is performed at an employee's home or at a
work location other than a traditional office) during emergencies.
To achieve our first objective, we reviewed published literature on
continuity planning; consulted with experts on continuity planning;
surveyed agency officials responsible for COOP planning to determine
which practices were used when agencies identified their essential
functions; reviewed supporting documentation submitted by agency
officials to support their responses; and conducted additional
quantitative and qualitative analyses of the essential functions listed
in agency plans.
For our second objective, we obtained and evaluated the headquarters
continuity plans in place as of May 1, 2004, from 20 of the 23 largest
civilian departments and agencies, as well as the headquarters plans
for 25 components of departments. These agencies were selected because
they were responsible for programs previously deemed high impact by the
Office of Management and Budget (OMB).[Footnote 3] We also interviewed
the agency officials responsible for developing these plans, obtained
and analyzed FEMA guidance and documents describing its efforts to
provide oversight and assessments of the federal COOP planning efforts,
and interviewed FEMA officials to clarify the activities described in
these documents.
Finally, to accomplish our third objective, we reviewed our prior
reports on telework to determine key practices for the development of
an effective telework program; developed a series of questions
regarding agency plans to use telework during a COOP event; surveyed
agency officials responsible for continuity planning to determine to
what extent telework key practices were used in making continuity
preparations; and reviewed supporting documentation submitted by agency
officials to support their responses. We conducted our review between
April 2004 and January 2005, in accordance with generally accepted
government auditing standards.
On February 28, we provided your office with a classified briefing on
the results of this review. The purpose of this letter is to provide
you with the unclassified material from our briefing. (See app. I.)
In summary, many of the 23 agencies reported using the eight sound
practices for identifying and validating essential functions that we
identified (for example, performing a risk and impact analysis for each
essential function), but few provided documentation sufficient for us
to confirm their responses. This indicates that agencies--although
aware of these practices--may not have followed them thoroughly or
effectively. In addition, the number of functions identified in each
agency plan ranged from 3 to 538 and included ones that appeared to be
of secondary importance. Both FEMA's revision to its guidance and a
recently initiated White House effort have the potential, if
effectively implemented, to help agencies better identify their
essential functions and thus develop better continuity plans. However,
the lack of a schedule to complete the White House effort makes it
unclear when these improvements might take place.
Furthermore, although agency COOP plans have shown improvement since
our prior assessment of 2002 plans, most plans in place on May 1, 2004,
continued to exhibit inconsistencies in the identification of essential
functions and significant lack of compliance with FEMA's guidance.
Inadequate oversight by FEMA contributed to the level of weaknesses in
agency COOP plans. FEMA plans to improve oversight using an online
readiness reporting system, which it plans to have fully operational
later this year, and it has already taken other steps to help agencies
improve their plans, such as conducting an interagency exercise.
However, FEMA no longer plans to verify the readiness information that
agencies will report in the system.
Finally, according to guidance from the Office of Personnel Management
(OPM), one of the major benefits of a telework program is the ability
of telework employees to continue working at their alternative work
sites:
during a disruption to operations.[Footnote 4] Even though FEMA's
continuity planning guidance in place in May 2004 did not address
telework, one agency's continuity plan in place at that time indicated
that it was planning to use telework in response to an emergency. In
addition, 10 agencies reported that they planned to use telework
following a COOP event, but their plans were not clearly documented.
Recommendations:
To ensure that agencies are adequately prepared to continue performing
essential functions following an emergency, we are making four
recommendations. We recommend that the Assistant to the President for
Homeland Security establish a schedule for the completion of the
recently initiated effort to validate agency essential functions and
refine federal continuity of operations policy. We also recommend that
the Secretary of Homeland Security direct the Under Secretary for
Emergency Preparedness and Response to:
* develop a strategy for short-term oversight that ensures that
agencies are prepared for a disruption in essential functions while the
current effort to identify essential functions and develop new guidance
is ongoing;
* develop and implement procedures that verify the agency-reported data
used in oversight of agency continuity of operations planning; and:
* develop, in consultation with OPM, guidance on the steps that
agencies should take to adequately prepare for the use of telework
during a COOP event.
Agency Comments and Our Evaluation:
We received written comments on a draft of our briefing from the Under
Secretary for Emergency Preparedness and Response of the Department of
Homeland Security (DHS). (These comments are reproduced in app. II.) In
commenting on the briefing, the Under Secretary stated that DHS agreed
that there has been improvement in COOP plans and attributed that
improvement to a renewed emphasis by DHS and the White House. The
department also agreed with the need for additional oversight and noted
that FEMA had begun conducting COOP site assessments at departments and
agencies to improve readiness.
The Under Secretary's letter drew attention to a number of actions
taken after the May 1, 2004, cutoff date for our assessment. These
actions include an interagency exercise conducted in May 2004, the June
2004 release of the revised FPC 65, FEMA's training for COOP managers,
and initial planning for the next interagency exercise in 2006. These
actions are described in our briefing. However, we did not use the June
2004 guidance in our assessments because it was released after we began
our review.
The Under Secretary wrote that it was unclear whether we had considered
classified information that DHS provided about interagency
communications in our assessments. We considered this information in
our assessments of individual agency plans, and the briefing reflects
the results.
Finally, the Under Secretary pointed out that the readiness reporting
system that FEMA is developing was not intended to be a COOP plan
assessment tool, but that it instead provides key officials with the
ability to determine plan status in near real time. We continue to
believe that it is important for FEMA to assess agency plans as part of
its oversight responsibilities. Regardless of the system's intended
use, we believe its capabilities, as described by FEMA, make it a
valuable tool that the agency should use when exercising these
responsibilities.
We subsequently met with FEMA officials in April 2005 to receive an
update on their oversight efforts. Officials stated that development of
the readiness reporting system was completed in March 2005, and that
the system is expected to be operational and certified by October 2005,
at which time there will be seven locations (including two FEMA
locations) using the system. In addition, FEMA reported that as of
April 2005, it has trained 682 federal, state, and local officials
representing 30 major federal departments and agencies and 209 smaller
agencies.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from the date of this report. At that time, we will send copies of this
report to the Chairmen and Ranking Minority Members of the Subcommittee
on Homeland Security, House Committee on Appropriations; Subcommittee
on National Security, Emerging Threats, and International Relations,
House Committee on Government Reform; and the Subcommittee on Oversight
of Government Management, the Federal Workforce, and the District of
Columbia, Senate Committee on Governmental Affairs. We are also sending
copies to the Secretary of Homeland Security. We will make copies
available on request. In addition, the report will be available at no
charge on the GAO Web site at [Hyperlink, http://www.gao.gov]
Should you or your offices have any questions about matters discussed
in this report, please contact me at (202) 512-6240 or by e-mail at
[Hyperlink, koontzl@gao.gov]. You may also contact James R. Sweetman,
Jr., at (202) 512-3347 or by e-mail at [Hyperlink, sweetmanj@gao.gov].
Major contributors to this report also included Barbara Collier, Mike
Dolak, Nick Marinos, and Jessica Waselkow.
Sincerely yours,
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendixes:
Appendix I: Unclassified Version of February 28, 2005, Briefing to the
Committee on Government Reform, House of Representatives:
Accountability * Integrity * Reliability:
Continuity of Operations: Agency Plans Have Improved, but Better
Oversight Could Assist Agencies in Preparing for Emergencies:
Briefing for the Staff of the Committee on Government Reform, House of
Representatives:
Outline of Briefing:
Introduction:
Objectives, Scope, and Methodology Results in Brief:
Background Results * Identification of essential functions:
* Compliance of federal agency continuity plans with guidance *
Telework:
Conclusions Recommendations Agency Comments and Our Evaluation
Attachment 1: Continuity Planning Bibliography Attachment 2: Major
Agencies Reviewed Attachment 3: Component Agencies Reviewed, with High-
Impact Program Responsibilities Attachment 4: 38 High-Impact Programs
and Responsible Agencies:
Introduction:
Federal operations and facilities have been disrupted by a range of
events, including:
* the terrorist attacks on September 11, 2001, and at Oklahoma City;
* localized shutdowns due to severe weather conditions, such as the
closure of federal offices in Washington, D.C., in September 2003 due
to Hurricane Isabel; and:
* building-level events, such as asbestos contamination at the
Department of the Interior's headquarters.
Such disruptions, particularly if prolonged, can lead to interruptions
in essential government services. Prudent management, therefore,
requires that federal agencies develop plans for ensuring the
continuity of such services in emergency situations. These are referred
to as continuity of operations (COOP) plans. These plans lay out an
agency's approach to maintaining services, ensuring proper authority
for government actions, and protecting vital assets.
In October 1998, Presidential Decision Directive (PDD) 67 identified
the Federal Emergency Management Agency (FEMA) as the executive agent
for federal COOP planning across the federal executive branch.
FEMA's responsibilities include:
* formulating guidance for agencies to use in developing viable plans,
* coordinating interagency exercises and facilitating interagency
coordination as appropriate, and:
[*] overseeing and assessing the status of COOP capabilities across the
executive branch.
In July 1999, FEMA first issued Federal Preparedness Circular (FPC) 65.
FPC 65 is guidance to the federal executive branch for use in
developing viable and executable contingency plans that facilitate the
performance of essential functions during any emergency. Specifically,
the guidance:
established the identification of essential functions as the basis for
COOP planning;
defined essential functions as those that enable agencies to provide
vital services, exercise civil authority, maintain safety, and sustain
the economy during an emergency;
defined the elements of a viable continuity of operations capability
according to eight topic areas: identification of essential functions;
development of plans and procedures; identification of orders of
succession; delegations of authority; provision for alternate
facilities; provision of interoperable communications; availability of
vital records; and conduct of regular tests, training, and exercises;
and:
set up an interagency working group to coordinate continuity planning.
FPC 65 applies to all federal executive branch departments and agencies
at all levels, including locations outside Washington, D.C. It directed
the heads of each agency to assume responsibilities including:
* developing, approving, and maintaining agency continuity plans and
procedures;
* developing a COOP multiyear strategy and program management plan; and:
* conducting tests and training of agency continuity plans, contingency
staffs, and essential systems and equipment.
Objectives, Scope, and Methodology:
Objectives:
We previously reviewed agency COOP plan compliance with FEMA's guidance
at the request of the Chairman, House Committee on Government Reform.
At that time, we found that a number of agencies and their components
did not have continuity plans in place on October 1, 2002, and those
that were in place did not generally comply with FEMA's guidance.
At the Chairman's request, we subsequently assessed plans in place on
May 1, 2004, both from the agencies that had plans in place in 2002 and
from agencies that subsequently adopted plans. For the current review,
as agreed with the Committee, our objectives were to determine to what
extent:
major federal agencies used sound practices to identify and validate
their essential functions,
agencies had made progress in improving compliance with the guidance
outlined in FPC 65 since our 2002 review, and:
agency continuity of operations plans addressed the use of telework
arrangements (in which work is performed at an employee's home or at a
work location other than a traditional office) during emergencies.
Scope and Methodology:
To accomplish our objective on sound practices, we:
reviewed published literature on continuity planning to identify sound
practices in selecting and validating essential functions (a
bibliography is included in attachment 1);
consulted with experts on continuity planning to validate the resulting
list of sound practices;[Footnote 5]:
surveyed agency officials responsible for COOP planning to determine
which practices were used when agencies identified their essential
functions;
reviewed supporting documentation submitted by agency officials to
support their responses; and:
conducted additional quantitative and qualitative analyses of the
essential functions listed in agency plans.
Based on an analysis of published literature and in consultation with
experts on continuity planning, we identified eight sound practices
related to essential functions that organizations should use when
developing their continuity plans. These practices constitute an
ongoing process that includes the selection and validation of essential
functions.
We surveyed agency officials responsible for COOP planning to determine
which of the eight practices were used when agencies developed their
continuity plans. Agencies were asked whether they used each sound
practice and to respond with "yes," "no," or "partial" (if they used
some, but not all of the described practice). For "yes" and "partial"
responses, agencies were requested to provide supporting documentation.
We then analyzed the provided documentation to determine if the
documents supported the related response. We tabulated the results of
the survey, distinguishing responses that were supported with adequate
documentation from those that were not.
To assess agency compliance with FPC 65 in May 2004, we:
obtained and evaluated headquarters contingency plans in place as of
May 1, 2004, from 20 of the 23 largest civilian departments and
agencies[Footnote 6] (the 23 agencies are listed in attachment 2);
obtained and evaluated plans from 24 components of departments,
selected because they were responsible for a program previously deemed
high-impact by the Office of Management and Budget (OMB),[Footnote 7]
as well as the Department of the Treasury's Financial Management
Service, which we selected because of its significant role in
processing federal payments (attachment 3 lists these 25 components and
the high-impact programs for which they are responsible);
interviewed agency officials responsible for developing each of the 45
continuity plans and reviewed other documentation provided by agencies
to demonstrate compliance with the guidance;
obtained and analyzed FEMA's COOP guidance and documents describing its
efforts to provide oversight and assessments of federal planning
efforts, and conducted interviews with FEMA officials to clarify the
activities described in these documents.
As we did in 2002, we assessed each agency plan using yes/no questions
based on the guidance in FPC 65. These questions address each of the
eight topic areas discussed in the guidance:
* essential functions,
* plans and procedures, * orders of succession,
* delegations of authority, * alternate facilities,
* redundant emergency communications, * vital records, and:
* tests, training, and exercises.
Each topic area included two to eight questions.
Based on the agency contingency plans and other related documents, we
used content analysis to assign an answer of yes (compliant with all of
the guidance related to that question), no (not compliant with any of
the guidance related to that question), or partially (compliant with
some, but not all of the guidance) to these 34 questions.
Documents were reviewed and compared independently by two analysts.
The analysts then met to compare their assessments and reach a
consensus assessment. A third analyst reviewed plans where the initial
two could not reach consensus.
Initial assessments were shared with each agency during structured
interviews.
Agency officials had the opportunity to provide additional
documentation to demonstrate compliance.
Any supplemental information provided by the agencies was again
reviewed by multiple analysts, first independently and then jointly.
Based on this analysis, we created summary tables that compared answers
across agencies.
To accomplish our objective on the use of telework, we:
reviewed prior GAO work on telework[Footnote 8] to determine key
practices for the development of an effective telework program;
developed a series of questions regarding agency plans to use telework
during a COOP event;
surveyed agency officials responsible for continuity planning to
determine to what extent telework key practices were used in making
continuity preparations;
reviewed supporting documentation submitted by agency officials to
support their responses.
We conducted our review between April 2004 and January 2005, in
accordance with generally accepted government auditing standards.
Results in Brief: Objective 1: Identification of Essential Functions:
Many of the 23 agencies reported using the eight sound practices for
identifying and validating essential functions that we identified (for
example, performing a risk and impact analysis for each essential
function), but few provided documentation sufficient for us to confirm
their responses. This indicates that agencies-although aware of these
practices-may not have followed them thoroughly or effectively. In any
case, the essential functions identified by agencies varied widely.
Specifically, of 45 plans in place on May 1, 2004, 43 identified at
least one essential function. However, the number of functions
identified in each plan ranged from 3 to 538 and included ones that
appeared to be of secondary importance. For example, one agency
included "champion decision-making decisions," among its essential
functions.
A major factor contributing to these shortcomings was that as of May 1,
2004, FEMA's guidance did not provide specific criteria for identifying
essential functions. Subsequent guidance from FEMA and the White House
significantly addresses the best practices we identified. In addition,
the White House plans further actions to improve continuity planning.
If this guidance and follow-up actions are implemented effectively,
they could lead to more consistent identification of essential
functions across the executive branch.
Results in Brief: Objective 2 COOP Plans' Compliance with FPC 65:
Compared to our 2002 review, agencies had made progress in improving
compliance with FPC 65 as of May 1, 2004, but significant weaknesses
remained. Specifically, one of the three major agencies that did not
have a plan in place in 2002 subsequently developed a plan, but the
other two had no plans in place as of May 1. Plans were in place on May
1 for the other 20 major agencies, as well as for 25 of their
components responsible for high-impact programs (9 more components than
had plans in 2002). Agencies that had plans in place in both 2002 and
2004 showed significant improvement in the area of tests, training, and
exercises. However, although some improvement occurred for the other
seven designated planning areas, important weaknesses remained: for
example, 31 of 45 plans did not fully identify mission-critical systems
and data necessary to conduct essential functions, and 32 of 45 did not
fully establish the staffing and resource requirements needed to
perform the essential functions.
Inadequate oversight by FEMA contributed to the level of weaknesses in
agency COOP plans. FEMA plans to improve oversight using an online
readiness reporting system, which it plans to have fully operational
later this year, and it has already taken other steps to help agencies
improve their plans, such as conducting an interagency exercise.
However, FEMA no longer plans to verify the readiness information that
agencies will report in the system. Without more effective oversight,
improvements in continuity plans could continue to proceed slowly, and
the risk will remain significant that the public will not be able to
rely upon the continued delivery of essential programs and services
following an emergency.
Results in Brief: Objective 3 Telework:
Although not required to do so, one of the 21 agency continuity plans
in place on May 1 documented plans to address some essential functions
through telework. Two other agencies reported that they planned to use
telework to fulfill their essential functions and eight agencies
reported that they planned for nonessential staff to telework during a
COOP event, but their continuity documents did not specifically
document such plans. In addition, none of the agencies that were
planning to use telework during a COOP event documented that they had
followed the practices necessary for the development of an effective
telework program.[Footnote 9] In the subsequent revision to its
guidance, FEMA suggested that agencies consider the use of telework,
but neither this guidance nor telework guidance issued by OPM addresses
the preparations necessary to ensure an effective telework program. As
a result, agencies may not be able to use telework effectively to
ensure the continuity of their essential functions in emergencies.
Results in Brief:
Recommendations and Agency Comments:
To help improve the ability of the executive branch to continue to
provide essential services during emergencies, we are making
recommendations to the Assistant to the President for Homeland Security
and the Secretary of Homeland Security.
In written comments on a draft of this briefing, the Department of
Homeland Security's Under Secretary for Emergency Preparedness and
Response stated that the department agreed that there has been
improvement in agency plans. He also agreed with the need for increased
oversight, and described actions FEMA is taking to assess agency COOP
sites. The Under Secretary also called attention to actions that took
place after the cutoff date of our assessment, and provided additional
information on several other topics. We reviewed the briefing to ensure
that the issues identified by the Under Secretary are adequately
addressed.
Background:
In 1988, Executive Order 12656 established policy for preparedness to
address emergencies that affect national security, including
technological emergencies and natural disasters. The order identified
the National Security Council as the agency responsible for developing
and administering plans to meet essential needs during such
emergencies, with the assistance of FEMA.
In July 1999, FEMA issued FPC 65 to assist agencies in meeting the
October 1999 deadline established by presidential directive. The
guidance states that COOP planning should address any emergency or
situation that could disrupt normal operations, including localized
emergencies; thus, it extended the scope of the required planning
beyond the national emergencies described in the Executive Order.
The guidance also states that essential functions form the basis of
continuity planning-they establish the planning parameters that drive
the agency's efforts in all other planning topics. For example, the
guidance directs agencies to identify alternative facilities, staff,
and resources necessary to support continuation of their essential
functions. The effectiveness of the plan as a whole and the
implementation of all other elements depend on the performance of this
initial step.
Following the identification of essential functions, agencies are
responsible for developing agency continuity plans and procedures, as
well as a multiyear strategy and program management plan, which should
address continuity planning goals and objectives, budgetary
requirements, and planning milestones.
Finally, agencies are responsible for conducting training related to
agency continuity plans, as well as tests to verify the adequacy of
their plans and their ability to carry them out.
We previously reported on federal agency headquarters contingency plans
in place in October 2002 at the request of the Chairman, House
Committee on Government Reform.[Footnote 10] At that time, we found
that most agencies identified at least one function as essential, but
the functions varied in number and apparent importance. We also found
that while 20 of 23 agencies had documented COOP plans, none addressed
all the guidance in FPC 65. We identified inadequate guidance and
oversight as factors contributing to these weaknesses, and recommended
that the Department of Homeland Security (DHS) (1) ensure that agencies
without plans develop them, (2) ensure that agencies address weaknesses
in their plans, and (3) conduct assessments of plans that included an
independent verification of agency-provided data and an assessment of
identified essential functions. In response to these recommendations,
DHS reported in July 2004 that it (1) was developing an online system
to collect data from agencies on the readiness of their continuity
plans that would evaluate compliance with the guidance, (2) had
conducted an interagency exercise, and (3) had developed a training
program for agency continuity planning managers. DHS added that it
planned to conduct an independent validation of each agency's self-
assessment after deployment of the readiness system.[Footnote 11]:
Objective 1: Essential Functions: Sound Practices:
Based on an analysis of published literature and in consultation with
experts on continuity planning, we identified eight sound practices
related to essential functions that organizations should use when
developing their COOP plans. These practices constitute an ongoing
process that includes identifying and validating essential functions:
1. Establish a structured COOP project work group/committee that
includes representatives of all agency components, legal advisors, and
continuity experts and either includes a member of the agency's
executive management or reports to a member of the agency's executive
management. Such a committee should be involved in the initial
selection of essential functions.
2. Determine the resources necessary to perform each function.
3. Determine the dependencies necessary to perform each function.
4. Develop a schedule or project plan for critical stages in the
continuity of operations program effort.
5. Identify and rank plausible threats, vulnerabilities, liabilities,
and/or exposures through a risk assessment.
6. Perform a risk and impact analysis for each essential function-
including prioritization of essential functions and determination of
minimum acceptance level of output and recovery time objective for each
function.
7. Develop and implement a strategy for validating the continuity plan
and the underlying essential functions.
8. Change its essential functions as the result of the validation
process.
Objective 1: Essential Functions: Agency Responses by Practice:
Agency Responses by Practice:
With regard to COOP plans in place on May 1, 2004, many of the 23
agencies reported using some of the sound practices in developing
plans, included identifying and validating essential functions, but few
provided documentation sufficient for us to validate their responses
(see table).
Yes Partially:
Did your agency-with doc. undoc.A with doc. undoc.A No:
1. Establish a structured COOP project work; [Empty];
[Empty];
[Empty];
[Empty];
[Empty].
group/committee that includes representatives;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
of all agency components, legal advisors, and;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
continuity experts?;
8;
12;
0;
1;
2.
1.A If yes, did the committee include or report;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
to a member of the agency's executive;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
management?;
4;
16;
0;
0;
0.
2. When determining the agency's essential;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
functions, determine the resources necessary to;
[Empty];
[Empty];
[Empty];
[Empty];
[Empty].
perform each function?;
2;
14;
1;
3;
3.
[A] The agency provided either no documentation or documentation
insufficient to support the response.
[End of table]
Did your agency-:
3. When determining the agency's essential functions, determine the
dependencies necessary to perform each function? 4. Develop a schedule
or project plan for critical stages in the continuity of operations
program effort? 5. Identify and rank plausible threats,
vulnerabilities, liabilities, and/or exposures through a risk
assessment? 6. Perform a risk and impact analysis for each essential
function-including prioritization of essential functions and
determination of minimum acceptance level of output and recovery time
objective for each function? 7. Develop and/or implement a strategy for
validating the continuity plan and the underlying essential functions?
8. Make any changes to its essential functions as a result of the
validation process?
Yeswith doc;
undoc.[A];
with doc;
Partiallyundoc.[A];
No.
0;
14;
0;
5;
4.
5;
11;
0;
2;
5.
4;
11;
0;
2;
6.
2;
9;
0;
4;
8.
1;
16;
0;
3;
3.
0;
10;
0;
1;
12.
Source: GAO analysis of agency continuity planning documents.
[A]The agency provided either no documentation or documentation
insufficient to support the response.
[End of table]
Objective 1: Essential Functions: Agency-Identified Essential Functions:
Agencies' inability to provide documentation adequate to support their
reported use of sound continuity planning practices raises concerns
that the practices may not have been followed thoroughly or
effectively. For example, it is unlikely that a thorough risk analysis
of essential functions could be performed without being documented.
Whether or not these practices were followed, the results were
inconsistent, and some of the functions identified were of questionable
importance. For example, although 43 of the 45 COOP plans in our review
identified at least one essential function, the number of functions in
each plan varied widely-ranging from 3 to 538. In addition, the
apparent importance of the functions was not consistent. For example, a
number of essential functions were of clear importance, such as:
* "conduct payments to security holders";
* "provide emergency staffing and compensation policy advice" and:
* "carry out a rapid and effective response to all hazards,
emergencies, and disasters." Other identified functions appeared vague
or of questionable importance:
* "champion decision-making decisions";
* "provide advice to the Under Secretary"; and:
* "produce speeches and articles for the Secretary and Deputy
Secretary."
Objective 1: Essential Functions: Guidance:
The high level of generality in FEMA's guidance on essential functions
contributed to the inconsistencies in agencies' identification of these
functions. As was the case during our 2002 review, the version of FPC
65 in place on May 1, 2004, defined essential functions as those that
enable agencies to provide vital services, exercise civil authority,
maintain safety, and sustain the economy during an emergency. The
document did not, however, define a process that agencies could use to
select their essential functions.
In June 2004, FEMA released an updated version of FPC 65, providing
additional guidance to agencies on each of the topics covered in the
original guidance, including an annex on essential functions. The annex
lists several categories that agencies must consider when determining
which functions are essential, including:
* functions that must continue with minimal interruption or cannot be
interrupted for more than 12 hours without compromising the
organization's ability to perform its mission and:
* functions assigned to the agency by federal law or by order of the
President.
The new guidance goes on to outline steps addressing the prioritization
of selected functions as well as the identification of resources
necessary to accomplish them and of interdependencies with other
agencies.
Objective 1: Essential Functions: White House Effort:
On January 10, 2005, the Assistant to the President for Homeland
Security issued a memorandum outlining additional guidance on essential
functions and initiated a process to identify and validate agency-level
functions. The memorandum noted that in the past many departments and
agencies had had difficulty clearly identifying and articulating their
essential functions. It attributed this difficulty, in part, to the
lack of a defined set of national-level essential functions to guide
agency continuity planning, resulting in multiple efforts to develop
agency essential functions for different specific purposes (e.g.,
planning for Year 2000 computer continuity, information technology
planning, and critical infrastructure planning). Further, it noted that
departments and agencies sometimes do not distinguish between a
"function" and the specific activities necessary to perform the
function.
To address these issues, the memorandum identified eight National
Essential Functions that are necessary to lead and sustain the country
during an emergency and, therefore, must be supported through
continuity capabilities:
Preserve our constitutional form of government.
Provide leadership visible to the nation and the world; maintain the
trust and confidence of the American people.
Defend the country against all enemies, foreign or domestic, and
prevent or interdict future attacks.
Maintain and foster effective relationships with foreign nations.
Protect against threats to the homeland and bring to justice
perpetrators of crimes or attacks against the nation, its citizens, or
its interests.
Provide rapid and effective response to and recovery from the domestic
consequences of an attack or other incident.
Protect and stabilize the nation's economy; ensure confidence in
financial systems.
Provide for critical federal government services that address the
national health, safety, and welfare needs of the nation.
Also, the memorandum asked major agencies to identify their Priority
Mission Essential Functions-those functions that must be performed to
support or implement the National Essential Functions before, during,
and in the immediate aftermath of an emergency. The document states
that generally priority functions must be uninterrupted or resumed
during the first 24 to 48 hours after the occurrence of an emergency
and continued through full resumption of all government functions.
When identifying their functions, agencies were asked to also identify
the National Essential Function that each priority function supports,
the time in which the priority function must be accomplished, and the
partners necessary to perform the priority function. The memorandum
asked agencies to reply by February 18, 2005.
The memorandum emphasized the need for the involvement of senior-level
agency officials, calling for each agency's functions to be first
approved by an official with agencywide responsibilities. The
memorandum then laid out a process by which the functions would be
validated by an interagency group within the Homeland Security Council.
The validated functions would then be used to support development of a
new continuity policy and would be used to develop and implement
improved requirements for capabilities, inform the annual budget
process, establish program metrics, and guide training and exercises
and other continuity program activities. The memorandum did not set any
time frames for these later steps.
Objective 1: Essential Functions: Practices Addressed in New Guidance:
Together, FEMA's revised guidance and the guidance from the White House
significantly address the best practices that we identified. For
example:
* Both documents call for agencies to identify dependencies necessary
to perform the functions.
* FEMA's guidance calls for agencies to prioritize their essential
functions and identify the resources necessary to perform them.
* The White House guidance calls on agencies to identify the recovery
time necessary for each function and outlines a process to validate the
initial list of functions.
If implemented effectively, the new guidance and the review process
conducted by the White House could result in more consistent
identification of essential functions across the executive branch. The
functions could then form the basis for better plans for continuing the
most critical functions following a disruption to normal operations.
However, without time frames for completing the outlined process, it is
unclear when the expected improvements will occur.
Objective 2: Compliance with COOP Guidance: Plans in Place on May 1,
2004:
When compared with our prior assessment, agency continuity plans in
place on May 1, 2004, showed improved compliance with FEMA's guidance
in two ways:
One agency and 9 component agencies that did not have documented
continuity plans in place at the time of our 2002 review had put such
plans in place by May 1.
For each of the topic areas outlined in the guidance, agencies
generally made progress in increasing compliance.
However, two major agencies did not have plans in place on May 1, 2004.
Neither agency had put a plan in place by December 2004-one planned to
have a plan finalized in early 2005, and the other did not have an
estimate of when its plan would be completed.
In addition, none of the plans that were in place on May 1 followed all
of FEMA's guidance.
The following sections describe agency compliance in each of the eight
planning areas of FPC 65. For each area, our assessments of three sets
of plans are listed for comparison purposes:
* the results from our review of plans in place in 2002, which included
34 plans covering 35 agencies and components;
* the results from our 2004 review for the 35 plans covering the
agencies and components included in our 2002 review; and:
* the results from all 45 agency and component plans in place on May 1,
2004.[Footnote 12]:
Objective 2: Compliance with COOP Guidance: Essential Functions:
Essential Functions:
Although most agency plans identified at least one essential function,
many COOP plans did not fully address other aspects of the guidance
related to essential functions, such as prioritizing the functions or
identifying interdependencies among them. If agencies do not prioritize
their essential functions and identify the resources necessary to
accomplish them, their plans will not be effective, as the other seven
topics of the continuity plan are designed around supporting these
functions.
Answers to All Essential Functions Questions in 2002 and 2004
Assessments:
[See PDF for image]
Source: GAO analysis of agency continuity planning documents.
Note: During our 2002 review, one plan covered two components
responsible for high-impact programs. The components responsible for
those programs had separate plans in 2004.
[End of figure]
Objective 2: Compliance with COOP Guidance Essential Functions:
Essential Functions: Responses by Question:
The following table summarizes the results of our analysis of agency
plans in place on May 1, 2004, according to the existing detailed
guidance in FPC 65 on essential functions. It compares the results of
our analysis of the 34 plans reviewed in 2002 to the 2004 results for
the 35 agencies included in plans reviewed in 2002 as well as the total
45 agency plans reviewed i n 2004.
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Identify the agency's essential functions?'; 2002 34; 25; 4; 5.
[Empty]; 2004 (35); 31; 2; 2.
[Empty]; 2004 45; 40; 3; 2.
Identify which essential functions must be continued; 2002 (34); 14; 3;
17.
under all circumstances?; 2004 (35); 28; 2; 5.
[Empty]; 2004 (45); 35; 2; 8.
Prioritize essential functions?; 2002 34; 13; 2; 19.
[Empty]; 2004 (35); 14; 3; 18.
[Empty]; 2004 45; 20; 4; 21.
Establish staffing and resource requirements needed; 2002 (34); 8; 20;
6.
to perform the essential functions?; 2004 (35); 10; 23; 2.
[Empty]; 2004 (45); 13; 30; 2.
[A]The analysis for this question addressed only whether essential
functions were named; it did not evaluate the functions chosen.
[End of table]
Essential Functions: Responses by Question (cont'd):
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Identify mission-critical systems and data necessary to; 2002 34; 7;
12; 15.
conduct essential functions?; 2004 35; 11; 17; 7.
[Empty]; 2004 (45); 14; 24; 7.
Integrate supporting activities/identify interdependencies; 2002 34; 6;
9; 19.
among the essential functions and functions or resources; 2004 (35); 8;
14; 13.
controlled b others?; 2004 45; 10; 15; 20.
[End of table]
Source: GAO analysis of agency continuity planning documents.
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Plans and Procedures:
Plans and Procedures:
FPC 65 calls for COOP plans to be developed and documented that provide
for the performance of essential functions under all circumstances.
Most agency continuity documents included the plans and procedures
outlined in FEMA's guidance. However, in those cases where plans and
procedures are not adequately documented, agency personnel may not know
what to do in an emergency.
Answers to All Plans and Procedures Questions in 2002 and 2004
Assessments:
2002 (34 plans); 66; 21.
[Empty]; [Empty]; [Empty].
2004 (35 plans); 74; 29.
[Empty]; [Empty]; [Empty].
2004 (45 plans); 87; 42.
[End of table]
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source: GAO analysis of agency continuity planning documents.
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Plans and Procedures:
Plans and Procedures: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Identify a roster of personnel to perform essential; 2002 34; 22; 6; 6.
functions?; 2004 (35); 24; 11; 0.
[Empty]; 2004 45; 28; 17; 0.
Identify procedures for employee advisories, alerts,; 2002 34; 19; 11;
4.
notification, and relocation instructions to the alternate; 2004 35;
21; 14; 0.
facilities?; 2004 45; 24; 20; 1.
Establish a goal of becoming operational within 12 hours; 2002 34; 25;
4; 5.
and maintaining that capability for 30 days?; 2004 35; 29; 4; 2.
[Empty]; 2004 45; 35; 5; 5.
[End of table]
Source: GAO analysis of agency continuity planning documents.
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Order of Succession:
Order of Succession:
Orders of succession ensure continuity by identifying individuals
authorized to act for agency officials in case those officials are
unavailable.
While most agency COOP documents adequately described the order of
succession to the agency head, fewer addressed other succession
planning procedures outlined in FPC 65. If orders of succession are not
clearly established, agency personnel may not know who has authority
and responsibility if agency leadership is incapacitated in an
emergency.
Answers to All Succession Questions in 2002 and 2004 Assessments 2002
(34 plans):
2004 (35 plans) 2004 (45 plans):
[See PDF for image]
[End of figure]
[See PDF for image]
[End of figure]
[See PDF for image]
[End of figure]
218:
[See PDF for image]
[End of figure]
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source. GAO analysis of agency continuity planning documents.
38:
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Order of Succession:
Order of Succession: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Establish an order of succession to the agency head; 2002 (34); 28; 4;
2.
position?; 2004 (35); 32; 3; 0.
[Empty]; 2004 (45); 39; 3; 3.
Establish orders of succession to other key leadership; 2002 (34); 19;
6; 9.
positions?; 2004 (35); 24; 6; 5.
[Empty]; 2004 (45); 28; 6; 11.
Include officials outside Washington, D.C., in the order of; 2002 (34);
19; 1; 11.
succession? (Three agencies did not have senior officials; 2004 (35);
27; 0; 4.
outside the local area who could serve in the order ofsuccession in
2002 and four did not in 2004.); 2004 (45); 31; 1; 9.
Describe orders of succession by position or title?; 2002 (34); 31; 2;
1.
[Empty]; 2004 (35); 32; 3; 0.
[Empty]; 2004 (45); 39; 3; 3.
Include the orders of succession in the agency's emergency; 2002 (34);
6; 4; 24.
vital records?; 2004 35; 16; 4; 15.
[Empty]; 2004 (45); 21; 4; 20.
[End of table]
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Order of Succession:
Order of Succession: Responses by Question (cont'd):
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Establish rules and procedures for resolving questions; 2002 34; 14; 3;
17.
regarding succession in emergencies?; 2004 35; 28; 0; 7.
[Empty]; 2004 (45); 33; 0; 12.
Define the conditions under which succession takes place; 2002 34; 9;
20; 5.
and how successors are to be relieved?; 2004 (35); 18; 14; 3.
[Empty]; 2004 45; 20; 17; 8.
Require orientation programs to prepare potential; 2002 (34); 0; 7; 27.
successors for their emergency duties?; 2004 35; 5; 9; 21.
[Empty]; 2004 45; 7; 9; 29.
[End of table]
Source: GAO analysis of agency continuity planning documents.
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Delegations of Authority:
Delegations of Authority:
To provide for rapid response to emergencies, FEMA's guidance calls for
agencies to pre-delegate authorities for making policy determinations
at all levels. Generally, these delegations define what actions those
individuals identified in the orders of succession can take in
emergencies.
We found that few agencies had fully documented delegations of
authority. If delegations of authority are not clearly established,
agency personnel may not know who has authority to make key decisions
in an emergency.
Answers to All Delegations of Authority Questions in 2002 and 2004
Assessments 2002 (34 plans):
2004 (35 plans) 2004 (45 plans):
[See PDF for image]
[End of figure]
15:
46:
17:
56:
[See PDF for image]
[End of figure]
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source. GAO analysis of agency continuity planning documents.
41:
[See PDF for image]
[End of figure]
Objective 2: Compliance with COOP Guidance Delegations of Authority:
Delegations of Authority: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Document the legal authority for officials (including those; 2002 (34);
8; 16; 10.
below the agency head) to make policy decisions during; 2004 (35); 8;
25; 2.
an emergency?; 2004 (45); 9; 30; 6.
Identify when emergency legal authorities begin and when; 2002 (34); 5;
20; 9.
they terminate?; 2004 (35); 7; 21; 7.
[Empty]; 2004 (45); 8; 26; 11.
Source: GAO analysis of agency continuity planning documents.
[End of table]
Objective 2: Compliance with COOP Guidance Alternate Facilities:
Alternate Facilities:
Alternate facilities provide a physical location from which to conduct
essential functions if the agency's usual facilities are unavailable.
Most agency COOP plans document the acquisition of at least one
alternate facility for use in emergencies, but few of those plans
demonstrate that the facilities are capable of meeting the agencies'
emergency operating requirements. If alternate facilities are not
provided or are inadequate, agency operations may not be able to
continue in an emergency.
Answers to All Alternate Facility Questions in 2002 and 2004 Assessment:
2002 (34 plans); 51; 48.
2004 (35 plans); 63; 69.
2004 (45 plans); 73; 88.
[End of table]
[See PDF for image]
[End of figure]
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source. GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Alternate Facilities:
Alternate Facilities: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Document the acquisition of alternate facilities?; 2002 34; 24; 6; 4.
[Empty]; 2004 35; 28; 7; 0.
[Empty]; 2004 (45); 31; 12; 2.
Identify alternate facilities both within and outside of the; 2002 34;
20; 11; 3.
local area?; 2004 (35); 26; 9; 0.
[Empty]; 2004 45; 31; 12; 2.
Document the facilities' capability to provide previously; 2002 (34);
2; 16; 15.
identified equipment and space for previously identified; 2004 35; 3;
28; 4.
staff? (One agency transferred operations rather thanrelocating staff
in 2002.); 2004 (45); 3; 36; 6.
Document the capability to provide interoperable; 2002 (34); 5; 15; 14.
communications with internal and external organizations,; 2004 35; 6;
25; 4.
critical customers, and the public?; 2004 (45); 8; 28; 9.
[End of table]
Source: GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Redundant Emergency
Communications:
Redundant Emergency Communications:
The success of agency operations at an alternate facility depends on
available and redundant communications with internal organizations,
other agencies, critical customers, and the public.
Most COOP documents identified some redundant emergency communications
capabilities, but few include emergency communications available for
vital electronic systems. If communications fail in an emergency,
essential agency operations may not be possible.
Analysis of All Emergency Communications Questions in 2002 and 2004
Assessments:
2002 (34 plans) 2004 (35 plans) 2004 (45 plans):
38:
51:
61:
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source. GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Redundant Emergency
Communications:
Redundant Emergency Communications: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Identify at least two independent channels for emergency; 2002 34; 25;
2; 7.
communications?; 2004 35; 33; 2; 0.
[Empty]; 2004 (45); 41; 4; 0.
Identify key internal and external contacts and how to; 2002 34; 10;
10; 14.
reach them?; 2004 (35); 16; 18; 1.
[Empty]; 2004 45; 18; 24; 3.
Identify how emergency communications channels will be; 2002 (34); 3;
4; 27.
used to access the agency's vital electronic systems?; 2004 35; 2; 15;
18.
[Empty]; 2004 (45); 2; 16; 27.
[End of table]
Source: GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Vital Records:
Vital Records:
FPC 65 states that agency personnel must have access to and be able to
use electronic and hard-copy records and information systems needed to
perform their essential functions.
About 38 percent of the continuity plans fully identified agencies'
vital paper and electronic records, while fewer documented the
procedures for protecting or updating them. If agency personnel cannot
access and use up-to-date vital records, they may be unable to carry
out essential functions.
Analysis of All Vital Records Questions in 2002 and 2004 Assessments
2002 (34 plans):
2004 (35 plans) 2004 (45 plans):
[See PDF for image]
[End of figure]
19:
63:
[See PDF for image]
[End of figure]
22:
77:
[See PDF for image]
[End of figure]
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source: GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Vital Records:
Vital Records: Responses by Question:
Did the COOP documentation-; Year (plans); Yes; Partially; No.
Identify the vital records needed to support the identified; 2002 (34);
8; 13; 13.
essential functions?; 2004 (35); 14; 15; 6.
[Empty]; 2004 45; 17; 19; 9.
Identify where and how agency personnel are to access; 2002 34; 2; 10;
22.
the vital records?; 2004 (35); 3; 21; 11.
[Empty]; 2004 45; 3; 26; 16.
Outline procedures for regularly pre-positioning and; 2002 34; 3; 15;
16.
updating the identified vital records?; 2004 35; 2; 27; 6.
[Empty]; 2004 (45); 2; 32; 11.
[End of table]
Source: GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Tests, Training, and
Exercises:
Tests, Training, and Exercises:
Tests, training, and exercises of continuity of operations capabilities
are essential to demonstrate and improve agencies' abilities to execute
their plans.
The interagency COOP exercise conducted by FEMA in May 2004 helped
improve compliance in this area. However, few agencies have documented
that they conducted internal tests, training, and exercises at the
recommended frequency before the FEMA exercise. If emergency procedures
are not tested and staff is not trained in their use, planned responses
to an emergency may not be adequate to continue essential functions.
Analysis of All Test and Training Questions in 2002 and 2004
Assessments:
2002 (34 plans) 0 31; [Empty].
2004 (35 plans) 47; 56.
57; 66.
[End of table]
2004 (45 plans):
129:
Yes:
Partial:
0 10 20 30 40 50 60 70 80 90 100 Percent:
-No:
Source: GAO analysis of agency continuity planning documents.
Objective 2: Compliance with COOP Guidance Tests, Training, and
Exercises:
Tests, Training, and Exercises: Responses by Question:
Did the COOP documentation show that the agency-; Year (plans); Yes;
Partially; No.
Conducted annual individual and team training for; 2002 34; 1; 11; 22.
COOP staff?; 2004 35; 1; 18; 16.
[Empty]; 2004 (45); 1; 21; 23.
Conducted annual internal agency testing and; 2002 (34); 3; 10; 21.
exercising of COOP plans and procedures, including; 2004 35; 1; 17; 17.
operations at the alternate facilit ies ?; 2004 45; 1; 21; 23.
Conducted quarterly testing of alert and notification; 2002 (34); 0;
10; 24.
procedures?; 2004 35; 4; 16; 15.
[Empty]; 2004 (45); 4; 19; 22.
Conducted refresher orientations for staffs arriving at; 2002 34; 0; 0;
33.
alternate facilities? (One agency transfers operations; 2004 (35); 16;
4; 15.
rather than relocating to an alternate facility.); 2004 45; 18; 4; 23.
Conducted joint agency exercises, where applicable; 2002 34; 1; 0; 29.
and feasible?; 2004 (35); 25; 1; 9.
[Empty]; 2004 45; 33; 1; 11.
[End of table]
Source: GAO analysis of agency continuity planning documents.
Note: In 2002, four agencies determined that interagency exercises were
not applicable. In 2004, all the agencies we reviewed and 13 of their
components participated in an interagency exercise run by FEMA in mid-
May 2004. Participation in this exercise was considered in our
assessment of the question on joint agency exercises.
Objective 2: Compliance with COOP Guidance Agency Responsibilities:
FEMA's guidance also assigns agency heads several specific continuity
of operations responsibilities, including developing, approving, and
maintaining agency contingency plans and procedures, as well as
developing plans to manage these activities. However, we found that
agency heads were not consistently fulfilling these responsibilities.
Specifically, most of the agencies we reviewed could not document
approval of their COOP plans by senior management. Of the 20 agency-
level plans,
* 6 were approved by the agency head or deputy,
* 2 were approved by the next level of official (i.e., assistant
secretary), * 2 were approved by a lower-level official (i.e., director
of security), and * 10 were unsigned.
Of the 25 component plans,
* 12 were approved by the component head or deputy, * 1 was approved by
a lower-level official, and:
[*] 12 were unsigned.
Objective 2: Compliance with COOP Guidance Agency Responsibilities:
In addition, only 3 of the 21 major agencies had current COOP
management plans in place on May 1, 2004. According to the guidance,
agencies should use such plans to develop and maintain their
contingency planning capabilities. The plans should outline the process
agencies use to designate essential functions and resources, define
short-term and long-term COOP goals and objectives, forecast budgetary
requirements, and establish planning milestones. Without such plans,
agencies will be hampered in their efforts to ensure that continuity
planning efforts are timely and cost-effective.
Objective 2: Compliance with COOP Guidance Limited Oversight:
During our prior review of 2002 plans, we found that insufficient
oversight by FEMA contributed to agencies' lack of compliance with the
guidance. Specifically, we noted that FEMA had not conducted an
assessment of agency contingency plans since 1999. As a result, we
recommended that FEMA conduct assessments of agency continuity plans
that include independent verification of agency-reported information.
In response DHS reported that it was developing a readiness reporting
system to assist it in assessing agency plans and planned to verify the
information reported by the agencies.
Although neither of these planned actions was completed by May 1, 2004,
FEMA has made subsequent efforts to improve its oversight. According to
FEMA officials, its readiness reporting system is due to be operational
by January 31, 2005, and will be fully certified 20 weeks later. They
added that once the system becomes fully operational, agencies will be
required to periodically provide updated information on their
compliance with FEMA's guidance. These officials also reported that the
agency had taken additional steps to improve readiness. Specifically,
they stated that the interagency exercise held in mid-May 2004
successfully activated and tested agency plans; they based this
assessment on reports provided by the agencies. Furthermore, FEMA has
begun planning for another interagency exercise in 2006. In addition,
as of November 2004, FEMA had provided training to 372 federal COOP
managers from 65 departments and agencies. FEMA officials stated that
because of these additional successful efforts to improve readiness,
they no longer planned to verify agency-reported readiness data.
Objective 2: Compliance with COOP Guidance Limited Oversight:
While the revised guidance, recent exercise, and ongoing training
should help ensure that agency continuity plans follow FEMA's guidance,
FEMA's ongoing ability to oversee agency continuity planning activities
will be limited by its reliance on agency-provided data. Without
verification of such data, FEMA lacks assurance that agency plans are
compliant and that the procedures outlined in those plans will allow
agencies to effectively continue to perform their essential functions
following a disruption.
Objective 3: Telework:
Telework, also referred to as telecommuting or flexiplace, has gained
widespread attention over the past decade in both the public and
private sectors as a human capital flexibility that offers a variety of
potential benefits to employers, employees, and society. In a 2003
report to Congress on the status of telework in the federal government,
the Director of the Office of Personnel Management (OPM) described
telework as "an invaluable management tool which not only allows
employees greater flexibility to balance their personal and
professional duties, but also allows both management and employees to
cope with the uncertainties of potential disruptions in the workplace,
including terrorist threats."1:
As we reported in an April 2004 report, telework is an important and
viable option for federal agencies in COOP planning and implementation
efforts, especially as the duration of an emergency event is extended.2
In a July 2003 GAO report, we defined 25 key telework practices for
implementation of successful federal telework programs.3:
1 U.S. Office of Personnel Management, Report to the Congress: The
Status of Telework in the Federal Government (Washington, D.C.: January
2003).
[2] GAO, Human Capital: Opportunities to Improve Federal Continuity
Planning Guidance, GAO-04-384 (Washington, D.C.: Apr. 20, 2004).
[3] GAO, Human Capital: Further Guidance, Assistance, and Coordination
Can Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.:
July 18, 2003).
Objective 3: Telework:
According to OPM's guidance on Washington, D.C., area closures, one of
the major benefits of a telework program is the ability of telework
employees to continue working at their alternative work sites during a
disruption to operations.' In recognition of the growing importance of
teleworkers to the continuity of agency operations, OPM states that
agencies may wish to modify their current policies concerning
teleworkers and emergency closures. OPM's guidance on emergency
decision-making also notes that agency COOP facilities cannot
accommodate enough key staff to facilitate maximum government
operations, and that telework provides access to resources that may not
be available otherwise.2:
In addition, to make effective use of telework, experts told us that
organizations should identify those employees who are expected to
telework during a disruption and communicate that expectation to them
in advance. Further, organizations should provide teleworkers with
adequate support in terms of tools, training, and guidance.
'U.S. Office of Personnel Management, Washington, DC, Area Dismissal or
Closure Procedures (Washington, D.C.: Dec. 4, 2003).
[2] U.S. Office of Personnel Management, Federal Managers'/Decision-
makers' Emergency Guide (Washington, D.C.: Mar. 17, 2003).
Objective 3: Telework Agency Responses:
Although not required to do so, one of the 21 agency continuity plans
in place on May 1, 2004, documented plans to address some essential
functions through telework. Two other agencies reported that they
planned to use telework to fulfill their essential functions, and eight
agencies reported that they planned for nonessential staff to telework
during a COOP event, but their continuity plans do not specifically
mention telework.
In addition, none of the agencies that are planning to use telework
during a COOP event documented that the necessary preparations had
taken place (these preparations are derived from the practices for the
development of an effective telework program that we identified
earlier'). These preparations include informing and training the staff,
ensuring that there is adequate technological capacity for telework,
providing technological assistance, and testing the ability to telework.
1 GAO, Human Capital: Further Guidance, Assistance, and Coordination
Can Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.:
July 18, 2003).
Objective 3: Telework Telework Practices:
Telework: Responses by Question:
The following tables summarize agency responses to our questions on the
use of telework in responding to disruptions to operations and related
preparations.
YeSa No:
Question Yes (no doc.) No response:
Does your agency have a telework policy?; 19; 3; 0; 1.
If yes, does the policy specifically address COOP events?; 1; 2; 19; 1.
Does the COOP plan specifically address telework?; 2; 1; 19; 1.
Does the agency coordinate its COOP and teleworkplanning processes?; 0;
5; 17; 1.
Was the agency's telework coordinator involved in COOPplanning?; 0; 6;
16; 1.
[End of table]
a Agencies provided a positive response but did not provide adequate
documentation to support their response.
Objective 3: Telework Telework Practices:
Telework: Responses by Question (cont'd):
Que:
Are atele:
tion; Yes; YeSa(no doc.); No; Noresponse.
ny of the COOP essential team members expected to; 1; 2; 19; 1.
ork in a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Were staff informed of their responsibility to telework; 1; 3; 18; 1.
during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Has the agency ensured that it has adequate; 0; 5; 17; 1.
technological capacity for staff to telework during a; [Empty];
[Empty]; [Empty]; [Empty].
COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Will your agency provide technological assistance to; 0; 5; 17; 1.
staff during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Did your agency train staff how to telework during a; 0; 3; 19; 1.
COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Has your agency tested the ability of staff to telework; 0; 2; 20; 1.
during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
[End of table]
a Agencies provided a positive response but did not provide adequate
documentation to support their response.
Objective 3: Telework Telework Practices:
Telework: Responses by Question (cont'd):
Que:
Are apurp:
tion; Yes; YeSa(no doc.); No; Noresponse.
ny personnel not designated essential for COOP; 0; 7; 15; 1.
ses expected to telework during an emergency?; [Empty]; [Empty];
[Empty]; [Empty].
Was staff informed of their responsibility to telework; 0; 3; 19; 1.
during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Has the agency ensured that it has adequate; 0; 7; 15; 1.
technological capacity for staff to telework during a; [Empty];
[Empty]; [Empty]; [Empty].
COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Will your agency provide technological assistance; 0; 5; 17; 1.
to staff during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Did your agency train staff how to telework during a; 0; 1; 21; 1.
COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Has your agency tested the ability of staff to; 0; 3; 19; 1.
telework during a COOP event?; [Empty]; [Empty]; [Empty]; [Empty].
Source: Analysis of agency responses to GAO questions.
a Agencies provided a positive response but did not provide adequate
documentation to support their response.
[End of table]
Objective 3: Telework Telework Practices:
In May 2004, OPM's guidance on Washington, D.C., area closures and
emergency planning (as mentioned earlier) were the only telework
guidance available to agency emergency planners. Planners now have
additional guidance from FEMA-the June 2004 version of its continuity
planning guidance mentions telework as one option that agencies should
consider when making plans for alternate facilities. However, neither
agency's guidance addresses the steps that agencies who choose to use
telework following a COOP event should take to ensure that they are
fully prepared. If agencies are not informed of the need for such
preparations, their future efforts to increase the use of telework may
not effectively contribute to the continuity of the agencies' essential
functions.
Conclusions:
Although agency COOP plans have shown improvement since our prior
assessment of 2002 plans, most plans in place on May 1, 2004, continued
to exhibit inconsistencies in the identification of essential functions
and significant lack of compliance with FEMA's guidance. Both FEMA's
revision to this guidance and a recently initiated White House effort
have the potential, if effectively implemented, to help agencies better
identify their essential functions and thus develop better continuity
plans. However, the lack of a schedule to complete the White House
effort makes it unclear when these improvements might take place.
Agencies' efforts to develop continuity plans could also be aided by
FEMA's efforts to develop a readiness reporting system, conduct a
governmentwide exercise, and train agency COOP planners, as well as by
any guidance or policies that result from the White House effort. At
this time, we do not believe that agencies should begin extensive
efforts to bring their plans into compliance with all of the current
FEMA guidance because it appears likely to be revised. However,
agencies that do not take some interim steps to address those
weaknesses that directly affect their ability to perform their
essential functions are placing their ability to perform those
functions at risk. In addition, if FEMA continues to base its oversight
activities on agency-reported data, its effectiveness will be limited.
Without more effective oversight, improvements in continuity plans
could continue to proceed slowly, and the risk will remain significant
that the public will not be able to rely upon the continued delivery of
essential programs and services following an emergency.
Conclusions:
Even though FEMA's continuity planning guidance in place in May 2004
did not address telework, one agency's continuity plan in place at that
time indicated that it was planning to use telework in response to an
emergency. In addition, 10 agencies reported that they planned to use
telework following a COOP event, but their plans were not clearly
documented. FEMA's inclusion of telework in its recently revised
continuity planning guidance could encourage other agencies to add
telework to their plans in the future. While some of the agencies that
plan to use telework during an emergency reported making related
preparations, the general lack of documentation to support their
responses leads us to believe that few agencies are likely to have
fully implemented the telework preparations we have previously found to
be effective. Should agencies fail to support their plans with adequate
preparations, the ability of their teleworking staff to contribute to
the agency's essential functions during a COOP event could be hampered.
Recommendations:
To ensure that agencies are adequately prepared to continue performing
essential functions following an emergency, we recommend that the
Assistant to the President for Homeland Security establish a schedule
for the completion of the recently initiated effort to validate agency
essential functions and refine federal continuity of operations policy.
We also recommend that the Secretary of Homeland Security direct the
Under Secretary for Emergency Preparedness and Response to:
* develop a strategy for short-term oversight that ensures that
agencies are prepared for a disruption in essential functions while the
current effort to identify essential functions and develop new guidance
is ongoing;
* develop and implement procedures that verify the agency-reported data
used in oversight of agency continuity of operations planning; and:
* develop, in consultation with OPM, guidance on the steps that
agencies should take to adequately prepare for the use of telework
during a COOP event.
Agency Comments and Our Assessment:
In written comments on a draft of this briefing, the Department of
Homeland Security's Under Secretary for Emergency Preparedness and
Response replied that DHS agrees that there has been improvement in
COOP plans, and attributed that improvement to a renewed emphasis by
DHS and the White House. The department also agreed with the need for
additional oversight, and noted that FEMA had begun conducting COOP
site assessments at departments and agencies to improve readiness.
The Under Secretary's letter drew attention to a number of actions
taken after the May 1, 2004, cutoff date for our assessment. These
actions include the May 2004 interagency exercise, the June 2004
release of the revised FPC 65, FEMA's COOP manager's training, and
initial planning for the next interagency exercise in 2006. These
actions are described in our briefing. However, we did not use the June
2004 guidance in our assessments because it was released after we began
our audit.
The Under Secretary wrote that it was unclear whether we had considered
classified information DHS provided about interagency communications in
our assessments. We considered this information in our assessments of
individual agency plans, and the briefing reflects the results.
Agency Comments and Our Assessment:
Finally, the Under Secretary pointed out that the readiness reporting
system FEMA is developing was not intended to be a COOP plan assessment
tool, and instead provides key officials with the ability to determine
plan status in near real time. We continue to believe that it is
important for FEMA to assess agency plans as part of its oversight
responsibilities. Regardless of the system's intended use, we believe
its capabilities, as described by FEMA, make it a valuable tool the
agency should use when exercising these responsibilities.
Attachment 1: Bibliography Published Literature on Continuity Planning:
Australian National Audit Office. Business Continuity Management.
Keeping the Wheels in Motion. January 2000.
Business Continuity Institute. Business Continuity Management. Good
Practice Guide. January 11, 2002.
DRI International. Professional Practices for Business Continuity
Planners. August 28, 2003.
Federal Emergency Management Agency. Emergency Management Guide for
Business and Industry.
Gartner, Inc. Management Update: Best Practices in Business Continuity
and Disaster Recovery. March 17, 2004.
Gartner, Inc. Management Update: Many Challenges Faced by Business
Continuity Managers in 2004. January 7, 2004.
GAO. Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19). August 1998.
Government Information Technology Agency for the State of Arizona.
Business Continuity/Disaster Recovery Plan. October 15, 2001.
Hiles, Andrew FBCI. Business Continuity. Best Practices. June 2000.
National Fire Protection Association. NFPA 1600 Standard on Disaster/
Emergency Management and Business Continuity Programs. January 16, 2004.
Office of Critical Infrastructure Protection and Emergency
Preparedness. Self-Help Advice for Businesses and Institutions: A Guide
to Business Continuity Planning.
Attachment 2: Major Agencies Reviewed:
Department of Agriculture Department of Commerce Department of
Education Department of Energy Department of Health and Human Services
Department of Homeland Security' Department of Housing and Urban
Development Department of Justice:
Department of Labor Department of State Department of the Interior
Department of the Treasury Department of Transportation Department of
Veterans Affairs:
Agency for International Development Environmental Protection Agency
General Services Administration National Aeronautics and Space
Administration National Science Foundation:
Nuclear Regulatory Commission Office of Personnel Management Small
Business Administration Social Security Administration:
1 The Department of Homeland Security did not exist at the reviewed in
2004 because it encompasses FEMA, which was an responsible for high-
impact programs, such as the Coast Guard.
Attachment 3: Component Agencies Reviewed, with High-Impact Program
Responsibilities:
Department Component Department of Agriculture Food and Nutrition
Service:
High-impact programs Child nutrition programs; food stamps; and special
supplemental nutrition program for women, infants, and children:
Food Safety and Inspection Service Department of Commerce National
Oceanic and Atmospheric Administration:
Food safety inspection Weather service:
Department of Education Department of Health and Human Services:
Patent and Trademark Office Office of Federal Student Aid Centers for
Disease Control and Prevention Center for Medicare and Medicaid
Services Health Resources and Services Administration a:
Patent and trademark processing Student aid:
Disease control and monitoring Medicare and Medicaid:
Organ transplants:
Department of Homeland Security:
Indian Health Service:
Citizenship and Immigration Service Customs and Border Protection:
Immigration and Customs Enforcement Federal Emergency Management Agency
U.S. Coast Guard:
Indian health services Immigration:
Immigration and cross-border inspections:
Immigration Disaster relief Maritime search and rescue:
Note: Components listed in italics did not have documented COOP plans
in place at the time of our 2002 review.
a The component agency responsible for organ transplants was
misidentified by agency officials during our 2002 review.
b Customs and Border Protection assumed the responsibility for cross-
border inspections from the U.S. Customs Service, which was included in
our 2002 review.
Attachment 3: Component Agencies Reviewed, with High-Impact Program
Responsibilities:
Department Department of Housing and Urban Development:
Department of Labor Department of State Department of the Interior
Department of the Treasury:
Department of Transportation:
Component:
Government National Mortgage Association Office of Community Planning
and Development:
Office of Housing:
Office of Public and Indian Housing Employment and Training
Administration Bureau of Consular Affairs:
Bureau of Indian Affairs Financial Management Service°:
Federal Aviation Administration:
High-impact programs Housing loans:
Community development block grants:
Section 8 rental assistance and mortgage insurance:
Public housing Unemployment insurance Passports:
Indian affairs programs Federal payments°:
Air traffic control system:
Department of Veterans Affairs:
Source: GAO.
Veterans Benefits Administration Veterans Health Administration:
Veterans' benefits Veterans' health care:
° The Treasury Department's Financial Management Service was not
identified as a high-impact program by OMB in 1999, but we included it
in our 2004 assessment because of its significant role in the
processing of federal payments.
Attachment 4: 38 High-Impact Programs and Responsible Agencies:
Agency Agriculture:
High-impact programs Food safety inspection Child nutrition programs
Food stamps:
Commerce:
Special supplemental nutrition program for women, infants, and children
Patent and trademark processing:
Weather service:
Education Student aid:
Energy Federal electric power generation and delivery Health and Human
Services Disease monitoring and warnings Indian health services:
Medicaid:
Medicare:
Organ transplants:
Child care:
Child support enforcement Child welfare:
Low income home energy assistance Temporary assistance for needy
families:
Agency High-impact programs:
Homeland Security Cross-border inspection services Disaster relief:
Immigration:
Maritime search and rescue:
Housing and Urban Development Community development block grants
Housing loans:
Mortgage insurance:
Section 8 rental assistance:
Public housing:
Interior Bureau of Indian Affairs programs:
Justice Federal prisons:
Labor Unemployment insurance:
Office of Personnel Management Federal employee health benefits Federal
employee life insurance Federal employee retirement benefits Social
Security Administration Social security benefits:
State Passport applications and processing:
Transportation Air traffic control system:
Veterans Affairs Veterans' benefits Veterans' health care:
Source: GAO.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
500 C Street, SW:
Washington, DC 20472:
FEMA:
February 22, 2005:
Ms. Linda Koontz:
Director, Information Management Issues:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Ms. Koontz:
Thank you for the opportunity to review and comment on your draft
briefing titled, Continuity of Operations (COOP): Agency Plans Have
Improved, but Better Oversight Could Assist Agencies in Preparing for
Emergencies, GAO-05-286C. The Department of Homeland Security (DHS)
recognizes its role as the federal government's lead agency for COOP
and has made significant strides toward ensuring the delivery of
essential government services in an emergency.
In general, we agree that Federal Department and Agency COOP plans have
significantly improved over the last two years. We believe this
improvement is due, in part, to a renewed emphasis on COOP planning,
training, and preparedness that has been led by the White House and
DHS. Because the latest GAO report was cut-off on May 1, 2004, we
would like to draw your attention to some significant COOP improvements
that have occurred and are not fully covered in your findings. After a
year long interagency training, planning and exercise development
process, FEMA conducted the first ever government-wide COOP exercise
from May 11 to 13, 2004, called Forward Challenge 04. This exercise
event involved 45 Departments and Agencies and over 300 sub-entities
mobilized to their alternate COOP locations, or other designated sites.
Approximately 3,500 to 4,000 players from these Departments and
Agencies participated deploying to more than 100 alternate site
locations. As a result of this exercise, many Departments and Agencies
have revised, updated, or finalized their COOP plans. Following closely
behind Forward Challenge 04, FEMA released an updated Federal
Preparedness Circular-65 (FPC-65), Executive Branch COOP, guidance
document. The revised FPC-65, for the first time, provides alternate
facility guidance prepared by the General Services Administration (GSA)
and human capital management guidance prepared by the Office of
Personnel Management (OPM). Unfortunately, your assessment did not take
into account the new guidance provided by FPC-65. Beginning in July
2004 and continuing to date, FEMA, GSA and OPM have partnered to
provide a COOP Manager's Training course to Departments and Agencies.
This train-the-trainer course, which is being conducted nationwide, has
provided training to more than 400 instructors from over 65 Departments
and Agencies. Finally, planning has already started on Forward
Challenge 06, another government-wide COOP exercise, which will build
upon the lessons learned from and successes we experienced during
Forward Challenge 04.
Your report suggests that increased oversight of Department and Agency
COOP planning and capability may improve individual programs. We agree
with that recommendation and have already begun COOP site assessments
of Departments and Agencies. The information developed from these site
visits will help us focus resources and preparedness initiatives to
ensure Departments and Agencies have viable COOP plans. Moreover, we
have used, and will continue to use, exercises such as the Forward
Challenge series as our primary means of assessment of COOP readiness.
Because Forward Challenge exercises are scheduled to occur biannually,
FEMA and Department and Agencies are able to use the year between
exercises to revise and update COOP procedures.
As you know, we facilitated a classified briefing for your staff on
redundant emergency communications available to Departments and
Agencies. This COOP communications plan is updated twice a year and
distributed to the Federal Executive Branch to ensure that redundant
and vital emergency communications are available. It is unclear whether
or not your report reflects this important communication plan that is
exercised and tested on a regular basis.
As a point of clarification, the Readiness Reporting System (RRS) that
you reference in the report and is in the final stages of development,
was never intended to serve as a Department and Agency COOP assessment
tool. Nor is the system designed to verify or validate Department and
Agency COOP plans. Rather, the RRS is designed and intended to be an
automated reporting system that provides key officials with the ability
to determine Department or Agency COOP status in near real time. This
capability does not currently exist in the Federal government and will
improve our ability to coordinate COOP activations and reporting
requirements. Data input is the responsibility of individual
Departments or Agencies and will be spot-checked by FEMA for accuracy.
We appreciate the GAO's recognition that the Federal government has
made improvements in its COOP program and are committed to working with
Departments and Agencies to ensure that viable COOP plans are in place
and regularly exercised. In so doing, and by providing robust COOP
training opportunities to Departments and Agencies, we are well
positioned for further improvements in overall COOP preparedness.
Sincerely,
Signed by:
Michael D. Brown:
Under Secretary Emergency Preparedness and Response:
(310731):
FOOTNOTES
[1] GAO, Continuity of Operations: Improved Planning Needed to Ensure
Delivery of Essential Government Services, GAO-04-160 (Washington,
D.C.: Feb. 27, 2004) and Continuity of Operations: Improved Planning
Needed to Ensure Delivery of Essential Services, GAO-04-638T
(Washington, D.C.: Apr. 22, 2004).
[2] Since the June 2004 version of FPC 65 was released after our cutoff
date of May 1, 2004, we assessed plans against the July 1999 version of
FPC 65.
[3] In addition to the 24 components selected for their high impact
programs, we evaluated the plan from the Department of the Treasury's
Financial Management Service because of its significant role in
processing federal payments.
[4] U.S. Office of Personnel Management, Washington, DC, Area Dismissal
or Closure Procedures (Washington, D.C.: Dec. 4, 2003).
[5] We consulted with experts on continuity planning from the Business
Continuity Institute and the Disaster Recovery Institute International,
as well as from five private sector businesses-the Gillette Company,
Lockheed Martin Corporation, Macy's West, Marsh & McLennan Companies,
Inc., and Science Applications International Corporation. We selected
the five businesses based on their experience and knowledge of human
capital or emergency management as it relates to continuity, based in
part on input from the National Academy of Public Administration, the
Private Sector Council, and FEMA.
[6]Two agencies had not yet developed plans, and one plan was not
assessed against FPC 65 because the agency identified no essential
functions.
[7] In March 1999, during its planning to address the Year 2000
computing issue, OMB identified a number of programs which it
determined to have a high impact on the public. The agencies
responsible for these programs are listed in attachment 4.
[8] GAO, Human Capital: Further Guidance, Assistance, and Coordination
Can Improve Federal Telework Efforts, GAO-03-679 (Washington, D.C.:
July 18, 2003).
[9] We identified key practices for preparing an effective telework
program from existing telework-related literature as well as other
sources, such as our work on human capital. GAO, Human Capital: Further
Guidance, Assistance, and Coordination Can Improve Federal Telework
Efforts, GAO-03-679 (Washington, D.C.: July 18, 2003).
[10]GAO, Continuity of Operations: Improved Planning Needed to Ensure
Delivery of Essential Government Services, GAO-04-160 (Washington,
D.C.: Feb. 27, 2004) and Continuity of Operations: Improved Planning
Needed to Ensure Delivery of Essential Services, GAO-04-638T
(Washington, D.C.: Apr. 22, 2004).
[11] GAO, Status of Key Recommendations GAO Has Made to DHS and Its
Legacy Agencies, GAO-04-865R (Washington, D.C.: July 2, 2004).
[12]This does not include the agency-level plan that identified no
essential functions for COOP purposes.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
