Department of Homeland Security
US-CERT Continuity of Operations (COOP) Program Overview
Homeland Security FOUO / UNCLASSIFIED

Continuity of Operations (COOP) Defined
“An uninterrupted ability to provide services and support, while maintaining organizational viability, before, during, and after an event.”

What is not COOP?
• Not designed to reproduce an entire function or section 100%
• COOP is not an exercise!
• Exercises are scheduled events
• COOP is in reaction to a zero-day event

COOP ERG Members Must Be Prepared To “COOP” At Any Time For A Variety of Hazards
• Severe weather / power outage
• Building damage / earthquakes
• Pandemic / biological
• Fire dangers
• Terrorism or war
• Hurricanes / typhoons / tsunamis

Federal Continuity: The Linkage Between ECG, COG and COOP
• Enduring Constitutional Government (ECG) – A cooperative effort among the executive, legislative, and judicial branches of the Federal Government, coordinated by the President…to preserve the constitutional framework under which the Nation is governed and the capability of all three branches of Government, during a catastrophic emergency, to execute their constitutional responsibilities and to provide for orderly successions, appropriate transitions of leadership, inter-operability, and support of National Essential Functions (NEFs) – FCD-1
• Continuity of Government (COG) – A coordinated effort within each branch of government (e.g., the Federal Government’s executive branch) to ensure that NEFs continue to be performed during a catastrophic emergency – FCD-1
• Continuity of Operations (COOP) – An effort within individual agencies to ensure they can continue to perform their Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs) during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies – FCD-1

Mission Essential Functions
A COOP program is an effort to ensure organizational MEFs can be performed at all times.
• National Essential Functions (NEF): Those overarching functions of the Federal Government required to lead and sustain the Nation, which will be the primary focus of the Federal Government’s leadership during, and in the aftermath of, an emergency.
• Primary Mission Essential Functions (PMEF): Those agency (usually departmental level) MEFs that must be performed to support or implement the performance of the Nation’s NEFs before, during, and in the aftermath of an emergency.
• Mission Essential Functions (MEF): Business functions that do not rise to the level of being PMEFs themselves, but must be continued or resumed rapidly after a disruption to enable the organization to provide vital services and support the continued delivery of services and access to customers.

Mission Essential Functions Drive COOP Planning
In particular, MEFs drive:
• The number of personnel on the COOP roster (including members of an Advance Relocation Team).
• The number of workstations (IT support) required at your Emergency Relocation Site (ERS).
• The number of COOP ERG members who may be able to support continuity of MEFs by teleworking from home.
• The types of information technology, critical systems, equipment, supplies, and other services required to support deployed COOP ERG members.

COOP Planning Requirements
An organization must:
• Be capable of implementing a COOP plan with or without warning.
• Maintain the ability to continue MEFs at an Emergency Relocation Site as soon as possible after an event, but usually not later than 12 hours after COOP plan activation, and be ready to sustain performance of COOP for up to 30 days.
• Ensure succession orders and emergency delegations of authority are planned and documented.
• Ensure the availability of, and access to, vital records and resources.
• Ensure the availability and redundancy of critical communications capabilities to support connectivity between and among key leadership, internal elements, critical partners and the public.
• Provide for reconstitution capabilities that allow for recovery from a catastrophic emergency and resumption of normal operations.
• Identify, train and prepare personnel capable of relocating to a COOP location to perform MEFs, and assign them to a COOP Emergency Relocation Group (ERG) as an A, B, C, D or E Team member.

Key Elements of any COOP Plan
10 elements of a basic, viable continuity capability:
• Mission Essential Functions
• Orders of Succession
• Delegations of Authority
• Continuity Facilities
• Continuity Communications
• Vital Records Management
• Human Capital
• Test, Training, & Exercise (TT&E)
• Devolution of Control and Direction
• Reconstitution

COOP and ERG Member Responsibilities
All COOP and ERG Members are responsible for:
• Being familiar with the organizational COOP Plan and the specific MEFs they support;
• Being trained and capable of performing their MEF roles from the designated ERS;
• Being prepared to deploy immediately upon activation and able to perform their organization’s MEFs within 12 hours of COOP Plan activation, or as directed, for up to 30 days or until normal operations can be resumed;
• Being able to access the vital records, databases, and equipment required to execute their MEFs;
• Traveling, at least quarterly, to their designated location to test their workstation;
• Ensuring personal contact information is current at all times;
• Having a personal Drive-Away Kit ready (in their vehicle) and a Family Readiness Plan in place (see www.ready.gov); and
• Notifying their manager/supervisor and their component’s COOP POC immediately if they are unable to support the COOP mission.
Readiness – Don’t Take It Lightly
Drive-Away Kits
• Do you have a Business Drive-Away Kit prepared?
• Do you have a Personal Drive-Away Kit prepared?
• Personal Drive-Away Kits should include important papers (I.D., passports, banking, etc.).
Family Readiness
• Do you have a Family Readiness Plan in place?
• Family Readiness should include contact information, medical records, and medications.
• For information on family readiness planning go to: http://www.ready.gov

COOP Organizational Chart
• Director/President/CFO
• Deputy Director
• Functions: Operations Coordination; Future Operations; Resource Management; Customer Operations Coordination; Recommendations and Prevention; Program Management; IT Security; Communication Plans; Compliance and Classification; Physical Security; Readiness; Technology Solutions

Priority Information Requirements
• PIR 1 – Successful compromise of account or network.
• PIR 2 – Successful exfiltration of data.
• PIR 3 – Successful SQL injection.
• PIR 4 – Successful root compromise of network.
• PIR 5 – Successful compromise of any Executive Office of the President website or account.
• PIR 6 – Successful denial-of-service (natural or manmade) of any Department, Agency, or critical asset, to include major infrastructure of any foreign government.
• PIR 7 – Newly discovered malware affecting three or more Departments or Agencies.
• PIR 8 – Confirmed 0-day exploit.
• PIR 9 – A 100% or significant increase in incident reports from a Department or Agency when compared to the average number of reported incidents.
• PIR 10 – Web defacement of Department, Agency, or major public sector company.
• PIR 11 – Malware impacting at least 100 workstations.
• PIR 12 – Confirmed loss of cyber PII data for at least 10,000 individuals.
• PIR 13 – Loss of power in US-CERT, NCCIC, DHS NOC, or DHS SOC.
• PIR 14 – Nuclear, biological, chemical, or any other attack on any Department or Agency asset.
Director’s Critical Infrastructure Requirements
• DCIR 1 – Activation of all or a portion of the National Response Framework (NRF).
• DCIR 2 – Activation of USNORTHCOM Homeland Defense plans or other National Security Plans.
• DCIR 3 – Emergency requirements to support CIKR owners and operators, Federal Agency, or State government response to a cyber attack.
• DCIR 4 – Issuance of a National Terrorism Advisory System (NTAS) alert.
• DCIR 5 – Increase in Continuity of Government Condition (COGCON) levels from level 4 to level 3 or higher (1 or 2).
• DCIR 6 – Any major domestic or international terrorist attack against citizens or facilities with a potential cyber component (this includes all major terrorist attacks).
• DCIR 7 – Any major cyber incident or attack involving a well-known corporation or service-providing entity that could generate public panic or escalate as a result of significant media coverage or service interruption.
• DCIR 8 – Any major cyber attack targeting a National Security Special Event (NSSE) or international event sponsored by the or with significant representation.
• DCIR 9 – When a Federal agency (including the Department of Defense declaring INFOCON 2 or 1) undertakes emergency action to defend itself from a cyber attack, such as isolating its networks from the Internet.
• DCIR 10 – A 50% or more reduction in US-CERT’s EINSTEIN sensor network.
• DCIR 11 – Activation of the DHS COOP Plan or a Component COOP Plan.
• DCIR 12 – Significant disruption, degradation or threat to DHS networks and systems.
• DCIR 13 – Any cyber or non-cyber events affecting, or that could affect, the US-CERT mission, operations and/or leadership, to include leadership or US-CERT personnel on travel.
• DCIR 14 – A cyber or non-cyber event that affects a critical infrastructure asset(s) or facility, or newsworthy reports that do not meet a PIR threshold (e.g., unconfirmed zero-day, political upheaval/unrest). Cyber impact is not immediate, but the event could pose a cyber impact and/or threat.

COOP Equipment: Operational Seats
Operational seats should consist of a standard computer build:
• Operating System
• Processor
• Memory
Support Equipment (Tested Quarterly):
• Printers (Color & BW)
• Copiers
• Fax Machines
• Scanners
• Shredders
• Safes (secure storage)
• TV
• SVTC
Note: Store everyday files on shared drives and not on your C drive.

COOP Equipment: Connectivity
• Match your COOP connectivity as closely as possible to your normal connectivity.
• Firewalls configured the same as your normal configuration.
• COOP networks should duplicate operational networks: switches, hubs, network storage, firewalls (configured as closely as possible).
• Use telework where possible (remote login).

COOP Equipment: Types of Relocation Sites
• Hot Site – Fully operational site with as close as possible a reproduction of your normal operational facility. In a hot site, the equipment is on and operational at all times, waiting for personnel to log on.
• Warm Site – Operational site with as close as possible a reproduction of your normal operational facility. In a warm site, the equipment is in place, tested, and in standby mode. It may take a short period of time to get all the equipment up and running once personnel arrive (4 to 8 hours).
• Cold Site – Equipment is in place, and it may take up to 12 hours to become fully operational.

Directives
• Executive Order (EO) 12656, Assignment of Emergency Preparedness Responsibilities
• National Security Presidential Directive 51 / Homeland Security Presidential Directive, National Continuity Policy
• National Continuity Policy Implementation Plan (NCPIP)
• Federal Continuity Directive (FCD) 1, Federal Executive Branch National Continuity Program and Requirements, February 2008
• Other related directives and guidance.
Operational Security and Prohibited Items/Activities
Operational Security (OPSEC)
• Unclassified – Location of your Emergency Operations Center (EOC).
• Unclassified – Route to your company EOC.
Prohibited Items/Activities
• Weapons/Firearms (LEOs authorized)
• Knives (blades longer than 2 ½ inches)
• Explosives
• Illegal Drugs
• Alcoholic Beverages
• No Photography
• Video Recorders
• No personal IT

US-CERT COOP Overview
• 24x7x365 Operations Center that manages activities to coordinate response and share information about cybersecurity incidents.
• Production and reporting of threat and vulnerability information and mitigation strategies, to include situational updates.
• Collaboration and coordination with partners and customers across the federal government, state and local government, the private sector and the international community.

US-CERT Responsibilities
• Responsible for daily incident handling and operations on a 24x7x365 basis.
• Creation of products and publications for the dissemination of information to US-CERT’s constituents.
• Coordination of meetings and teleconferences for the dissemination of information to the federal civilian government.
• COOP planning and coordination.
• Responsible for collaboration and coordination with mission partners and customers to support situational awareness, daily operations, crisis operations and product development with:
  – Federal Departments and Agencies
  – Cyber Centers and NCSC
  – Law Enforcement and Intelligence Community
  – Private Sector
  – International
  – State and Local
• Supporting consistent communication processes that promote the flow of cybersecurity information into and out of US-CERT is an important part of the US-CERT mission.
24x7 Integrated Operations Center
As part of the 24/7/365 Operations Center, US-CERT maintains an operational presence on the floor of the National Cyber Collaboration and Integration Center (NCCIC).

Traffic Light Protocol
TLP: RED
• When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties and could lead to impacts on a party’s privacy, reputation, or operations if misused.
• How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.
TLP: AMBER
• When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
• How may it be shared? Recipients may only share TLP: AMBER information with members of their own organization, and only as widely as necessary to act on that information.
TLP: GREEN
• When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as peers within the broader community or sector.
• How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.
TLP: WHITE
• When should it be used? Sources may use TLP: WHITE when information carries minimal or no risk of misuse, in accordance with applicable rules and procedures for public release.
• How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.
US-CERT COOP Contact
Technical comments or questions:
• US-CERT Security Operations Center
• Email: soc@us-cert.gov
• Phone: +1 888-282-0870
General questions or suggestions:
• US-CERT Information Request
• Email: info@us-cert.gov
• Phone: 1-888-282-0870
US-CERT COOP:
• Email: jacquet.lewis@dhs.gov
• Phone: 703-235-8534
Information is also available at http://www.us-cert.gov

NPPD COOP Program Points of Contact
• FS-ISAC 24/7 Ops Center: 1-800-732-2812, info@fsisac.com
• NPPD: Mick Mulligan, 703-235-5674, Michael.R.Mulligan@hq.dhs.gov
• NCS: Mike Lastrina, 540-542-5028, Mike.Lastrina@dhs.gov