<DOC>
[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:95423.wais]
CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS
REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS
=======================================================================
HEARING
before the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
APRIL 22, 2004
__________
Serial No. 108-184
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
95-423 WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri
CHRIS CANNON, Utah DIANE E. WATSON, California
ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia C.A. ``DUTCH'' RUPPERSBERGER,
CANDICE S. MILLER, Michigan Maryland
TIM MURPHY, Pennsylvania ELEANOR HOLMES NORTON, District of
MICHAEL R. TURNER, Ohio Columbia
JOHN R. CARTER, Texas JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee ------ ------
PATRICK J. TIBERI, Ohio ------
KATHERINE HARRIS, Florida BERNARD SANDERS, Vermont
(Independent)
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
C O N T E N T S
----------
Page
Hearing held on April 22, 2004................................... 1
Statement of:
Brown, Michael, Under Secretary for Emergency Preparedness
and Response Directorate, U.S. Department of Homeland
Security................................................... 35
Kern, John, director, network continuity, AT&T Corp.......... 47
Koontz, Linda D., Director, Information Management Issues,
U.S. General Accounting Office............................. 8
Letters, statements, etc., submitted for the record by:
Brown, Michael, Under Secretary for Emergency Preparedness
and Response Directorate, U.S. Department of Homeland
Security, prepared statement of............................ 38
Cummings, Hon. Elijah E., a Representative in Congress from
the State of Maryland, prepared statement of............... 64
Davis, Chairman Tom, a Representative in Congress from the
State of Virginia, prepared statement of................... 4
Kern, John, director, network continuity, AT&T Corp.,
prepared statement of...................................... 49
Koontz, Linda D., Director, Information Management Issues,
U.S. General Accounting Office, prepared statement of...... 10
CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS
REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS
----------
THURSDAY, APRIL 22, 2004
House of Representatives,
Committee on Government Reform,
Washington, DC.
The committee met, pursuant to notice, at 10:07 a.m., in
room 2154, Rayburn House Office Building, Hon. Tom Davis
(chairman of the committee) presiding.
Present: Representatives Tom Davis, Ose, Jo Ann Davis,
Blackburn, Maloney, Cummings, Tierney, Watson, Van Hollen,
Ruppersberger and Norton.
Staff present: David Marin, deputy staff director/director
of communications; Anne Marie Turner and John Hunter, counsels;
Robert Borden, counsel/parliamentarian; Drew Crockett, deputy
director of communications; John Cuaderes, senior professional
staff member; Teresa Austin, chief clerk; Brien Beattie, deputy
clerk; Corinne Zaccagnini, chief information officer; Robert
White, press secretary; Michael Yeager, minority deputy chief
counsel; Earley Green, minority chief clerk; and Jean Gosa,
minority assistant clerk.
Chairman Tom Davis. Good morning. A quorum being present,
the Committee on Government Reform will come to order. I would
like to welcome everyone to today's hearing on the status of
the Federal Government's continuity of operations plans.
Today on the House floor we are considering legislation
laying out the framework for how Congress would continue
operating in the event of a catastrophe. That's important. But
let's be honest. The real, tangible, day-to-day work of the
Federal Government doesn't happen here. It happens at agencies
spread across the Nation, and ensuring their continued
operation in the wake of a devastating tragedy should be
considered every bit as important.
Continuity of Federal Government operations planning became
essential during the cold war, to protect the continuity of
government in the event of a nuclear attack. COOP planning has
attracted renewed significance after the terrorist attacks of
September 11. Through a Presidential Decision Directive and a
Federal Preparedness Circular, Federal agencies are required to
develop viable continuity of operations plans for ensuring the
continuity of essential operations in emergency situations.
Although it is a classified document, PDD 67 reportedly also
designates the Federal Emergency Management Association [FEMA],
as the executive agency for formulating guidance on executive
departments' COOP plans, and coordinating and assessing their
capabilities. In July 1999, FEMA issued Federal Preparedness
Circular 65, FPC 65, which confirms its coordinating agency
role, contains criteria for agencies to develop their plans,
and designates the timelines for submission of agency plans.
Because of the critical nature of the ongoing threat of
emergencies, including terrorist attacks, severe weather, and
individual building emergencies, this committee requested the
GAO to evaluate contingency plans of several Federal agencies
and review FEMA's oversight of those agency COOP plans. And in
February 2004, GAO issued a report that found a wide variance
of essential functions identified by individual agencies. GAO
attributed this lack of uniformity to several factors: lack of
specificity about criteria to identify essential functions in
FPC 65; lack of review by FEMA of essential functions during
assessment of COOP planning; lack of testing or exercises by
FEMA to confirm the identification of essential functions by
agencies.
To remedy these shortcomings, GAO recommends that the
Secretary of the Department of Homeland Security direct the
Under Secretary for Emergency Preparedness and Response to
ensure that agencies develop COOP plans by May 1, 2004 and
correct deficiencies in individual plans. In addition, GAO
recommends that the Under Secretary be directed to conduct
assessments of COOP plans that include independent verification
of agency information, agencies' essential functions and their
interdependencies with other activities.
The committee is concerned about the seeming lack of
progress we have made in the area of Federal continuity of
operations. If September 11 was a wakeup call, then we haven't
fully heeded the message when it comes to our planning.
Although some progress has been made, and I commend Under
Secretary Brown for his leadership on this, we still have a
ways to go. We must do everything possible to address the COOP
inconsistencies that exist across the board. Identifying and
prioritizing essential functions with 100 percent compliance
and accuracy is a must. Even if agencies can accomplish this,
they still must be able to identify their key staffing
requirements, lines of succession, resources needed, and what
mission-critical systems and data must be protected and, in
many cases, be redundant.
Continuity of operations means more than keeping your Web
site up and running. What's really called for is a wholistic
approach, one that factors in people, places and things. What
is really needed is agility, because FEMA's role in COOP
oversight is key for agency success.
The committee will hear FEMA's assessment of the individual
agency plans. The committee will also assess FEMA's efforts to
ensure that the COOP directives are carried out by each agency.
This will include steps FEMA is taking to assess each of the
executive agencies' COOP plans, what interaction FEMA has had
and plans to have with those agencies about deficiencies in
those plans, what steps FEMA will take to ensure agency
compliance, and FEMA's assessment of the adequacy of Federal
Preparedness Circular 65, and steps it has taken to overcome
any deficiencies.
The committee will also hear from GAO about its assessment
of COOP planning and its recommendations for improvement and
will also hear how the private sector deals with this issue.
Finally, the committee has asked GAO to continue to monitor
Federal COOP planning to ensure that agencies are in compliance
with the latest executive and congressional guidance. The
committee expects to get an annual scorecard from GAO outlining
how agencies are performing with regard to the many facets of
COOP. This is an important issue and we'll be very aggressive
on our oversight.
We have three impressive witnesses before us to help us
understand the current and future state of Federal continuity
of operations planning, the expected problems and what we can
look forward to in ways of improvement. First we will hear from
the General Accounting Office, followed by the Department of
Homeland Security, and finally we will hear from AT&T which has
a mature COOP plan in place.
I want to thank all of our witnesses for appearing before
the committee and I look forward to hearing their testimony.
[The prepared statement of Chairman Tom Davis follows:]
[GRAPHIC] [TIFF OMITTED] T5423.001
[GRAPHIC] [TIFF OMITTED] T5423.002
[GRAPHIC] [TIFF OMITTED] T5423.003
Chairman Tom Davis. Are there any other Members who wish to
make opening statements at this point?
Ms. Watson.
Ms. Watson. Thank you very much Mr. Chairman.
In the event of a crisis, the American people immediately
turn to the Federal Government to provide basic services,
stability and direction. But we now have learned from the GAO
that many Federal agencies are woefully unprepared to continue
functioning in the wake of a catastrophe. It is distressing to
know that in the wake of an attack on America, the horror of
the initial attack might be compounded by the mayhem of a
government that cannot coordinate basic services. We need to
fix this.
And I think all of us have it indelible in our minds where
we were and what we were doing on September 11, myself
included, right here in this Capitol. And we knew not where to
go. We were running around like ants all over the place. We
knew not where to gather. I had to seek out directions. And we
have to be sure that we have these plans in place.
But this is only the tip of the iceberg. Even beyond this,
what is not addressed in this report or in this hearing is
continuity of operations at the State or at the local level. I
bring this issue up, Mr. Chairman, not to confuse the issue in
this hearing, which I understand focuses solely on the
continuity of operations and planning in the Federal executive
branch, but rather simply to illustrate the scope of the
problem that we face. Even once we get this problem sorted out
at the Federal level, we must ensure our States and our local
governments that they are prepared. Here we sit, 2\1/2\ years
after facing the mortal threat of September 11, and we still
cannot be assured that we are prepared to provide essential
government services in the wake of a disaster.
My colleagues and I want some answers. And I ask the
witnesses from FEMA, please tell us what you need to tell us,
and we will do our best to see that you get it. But we need to
hear from you, and we need to know what your plans are for real
progress and real answers, and on how you prepare to fix it.
And I'm sure you will find this Congress very supportive.
Thank you, Mr. Chairman.
Chairman Tom Davis. Thank you.
Any other Members wish to make opening statements? If not,
we will move to our first witness, Linda Koontz, the Director
of Information Management Issues of the General Accounting
Office, no stranger to this committee. As you know it's the
policy of the committee that all witnesses be sworn in before
they testify. So, Linda, if you'd rise with me and raise your
right hand.
[Witness sworn.]
Chairman Tom Davis. For the record, note we have--two of
your aides behind you also sworn in. Please proceed with your
testimony. You know the rules. We have the buttons, the lights
out here, 5 minutes and try to sum up. And thank you for being
with us again.
STATEMENT OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT
ISSUES, U.S. GENERAL ACCOUNTING OFFICE
Ms. Koontz. Thank you, Mr. Chairman and members of the
committee. I appreciate the opportunity to participate in the
committee's hearing on Federal continuity of operations
planning. As you know, events such as terrorist attacks, severe
weather, or building-level emergencies can disrupt the delivery
of essential government services. To minimize the risk of
disruption, Federal agencies are required to develop plans for
ensuring the continuity of essential services in emergency
situations.
The Federal Emergency Management Agency, now part of the
Department of Homeland Security, was designated executive agent
for continuity of operations planning and issued guidance in
July 1999. This guidance states that in order to have a viable
continuity of operations capability, agencies should identify
their essential functions. Identifying essential functions is
the first of eight elements of a viable capability and provides
the basis for subsequent planning steps.
Mr. Chairman, at your request, we assessed department and
agency-level continuity of operations plans at 23 major Federal
agencies and reported the results to you in February. In
summary, we found that, first, three departments did not have
plans in place as of October 1, 2002. Second, our assessment
raised serious questions about the adequacy of the essential
functions identified. Specifically, we found that 29 of the 34
plans that we reviewed identified at least one essential
function. However, these functions varied widely in number from
3 to 399, and included many that appeared to be of secondary
importance.
At the same time, the plans omitted many programs that OMB
had previously identified as having a high impact on the
public. Agencies did not list among their essential functions
20 of the 38 high-impact programs that have been previously
identified. For example, one department included, ``provided
speeches and articles for the Secretary and Deputy Secretary,''
among its essential functions, but did not include 9 of 10
high-impact programs. In addition, although many agency
functions rely on the availability of resources or functions
controlled by another organization, more than three-fourths of
the plans did not fully identify such dependencies.
Third, none of the agencies provided documentation
sufficient to show that they were complying with all aspects of
FEMA's guidance.
In our view, a number of factors contributed to these
government-wide shortcomings. FEMA's planning guidance does not
provide specific criteria for identifying essential functions,
nor does it address interdependencies. In addition, while FEMA
conducted an assessment of agency compliance with the guidance
in 1999, it has not conducted oversight that is sufficiently
regular and extensive to ensure that agencies correct
deficiencies identified. Further, in its assessment, FEMA did
not include a review of essential functions. Finally, FEMA did
not conduct tests or exercises to confirm that the identified
essential functions were correct.
In discussing our report, FEMA officials, while maintaining
that the government is prepared for an emergency, acknowledged
that improvements could be made. These officials told us that
they plan to conduct a government-wide exercise next month,
improve oversight by providing more detailed planning guidance,
and develop a system to collect data from agencies on their
readiness. However, these officials have not yet determined how
they will verify the agency-reported data, assess the essential
function and interdependencies identified, or use the data to
conduct regular oversight. In our report, we made several
recommendations to address these shortcomings.
In summary, Mr. Chairman, while most of the agencies
reviewed had continuity of operation plans in place, those
plans exhibited weaknesses in the form of widely varying
determinations about what functions are essential, and
inconsistent compliance with guidance that defines a viable
continuity of operations capability. Until these weaknesses are
addressed, agencies are likely to continue to base their plans
on ill-defined assumptions that may limit the utility of the
resulting plans, and, as a result, risk experiencing
difficulties in delivering key services to citizens in the
aftermath of an emergency.
Mr. Chairman, that concludes my statement. I would be happy
to answer any questions that you might have.
Chairman Tom Davis. Thank you.
[The prepared statement of Ms. Koontz follows:]
[GRAPHIC] [TIFF OMITTED] T5423.004
[GRAPHIC] [TIFF OMITTED] T5423.005
[GRAPHIC] [TIFF OMITTED] T5423.006
[GRAPHIC] [TIFF OMITTED] T5423.007
[GRAPHIC] [TIFF OMITTED] T5423.008
[GRAPHIC] [TIFF OMITTED] T5423.009
[GRAPHIC] [TIFF OMITTED] T5423.010
[GRAPHIC] [TIFF OMITTED] T5423.011
[GRAPHIC] [TIFF OMITTED] T5423.012
[GRAPHIC] [TIFF OMITTED] T5423.013
[GRAPHIC] [TIFF OMITTED] T5423.014
[GRAPHIC] [TIFF OMITTED] T5423.015
[GRAPHIC] [TIFF OMITTED] T5423.016
[GRAPHIC] [TIFF OMITTED] T5423.017
[GRAPHIC] [TIFF OMITTED] T5423.018
[GRAPHIC] [TIFF OMITTED] T5423.019
[GRAPHIC] [TIFF OMITTED] T5423.020
[GRAPHIC] [TIFF OMITTED] T5423.021
[GRAPHIC] [TIFF OMITTED] T5423.022
[GRAPHIC] [TIFF OMITTED] T5423.023
Chairman Tom Davis. Linda, let me just start. The bottom
line is, are agencies really prepared for the worst?
Ms. Koontz. Agencies do not have plans at this point that
are fully compliant with the requirements of FPC 65 and
therefore I'd have to conclude that there is no assurance that
they are prepared for an emergency.
Chairman Tom Davis. In fact, some of them are fairly
woefully prepared.
Ms. Koontz. That is correct.
Chairman Tom Davis. You report that 19 agencies failed to
identify their interdependence with other agencies and how
these interdependencies affect their essential functions. Was
GAO provided with an explanation as to why these agencies
didn't identify their interdependency in COOP plans?
Ms. Koontz. I don't--excuse me. I think part of the issue
that my staff is telling me that the requirement to identify
interdependencies, we think, would be a good practice. But that
requirement is not specifically outlined in FPC 65. So that is
most likely the reason.
Chairman Tom Davis. All right. Do you get the feeling some
of these agencies are just checking the box? This is just
another requirement that they have to do? This isn't really--
this isn't part of their mission, but it's paperwork they have
to turn in so it's kind of--they're not utilizing the
resources; they're putting them toward other missions in the
department?
Ms. Koontz. It's hard for me to comment on a specific
agency's motivation for what they do. But we have to say that
in some cases we saw what we thought looked like sort of a rote
or a template approach to the development of plans.
Chairman Tom Davis. Yes. I think one of the difficulties
is, both from the executive branch and from the legislative
branch, we put all of these different requirements on agencies,
and it's hard for them to sort out what their priorities are.
If they do them all, they'd never be able to get anything done.
And so as a result of that, sometimes nothing gets done.
One of the rules of this committee is to kind of highlight
shortcomings in some of these areas. This area, cybersecurity
area, again, another one similar, where agencies check boxes
but don't really make this mission-critical. And they may be
able to escape with this. This is one of those issues that, you
know, hopefully we will never see that kind of disaster and it
will never happen. But if it does, and we are not prepared, of
course the results then are worse by an exponential amount.
Ms. Koontz. And if I could add to that, the fact that FEMA
hasn't done the regular checking and oversight of the plans, I
think that created part of the situation that you see today. If
agencies realize that someone's going to be routinely looking
at these plans, I think that would provide greater incentive
for providing resources for this activity.
Chairman Tom Davis. And there is no requirement, is there,
that they send the plans to Congress? They send them up through
FEMA, right?
Ms. Koontz. No, sir.
Chairman Tom Davis. That might be something we can get
access to, that we look at to try to underscore the importance
of this. I mean, hopefully again, this is something if you
don't do it, it'll never happen, nobody will know the
difference. But if you have a disaster, there we are.
The report states that FEMA attributed its lack of
oversight of these plans in part to its limited number of
personnel responsible for guidance. Now, as a result of your
investigation, can GAO concur with FEMA the inadequate
personnel numbers significantly affected FEMA's ability to
conduct oversight?
Ms. Koontz. We didn't specifically evaluate the numbers of
staff that would be necessary for FEMA to conduct this
oversight activity. However, we do know that FEMA has, since we
completed our work, undertaken a rather large effort to get
many more people involved. So this should not be a problem
going forward.
Chairman Tom Davis. OK. Thank you very much.
Ms. Watson.
Ms. Watson. The Chair asked a question about if there was a
requirement to report to us, and I'd like you to describe what
you think we should know in advance so that as we go about
budgeting for whatever, there could be appropriate resources
there to address what might occur. We really need to start
looking ahead. We've had the shock of an experience that we
will never forget now. How do we--we're new at this, and I
understand that. We were caught in a blind spot. Unready. But
what is it going to mean in terms of resources to be ready? Do
you have a comment?
Ms. Koontz. A couple of parts to that question. I think in
terms of resources that, according to the report we saw from
OMB on combating terrorism that was published in September
2003, apparently it's not unusual for agencies to spend several
million dollars working on continuity of operations planning.
And indeed the President asked for over $100 million for this
purpose in 2004. I would have to followup to tell you what was
actually devoted, however.
In terms of reporting to Congress, I think that one of the
things that Mr. Davis has asked us to do is to set a baseline
of continuity of operations planning efforts, which we have
done with our first report. And in following up on that,
hopefully you'll be able to see the changes that take place
over time and to be able to influence those changes further.
Ms. Watson. Thank you.
Chairman Tom Davis. Thank you very much. Gentlelady from
Tennessee.
Mrs. Blackburn. Thank you, Mr. Chairman.
And thank you for taking the time to be here and visit with
us today. You mention in your report the Y2K efforts, and my
assumption--which I would like to know if it's correct or not--
is that where you have drawn your baseline, as working from the
efforts that were made there in preparation for Y2K, that helps
with your baseline?
Ms. Koontz. What we drew from the Y2K effort was the
previously identified list of 38 essential functions that were
identified specifically for that purpose. And we use this as an
example against which to evaluate plans to see if these
essential functions were present or not. We don't mean to imply
that this is the definitive list of essential functions, but we
felt it was one strong example of where the government had
already identified programs that had a high impact on the
public.
Mrs. Blackburn. OK. Now, have you required the different
agencies and departments to--going into those and looking at
that Y2K planning and into those agencies and programs, have
you required them to go on and give you the coordination with
State and local agencies for implementation of continuing
services as it affects those departments?
Ms. Koontz. We haven't yet looked at the issue of
coordination between the Federal and the State and local
governments.
Mrs. Blackburn. OK. What is the status of the agency's
information technology that is needed to oversee these
essential functions?
Ms. Koontz. Well, one of the aspects of any kind of
continuity planning would be to assure that your critical
infrastructure and your systems would be available in an
emergency, and this would also extend to what we call vital
records as well. In order to operate in an emergency situation,
one has to have access to the information that is needed for
decisionmaking. So these are all aspects of continuity of
operations planning. What we saw among the agencies was,
frankly, mixed preparedness in all these areas.
Mrs. Blackburn. Thank you.
Chairman Tom Davis. Thank you very much.
Ms. Norton.
Ms. Norton. Thank you very much, Mr. Chairman. Thank you
for calling this hearing. It is an interesting hearing coming
up today, especially since we have on the floor a continuity of
operations bill.
I'm confused even by the GAO report, because all the dates
I see goes back to 1999. You speak on the first page about
assessments of agency compliance conducted in 1999 and none
conducted since then. And again, at page 5, a reference to July
1999, and the assessments conducted to address any emergency or
situation that could disrupt normal operations, including
localized emergencies.
Well, I'm really wondering whether anything that goes back
to 1999 is relevant at all. That is to say, with the
intervention of September 11th, I'm not sure what FEMA would be
reviewing, if FEMA is reviewing plans that were set in motion
in 1999, when on page 5 of your own report you say it relates
to any emergency, including localized emergencies. I just
wonder whether they don't need to start all over again, whether
any plan that was prepared before September 11th is worth the
paper it's written on, whether or not we don't need fresh eyes
when we look at what a local emergency is when we look at
infrastructure. So I would like some sense from you whether you
think we can actually pick up from 1999 or whether we ought not
step back and essentially begin again.
Ms. Koontz. I can clarify a little bit. The requirements
first came into being in 1999, and agencies were required to
have a continuity of operations plan in place at this point for
that same year. It was also the same year that FEMA did an
assessment of plans and gave agencies feedback as to strengths
and weaknesses.
Ms. Norton. I think Oklahoma may have occurred by that
time, so I'm sure there was some sense that you could get, you
know, a large emergency. But go ahead.
Ms. Koontz. So that was the first round of plans. But I
wouldn't want to lead you to believe that none of those plans
have been updated since 1999. Some agencies have taken steps to
review their plans once or twice since then, but it varies
quite a bit across the board. Certainly anything that went back
to 1999 would need a significant reassessment before it could
be brought up to date, and indeed we found that regardless of
when the plan had been prepared, that most of them did not hit
the majority of the requirements. In fact, we found not a
single one that met all the requirements in their entirety. So
all of them need a significant relook at this point. But I just
wouldn't want you to believe that nothing has happened since
then.
Ms. Norton. Well, obviously, at the agency level one would
need to particularize what the emergency planning was. I have
no confidence that you begin by saying, hey, agencies, figure
out what to do. I don't understand why there shouldn't be some
overall--you talk in your report about the great disparities
among these agencies. Much of that is to be expected. But
without FEMA's guidance as to what constitutes a plan, what
else could you expect? So I don't see how we can go back and
criticize the agencies or even criticize FEMA for not going
back agency by agency.
My question is, why isn't there some general guidance as to
what minimally an agency should be doing, its plan should be,
with the agencies filling in the particulars, rather than this
kind of ground-up approach and then us criticizing the
agencies? Because somehow they are very different from agency
to agency, as if that isn't exactly what you should expect if
you haven't given agencies some idea of what continuity of
operation should be all about.
So, Mr. Chairman, I must say that I appreciate your calling
this hearing, but I think we are just going at it the entirely
wrong way to say to agencies out there, hey, you all come up
with what you should be doing to continue operations. Without
some general guidance as to ``these are the basics, now fill
in'' does not give me confidence, particularly here in the
National Capital Region, that if there were an emergency it
could be handled.
Chairman Tom Davis. Well, doesn't FPC 65 give out the basic
guidance?
Ms. Koontz. Yes. FPC 65 provides basic guidance on the
eight elements of a viable COOP capability.
Ms. Norton. And isn't that also from 1999?
Ms. Koontz. Yes, that is from 1999.
Ms. Norton. Well, that is my problem. I think the world has
changed since September 11, 2001, and that was before 1999.
That was after 1999.
Chairman Tom Davis. Ms. Koontz, any response?
Ms. Norton. I think that is a more radical critique than
the GAO report is what I'm trying to say.
Chairman Tom Davis. OK. Ms. Koontz.
Ms. Koontz. I would just say that one of the things that we
point out I think quite strongly in our report is that the
identification of essential functions is a very critical first
step in doing effective continuity planning. If you don't do
that right, it probably doesn't matter what do you after that
because you haven't figured out what it is you need to deliver
in an emergency.
But we also point out that the guidance to agencies,
although they have issued general guidance, it was not specific
enough to agencies for them to identify really what an
essential function was and get any consistency across agencies;
and that was compounded by the fact that FEMA was not doing the
regular kind of checking and oversight to provide their
expertise, to lend their expertise to the development of these
plans and provide their broad view of what was going on
government-wide. So I think our report does address some of the
issues that you're identifying here.
Ms. Norton. Well, thank you very much; and thank you Mr.
Chairman.
Chairman Tom Davis. Thank you very much.
Mrs. Davis.
Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman; and
thank you, Ms. Koontz, for being here.
You know, it seems to me that if we had the technology in
place for telecommuting that in the event of an attack here in
Washington, for instance, people could work at home. So I guess
my question is, have any of the agencies--when you reviewed
their plans, had they considered or included telecommuting in
their continuity of operations plans? Because that's been the
hardest thing. We've been--I mean, we have tried to get
agencies to allow telecommuting, and it seems as hard as
pulling teeth sometimes.
Ms. Koontz. Uh-huh. And using both the use of alternatives
facilities and the use of telecommuting could be a reasonable
strategy to use in continuity of operations planning, depending
on the kind of emergencies that we're talking about.
Mrs. Jo Ann Davis of Virginia. Well, if we had the agency
allowing the telecommuting now, it would be in place; and then
there would be an answer to some of the problems for some of
these agencies.
My other question--you know, I heard you say that if FEMA
or someone were doing reviews or what have you, then these
agencies might get off the stick, I guess, is what you meant.
And it bothers me a little bit, because are you saying then
that our agencies don't do what we tell them to do unless they
know we are going to check on them?
But my real question to you--I mean, that was just a side
note. It bothers me to hear that. But did agency personnel
responsible for developing the continuity of operation plans
indicate why they have not followed the guidelines that FEMA
gave them? I mean, the person in each agency who is
responsible, did they give you any feedback?
Ms. Koontz. Well, there are a couple of different classes
of things going on here.
I think, first, in some cases the guidance isn't very
clear; and so agencies maybe tried to implement it the best
they could, but it was predictably then inconsistent across the
government. So you have some of that going on.
In other cases, I think agencies told us that they had
prepared their plan. It had been reviewed by FEMA in 1999. They
thought the feedback they received was that plan was all right;
and, frankly, I think they were surprised in some instances
when we said, well, we don't think this meets the requirements
or the guidance of FPC 65.
So there was a couple of different kinds of things going on
there.
Mrs. Jo Ann Davis of Virginia. Sounds like a communication
problem, Mr. Chairman. It seems like we have that a lot in the
Federal Government. I don't know how we can fix that.
But thank you so much, and I would strongly suggest that we
push the telecommuting if we can.
Chairman Tom Davis. Great. I think Mrs. Davis' idea on the
telecommuting is something that for agencies here we need to do
more of. I mean, this committee will hold followup hearings on
that. Obviously, if an office gets devastated, people don't
need to be in the office in many cases to carry out their
duties.
Mr. Van Hollen.
Mr. Van Hollen. Nothing.
Chairman Tom Davis. No questions.
Mrs. Maloney.
No questions.
Thank you very much. This has been very helpful for us. We
may have some followup pending some of the others, but we
appreciate your oversight on this and your analysis.
Ms. Koontz. Thank you.
Chairman Tom Davis. Thank you very much.
We will proceed now to our second panel. I am going to
thank Under Secretary Michael Brown, the Honorable Michael
Brown, the Under Secretary for Emergency Preparedness and
Response Directorate from the U.S. Department of Homeland
Security, for being with us today. Why don't we take a minute
recess, but I'll wait for him to come in.
There he is. Mr. Secretary, thank you for being with us.
Why don't you stay--and I'll swear you in, our policy.
[Witness sworn.]
Chairman Tom Davis. Thank you very much for being with us
today.
We'll have some lights in front of you, the panel. After 4
minutes, an orange light will come up, giving you a minute to
make it 5. If you feel you need to go over it, we're not
pressed for time. We'll do that. But your entire testimony is
part of the record, and our questions have been based on that.
But thank you very much for being with us today, and thank
you for the job you're doing.
STATEMENT OF MICHAEL BROWN, UNDER SECRETARY FOR EMERGENCY
PREPAREDNESS AND RESPONSE DIRECTORATE, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Brown. Thank you, Mr. Chairman.
Chairman Tom Davis. You have to make sure the mic is on.
That's the toughest part of the whole thing.
Mr. Brown. I'm not used to coming in second. I guess you're
just ready. Go ahead and start then, right? OK.
Good morning, Chairman Davis and members of the committee.
My name is Michael D. Brown, and I am the Under Secretary for
Emergency Preparedness and Response.
Chairman Tom Davis. Mr. Brown the reason we have you second
is we have GAO first and we give you the last word.
Mr. Brown. Sure. Right.
Chairman Tom Davis. So it's really to your advantage to be
in that position.
Mr. Brown. Great.
Thank you for the opportunity to appear before you today to
discuss the Federal Emergency Management Agency's role in
supporting the Nation's Continuity of Operations and its
program.
FEMA was designated the lead agency for Continuity of
Operations for the Federal executive branch by Presidential
guidance on October 21, 1998. Among other things, this guidance
requires Federal agencies to develop Continuity of Operations
plans to support their essential functions. FEMA's leadership
role is to provide guidance and assistance to the other Federal
departments and agencies in this important area. We have taken
this responsibility very seriously and have worked hard to
provide this guidance.
As the program expert for the Federal executive branch COOP
activities, FEMA and the Department of Homeland Security have
made significant strides toward ensuring that COOP plans exist
at all levels of departments and agencies. This effort entails
our involvement with hundreds, if not thousands, of various
COOP plans and close coordination with the General Services
Administration.
We have aggressively developed working relationships across
the government--to include the legislative and judicial
branches--to expend our efforts at providing advice and
assistance to other Federal departments and agencies in the
COOP arena. We have established numerous interagency COOP
working groups at the headquarters and at the regional levels.
These working groups have opened communication channels across
the government regarding COOP plans and programs and have
helped organizations develop more detailed COOP planning in
order to leverage capabilities and to improve interoperability.
Moreover, we have developed new COOP testing, training and
exercise programs to help ensure that all departments and
agencies are prepared to implement their COOP plans.
Significantly in fact--FEMA tested its own COOP plan and
capabilities in December 2003 by conducting Exercise Quiet
Strength. This headquarters COOP activation involved the
notification and relocation of nearly 300 FEMA personnel on our
emergency relocation group, and it successfully demonstrated
our ability to perform FEMA's essential functions from an
alternate site under emergency conditions.
We are now leading the interagency Exercise Forward
Challenge scheduled for next month. This full-scale COOP
exercise will require departments and agencies in the National
Capital Region to relocate and operate from their alternate
facilities. Some 45 departments and agencies plan to
participate in Forward Challenge. A prerequisite for their
participation is for each department and agency to develop
their own internal Forward Challenge COOP exercise. As a
result, there will be approximately 45 separate but linked COOP
exercises conducted concurrently with the main Forward
Challenge event. Because of these internal exercises, Forward
Challenge preparation has cascaded across the country, with
departments and agencies as far away as Fort Worth and Seattle
participating.
Our support for COOP exercises and training is not limited
to the Washington, DC, area. Working with the Federal executive
boards, FEMA has conducted interagency COOP exercises in Denver
and Chicago; and additional exercises are scheduled in Kansas
City on April 29 and in Houston on June 14. To help facilitate
this effort, FEMA has developed a generic interagency COOP
exercise template that can be easily adapted for use in the
field.
Mr. Chairman, you have specifically asked me to address
what steps FEMA is taking to address each of the executive
agencies' COOP plans and what steps we are taking to address
deficiencies in those plans. Through our strong working
relationships and through new and ongoing COOP initiatives, we
are leading the government's COOP program to ensure improved
coordination and provide enhanced planning guidance. FEMA
established the Interagency COOP Working Group in the National
Capital Region comprised of 67 separate departments and
agencies. This working group includes the Library of Congress,
the GAO, U.S. Senate, the D.C. Department of Transportation,
the U.S. court systems and the Metropolitan Washington Council
of Governments. At the regional level, FEMA has used a phased
approach to establish COOP working groups with many of the
Federal executive boards and Federal executive associations
across the country.
In addition, we are revising the Federal preparedness
circular for COOP. The goal is to have a single-source document
that all departments and agencies can refer to for their COOP
programs. The new Federal preparedness circular incorporates
many of the GAO's recent recommendations for improvements. It
includes detailed information on how to identify essential
functions and discusses the importance of interdependencies
between departments and agencies.
Mr. Chairman, the ability of the Federal Government to
deliver essential government services in an emergency is of
critical importance. In June, we agreed that improved planning
was needed to ensure the delivery of essential services.
However, I unwaveringly believe the Federal Government is
currently poised to deliver those services in an emergency that
requires the activation of COOP plans.
Mr. Chairman, thank you for you time; and I'll be happy to
answer any questions you may have.
Chairman Tom Davis. Thank you very much.
[The prepared statement of Mr. Brown follows:]
[GRAPHIC] [TIFF OMITTED] T5423.024
[GRAPHIC] [TIFF OMITTED] T5423.025
[GRAPHIC] [TIFF OMITTED] T5423.026
[GRAPHIC] [TIFF OMITTED] T5423.027
[GRAPHIC] [TIFF OMITTED] T5423.028
Chairman Tom Davis. Just to start off, I was pronouncing it
COOP plans. You're pronouncing it the COOP plans. And the
reason I called it COOP is because chickens are in charge of
the COOP, and I didn't want anyone in the administration to cry
foul of what I was doing, which is eggsactly what they do. I
mean, obviously, we don't want any agency----
Mr. Brown. I can't compete with this humor.
Chairman Tom Davis [continuing]. We don't want the agencies
winging it on their COOP plans. So we will risk ruffling some
feathers here today. But I think it's fair to say the
administration's proposal so far are nothing to crow about.
But let me ask a few questions.
Mr. Brown. OK. Because I'm ready to fly the coop, so----
Chairman Tom Davis. Everybody acknowledges that the first
and most critical element of any COOP planning is the
identification of every essential function that an agency
performs and will attempt to maintain in case of an emergency.
But GAO reports that individual agencies' identification of
essential functions really vary widely. Can you just kind of
review in brief for us what steps FEMA has taken to assure that
these critical functions are accurately carried out by every
Federal agency?
Mr. Brown. Absolutely, Mr. Chairman. FEMA has a
coordination role and provides guidance and assistance, but it
is really up to the departments and the agencies themselves to
determine what's essential for their COOP plans.
We do such things as having a monthly forum through the
Interagency COOP Working Group for departments and agencies to
address those issues and insure best practices.
I also believe that the revised preparedness circular that
is soon to be released at the end of the fourth quarter will
provide better decisionmaking guidance to the departments and
agencies that will also ensure consistency across the Federal
Government.
Moreover, through a readiness reporting system that FEMA is
now implementing, we will be in a better position to provide
more accurate and timely information regarding each department
and agency's COOP activities.
But I believe it's important to note--particularly
important to note that, for the first time ever, as I said in
my oral statement, FEMA exercised its headquarters COOP plan.
It involved the actual notification and actual deployment of
our emergency relocation group to our alternate facility. This
is the first time ever that FEMA has done that. And that we
will now oversee for the first time ever a Federal Government-
wide COOP exercise that will allow us to establish a baseline
for future exercises that we want to have now on an annual
basis.
Chairman Tom Davis. I asked this question of the previous
panel. Are agencies prepared for the worst today? Or are we
getting there?
Mr. Brown. We are certainly getting there. And my
hesitation is not about preparedness. My hesitation, Mr.
Chairman, is about what is the worst--because the worst, in my
world, unfortunately, is, you know, the detonation, for
example, of a nuclear device or a dirty bomb or a bioterrorist
event which will result in catastrophic casualties and a
catastrophic disaster of proportions that will overwhelm all of
us. So that is the reason for my hesitation. I believe that
every department and agency has a very good, robust COOP plan
in place that we just now need to fine-tune.
Chairman Tom Davis. I mean, the experience of this
committee as we go through little emergencies that come across
the city--for example, recently we had tractor man. We had a
guy on a tractor hold up traffic and tie up this city for three
rush hours. And there was--the planning that took--there was no
planning. There was a division over really what the priorities
were to make sure that the person escaped--I mean, that he
wasn't injured and was apprehended, that no one was injured.
Nobody looked out for--and so some of this stuff gets very
contradictory as you start to have to go down the path and
decide what the priorities. You can't anticipate any and all
bad things that can happen.
Mr. Brown. No, but I think, based on the template that we
have put together or the revision of the Federal preparedness
circular, that we will be able to provide them with a template
that allows them to respond to any--almost any kind of
disaster.
Chairman Tom Davis. Ms. Norton's concern in the previous
panel was that we were dealing with a circular from the
executive that came--was a 1999 circular, before September 11.
On September 11 I can tell you we certainly weren't prepared on
Capitol Hill. I mean, we didn't know who to call. We were kind
of irrelevant to the process, though, basically. I mean, we
don't like to think of this that way, but the government went
on fine. Everybody--the military did their job. The police did
their job. Other agencies kicked in. It is a lot more important
than what happens here.
I guess my question is, as we look at different agencies we
see different levels of planning for this. That's not unusual.
What you usually find is we put so many requirements on these
different agencies and secretariats and the like that they have
to sort it out in some, take it more seriously than others. In
fact, some of them, how they plan is going to be more important
to the American people than others.
So as you look over this in terms of your planning and the
checklists and everything else, what are we doing to check on
this?
There was an allegation at GAO that maybe you didn't have
enough people to really implement this job. This is a
contingency planning, so it may never happen, and some agency
leaders, I think, think, well, I don't have to do this because
it'll never happen, and then I can put my resources somewhere
else and accomplish something that everybody--that I know will
happen. What's your reaction to that?
Mr. Brown. Let me--three things I want to respond to, Mr.
Chairman.
First of all, your comment about the ability of the Federal
Government--the ability of executive branch to be able to
actually COOP and respond in terms of an emergency. The good
news I believe out of this hearing should be that all of the
major departments and agencies--in fact, all the departments
and agencies have a COOP plan in place that we have reviewed
and we have looked at.
Do these need to be fine-tuned? Absolutely. Do we need to
continue to improve those? Absolutely. But there is no place in
the executive branch of the departments and agencies where
there is a lack of a COOP plan. So that's the good news.
GAO is correct in that we have been concerned about the
staffing levels. But one of the priorities that I have put in
since I have become the Under Secretary was to increase the
staffing in our national security office, coordination office
and we have increased the staff levels. Additionally, we have
received incredible support from President Bush and the
administration and in the 2005 budget there is a $12 million
increase, specifically for COOP activities.
Chairman Tom Davis. The other criticisms--one other
criticism that came out of the GAO report--I wouldn't call it
criticism, but one of their observations was that some of the
COOP reports that came in really didn't talk about how they
interact with other agencies, that they simply look at what
they did. And it was almost like a checklist, which, by the
way, is not uncommon. I'm not trying to be overly critical
here. I'm just trying to make sure that as we look forward we
can continue to improve.
Mr. Brown. And that is exactly one of the things that we
want to test in Exercise Forward Challenge. It's not just their
ability to pick up and move and go to their alternate sites,
but how do they interact, how are the interdependencies, how is
the interoperability of communications among the different
Departments and Agencies and where can we improve on that. So
you have identified exactly one of the areas that we intend to
push in the exercise.
I would just take this opportunity also to caution everyone
about the exercise, because it is my philosophy, and it is one
that I'm trying to push all the way through FEMA and the entire
departments, that we don't do exercises to make things look
good. We do exercises to push the envelope, to find out where
the vulnerabilities are, to find out where the weaknesses are
so that we can come back and improve upon them. So I fully
expect after Exercise Forward Challenge for us, the Interagency
Working Group to get back together and find places where
interdependencies didn't exist, and we need to improve those.
That's the purpose of the exercise.
Chairman Tom Davis. And you did provide information about
Exercise Quiet Strength, which was FEMA's December 2003,
exercise to test its headquarters COOP plan. But that is an
isolated exercise of one agency; and in reality, of course,
particularly with you all, an actual emergency would involve
government-wide functions. Is there an effort to test some of
that later on in the interaction of some of the agencies?
Mr. Brown. There absolutely is. But before we can go out
and be a good leader and convince all the other departments and
agencies to do this we have to show that we are willing to do
it, too. And since FEMA had never done this exercise I was very
pleased that we were able to pull it off and be as successful
as we were.
Chairman Tom Davis. Thank you very much.
Ms. Watson.
Ms. Watson. Thank you for being here and helping us get
our--wrap our minds around how comprehensive this emergency
preparedness and the planning might be.
I was just given a printout from the L.A. Times that this
is the third loss of power at the Los Angeles Airport in 10
days. When you think about Los Angeles Airport under the FAA
being one of the major ports on the west coast, it's very
troubling to know that a bird can stand on a wire, spread its
wings, make the connection and out the whole airport and all
the flights all the way, nationally and internationally--the
third time in 10 days.
My question is, in your interagency efforts, is it the FAA,
then, that would be able to take a look at all of our airports?
It seems to me that, you know, I can't really understand how a
bird could do this three times in 10 days and where our backup
systems are.
Mr. Brown. I assume it wasn't the same bird.
Ms. Watson. No. I think that bird has been--is toast. But,
you know, it just seems like this is a weak spot, a soft target
for terrorists. They can send a bird up, you know, and knock
out the whole system.
This is one of our major international ports. We are
Pacific rim, and I am very concerned about whether it reaches
over to the FAA and if the FAA will look at all of our
airports. Because it seems to me on September 11 it was--the
airport was the scene--the launching of a terrible disaster
that we've never had before and we were not prepared for. So in
looking at how we prepare I think something like this should be
a function of the FAA, and I would hope that Homeland Security
would certainly raise these issues and see if we can motivate
and activate FAA to take a look.
Mr. Brown. Yes, ma'am. I'll certainly pass that information
and the story along.
Ms. Watson. I'll give you a copy of this, if you would
like.
Mr. Brown. Right. I'll pass that on to Under Secretary
Libutti of the Information Analysis and Infrastructure
Protection Directorate in the Department, because they are
taking a significant review of all the critical infrastructure
in this country and how we can better protect those
vulnerabilities.
Ms. Watson. Sure. Thank you very much.
Chairman Tom Davis. Ms. Watson, thank you very much.
Mrs. Maloney, any questions?
Mrs. Maloney. No.
Chairman Tom Davis. Mr. Brown, thank you very much for
being here today. We look forward to continuing to work for you
as we develop these COOP plans. I will get my pronunciations
right, and we'll get you armed with some funds when you come
back here. But we could use--you know, we will look forward to
working with you as we continue to develop these.
I'd just ask one last question. There is some concern among
Members that maybe we ought to have these plans given to this
committee where we could oversee them when they come in as
well. Do you have any objection to that? We don't have to do
that legislatively necessarily, but, as you get the plan, share
them with us so we can stay abreast with what's going on.
Mr. Brown. We will certainly continue those discussions,
Mr. Chairman, and see if there isn't some way that we can have
you more attuned to what we're doing in terms of planning and
the processes.
Chairman Thomas. Again, this may--hopefully, this will be--
we're talking about events that never happen. We are talking
about plans that never need to be implemented. But should they
do that, all eyes will be on what we were doing in Congress.
Mr. Brown. I would be remiss if I didn't remind ourselves
that these COOP plans really go beyond just terrorist events.
We also prepared to COOP the executive branch during Hurricane
Isabel. There are many natural hazards which will cause us to
COOP also, not just a terrorist event.
Chairman Tom Davis. Plus the tractor man. Isolated
incidents.
Mr. Brown. Right.
Chairman Tom Davis. And we had another guy on the bridge--
just so I can get this off my chest--who was having a bad day
and held up traffic on the Woodrow Wilson bridge and clogged
traffic on the east coast for 5 hours. It took them 5 hours to
figure out--they talked him down, instead of shooting him off
with a bean bag, which is what they should have done right
away, I mean, because you have to look at the greater good of
some of this. It wouldn't have killed him, you know. He would
have gotten wet.
But these kinds of plans sometimes we don't think about
till they occur, and now that we have this agency we are
expecting all knowledge to rest with you all and solutions to
rest with you.
Mr. Brown. We take this very seriously, and we will do
everything we can to move it.
Chairman Tom Davis. We think you're doing great. Thanks for
being here.
Mr. Brown. Thank you, Mr. Chairman.
Chairman Tom Davis. We'll take a second and move to our
third witness, and we have John Kern from AT&T. He's the
Network Continuity Director for AT&T. This is a real-life
company that has to deal with these kind of issues every day.
This is part of their business, is dealing with emergency
contingencies and service.
Mr. Kern, if you'd rise with me. It's the policy of this
committee. We swear in.
[Witness sworn.]
Chairman Tom Davis. Please have a seat.
Your total testimony is in the record. We try to keep the
opening statements to 5 minutes, but if you need to take a
little longer, we are not in a hurry here. After 4 minutes, an
orange light will go on. That gives you a minute. And when the
red light goes on, that is it. Take what you need.
Thank you for being with us. I think you can add a lot to
our testimony today.
STATEMENT OF JOHN KERN, DIRECTOR, NETWORK CONTINUITY, AT&T
CORP.
Mr. Kern. My pleasure. Thank you.
Good morning, Mr. Chairman and members of the committee. My
name is John Kern. I am the Network Continuity Director for
AT&T. My team and I are responsible for business continuity,
disaster recovery and continuity of operation for our worldwide
network infrastructure.
Thank you for the opportunity to discuss with you today how
AT&T has implemented our continuity of operations plan. I will
suggest recommendations of how Federal agencies can implement
continuity, plans of their own that kind of fall in line with
some of the processes that we use.
The chart that is being displayed right now is an example
of our network continuity and business continuity program,
which is very similar to the COOP. We understand how important
the services that we provide to our customers, both the private
sector and the Federal Government services, like the government
emergency telecommunications services; and we spend a great
deal of energy and commitment to making sure that they can
operate under any circumstances. This is both for our physical
network and for cyber issues like security.
For example, we have basic level fire walls, intrusion
detection at a higher level, cyber security where things are
detected automatically and there is basic patterns that are
looked for in the network so we can protect our services for
our customers.
At a physical level, we have a dedicated team of people and
we have invested over $300 million in equipment to be able to
operate our network and continue our network under any
circumstances. It is unique in our industry. We have had 12
years of experience and expertise in developing this as part of
our continuity of operations plan.
The next one. One of the important things that was
discussed today is exercising. I agree with the former witness
that any plan that isn't tested really isn't a viable plan, and
the whole point of an exercise is to find areas to improve the
plan, to understand what can be done better the next time and
how to make the continuity operations plan a viable, executable
plan.
We realize it is a long process to do continuity of
operations and business continuity. It took a substantial
effort and discipline on our part to get this far in our plans
and commitment. We have been working with the GSA to provide
agencies with multiple suites of security services, and we look
forward to continuing to work with the GSA and your committee
to bring continuity of operations planning across the Federal
Government.
It is obvious that continuity of operations planning is
hard work. It requires investment. There is a cost to do it. In
some cases, though, there is a larger cost in not doing it. Not
having a continuity of operation plan that you could execute
could mean that for several days your agency or enterprise
isn't able to provide the basic service to your customers or
your constituents.
The government should consider leveraging capabilities that
have already been implemented in the industry, leveraging off
the expertise of AT&T. The government business is very
important, both to our customers, to the constituents of the
government, and we are basically here to help with your
continuity of operations plans. We have had a lot of benefit
from our relationship with the Federal Government, various
agencies, Department of Defense, FEMA, National Institute of
Science and Technology for standards. We are now kind of
offering what we have leveraged into those continuity of
operations plans to offer assistance to you, Mr. Chairman, and
to the committee and to the Federal Government.
Chairman Tom Davis. Thank you very much.
[The prepared statement of Mr. Kern follows:]
[GRAPHIC] [TIFF OMITTED] T5423.029
[GRAPHIC] [TIFF OMITTED] T5423.030
[GRAPHIC] [TIFF OMITTED] T5423.031
[GRAPHIC] [TIFF OMITTED] T5423.032
[GRAPHIC] [TIFF OMITTED] T5423.037
[GRAPHIC] [TIFF OMITTED] T5423.038
[GRAPHIC] [TIFF OMITTED] T5423.039
[GRAPHIC] [TIFF OMITTED] T5423.040
Chairman Tom Davis. You get a lot of real-world experience
in this. Every time there is a storm or something like that,
you have to deal with that.
Mr. Kern. Yes, sir.
I'm an operational level person. If there is a disaster on
my team, I go out in the field and do whatever we need to do to
make sure our network continues to operate under any
circumstances. We were heavily involved with our network
recovery efforts after the World Trade Center.
One thing I mentioned a little bit earlier was having that
discipline of a plan, the commitment to execute the plan and
even having the resiliency and reliability built in. But you
also need some flexibility in your plans. A good example, we
had never and I don't know of anybody envisioning somebody
crashing planes into a building the size of the World Trade
Center or the subsequent shutdown of the nationwide air traffic
control system. Our plans didn't call for that or didn't
counter that. But the flexibility we built into our disaster
recovery plans basically assumed that we would have regional
disruptions.
A hurricane going through south Florida might shut down
several airports. An earthquake in the West might shut down a
few airports. So we have our people and our equipment
regionally deployed so we can respond from anyplace. After the
World Trade Center, when the air traffic system shut down,
basically was a small inconvenience. We had people driving east
to New York versus normally getting on a plane.
Chairman Tom Davis. You have a lot of redundancy in your
system, don't you?
Mr. Kern. One of the things we do is we believe there is
that kind of continuity by design, not just assuming what is
going to happen in a disaster but how do you build that
reliability and resiliency into your network or the service or
infrastructure you need to provide your services for your
customers or constituents.
For example, just in providing power, I know I mentioned
the power outage at LAX. As far AT&T's offices were, we create
the communications that basically hub the transport for our
customers. We have three or four different levels of
reliability around power. We have separate power feeds from
separate substations. So, hopefully, the bird spreading its
wings across one power line wouldn't impact the other power
line.
We have dedicated generators in each building. We have
battery backup, and we have the ability to bring in portable
generators, kind of multiple layers of reliability and
resiliency. I would say that a power outage would never be
noticed by our customers because it is something we have built
into the system. We wouldn't have to recover from it. We have
planned for it and have built it into the network itself.
Chairman Tom Davis. One of the reasons we got you here
today is because you know how to do this business. You do it on
a practical basis. You are culturally a lot different than
government. You have a lot of real-world experience in this at
AT&T. Every time there is a massive storm, who knows, whatever
disaster. So government is dealing with theoretical exercises.
You are dealing with real-world experience; and nothing beats
experience, as you know.
They used to say the difference between education and
experience is education is when you read the fine print and
experience is when you don't. In this particular case, you get
your mistakes out already because you have a lot of experience
with that. The government doesn't.
So, second, you are in a competitive atmosphere. These are
not theoretical occurrences to you. These are occurrences that
if they happen and you can't satisfy your customers, they can
go to a competitor. In government's case, they have nowhere
else to go. It makes you respond differently.
If government would try to take some of those competitive
spirits you have--and try and tell the government and say this
is why you operate it differently or this is why you make it
more of a priority than government does. We try to do it in
government sometimes, but these agency heads, they have a lot
of pressure on them to perform under a lot of different
regulatory obligations and this is when it probably won't
happen, at least on their watch. You tend to push it aside, to
put your resources toward something that is a little more
current and a little more mission critical.
Mr. Kern. One of the things we had done to get past that--
because in the early days of our program we had similar issues
where the different organizational heads said I have more
important things to do. This type of disaster will never impact
us. One thing that we have set up as part of the process was
kind of the governance structure. What's the set of standards
and rules around what every organization in the government,
what every agency has to do?
Probably most importantly and one of the functions that we
perform that definitely would be a good idea for the government
is in our case it would be a business impact analysis. In the
case of the government, it might be an operations impact
analysis. Understand that across the entire enterprise and
government, what agencies are responsible working together to
provide certain key services and functions to the constituents
and then how do you address continuity of operations based on
those critical services, not just on an agency level.
The other piece we have introduced over the 12 years that
we've been doing this is the idea that this is part of a
person's function, this is part of their job. For us in private
enterprise, it goes to--the future funding they receive goes to
their pay, future promotions; and it is in a sense of how they
are graded. It's another important piece as a common report
card.
If you have checklists, it is one thing. The next layer
down is to look at what is the report card so that you know
that a level A from one agency means the same as grade A for
another agency and you do the exercises that the gentleman from
FEMA mentioned that are across multiple agencies, kind of
driven to a specific service.
Chairman Tom Davis. That is an excellent point.
Kind of mystifies me when you have an intelligence failure
in the government, nobody gets fired. You have it at AT&T. You
have a lot of people losing their jobs.
I am not arguing one is necessarily better than the other,
but we could use a little more of the AT&T culture sometimes in
government in staying ahead of the curve. But because we are
not in a competitive mode, we tend to be more reactive than
proactive.
You talk about incentives for your managers. There is no
incentive for getting this plan down and having a great
contingency plan. They are going to care more about current
operations and what are you doing currently. I think that is
the point you are making.
You also have to deal with a lot of changing technologies
in telecommunication at this point, the move to wireless.
Instead of interagencies, you have to work with your
competitors in some cases, your line-sharing. How does that
work?
Mr. Kern. The one issue is changes in technology, in some
cases, changes in technology presents a challenge and some
cases it presents a new opportunity. If you look at the
increase in wireless technology, in the past, if you had to go
to a physical place to connect into the network to get your job
done or to get your business accomplished, now you can
accomplish it wirelessly. In some cases, technology presents a
challenge, but in a lot of our cases, it just presents more of
an opportunity.
In the case of government, there is just more opportunity
to leverage what is already being developed in the private
industry to do a good COOP plan. If you imagine the wireless
lands and wireless cellular voice technology, it allows you to
set up your continuity of operations sites in places where you
would not be able to get land lines to.
As far as the question around the cooperation, one of the
things that we do through the Department of Homeland Security
there is a National Coordinating Center, and that is one place
in the industry where we can work together in the event of a
real disaster or an event that would impact the network, like
the power outage last summer, where we can get together to
coordinate our activities to make sure if there is any mutual
aid that makes sense where can we offer assistance where
another carrier might not have enough generators or enough
manpower to get a certain task done.
What places in the Federal Government offer that place of
coordination and command and control that the
telecommunications carriers get through the National
Coordinating Center is another question that kind of brings to
FEMA's role or not.
Chairman Tom Davis. Has anybody from the government come
and asked you, what do you do for your COOP planning? Anybody
consult with you and say you guys have to go through this? You
have been through a lot of natural disasters and the like.
Mr. Kern. Personally, I have had dealings with several
different agencies about their COOP plans, either reviewing
them, offering suggestions on things that could be done or, in
some cases, we will receive requests from government agencies
to understand how the services that we provide, something like
an ultra available, which is a way we can distribute technology
across a given metropolitan area to make sure you don't have a
point-to-point facility that is going to impact your ability to
operate your enterprises, this kind of gives you a ring of
capability, a place where you can operate your different
services. So we will have requests from agencies to provide
technology or to provide capability that they can use in their
COOP.
We have had all different flavors. I think the agency we
have dealt with the most has been the GSA where, again, part
FTS 2001, there was a whole level of specific security
applications that ranged for different levels of security that
agencies could use to implement security needs.
We are also working with the GSA on FTS Networx, which is
the next evolution of how do we not build in just the security
but the resiliency and reliability. Each agency does not have
the same need for the robustness, reliability, resiliency. How
do you have a four, five-tiered structure so that agencies can
get the reliability that they need to buy the resiliency to
allow them to operate their business without agencies that
don't need that same level of resiliency having in a sense pay
for a service they are not going to use.
Chairman Tom Davis. Thank you very much.
Ms. Watson.
Ms. Watson. I want to sincerely thank you for being here,
Mr. Kern.
I would hope that your researchers can look toward the
future. Everyone is saying, who would have ever thought an
airplane would hit a building? We heard it rumored around
before September 11. Now we know it is a reality. We need to
look toward the future with our technology. We just put an
apparatus on Mars, and they plan for it to go over rough
surfaces and pick things up and photograph things.
What I am hearing that frustrates me is that we are not
thinking progressively enough. I am very frustrated that we
have had our third outage, as I mentioned, in 10 days. Why are
we still depending on wires that go above the ground if a bird
can light on them and knock out the whole airport? Are we
thinking about the possibilities? We don't want a play on
words, as was raised with the last panel. We want to really get
people out ahead of these occurrences.
I think you could be very helpful, AT&T, in saying to our
agencies, look, we have a design here that might work so you
won't have to have this happen again; and then it is their
responsibility to take a look and investigate. I would hope
that you--and I know the competition is high, but come out
ahead of all the others with a way to avoid--and I think that
power outage can be avoided if we think more progressively and
more scientifically. Maybe we ought to contact NASA, because
apparently they have plans for all contingencies when they put
a spacecraft up. But I want to encourage you to impact on us in
government.
And I think the chairman was absolutely right. You know, we
don't have the experience, and we don't get into the business
of detecting things before they happen. We have not been in the
business of doing that. We can make policy afterwards.
But I do think we are going to have to go out to the
utilities, go out to private industry and say help and present
to us, to FEMA, to the COOP or COOP or whatever you want to
call it, you know, these are some things that government ought
to invest in.
So I want to thank you for coming, Mr. Kern. I really don't
have a question. It is more or less a recommendation to you to
come back to us.
Chairman Tom Davis. Ms. Watson, let me just say, to stick
with the puns and keep them on subject with the birds and the
wires, you can't do this on the cheep.
Mr. Kern. My opening remarks mentioned my extra kind of
capacity--I have seven acres in New Jersey. I have about nine
hens and a rooster, so I am familiar with coops both at a
business level and a personal level. But now that you throw
cheep into the bargain--we are definitely linked to assist the
government wherever we can. We have--over the 100 years that we
have been around as an enterprise, AT&T has developed a very
comprehensive set of standards around things like physical
infrastructure. How do you power an enterprise that is
important to you? How do you back that power up? What do you do
around cyber security, physical security? How do you have
continuity of operation plans that really take into effect
where you can bring your people to--impacts to things like
telecommuting, all the things we have great expertise at and
definitely willing to help the government wherever we can
either through our technology, our standards, our expertise or
the experience that we have really developed over, in some
cases, the last 12 years for business continuity but, in other
cases, 100 years in operating a rather large, a rather critical
infrastructure that provides the network service that everybody
relies on.
Ms. Watson. Mr. Chairman, if I could just take 1 more
minute. We are going to have a bill on the floor, the
Sensenbrenner bill. Reading the fine print--and this is where
policymakers comes in. We read the fine print. We don't go on
our experiences. It says that if there is an extraordinary
circumstance and the Speaker of the House of Representatives
announces vacancies, well, if the plane has succeeded in
hitting the Capitol, it might have wiped everyone out,
including the Speaker. If we are going to put law in the books,
we are going to have to think beyond the words here. So it
should be designated--someone who does the designating. Because
the Speaker and all the rest of us will probably perish if that
were to occur.
My point is we have to think differently than we have in
the past; and, as a policymaker, this becomes the law. You
know, it can be adjudicated in the courts. So how do we think
in a way that will address these unusual circumstances?
Those of you out in the field in terms of the way agencies
work and operations work and utilities work and so on have to
benefit--we have to benefit from your experience, and you have
to suggest to us. Now whether we make policy based on the input
is left up to us, but I really invite your recommendations.
With that, I want to thank you, Mr. Chairman.
Chairman Tom Davis. Ms. Watson, thank you very much.
Mr. Ruppersberger, do you have any questions.
Mr. Ruppersberger. I didn't hear your testimony. Thank you
for being here.
Just generally, though, in the event that there is a
catastrophe, it seems to me that in your field in
communications it is an essential function during an event,
after an event and then the months after the actual event. Do
you communicate or work closely with anyone in Homeland
Security as far as developing----
Mr. Kern. Yes.
Mr. Ruppersberger. As much you can, what is that
communication? Are they giving you the lead or are you helping
them as consultants? How would you describe where that is now?
Again, we know Homeland Security is new. What would you
like to see to make that function even better?
Mr. Kern. We have many roles with the Department of
Homeland Security. One of them and probably important to me is
the National Coordinating Center. It is the part of the
Department of Homeland Security where the carriers have a
common meeting ground to both plan around continuity and also
to respond to an event.
During the World Trade Center, we worked through the NCC--
at that time, it was part of the FCC--to understand where we
need to bring in equipment or where we needed to have people.
So the key function of the Department of Homeland Security for
us is that kind of coordination role.
Another one is if we consider--what we try to do is not
wait for the disaster but how do you get ahead and be proactive
and look at the events that are coming up that you might need
to worry about the impacts on your network or your people. I
look at national security events as a big concern when one is
declared by the government, understanding what is the real
risk, what is the impact to our network. Do we need to do
something different ahead of time to further harden our
network, to bring in additional people in a nearby area? That
is one area where the Department of Homeland Security
definitely takes the lead around coordinating, around the
contingency planning for national special security events; and
we work through them.
Mr. Ruppersberger. Are you coordinating your networks for--
using your own money. Do you use Federal money? Where are you
as it relates to money?
Mr. Kern. Right now, any of the planning that we do, any
contingency planning that we do, it's our own money. As far as
I know, we have not received any grants or funding to do our
disaster recovery work or to do any of the contingency work. It
is something that we have determined that is important to our
customers, to the services that we provide and our ability to
operate them under any event. We decided to undertake the
expense and risk to do that.
Mr. Ruppersberger. If an event occurs, another event in a
major metropolitan area, are you ready?
Mr. Kern. Yes. We have had our program for the last 12
years. We were prepared for September 11, not for that type of
event. But based on the structure and contingencies we had in
place we were able to respond and deploy equipment to meet the
needs from that disaster. Since September 11, we have increased
our capabilities and added more people to the process and we
are looking at things, some of the risks that are out there,
maybe have a higher probability, the more manmade, chemical,
biological attacks. We are participating in TOPOFF 3, which is
the WMD exercise that is going to be held in New Jersey,
Connecticut area next year. We have increased our capabilities
to respond to those new threats. If there is an event in this
country, we are prepared to respond.
Mr. Ruppersberger. What about your other major competitors?
Are they in the same position you're in, based on your
knowledge? I know you are going to say you're the best, but are
they close?
Mr. Kern. We don't spend any money looking to see what our
competitors are doing with investment money.
Mr. Ruppersberger. From a national security point of view,
in the event there is a catastrophe, are we able to provide the
communications needed? Because you are not the only game in
town.
Mr. Kern. Unfortunately, that question would be best left
to the competitors. I would say that none of our competitors
have the mobile recovery capability that we have developed, the
resiliency that we have developed, the multiple layers of
backup that we have developed. To my knowledge, none of our
competitors have taken their services as seriously as we have
and do not have that type of capability.
We have invested more than $300 million. We have 150 pieces
of mobile disaster recovery equipment dedicated to AT&T's
network, both private enterprise and the Federal Government.
To my knowledge--I have been in the telecommunication
industry for more than 28 years, and I have been in the
disaster recovery field for more than 7 years, and none of our
competitors have a mobile recovery capability to the extent
that we do and could not respond in the same fashion that we
can.
Chairman Tom Davis. Thank you very much.
I want to thank the Members for attending and thank our
panelists.
Mr. Kern, thank you very much. This has been very helpful
to us; and we wish you luck in your future endeavors as well.
Again, I want to thank our witnesses for attending. I would
like to add that the record will be kept open for 2 weeks to
allow witnesses to include any other information in the record.
The hearing is adjourned.
[Whereupon, at 11:30 a.m., the committee was adjourned.]
[Note.--The GAO report entitled, ``Continuity of
Operations, Improved Planning Needed to Ensure Delivery of
Essential Government Services,'' may be found in committee
files.]
[The prepared statement of Hon. Elijah E. Cummings and
additional information submitted for the hearing record
follow:]
[GRAPHIC] [TIFF OMITTED] T5423.033
[GRAPHIC] [TIFF OMITTED] T5423.034
[GRAPHIC] [TIFF OMITTED] T5423.035
[GRAPHIC] [TIFF OMITTED] T5423.036
<all>
�