
COOP/SERVICE CONTINUITY


DISA provides regulatory-compliant remote recovery capability, or COOP, for our partners who purchase that service and document the requirement within their governing Service Level Agreement (SLA). The standards and minimum requirements outlined in DoD Instruction (DoDI) 8500.2 include continuity-related Information Assurance (IA) controls. Those minimums form the foundation for the program as administered by DISA.

For mainframe processing, including IBM, Linux on System z*, and Unisys platforms, the cost of COOP/Service Continuity is included in the rates (*additional storage cost applies). For all server-based processing, the basic rates do not include this coverage. Our partners with server-based processing must “opt in” to the COOP program by specifically selecting and paying for the appropriate remote recovery protection. Standard storage solution programs used by DISA are designed to support internal DISA recovery efforts only.

It is DISA’s policy that COOP will only be offered for those applications where DISA already has the production processing requirement. DISA will not pursue or accept "COOP Only" arrangements for processing.

STANDARD FEATURES

COOP/Service Continuity consists of the policies, procedures, and programs that allow DISA, in concert with partner personnel, to provide an effective level of assurance that workloads will continue to process in accordance with regulatory requirements and documented obligations in SLAs. The continuity-related IA controls from DoDI 8500.2 are listed below and are satisfied by the COOP program as overseen by DISA.

| Control | Mitigation Strategy |
|---|---|
| Alternate Site Designation | An alternate site is identified as a recovery location and has appropriate equipment and infrastructure to allow restoration of processing capability. |
| Protection of Recovery Assets | Procedures exist to ensure the physical and technical protection of recovery infrastructure. |
| Data Backup Procedures | Data is backed up according to the required frequency and stored off-site. |
| Disaster and Recovery Planning | Plans and procedures exist to allow resumption within required time frames. |
| Enclave Boundary Defense | Measures in place are similar to production site protections. |
| Scheduled Exercises and Drills | Annual exercises are available upon partner request. |
| Identification of Essential Functions | Where identified by the partner, mission essential functions and their supporting assets are considered in determining restoration priorities. |
| Maintenance Support | Maintenance support for key IT assets can respond within required timeframes. |
| Power Supply | Uninterruptible Power Supply (UPS) and emergency generator protection is in place. |
| Spares and Parts | Maintenance spares and parts for key IT assets can be obtained within required timeframes. |
| Backup Copies of Critical Software | Backup copies of critical software are maintained offsite. |
| Trusted Recovery | Procedures exist to ensure a secure and verifiable recovery effort. |

For partners purchasing IBM and Unisys mainframe processing, there is an Assured Computing Environment (ACE) approach to providing COOP that will meet Mission Assurance Category (MAC) II requirements (processor and data) for remote recovery. This approach is included in the standard rates for those services. For Linux on System z on the IBM mainframe, the rate includes the processing capacity and capability; however, an additional charge for the storage component of the recovery infrastructure is required.

Server-based processing does not include COOP/Service Continuity in the basic rates and requires the partner to specifically select and pay for the desired and compliant coverage (see Optional Features).

DISA, in concert with partner personnel, will take the lead in developing, maintaining, and updating recovery procedures. However, recovery procedures will only be created for those applications for which DISA has a defined and documented recovery responsibility. Procedures designed to be used by an alternate provider, or by the partner using their own internal resources, will have to be developed by those who are responsible for the recovery and familiar with the supporting infrastructure for the planned recovery.

DISA will allow auditors, working through the DISA Chief Information Officer (CIO) office, to review documentation associated with satisfying COOP-related IA controls. For security purposes, specific recovery documentation will not be distributed to the auditors; however, an audit artifact package will be provided as documented evidence of IA Control compliance.

When contracting with DISA for COOP/Service Continuity, the partner can request exercises of that coverage using the processes and/or environments that would be used for an actual recovery. The two primary types of exercises are tabletop and simulation. There is no additional charge to the partner to conduct these exercises; however, they are limited to no more than one per year. The first exercise for either new workloads or workloads that have undergone major updates or changes to the operating environment (OE) will be conducted as a tabletop. After that, the partner will be eligible for a simulation every three years, with tabletop exercises in between.

In a tabletop exercise, the personnel who would be involved in an actual recovery gather together and walk through the processes developed for that recovery. The time to complete a tabletop exercise will be dependent on the scope and coordination requirements associated with the exercise. Typically, these exercises are conducted within an hour. The minimum planning lead time before a tabletop can be conducted is 45 days.

In a simulation exercise, the application or applications in question are physically recovered at their pre-designated recovery site using the recovery procedures in the Business Continuity Plan (BCP) for the production site. The time to complete such an exercise will be dependent on the scope and coordination requirements associated with the exercise as well as the environment at the designated recovery site(s). Typically, these exercises will be two to three weeks in length. The minimum planning lead time before a simulation can be conducted is 90 days.

OPTIONAL FEATURES

There are six options available for server-based COOP/Service Continuity; five of these are standard options and one is an additional custom option.

The table below shows the five standard options known as Remote Recovery Combinations (RRCs). In order to have a recovery option that meets the COOP requirements detailed in DoDI 8500.2, appropriate selections must be made for both storage (data) recovery and server (processor) recovery.

| Option | MAC Level | Description | Storage Offering | Processor Offering | RTO/RPO |
|---|---|---|---|---|---|
| RRC 1 | MAC III | Remote recovery using tape-based data backups and shared processing capability at the default designated recovery site. | Basic Remote | Shared COOP | Recovery Time Objective (RTO) = 5 Days; Recovery Point Objective (RPO) = 7 Days |
| RRC 1.2 | MAC III | Remote recovery using replication of data and shared processing capability at the default designated recovery site. | Operational Remote | Shared COOP | RTO = 5 Days; RPO = 24 Hours |
| RRC 2 | MAC II | Remote recovery using replication of data as well as a dedicated, pre-configured processing capability at the designated recovery site. | Operational Remote | Dedicated COOP | RTO & RPO = 24 Hours |
| RRC 3 | MAC II | Remote recovery using replication of data as well as a dedicated, pre-configured, and operational processing capability at the designated recovery site. | High-Availability (HA) Remote | Dedicated COOP | RTO & RPO = 8 Hours |
| RRC 4 | MAC I | Remote recovery using near-synchronous replication of data as well as dedicated, pre-configured, and operational processing capability at the designated recovery site. | Non-Disruptive Remote (Host-Based Replication Only) | Dedicated COOP | RTO = 30 Min; RPO = 1 Sec |

Custom COOP/Service Continuity (Option 6) is available to those partners whose mission requirements for a particular application, or suite of applications, are not adequately addressed by any of the standard options identified above.

If the partner determines that the pre-defined approaches are not adequate or preferred, then a custom solution can be developed and implemented (Failover, Test and Development [T&D], partner-managed, etc.). Any solution of this type must be identified within the relevant SLA. In addition, any supporting documentation must be linked to, or referenced within, that SLA. For partner-managed solutions where the partner is responsible for facilitating their own exercises and maintaining their own documents to support regulatory requirements, they are still required to follow the Exercise Restrictions & Guidance policy with regard to scheduling and site coordination.

ADDITIONAL INFORMATION

DISA has standard performance level data available for our partners to view. Additional data can also be provided as requested. All performance data to be provided will be documented in the SLA, which will be executed when the service is ordered.