Sunday, June 21, 2015

CIS 608-301 - Week 2 Blog Post: Federal IT Contingency & Continuity Planning

Implementation of federal government contingency planning is primarily governed by NIST SP 800-34 (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). Other documents, including 800-53 for information security controls, and federal policy also play a role. Organizations are required to identify any mission essential functions (MEFs) tied to the continuance of critical federal government functions and ensure they remain available if something happens at the organization to interrupt operations. The interruption could be anything from a significant malware attack to a fire, earthquake, significant weather event, or manmade accident or disaster. Once operations are interrupted, the site must either execute its contingency plan so that operations come back online at the primary site within 12 hours (the maximum tolerable downtime, or MTD, for MEFs) or, if the event cannot be resolved at the primary site, execute continuity of operations (COOP) at an alternate site for a period ranging from 12 hours to 30 days to restore all mission essential functions (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010).

So, how well is the federal government doing with managing IT continuity planning and COOP, and is it being accomplished in a cost-effective way? Judging from my experience, there are pockets of excellence, but for the most part ITCP and COOP are not effectively implemented or are simply too expensive for most sites to accomplish on increasingly small budgets (Sequestration anybody?). Given that the maximum tolerable downtime for MEFs is 12 hours, the government must primarily be focused on the use of hot sites, which are sites with fully operational equipment and the capacity to assume operations after loss of the primary system facility, and which thus nearly double the cost of running an organization's IT department. There are also significant technological hurdles to maintaining two sites (e.g. data replication and reconstitution) that often present too great a challenge for staff to overcome with limited resources, both in tools and labor. For a government that typically runs annual deficits on the order of $400 billion up to $1 trillion, one would think that it would begin to understand the need to be cost-effective in its operations. Also, given recent data breaches at organizations such as OPM (Nakashima, 2015) as an indication of security challenges, one wonders if the federal government should be in the business of performing most IT functions at all. Perhaps the government would be better served looking into other solutions for its varied IT problems.

Thankfully, the federal government has actually been encouraging outsourcing of many services to the cloud over the past few years. The government set up an organization called “The Federal Risk and Authorization Management Program” (FedRAMP) to certify cloud vendors and their services (FedRAMP, 2015). FedRAMP approval is mandatory for federal agencies to leverage cloud services for all low and moderate risk impact level systems, though negotiations are possible for high risk impact systems. FedRAMP has certified multiple vendors and service offerings at this time, and those offerings include not only the IT service but also security services, thus reducing the burden on IT staff on multiple fronts. Additionally, most cloud-based services are redundant, so if one site goes down, the service can be brought up nearly instantaneously at an alternate site, transparently and without significant additional cost. Finally, services in a cloud environment often scale to what is needed, so IT departments are able to respond quickly to increased demand or decrease capacity (and cost) when it is not needed (Amazon Web Services, 2015). The bottom line is a much more efficient and potentially cost-effective way of conducting IT operations and meeting organizational requirements such as those for MEFs.

Gartner (Leong, Toombs, & Gill, 2015) recently conducted a Magic Quadrant review of cloud infrastructure as a service (IaaS). Though limited in its approach and scope, it does provide some insight into the cloud market. The clear market leader of the survey was Amazon Web Services, which is FedRAMP certified. Microsoft was the only other organization to be rated in the leader quadrant on the survey. VMware, Google, IBM (SoftLayer) and CenturyLink were all rated as visionaries in the field, and a host of others were rated as niche players. The bottom line of this survey is that while many services have quickly come and gone, cloud services are growing and there are many players in the field that are investing heavily in their service offerings. Given that the federal government, with its vast resources, is in the process of approving cloud vendors and actively encouraging agencies to enter into cloud solutions with industry, the cloud growth trend is likely to continue for some time, thus increasing competition while hopefully driving improvement in services and lowering costs. The federal government faces vast challenges in managing and securing IT as well as in meeting continuity goals, but it appears to be on the correct path in leveraging the vast knowledge and capabilities of industry to address those challenges.

Works Cited

Amazon Web Services. (2015). Amazon Web Services. Retrieved 6 18, 2015, from aws.amazon.com: http://aws.amazon.com/what-is-cloud-computing/
FedRAMP. (2015). FedRAMP. Retrieved 6 20, 2015, from Fedramp.gov: https://www.fedramp.gov/about-us/about/
Leong, L., Toombs, D., & Gill, B. (2015, 5 18). Gartner. Retrieved 6 20, 2015, from gartner.com: http://www.gartner.com/technology/reprints.do?id=1-2G2O5FC&ct=150519&st=sb
Nakashima, E. (2015, 6 18). Washington Post. Retrieved 6 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, 5). NIST. Retrieved 6 20, 2015, from http://csrc.nist.gov/: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf
