COAS-1

COAS-1 Alternate Site Designation

Overview

An alternate site is identified that permits the partial restoration of mission or business essential functions.

MAC / CONF	Impact	Subject Area
MACIII	Medium	Continuity

Details

Threat
Environmental disasters, organized disruptions, loss of utilities/services, equipment or system failures, and serious information security incidents are potential events that could disrupt mission or business essential functions. A recovery strategy should be developed to include an alternate site to mitigate the impact of disruptive events.

Guidance
This general implementation guidance is provided for IAMs/IAOs involved in the creation of a system or organizational Continuity of Operations (COOP) plan: 1. Identify an alternate site that has the capability to at least partially restore mission or business essential functions. 2. Establish a program to ensure comprehensive and effective continuity of essential functions during a broad spectrum of emergencies or situations that may disrupt normal operations (e.g., power failures, damage to facilities caused by storms, fires, flooding, etc.) 3. Ensure that the program includes a strategy to recover and perform partial system operations at the alternate facility for an extended period of time. 4. Partial restoration of mission or business essential functions at an alternate site shall be based on the results of a business impact analyses that identifies and ranks major information systems and mission-critical applications according to their operational priority and the maximum permissible outage for each. 5. Review the system contingency plan to ensure that the alternate site is able to support partial system operations as defined in the plan. 6. The contingency plan shall provide detailed procedures and capabilities to facilitate recovery and sustain functions at the alternate site. 7. The contingency plan shall define a strategy for computing needs to include hardware, software, communication lines, applications, and data. The plan should also include the operators, management, and technical support personnel that will implement the contingency plan. 8. The alternate site shall include HVAC capabilities and any specialized security equipment to sustain partial operations

Guidance

This general implementation guidance is provided for IAMs/IAOs involved in the creation of a system or organizational Continuity of Operations (COOP) plan:

1. Identify an alternate site that has the capability to at least partially restore mission or business essential functions.
2. Establish a program to ensure comprehensive and effective continuity of essential functions during a broad spectrum of emergencies or situations that may disrupt normal operations (e.g., power failures, damage to facilities caused by storms, fires, flooding, etc.)
3. Ensure that the program includes a strategy to recover and perform partial system operations at the alternate facility for an extended period of time.
4. Partial restoration of mission or business essential functions at an alternate site shall be based on the results of a business impact analyses that identifies and ranks major information systems and mission-critical applications according to their operational priority and the maximum permissible outage for each.
5. Review the system contingency plan to ensure that the alternate site is able to support partial system operations as defined in the plan.
6. The contingency plan shall provide detailed procedures and capabilities to facilitate recovery and sustain functions at the alternate site.
7. The contingency plan shall define a strategy for computing needs to include hardware, software, communication lines, applications, and data. The plan should also include the operators, management, and technical support personnel that will implement the contingency plan.
8. The alternate site shall include HVAC capabilities and any specialized security equipment to sustain partial operations

References

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002
DoD Directive 3020.26, Defense Continuity Program, 08 September 2004
DoDI 3020.39, Integrated Continuity Planning for Defense Intelligence, 03 August 2001
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003, Enclosure D
CNSS Instruction 4009, May 2003, Reference B
NSTISSI 4013, National Training Standard for System Administrators in Information Systems Security, August 1997