The purpose of this paper is to discuss the United States Army’s contingency plan. In my paper, I will explain the importance of the contingency plan and all its components: the Incident Response plan, the Disaster Recovery plan, and the Business Continuity Process (COOP). This paper is designed to explain how the US Army develops its plans and procedures and how it implements them when a disaster does occur. As with all organizations, there is always a need for improvement. My paper will discuss how the Department of Defense can improve each of its plans.
Every company or business organization should have a contingency plan drafted in case of an emergency. A contingency plan “prepares an organization, government or business to respond in the best possible manner to an unexpected crisis or emergency” (Reference, 2018). Management decides in advance the resources, communications, and logistics that will be needed if a disaster happens. When writing a contingency plan, the goal is to make sure the business or operation can withstand any disaster that could occur. The plan should be simple so that anyone can understand it. Anything that is critical to your business is important to note. It is very important for the manager to identify the triggers that could cause a disaster. A contingency plan should answer three questions: what could happen, how the company will respond, and how to prepare in advance. It is important to identify the risks that the business may face.
I decided to do my contingency plan on the United States Army Cyber Security Force. The mission of the Cyber Security Command is: “Our 19,000 Soldiers and civilians operate in a global footprint to achieve the command’s three strategic priorities: aggressively operate and defend the DOD information network; deliver effects against our adversaries; and design, build and deliver integrated capabilities for the future fight” (Headquarters Department of the Army, 2012, p. 5). The Army’s Information Technology Contingency Plan (ITCP) ensures that the capability is in place for every type of emergency and prepares Army organizations for anything that could potentially interrupt normal operations. The IT contingency plan is consistent with federal laws, directives, policies, regulations and standards. There are three components of a contingency plan. Some examples of reportable incidents that have occurred in the Army are:
- Unauthorized disclosure of Classified Information (spillage)
- Loss or Compromise of Personally Identifiable Information (PII)
- Receipt of Suspicious emails and phishing scams
In my paper, I will discuss the Army’s incident response, disaster recovery and business continuity processes. This paper will discuss how the DOD implements each of these plans.
An incident response plan deals with the identification, classification, response, and recovery from an incident. It assesses the likelihood of any damage. The incident response plan informs key decision makers and enables the organization to take coordinated action.
NIST defines a computer incident within the federal government as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices” (Office of the Chief Information Officer, 2013). There are five major types of incident reports: compromised computing resources, email-based abuse, copyright infringement reports, network and resource abuse, and resource misconfiguration and abuse. Commanders are ultimately responsible for incorporating cybersecurity into command exercises; conducting cyber tabletop exercises to test incident response plans and conducting regular network penetration testing gives cybersecurity professionals valuable opportunities to improve the Army’s security posture. The establishment of Regional Cyber Centers (RCCs) improves our ability to defend the nation’s networks against these threats to the economy and national security. According to the DOD, “the department relies on over 2.5 million unclassified computer systems, 10,000 local area networks, and hundreds of long-distance networks for mission-critical operations” (United States General Accounting Office, 2001, p. 8). Incident response activities are grouped into four categories:
- Security reviews and vulnerability notifications: conducting security reviews of major systems and networks and disseminating vulnerability notifications are used to identify and correct security vulnerabilities before they can be exploited.
- Detection activities: these rely on automated techniques such as intrusion detection systems (IDS) and the logging capabilities of firewalls to systematically scan electronic messages and other data that traverse an organization’s network for signs of potential misuse.
- Investigative and diagnostic activities: these involve technical specialists who research cyber events and develop countermeasures, and law enforcement personnel who investigate apparent attacks.
- Event handling and response activities: responding to actual events that could threaten an organization’s systems and networks involves technical and system specialists who review data generated by intrusion detection systems and determine what needs to be done. This includes providing appropriate internal and external officials with critical information on events under way and possible remedies for minimizing operational disruption.
There are several ways the DOD could improve its IR plan. Department-wide resource planning and prioritization activities are not yet adequately coordinated to ensure that consistent and appropriate capabilities are available wherever they are needed.
Critical data from intrusion detection systems, sensors, and other devices used to monitor cyber events and attacks are not yet being fully integrated across the department so that potential intrusions can be better identified and tracked.
No department-wide process has been established to periodically and systematically review systems and networks for security weaknesses on a prioritized basis and to use data from these reviews to improve overall security and configuration management practices. Compliance by individual units with department-wide vulnerability alerts has not been consistently and comprehensively reported, leaving the DOD unable to effectively track system and network repairs related to these alerts.
The DOD has not yet developed department-wide performance measures to assess incident response capabilities to better ensure mission readiness.
Recovery strategies provide a way to restore IT operations quickly and effectively following a service disruption. The strategies should address the disruption impacts and allowable outage times identified in the Business Impact Analysis. The Business Impact Analysis (BIA) is a process that “predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies” (Homeland Security, 2018).
Several alternatives should be considered when developing a recovery strategy, including cost, allowable outage time, security, and integration with larger, organization-level ITCPs and COOP plans. A wide variety of recovery approaches may be considered. The right approach depends on the incident, the type of system, and its operational requirements. It is important to balance the cost of recovery against the length of time planned for recovery. To do this, the Army has a recovery strategy budget guide. A good recovery strategy:
- Addresses the potential impacts identified in the Business Impact Analysis
- Is integrated into the system architecture during the design and implementation phases of the system lifecycle.
- Includes a combination of methods to provide recovery capability over the full spectrum of incidents
In order for there to be a successful recovery, a backup policy should be put in place. A backup policy is required by both DOD and federal statute. The most effective data backup policy designates the location of stored data, file-naming conventions, frequency of backups, and methods for transporting data offsite. All higher commands have access to, and are able to use, records and systems in conducting their essential functions.
The protection and availability of electronic and hardcopy emergency operating records, document references, records, and information systems is needed at an alternate site. This is a critical element of a successful contingency plan. DOD personnel have access to and will be able to use these records and systems in conducting their essential functions. The IT team is responsible for making sure that data is backed up on magnetic disk, tape, or optical disks. Agreements with hardware, software, and support vendors may be made for emergency maintenance service.
Plans should be in place that will allow government business to continue during emergency situations. Telework is a virtual resource solution that provides access to resources that may not be available when an emergency occurs. Agencies have the flexibility to use teleworkers in emergency situations. A viable ongoing telework program is the foundation that should be utilized to help facilitate preparedness. Also, activation criteria give a baseline of degraded service provided by the IT system at which the ITCP will be activated. This can cover the different scenarios that would cause the IT systems to be disrupted. The ITCP can define activation standards focused on the potential impact level of the system. The ITCP coordinator must then create activation criteria in accordance with those levels. The DOD feels that it is most beneficial to create a checklist that describes the minimum system functions; if these are degraded or unworkable, the ITCP is activated.
As part of the disaster plan, the Army’s IT team will need to implement its recovery strategies. Recovery strategies provide a way to restore IT operations quickly and effectively following a service disruption. The strategies address disruption impacts and allowable outage times. Several alternatives are considered when developing the recovery strategy, including:
- Allowable outage time
- Integration with larger, organization-level ITCPs and COOP plans.
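To make the activation-criteria checklist and the BIA-driven choice of recovery strategy concrete, here is an added example (my own illustration, not part of any Army or DOD document). It assumes each essential function has been given an impact level and an allowable outage time by the BIA, and that each candidate recovery strategy has a known recovery time and relative cost; all names and numbers are constructed.

```python
from dataclasses import dataclass

# Constructed example: ITCP activation check and recovery-strategy selection.
# Impact levels, outage times and strategies below are made up for illustration.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}

@dataclass(frozen=True)
class EssentialFunction:
    name: str
    impact: str                # BIA impact level: low, moderate or high
    allowable_outage_h: float  # maximum tolerable downtime from the BIA, in hours

@dataclass(frozen=True)
class RecoveryStrategy:
    name: str
    recovery_time_h: float  # time needed to restore service with this approach
    cost: float             # relative cost, balanced against recovery time

def degraded_functions(functions, status):
    """Functions whose entry on the degraded-service checklist is not 'up'."""
    return [f for f in functions if status.get(f.name, "up") != "up"]

def should_activate_itcp(functions, status, threshold="moderate"):
    """Activation criterion: a function at or above the impact threshold is degraded."""
    return any(IMPACT_RANK[f.impact] >= IMPACT_RANK[threshold]
               for f in degraded_functions(functions, status))

def select_strategy(function, strategies):
    """Cheapest strategy that restores service within the BIA allowable outage time.
    Returns None when no strategy fits, i.e. a gap the plan still has to close."""
    fitting = [s for s in strategies if s.recovery_time_h <= function.allowable_outage_h]
    return min(fitting, key=lambda s: s.cost, default=None)

def plan_summary(functions, strategies):
    """Map each essential function to its selected strategy name (None = uncovered)."""
    summary = {}
    for f in functions:
        chosen = select_strategy(f, strategies)
        summary[f.name] = chosen.name if chosen else None
    return summary

# Constructed sample data, not taken from any Army or DOD document
FUNCTIONS = [EssentialFunction("command_messaging", "high", 4),
             EssentialFunction("records_access", "moderate", 24),
             EssentialFunction("training_portal", "low", 72)]
STRATEGIES = [RecoveryStrategy("restore_from_offsite_tape", 36, 1.0),
              RecoveryStrategy("warm_site_failover", 8, 4.0),
              RecoveryStrategy("hot_site_replication", 1, 10.0)]
```

Running `plan_summary(FUNCTIONS, STRATEGIES)` shows the cost-versus-outage trade-off: the high-impact function needs the expensive hot site, while the low-impact portal can rely on offsite tape.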
The DOD tests the contingency plan for the information system at least annually, using testing procedures in accordance with the appropriate requirement. This determines the plan’s effectiveness and the organization’s readiness to execute the plan. Appropriate officials review the contingency plan test results and initiate corrective actions. Testing helps evaluate the ability of the recovery staff to implement the plan quickly and effectively.
One of the ways I think the Army can improve its disaster recovery is by utilizing the cloud. The cloud is a great way for data to be stored when a disaster does occur. Even when the data has disappeared from the local system, anyone who has the right tokens can access the data they need, from anywhere. Cloud computing is an advantage because it offers a lot of flexibility. As the Army’s data grows, more storage can be added. Cloud computing also cuts down maintenance for the DOD, since the cloud provider takes care of maintenance and updates. Lastly, information can be shared more easily, without so much email traffic, because any of the documents can be accessed through the cloud.
Business Continuity Process (COOP Program)
Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. The Army’s continuity process is called the Army Continuity of Operations Program Policy and Planning (COOP). “AR 500-3 has the established responsibilities, policies, and planning guidance to ensure the effective execution of critical Army Missions and the continuation of mission essential functions under all circumstances” (Department of the Army, 2008). Continuity of Operations (COOP) is a United States federal government initiative, required by U.S. Presidential Policy Directive 40 (PPD-40), to ensure that agencies are able to continue performance of mission essential functions (MEFs) under a broad range of circumstances (Department of the Army, 2008). PPD-40 specifies certain requirements for continuity plan development.
The Army COOP program is a set of policies, plans, and procedures that support the Defense Continuity Program. It ensures that the Army can continue to operate under all circumstances, including crisis, attack, recovery, and reconstitution, across a wide range of potential emergencies. Developing a flexible COOP plan and procedures for all possible events has become the new standard for the Army. “Army COOP plans are event neutral and consider capabilities, connectivity, and procedures that would provide Army organizations and leadership with the ability to ensure they continue to operate in all-hazards environments with minimum disruption, through and during the event, until normal operations are restored” (Department of the Army, 2008).
Some of the COOP plans and procedures include:
- Support COOP plans of higher headquarters and supported organizations, as applicable
- Provide capability to execute with or without warning and during duty and non-duty hours
- Provide flexibility and responsiveness to anticipate any emergency or crisis that interrupts MEF
- Establish a decision process for determining appropriate emergency actions for implementation of COOP plans
- Identify and prioritize MEFs necessary to execute during emergencies
Each organization or agency will prepare in its plan and procedures for actions to be taken by all of its soldiers, civilian employees, summer hires, interns, and contractors, should the COOP plan(s) of a higher headquarters be activated or executed (Department of the Army, 2012). Plans must be consistent with those of the higher headquarters. COOP planning and implementation span three phases.
The first phase is the activation and relocation phase, which can last from 0 to 12 hours. This phase starts with an unannounced COOP event or when an announcement is made of an approaching event. COOP plans must be executable with or without prior notice and during all hours. This phase includes alerting the correct personnel of the potential disaster. The second phase is the alternate operating facility (recovery) phase. Actions in this phase enable the relocating staff to assume and start MEFs from the extreme reaction force. Priority is given to executing essential missions, logistics support, maintenance and restoration of law and order, military support to civil authorities, and damage and residual resource assessment and reporting. The last is the reconstitution (termination and return to normal operations) phase. Reconstitution actions concentrate on the restoration of command staffs, capabilities, and functions (Department of the Army, 2012).
Copies of the ITCP are provided to the recovery personnel for storage at home and in the office. A copy should also be stored at the alternate site and with the backup media. This ensures the plan’s availability and good condition in the event that local copies can’t be accessed because of the disruption. The Army’s ITCP coordinator should record any changes to the plan using a record of changes form. The BIA should be reviewed periodically and updated with new information to identify new requirements or priorities.
Because the Army COOP plan changes depending on the situation, there are no specific improvements to be made. Every situation differs in how things are restored and handled. Improvement would come from how each team operates to bring back data that was lost. At the end of each restoration, an After-Action Review is conducted. This states the sustainments, the improvements, and the things that went well throughout the disaster. This helps the higher-ups determine what to do better when the next disaster occurs.
In conclusion, the US Army has a contingency plan and team in place for such disasters. By establishing specific processes for conducting threat intelligence research, security teams can more quickly determine whether a compromise has occurred and, if so, its scope and impact. Although the DOD has progressed in developing its incident response capabilities, it faces challenges in several areas. These challenges include department-wide planning, data collection and integration, vulnerability assessment procedures, compliance reporting, component-level response coordination, and performance management. Addressing these challenges would help the DOD improve its incident response capabilities and keep up with the dynamic, ever-changing nature of cyber-attacks.