[House Hearing, 108 Congress] [From the U.S. Government Publishing Office] CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS ======================================================================= HEARING before the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS SECOND SESSION __________ APRIL 22, 2004 __________ Serial No. 108-184 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform ______ U.S. GOVERNMENT PRINTING OFFICE 95-423 WASHINGTON : DC ____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001 COMMITTEE ON GOVERNMENT REFORM TOM DAVIS, Virginia, Chairman DAN BURTON, Indiana HENRY A. WAXMAN, California CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland DOUG OSE, California DENNIS J. KUCINICH, Ohio RON LEWIS, Kentucky DANNY K. DAVIS, Illinois JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri CHRIS CANNON, Utah DIANE E. WATSON, California ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California NATHAN DEAL, Georgia C.A. ``DUTCH'' RUPPERSBERGER, CANDICE S. MILLER, Michigan Maryland TIM MURPHY, Pennsylvania ELEANOR HOLMES NORTON, District of MICHAEL R. TURNER, Ohio Columbia JOHN R. CARTER, Texas JIM COOPER, Tennessee MARSHA BLACKBURN, Tennessee ------ ------ PATRICK J. TIBERI, Ohio ------ KATHERINE HARRIS, Florida BERNARD SANDERS, Vermont (Independent) Melissa Wojciak, Staff Director David Marin, Deputy Staff Director/Communications Director Rob Borden, Parliamentarian Teresa Austin, Chief Clerk Phil Barnett, Minority Chief of Staff/Chief Counsel C O N T E N T S ---------- Page Hearing held on April 22, 2004................................... 1 Statement of: Brown, Michael, Under Secretary for Emergency Preparedness and Response Directorate, U.S. Department of Homeland Security................................................... 35 Kern, John, director, network continuity, AT&T Corp.......... 47 Koontz, Linda D., Director, Information Management Issues, U.S. General Accounting Office............................. 8 Letters, statements, etc., submitted for the record by: Brown, Michael, Under Secretary for Emergency Preparedness and Response Directorate, U.S. Department of Homeland Security, prepared statement of............................ 38 Cummings, Hon. Elijah E., a Representative in Congress from the State of Maryland, prepared statement of............... 64 Davis, Chairman Tom, a Representative in Congress from the State of Virginia, prepared statement of................... 4 Kern, John, director, network continuity, AT&T Corp., prepared statement of...................................... 49 Koontz, Linda D., Director, Information Management Issues, U.S. General Accounting Office, prepared statement of...... 10 CAN FEDERAL AGENCIES FUNCTION IN THE WAKE OF A DISASTER? A STATUS REPORT ON FEDERAL AGENCIES' CONTINUITY OF OPERATIONS PLANS ---------- THURSDAY, APRIL 22, 2004 House of Representatives, Committee on Government Reform, Washington, DC. The committee met, pursuant to notice, at 10:07 a.m., in room 2154, Rayburn House Office Building, Hon. Tom Davis (chairman of the committee) presiding. Present: Representatives Tom Davis, Ose, Jo Ann Davis, Blackburn, Maloney, Cummings, Tierney, Watson, Van Hollen, Ruppersberger and Norton. Staff present: David Marin, deputy staff director/director of communications; Anne Marie Turner and John Hunter, counsels; Robert Borden, counsel/parliamentarian; Drew Crockett, deputy director of communications; John Cuaderes, senior professional staff member; Teresa Austin, chief clerk; Brien Beattie, deputy clerk; Corinne Zaccagnini, chief information officer; Robert White, press secretary; Michael Yeager, minority deputy chief counsel; Earley Green, minority chief clerk; and Jean Gosa, minority assistant clerk. Chairman Tom Davis. Good morning. A quorum being present, the Committee on Government Reform will come to order. I would like to welcome everyone to today's hearing on the status of the Federal Government's continuity of operations plans. Today on the House floor we are considering legislation laying out the framework for how Congress would continue operating in the event of a catastrophe. That's important. But let's be honest. The real, tangible, day-to-day work of the Federal Government doesn't happen here. It happens at agencies spread across the Nation, and ensuring their continued operation in the wake of a devastating tragedy should be considered every bit as important. Continuity of Federal Government operations planning became essential during the cold war, to protect the continuity of government in the event of a nuclear attack. COOP planning has attracted renewed significance after the terrorist attacks of September 11. Through a Presidential Decision Directive and a Federal Preparedness Circular, Federal agencies are required to develop viable continuity of operations plans for ensuring the continuity of essential operations in emergency situations. Although it is a classified document, PDD 67 reportedly also designates the Federal Emergency Management Association [FEMA], as the executive agency for formulating guidance on executive departments' COOP plans, and coordinating and assessing their capabilities. In July 1999, FEMA issued Federal Preparedness Circular 65, FPC 65, which confirms its coordinating agency role, contains criteria for agencies to develop their plans, and designates the timelines for submission of agency plans. Because of the critical nature of the ongoing threat of emergencies, including terrorist attacks, severe weather, and individual building emergencies, this committee requested the GAO to evaluate contingency plans of several Federal agencies and review FEMA's oversight of those agency COOP plans. And in February 2004, GAO issued a report that found a wide variance of essential functions identified by individual agencies. GAO attributed this lack of uniformity to several factors: lack of specificity about criteria to identify essential functions in FPC 65; lack of review by FEMA of essential functions during assessment of COOP planning; lack of testing or exercises by FEMA to confirm the identification of essential functions by agencies. To remedy these shortcomings, GAO recommends that the Secretary of the Department of Homeland Security direct the Under Secretary for Emergency Preparedness and Response to ensure that agencies develop COOP plans by May 1, 2004 and correct deficiencies in individual plans. In addition, GAO recommends that the Under Secretary be directed to conduct assessments of COOP plans that include independent verification of agency information, agencies' essential functions and their interdependencies with other activities. The committee is concerned about the seeming lack of progress we have made in the area of Federal continuity of operations. If September 11 was a wakeup call, then we haven't fully heeded the message when it comes to our planning. Although some progress has been made, and I commend Under Secretary Brown for his leadership on this, we still have a ways to go. We must do everything possible to address the COOP inconsistencies that exist across the board. Identifying and prioritizing essential functions with 100 percent compliance and accuracy is a must. Even if agencies can accomplish this, they still must be able to identify their key staffing requirements, lines of succession, resources needed, and what mission-critical systems and data must be protected and, in many cases, be redundant. Continuity of operations means more than keeping your Web site up and running. What's really called for is a wholistic approach, one that factors in people, places and things. What is really needed is agility, because FEMA's role in COOP oversight is key for agency success. The committee will hear FEMA's assessment of the individual agency plans. The committee will also assess FEMA's efforts to ensure that the COOP directives are carried out by each agency. This will include steps FEMA is taking to assess each of the executive agencies' COOP plans, what interaction FEMA has had and plans to have with those agencies about deficiencies in those plans, what steps FEMA will take to ensure agency compliance, and FEMA's assessment of the adequacy of Federal Preparedness Circular 65, and steps it has taken to overcome any deficiencies. The committee will also hear from GAO about its assessment of COOP planning and its recommendations for improvement and will also hear how the private sector deals with this issue. Finally, the committee has asked GAO to continue to monitor Federal COOP planning to ensure that agencies are in compliance with the latest executive and congressional guidance. The committee expects to get an annual scorecard from GAO outlining how agencies are performing with regard to the many facets of COOP. This is an important issue and we'll be very aggressive on our oversight. We have three impressive witnesses before us to help us understand the current and future state of Federal continuity of operations planning, the expected problems and what we can look forward to in ways of improvement. First we will hear from the General Accounting Office, followed by the Department of Homeland Security, and finally we will hear from AT&T which has a mature COOP plan in place. I want to thank all of our witnesses for appearing before the committee and I look forward to hearing their testimony. [The prepared statement of Chairman Tom Davis follows:] [GRAPHIC] [TIFF OMITTED] T5423.001 [GRAPHIC] [TIFF OMITTED] T5423.002 [GRAPHIC] [TIFF OMITTED] T5423.003 Chairman Tom Davis. Are there any other Members who wish to make opening statements at this point? Ms. Watson. Ms. Watson. Thank you very much Mr. Chairman. In the event of a crisis, the American people immediately turn to the Federal Government to provide basic services, stability and direction. But we now have learned from the GAO that many Federal agencies are woefully unprepared to continue functioning in the wake of a catastrophe. It is distressing to know that in the wake of an attack on America, the horror of the initial attack might be compounded by the mayhem of a government that cannot coordinate basic services. We need to fix this. And I think all of us have it indelible in our minds where we were and what we were doing on September 11, myself included, right here in this Capitol. And we knew not where to go. We were running around like ants all over the place. We knew not where to gather. I had to seek out directions. And we have to be sure that we have these plans in place. But this is only the tip of the iceberg. Even beyond this, what is not addressed in this report or in this hearing is continuity of operations at the State or at the local level. I bring this issue up, Mr. Chairman, not to confuse the issue in this hearing, which I understand focuses solely on the continuity of operations and planning in the Federal executive branch, but rather simply to illustrate the scope of the problem that we face. Even once we get this problem sorted out at the Federal level, we must ensure our States and our local governments that they are prepared. Here we sit, 2\1/2\ years after facing the mortal threat of September 11, and we still cannot be assured that we are prepared to provide essential government services in the wake of a disaster. My colleagues and I want some answers. And I ask the witnesses from FEMA, please tell us what you need to tell us, and we will do our best to see that you get it. But we need to hear from you, and we need to know what your plans are for real progress and real answers, and on how you prepare to fix it. And I'm sure you will find this Congress very supportive. Thank you, Mr. Chairman. Chairman Tom Davis. Thank you. Any other Members wish to make opening statements? If not, we will move to our first witness, Linda Koontz, the Director of Information Management Issues of the General Accounting Office, no stranger to this committee. As you know it's the policy of the committee that all witnesses be sworn in before they testify. So, Linda, if you'd rise with me and raise your right hand. [Witness sworn.] Chairman Tom Davis. For the record, note we have--two of your aides behind you also sworn in. Please proceed with your testimony. You know the rules. We have the buttons, the lights out here, 5 minutes and try to sum up. And thank you for being with us again. STATEMENT OF LINDA D. KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GENERAL ACCOUNTING OFFICE Ms. Koontz. Thank you, Mr. Chairman and members of the committee. I appreciate the opportunity to participate in the committee's hearing on Federal continuity of operations planning. As you know, events such as terrorist attacks, severe weather, or building-level emergencies can disrupt the delivery of essential government services. To minimize the risk of disruption, Federal agencies are required to develop plans for ensuring the continuity of essential services in emergency situations. The Federal Emergency Management Agency, now part of the Department of Homeland Security, was designated executive agent for continuity of operations planning and issued guidance in July 1999. This guidance states that in order to have a viable continuity of operations capability, agencies should identify their essential functions. Identifying essential functions is the first of eight elements of a viable capability and provides the basis for subsequent planning steps. Mr. Chairman, at your request, we assessed department and agency-level continuity of operations plans at 23 major Federal agencies and reported the results to you in February. In summary, we found that, first, three departments did not have plans in place as of October 1, 2002. Second, our assessment raised serious questions about the adequacy of the essential functions identified. Specifically, we found that 29 of the 34 plans that we reviewed identified at least one essential function. However, these functions varied widely in number from 3 to 399, and included many that appeared to be of secondary importance. At the same time, the plans omitted many programs that OMB had previously identified as having a high impact on the public. Agencies did not list among their essential functions 20 of the 38 high-impact programs that have been previously identified. For example, one department included, ``provided speeches and articles for the Secretary and Deputy Secretary,'' among its essential functions, but did not include 9 of 10 high-impact programs. In addition, although many agency functions rely on the availability of resources or functions controlled by another organization, more than three-fourths of the plans did not fully identify such dependencies. Third, none of the agencies provided documentation sufficient to show that they were complying with all aspects of FEMA's guidance. In our view, a number of factors contributed to these government-wide shortcomings. FEMA's planning guidance does not provide specific criteria for identifying essential functions, nor does it address interdependencies. In addition, while FEMA conducted an assessment of agency compliance with the guidance in 1999, it has not conducted oversight that is sufficiently regular and extensive to ensure that agencies correct deficiencies identified. Further, in its assessment, FEMA did not include a review of essential functions. Finally, FEMA did not conduct tests or exercises to confirm that the identified essential functions were correct. In discussing our report, FEMA officials, while maintaining that the government is prepared for an emergency, acknowledged that improvements could be made. These officials told us that they plan to conduct a government-wide exercise next month, improve oversight by providing more detailed planning guidance, and develop a system to collect data from agencies on their readiness. However, these officials have not yet determined how they will verify the agency-reported data, assess the essential function and interdependencies identified, or use the data to conduct regular oversight. In our report, we made several recommendations to address these shortcomings. In summary, Mr. Chairman, while most of the agencies reviewed had continuity of operation plans in place, those plans exhibited weaknesses in the form of widely varying determinations about what functions are essential, and inconsistent compliance with guidance that defines a viable continuity of operations capability. Until these weaknesses are addressed, agencies are likely to continue to base their plans on ill-defined assumptions that may limit the utility of the resulting plans, and, as a result, risk experiencing difficulties in delivering key services to citizens in the aftermath of an emergency. Mr. Chairman, that concludes my statement. I would be happy to answer any questions that you might have. Chairman Tom Davis. Thank you. [The prepared statement of Ms. Koontz follows:] [GRAPHIC] [TIFF OMITTED] T5423.004 [GRAPHIC] [TIFF OMITTED] T5423.005 [GRAPHIC] [TIFF OMITTED] T5423.006 [GRAPHIC] [TIFF OMITTED] T5423.007 [GRAPHIC] [TIFF OMITTED] T5423.008 [GRAPHIC] [TIFF OMITTED] T5423.009 [GRAPHIC] [TIFF OMITTED] T5423.010 [GRAPHIC] [TIFF OMITTED] T5423.011 [GRAPHIC] [TIFF OMITTED] T5423.012 [GRAPHIC] [TIFF OMITTED] T5423.013 [GRAPHIC] [TIFF OMITTED] T5423.014 [GRAPHIC] [TIFF OMITTED] T5423.015 [GRAPHIC] [TIFF OMITTED] T5423.016 [GRAPHIC] [TIFF OMITTED] T5423.017 [GRAPHIC] [TIFF OMITTED] T5423.018 [GRAPHIC] [TIFF OMITTED] T5423.019 [GRAPHIC] [TIFF OMITTED] T5423.020 [GRAPHIC] [TIFF OMITTED] T5423.021 [GRAPHIC] [TIFF OMITTED] T5423.022 [GRAPHIC] [TIFF OMITTED] T5423.023 Chairman Tom Davis. Linda, let me just start. The bottom line is, are agencies really prepared for the worst? Ms. Koontz. Agencies do not have plans at this point that are fully compliant with the requirements of FPC 65 and therefore I'd have to conclude that there is no assurance that they are prepared for an emergency. Chairman Tom Davis. In fact, some of them are fairly woefully prepared. Ms. Koontz. That is correct. Chairman Tom Davis. You report that 19 agencies failed to identify their interdependence with other agencies and how these interdependencies affect their essential functions. Was GAO provided with an explanation as to why these agencies didn't identify their interdependency in COOP plans? Ms. Koontz. I don't--excuse me. I think part of the issue that my staff is telling me that the requirement to identify interdependencies, we think, would be a good practice. But that requirement is not specifically outlined in FPC 65. So that is most likely the reason. Chairman Tom Davis. All right. Do you get the feeling some of these agencies are just checking the box? This is just another requirement that they have to do? This isn't really-- this isn't part of their mission, but it's paperwork they have to turn in so it's kind of--they're not utilizing the resources; they're putting them toward other missions in the department? Ms. Koontz. It's hard for me to comment on a specific agency's motivation for what they do. But we have to say that in some cases we saw what we thought looked like sort of a rote or a template approach to the development of plans. Chairman Tom Davis. Yes. I think one of the difficulties is, both from the executive branch and from the legislative branch, we put all of these different requirements on agencies, and it's hard for them to sort out what their priorities are. If they do them all, they'd never be able to get anything done. And so as a result of that, sometimes nothing gets done. One of the rules of this committee is to kind of highlight shortcomings in some of these areas. This area, cybersecurity area, again, another one similar, where agencies check boxes but don't really make this mission-critical. And they may be able to escape with this. This is one of those issues that, you know, hopefully we will never see that kind of disaster and it will never happen. But if it does, and we are not prepared, of course the results then are worse by an exponential amount. Ms. Koontz. And if I could add to that, the fact that FEMA hasn't done the regular checking and oversight of the plans, I think that created part of the situation that you see today. If agencies realize that someone's going to be routinely looking at these plans, I think that would provide greater incentive for providing resources for this activity. Chairman Tom Davis. And there is no requirement, is there, that they send the plans to Congress? They send them up through FEMA, right? Ms. Koontz. No, sir. Chairman Tom Davis. That might be something we can get access to, that we look at to try to underscore the importance of this. I mean, hopefully again, this is something if you don't do it, it'll never happen, nobody will know the difference. But if you have a disaster, there we are. The report states that FEMA attributed its lack of oversight of these plans in part to its limited number of personnel responsible for guidance. Now, as a result of your investigation, can GAO concur with FEMA the inadequate personnel numbers significantly affected FEMA's ability to conduct oversight? Ms. Koontz. We didn't specifically evaluate the numbers of staff that would be necessary for FEMA to conduct this oversight activity. However, we do know that FEMA has, since we completed our work, undertaken a rather large effort to get many more people involved. So this should not be a problem going forward. Chairman Tom Davis. OK. Thank you very much. Ms. Watson. Ms. Watson. The Chair asked a question about if there was a requirement to report to us, and I'd like you to describe what you think we should know in advance so that as we go about budgeting for whatever, there could be appropriate resources there to address what might occur. We really need to start looking ahead. We've had the shock of an experience that we will never forget now. How do we--we're new at this, and I understand that. We were caught in a blind spot. Unready. But what is it going to mean in terms of resources to be ready? Do you have a comment? Ms. Koontz. A couple of parts to that question. I think in terms of resources that, according to the report we saw from OMB on combating terrorism that was published in September 2003, apparently it's not unusual for agencies to spend several million dollars working on continuity of operations planning. And indeed the President asked for over $100 million for this purpose in 2004. I would have to followup to tell you what was actually devoted, however. In terms of reporting to Congress, I think that one of the things that Mr. Davis has asked us to do is to set a baseline of continuity of operations planning efforts, which we have done with our first report. And in following up on that, hopefully you'll be able to see the changes that take place over time and to be able to influence those changes further. Ms. Watson. Thank you. Chairman Tom Davis. Thank you very much. Gentlelady from Tennessee. Mrs. Blackburn. Thank you, Mr. Chairman. And thank you for taking the time to be here and visit with us today. You mention in your report the Y2K efforts, and my assumption--which I would like to know if it's correct or not-- is that where you have drawn your baseline, as working from the efforts that were made there in preparation for Y2K, that helps with your baseline? Ms. Koontz. What we drew from the Y2K effort was the previously identified list of 38 essential functions that were identified specifically for that purpose. And we use this as an example against which to evaluate plans to see if these essential functions were present or not. We don't mean to imply that this is the definitive list of essential functions, but we felt it was one strong example of where the government had already identified programs that had a high impact on the public. Mrs. Blackburn. OK. Now, have you required the different agencies and departments to--going into those and looking at that Y2K planning and into those agencies and programs, have you required them to go on and give you the coordination with State and local agencies for implementation of continuing services as it affects those departments? Ms. Koontz. We haven't yet looked at the issue of coordination between the Federal and the State and local governments. Mrs. Blackburn. OK. What is the status of the agency's information technology that is needed to oversee these essential functions? Ms. Koontz. Well, one of the aspects of any kind of continuity planning would be to assure that your critical infrastructure and your systems would be available in an emergency, and this would also extend to what we call vital records as well. In order to operate in an emergency situation, one has to have access to the information that is needed for decisionmaking. So these are all aspects of continuity of operations planning. What we saw among the agencies was, frankly, mixed preparedness in all these areas. Mrs. Blackburn. Thank you. Chairman Tom Davis. Thank you very much. Ms. Norton. Ms. Norton. Thank you very much, Mr. Chairman. Thank you for calling this hearing. It is an interesting hearing coming up today, especially since we have on the floor a continuity of operations bill. I'm confused even by the GAO report, because all the dates I see goes back to 1999. You speak on the first page about assessments of agency compliance conducted in 1999 and none conducted since then. And again, at page 5, a reference to July 1999, and the assessments conducted to address any emergency or situation that could disrupt normal operations, including localized emergencies. Well, I'm really wondering whether anything that goes back to 1999 is relevant at all. That is to say, with the intervention of September 11th, I'm not sure what FEMA would be reviewing, if FEMA is reviewing plans that were set in motion in 1999, when on page 5 of your own report you say it relates to any emergency, including localized emergencies. I just wonder whether they don't need to start all over again, whether any plan that was prepared before September 11th is worth the paper it's written on, whether or not we don't need fresh eyes when we look at what a local emergency is when we look at infrastructure. So I would like some sense from you whether you think we can actually pick up from 1999 or whether we ought not step back and essentially begin again. Ms. Koontz. I can clarify a little bit. The requirements first came into being in 1999, and agencies were required to have a continuity of operations plan in place at this point for that same year. It was also the same year that FEMA did an assessment of plans and gave agencies feedback as to strengths and weaknesses. Ms. Norton. I think Oklahoma may have occurred by that time, so I'm sure there was some sense that you could get, you know, a large emergency. But go ahead. Ms. Koontz. So that was the first round of plans. But I wouldn't want to lead you to believe that none of those plans have been updated since 1999. Some agencies have taken steps to review their plans once or twice since then, but it varies quite a bit across the board. Certainly anything that went back to 1999 would need a significant reassessment before it could be brought up to date, and indeed we found that regardless of when the plan had been prepared, that most of them did not hit the majority of the requirements. In fact, we found not a single one that met all the requirements in their entirety. So all of them need a significant relook at this point. But I just wouldn't want you to believe that nothing has happened since then. Ms. Norton. Well, obviously, at the agency level one would need to particularize what the emergency planning was. I have no confidence that you begin by saying, hey, agencies, figure out what to do. I don't understand why there shouldn't be some overall--you talk in your report about the great disparities among these agencies. Much of that is to be expected. But without FEMA's guidance as to what constitutes a plan, what else could you expect? So I don't see how we can go back and criticize the agencies or even criticize FEMA for not going back agency by agency. My question is, why isn't there some general guidance as to what minimally an agency should be doing, its plan should be, with the agencies filling in the particulars, rather than this kind of ground-up approach and then us criticizing the agencies? Because somehow they are very different from agency to agency, as if that isn't exactly what you should expect if you haven't given agencies some idea of what continuity of operation should be all about. So, Mr. Chairman, I must say that I appreciate your calling this hearing, but I think we are just going at it the entirely wrong way to say to agencies out there, hey, you all come up with what you should be doing to continue operations. Without some general guidance as to ``these are the basics, now fill in'' does not give me confidence, particularly here in the National Capital Region, that if there were an emergency it could be handled. Chairman Tom Davis. Well, doesn't FPC 65 give out the basic guidance? Ms. Koontz. Yes. FPC 65 provides basic guidance on the eight elements of a viable COOP capability. Ms. Norton. And isn't that also from 1999? Ms. Koontz. Yes, that is from 1999. Ms. Norton. Well, that is my problem. I think the world has changed since September 11, 2001, and that was before 1999. That was after 1999. Chairman Tom Davis. Ms. Koontz, any response? Ms. Norton. I think that is a more radical critique than the GAO report is what I'm trying to say. Chairman Tom Davis. OK. Ms. Koontz. Ms. Koontz. I would just say that one of the things that we point out I think quite strongly in our report is that the identification of essential functions is a very critical first step in doing effective continuity planning. If you don't do that right, it probably doesn't matter what do you after that because you haven't figured out what it is you need to deliver in an emergency. But we also point out that the guidance to agencies, although they have issued general guidance, it was not specific enough to agencies for them to identify really what an essential function was and get any consistency across agencies; and that was compounded by the fact that FEMA was not doing the regular kind of checking and oversight to provide their expertise, to lend their expertise to the development of these plans and provide their broad view of what was going on government-wide. So I think our report does address some of the issues that you're identifying here. Ms. Norton. Well, thank you very much; and thank you Mr. Chairman. Chairman Tom Davis. Thank you very much. Mrs. Davis. Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman; and thank you, Ms. Koontz, for being here. You know, it seems to me that if we had the technology in place for telecommuting that in the event of an attack here in Washington, for instance, people could work at home. So I guess my question is, have any of the agencies--when you reviewed their plans, had they considered or included telecommuting in their continuity of operations plans? Because that's been the hardest thing. We've been--I mean, we have tried to get agencies to allow telecommuting, and it seems as hard as pulling teeth sometimes. Ms. Koontz. Uh-huh. And using both the use of alternatives facilities and the use of telecommuting could be a reasonable strategy to use in continuity of operations planning, depending on the kind of emergencies that we're talking about. Mrs. Jo Ann Davis of Virginia. Well, if we had the agency allowing the telecommuting now, it would be in place; and then there would be an answer to some of the problems for some of these agencies. My other question--you know, I heard you say that if FEMA or someone were doing reviews or what have you, then these agencies might get off the stick, I guess, is what you meant. And it bothers me a little bit, because are you saying then that our agencies don't do what we tell them to do unless they know we are going to check on them? But my real question to you--I mean, that was just a side note. It bothers me to hear that. But did agency personnel responsible for developing the continuity of operation plans indicate why they have not followed the guidelines that FEMA gave them? I mean, the person in each agency who is responsible, did they give you any feedback? Ms. Koontz. Well, there are a couple of different classes of things going on here. I think, first, in some cases the guidance isn't very clear; and so agencies maybe tried to implement it the best they could, but it was predictably then inconsistent across the government. So you have some of that going on. In other cases, I think agencies told us that they had prepared their plan. It had been reviewed by FEMA in 1999. They thought the feedback they received was that plan was all right; and, frankly, I think they were surprised in some instances when we said, well, we don't think this meets the requirements or the guidance of FPC 65. So there was a couple of different kinds of things going on there. Mrs. Jo Ann Davis of Virginia. Sounds like a communication problem, Mr. Chairman. It seems like we have that a lot in the Federal Government. I don't know how we can fix that. But thank you so much, and I would strongly suggest that we push the telecommuting if we can. Chairman Tom Davis. Great. I think Mrs. Davis' idea on the telecommuting is something that for agencies here we need to do more of. I mean, this committee will hold followup hearings on that. Obviously, if an office gets devastated, people don't need to be in the office in many cases to carry out their duties. Mr. Van Hollen. Mr. Van Hollen. Nothing. Chairman Tom Davis. No questions. Mrs. Maloney. No questions. Thank you very much. This has been very helpful for us. We may have some followup pending some of the others, but we appreciate your oversight on this and your analysis. Ms. Koontz. Thank you. Chairman Tom Davis. Thank you very much. We will proceed now to our second panel. I am going to thank Under Secretary Michael Brown, the Honorable Michael Brown, the Under Secretary for Emergency Preparedness and Response Directorate from the U.S. Department of Homeland Security, for being with us today. Why don't we take a minute recess, but I'll wait for him to come in. There he is. Mr. Secretary, thank you for being with us. Why don't you stay--and I'll swear you in, our policy. [Witness sworn.] Chairman Tom Davis. Thank you very much for being with us today. We'll have some lights in front of you, the panel. After 4 minutes, an orange light will come up, giving you a minute to make it 5. If you feel you need to go over it, we're not pressed for time. We'll do that. But your entire testimony is part of the record, and our questions have been based on that. But thank you very much for being with us today, and thank you for the job you're doing. STATEMENT OF MICHAEL BROWN, UNDER SECRETARY FOR EMERGENCY PREPAREDNESS AND RESPONSE DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Brown. Thank you, Mr. Chairman. Chairman Tom Davis. You have to make sure the mic is on. That's the toughest part of the whole thing. Mr. Brown. I'm not used to coming in second. I guess you're just ready. Go ahead and start then, right? OK. Good morning, Chairman Davis and members of the committee. My name is Michael D. Brown, and I am the Under Secretary for Emergency Preparedness and Response. Chairman Tom Davis. Mr. Brown the reason we have you second is we have GAO first and we give you the last word. Mr. Brown. Sure. Right. Chairman Tom Davis. So it's really to your advantage to be in that position. Mr. Brown. Great. Thank you for the opportunity to appear before you today to discuss the Federal Emergency Management Agency's role in supporting the Nation's Continuity of Operations and its program. FEMA was designated the lead agency for Continuity of Operations for the Federal executive branch by Presidential guidance on October 21, 1998. Among other things, this guidance requires Federal agencies to develop Continuity of Operations plans to support their essential functions. FEMA's leadership role is to provide guidance and assistance to the other Federal departments and agencies in this important area. We have taken this responsibility very seriously and have worked hard to provide this guidance. As the program expert for the Federal executive branch COOP activities, FEMA and the Department of Homeland Security have made significant strides toward ensuring that COOP plans exist at all levels of departments and agencies. This effort entails our involvement with hundreds, if not thousands, of various COOP plans and close coordination with the General Services Administration. We have aggressively developed working relationships across the government--to include the legislative and judicial branches--to expend our efforts at providing advice and assistance to other Federal departments and agencies in the COOP arena. We have established numerous interagency COOP working groups at the headquarters and at the regional levels. These working groups have opened communication channels across the government regarding COOP plans and programs and have helped organizations develop more detailed COOP planning in order to leverage capabilities and to improve interoperability. Moreover, we have developed new COOP testing, training and exercise programs to help ensure that all departments and agencies are prepared to implement their COOP plans. Significantly in fact--FEMA tested its own COOP plan and capabilities in December 2003 by conducting Exercise Quiet Strength. This headquarters COOP activation involved the notification and relocation of nearly 300 FEMA personnel on our emergency relocation group, and it successfully demonstrated our ability to perform FEMA's essential functions from an alternate site under emergency conditions. We are now leading the interagency Exercise Forward Challenge scheduled for next month. This full-scale COOP exercise will require departments and agencies in the National Capital Region to relocate and operate from their alternate facilities. Some 45 departments and agencies plan to participate in Forward Challenge. A prerequisite for their participation is for each department and agency to develop their own internal Forward Challenge COOP exercise. As a result, there will be approximately 45 separate but linked COOP exercises conducted concurrently with the main Forward Challenge event. Because of these internal exercises, Forward Challenge preparation has cascaded across the country, with departments and agencies as far away as Fort Worth and Seattle participating. Our support for COOP exercises and training is not limited to the Washington, DC, area. Working with the Federal executive boards, FEMA has conducted interagency COOP exercises in Denver and Chicago; and additional exercises are scheduled in Kansas City on April 29 and in Houston on June 14. To help facilitate this effort, FEMA has developed a generic interagency COOP exercise template that can be easily adapted for use in the field. Mr. Chairman, you have specifically asked me to address what steps FEMA is taking to address each of the executive agencies' COOP plans and what steps we are taking to address deficiencies in those plans. Through our strong working relationships and through new and ongoing COOP initiatives, we are leading the government's COOP program to ensure improved coordination and provide enhanced planning guidance. FEMA established the Interagency COOP Working Group in the National Capital Region comprised of 67 separate departments and agencies. This working group includes the Library of Congress, the GAO, U.S. Senate, the D.C. Department of Transportation, the U.S. court systems and the Metropolitan Washington Council of Governments. At the regional level, FEMA has used a phased approach to establish COOP working groups with many of the Federal executive boards and Federal executive associations across the country. In addition, we are revising the Federal preparedness circular for COOP. The goal is to have a single-source document that all departments and agencies can refer to for their COOP programs. The new Federal preparedness circular incorporates many of the GAO's recent recommendations for improvements. It includes detailed information on how to identify essential functions and discusses the importance of interdependencies between departments and agencies. Mr. Chairman, the ability of the Federal Government to deliver essential government services in an emergency is of critical importance. In June, we agreed that improved planning was needed to ensure the delivery of essential services. However, I unwaveringly believe the Federal Government is currently poised to deliver those services in an emergency that requires the activation of COOP plans. Mr. Chairman, thank you for you time; and I'll be happy to answer any questions you may have. Chairman Tom Davis. Thank you very much. [The prepared statement of Mr. Brown follows:] [GRAPHIC] [TIFF OMITTED] T5423.024 [GRAPHIC] [TIFF OMITTED] T5423.025 [GRAPHIC] [TIFF OMITTED] T5423.026 [GRAPHIC] [TIFF OMITTED] T5423.027 [GRAPHIC] [TIFF OMITTED] T5423.028 Chairman Tom Davis. Just to start off, I was pronouncing it COOP plans. You're pronouncing it the COOP plans. And the reason I called it COOP is because chickens are in charge of the COOP, and I didn't want anyone in the administration to cry foul of what I was doing, which is eggsactly what they do. I mean, obviously, we don't want any agency---- Mr. Brown. I can't compete with this humor. Chairman Tom Davis [continuing]. We don't want the agencies winging it on their COOP plans. So we will risk ruffling some feathers here today. But I think it's fair to say the administration's proposal so far are nothing to crow about. But let me ask a few questions. Mr. Brown. OK. Because I'm ready to fly the coop, so---- Chairman Tom Davis. Everybody acknowledges that the first and most critical element of any COOP planning is the identification of every essential function that an agency performs and will attempt to maintain in case of an emergency. But GAO reports that individual agencies' identification of essential functions really vary widely. Can you just kind of review in brief for us what steps FEMA has taken to assure that these critical functions are accurately carried out by every Federal agency? Mr. Brown. Absolutely, Mr. Chairman. FEMA has a coordination role and provides guidance and assistance, but it is really up to the departments and the agencies themselves to determine what's essential for their COOP plans. We do such things as having a monthly forum through the Interagency COOP Working Group for departments and agencies to address those issues and insure best practices. I also believe that the revised preparedness circular that is soon to be released at the end of the fourth quarter will provide better decisionmaking guidance to the departments and agencies that will also ensure consistency across the Federal Government. Moreover, through a readiness reporting system that FEMA is now implementing, we will be in a better position to provide more accurate and timely information regarding each department and agency's COOP activities. But I believe it's important to note--particularly important to note that, for the first time ever, as I said in my oral statement, FEMA exercised its headquarters COOP plan. It involved the actual notification and actual deployment of our emergency relocation group to our alternate facility. This is the first time ever that FEMA has done that. And that we will now oversee for the first time ever a Federal Government- wide COOP exercise that will allow us to establish a baseline for future exercises that we want to have now on an annual basis. Chairman Tom Davis. I asked this question of the previous panel. Are agencies prepared for the worst today? Or are we getting there? Mr. Brown. We are certainly getting there. And my hesitation is not about preparedness. My hesitation, Mr. Chairman, is about what is the worst--because the worst, in my world, unfortunately, is, you know, the detonation, for example, of a nuclear device or a dirty bomb or a bioterrorist event which will result in catastrophic casualties and a catastrophic disaster of proportions that will overwhelm all of us. So that is the reason for my hesitation. I believe that every department and agency has a very good, robust COOP plan in place that we just now need to fine-tune. Chairman Tom Davis. I mean, the experience of this committee as we go through little emergencies that come across the city--for example, recently we had tractor man. We had a guy on a tractor hold up traffic and tie up this city for three rush hours. And there was--the planning that took--there was no planning. There was a division over really what the priorities were to make sure that the person escaped--I mean, that he wasn't injured and was apprehended, that no one was injured. Nobody looked out for--and so some of this stuff gets very contradictory as you start to have to go down the path and decide what the priorities. You can't anticipate any and all bad things that can happen. Mr. Brown. No, but I think, based on the template that we have put together or the revision of the Federal preparedness circular, that we will be able to provide them with a template that allows them to respond to any--almost any kind of disaster. Chairman Tom Davis. Ms. Norton's concern in the previous panel was that we were dealing with a circular from the executive that came--was a 1999 circular, before September 11. On September 11 I can tell you we certainly weren't prepared on Capitol Hill. I mean, we didn't know who to call. We were kind of irrelevant to the process, though, basically. I mean, we don't like to think of this that way, but the government went on fine. Everybody--the military did their job. The police did their job. Other agencies kicked in. It is a lot more important than what happens here. I guess my question is, as we look at different agencies we see different levels of planning for this. That's not unusual. What you usually find is we put so many requirements on these different agencies and secretariats and the like that they have to sort it out in some, take it more seriously than others. In fact, some of them, how they plan is going to be more important to the American people than others. So as you look over this in terms of your planning and the checklists and everything else, what are we doing to check on this? There was an allegation at GAO that maybe you didn't have enough people to really implement this job. This is a contingency planning, so it may never happen, and some agency leaders, I think, think, well, I don't have to do this because it'll never happen, and then I can put my resources somewhere else and accomplish something that everybody--that I know will happen. What's your reaction to that? Mr. Brown. Let me--three things I want to respond to, Mr. Chairman. First of all, your comment about the ability of the Federal Government--the ability of executive branch to be able to actually COOP and respond in terms of an emergency. The good news I believe out of this hearing should be that all of the major departments and agencies--in fact, all the departments and agencies have a COOP plan in place that we have reviewed and we have looked at. Do these need to be fine-tuned? Absolutely. Do we need to continue to improve those? Absolutely. But there is no place in the executive branch of the departments and agencies where there is a lack of a COOP plan. So that's the good news. GAO is correct in that we have been concerned about the staffing levels. But one of the priorities that I have put in since I have become the Under Secretary was to increase the staffing in our national security office, coordination office and we have increased the staff levels. Additionally, we have received incredible support from President Bush and the administration and in the 2005 budget there is a $12 million increase, specifically for COOP activities. Chairman Tom Davis. The other criticisms--one other criticism that came out of the GAO report--I wouldn't call it criticism, but one of their observations was that some of the COOP reports that came in really didn't talk about how they interact with other agencies, that they simply look at what they did. And it was almost like a checklist, which, by the way, is not uncommon. I'm not trying to be overly critical here. I'm just trying to make sure that as we look forward we can continue to improve. Mr. Brown. And that is exactly one of the things that we want to test in Exercise Forward Challenge. It's not just their ability to pick up and move and go to their alternate sites, but how do they interact, how are the interdependencies, how is the interoperability of communications among the different Departments and Agencies and where can we improve on that. So you have identified exactly one of the areas that we intend to push in the exercise. I would just take this opportunity also to caution everyone about the exercise, because it is my philosophy, and it is one that I'm trying to push all the way through FEMA and the entire departments, that we don't do exercises to make things look good. We do exercises to push the envelope, to find out where the vulnerabilities are, to find out where the weaknesses are so that we can come back and improve upon them. So I fully expect after Exercise Forward Challenge for us, the Interagency Working Group to get back together and find places where interdependencies didn't exist, and we need to improve those. That's the purpose of the exercise. Chairman Tom Davis. And you did provide information about Exercise Quiet Strength, which was FEMA's December 2003, exercise to test its headquarters COOP plan. But that is an isolated exercise of one agency; and in reality, of course, particularly with you all, an actual emergency would involve government-wide functions. Is there an effort to test some of that later on in the interaction of some of the agencies? Mr. Brown. There absolutely is. But before we can go out and be a good leader and convince all the other departments and agencies to do this we have to show that we are willing to do it, too. And since FEMA had never done this exercise I was very pleased that we were able to pull it off and be as successful as we were. Chairman Tom Davis. Thank you very much. Ms. Watson. Ms. Watson. Thank you for being here and helping us get our--wrap our minds around how comprehensive this emergency preparedness and the planning might be. I was just given a printout from the L.A. Times that this is the third loss of power at the Los Angeles Airport in 10 days. When you think about Los Angeles Airport under the FAA being one of the major ports on the west coast, it's very troubling to know that a bird can stand on a wire, spread its wings, make the connection and out the whole airport and all the flights all the way, nationally and internationally--the third time in 10 days. My question is, in your interagency efforts, is it the FAA, then, that would be able to take a look at all of our airports? It seems to me that, you know, I can't really understand how a bird could do this three times in 10 days and where our backup systems are. Mr. Brown. I assume it wasn't the same bird. Ms. Watson. No. I think that bird has been--is toast. But, you know, it just seems like this is a weak spot, a soft target for terrorists. They can send a bird up, you know, and knock out the whole system. This is one of our major international ports. We are Pacific rim, and I am very concerned about whether it reaches over to the FAA and if the FAA will look at all of our airports. Because it seems to me on September 11 it was--the airport was the scene--the launching of a terrible disaster that we've never had before and we were not prepared for. So in looking at how we prepare I think something like this should be a function of the FAA, and I would hope that Homeland Security would certainly raise these issues and see if we can motivate and activate FAA to take a look. Mr. Brown. Yes, ma'am. I'll certainly pass that information and the story along. Ms. Watson. I'll give you a copy of this, if you would like. Mr. Brown. Right. I'll pass that on to Under Secretary Libutti of the Information Analysis and Infrastructure Protection Directorate in the Department, because they are taking a significant review of all the critical infrastructure in this country and how we can better protect those vulnerabilities. Ms. Watson. Sure. Thank you very much. Chairman Tom Davis. Ms. Watson, thank you very much. Mrs. Maloney, any questions? Mrs. Maloney. No. Chairman Tom Davis. Mr. Brown, thank you very much for being here today. We look forward to continuing to work for you as we develop these COOP plans. I will get my pronunciations right, and we'll get you armed with some funds when you come back here. But we could use--you know, we will look forward to working with you as we continue to develop these. I'd just ask one last question. There is some concern among Members that maybe we ought to have these plans given to this committee where we could oversee them when they come in as well. Do you have any objection to that? We don't have to do that legislatively necessarily, but, as you get the plan, share them with us so we can stay abreast with what's going on. Mr. Brown. We will certainly continue those discussions, Mr. Chairman, and see if there isn't some way that we can have you more attuned to what we're doing in terms of planning and the processes. Chairman Thomas. Again, this may--hopefully, this will be-- we're talking about events that never happen. We are talking about plans that never need to be implemented. But should they do that, all eyes will be on what we were doing in Congress. Mr. Brown. I would be remiss if I didn't remind ourselves that these COOP plans really go beyond just terrorist events. We also prepared to COOP the executive branch during Hurricane Isabel. There are many natural hazards which will cause us to COOP also, not just a terrorist event. Chairman Tom Davis. Plus the tractor man. Isolated incidents. Mr. Brown. Right. Chairman Tom Davis. And we had another guy on the bridge-- just so I can get this off my chest--who was having a bad day and held up traffic on the Woodrow Wilson bridge and clogged traffic on the east coast for 5 hours. It took them 5 hours to figure out--they talked him down, instead of shooting him off with a bean bag, which is what they should have done right away, I mean, because you have to look at the greater good of some of this. It wouldn't have killed him, you know. He would have gotten wet. But these kinds of plans sometimes we don't think about till they occur, and now that we have this agency we are expecting all knowledge to rest with you all and solutions to rest with you. Mr. Brown. We take this very seriously, and we will do everything we can to move it. Chairman Tom Davis. We think you're doing great. Thanks for being here. Mr. Brown. Thank you, Mr. Chairman. Chairman Tom Davis. We'll take a second and move to our third witness, and we have John Kern from AT&T. He's the Network Continuity Director for AT&T. This is a real-life company that has to deal with these kind of issues every day. This is part of their business, is dealing with emergency contingencies and service. Mr. Kern, if you'd rise with me. It's the policy of this committee. We swear in. [Witness sworn.] Chairman Tom Davis. Please have a seat. Your total testimony is in the record. We try to keep the opening statements to 5 minutes, but if you need to take a little longer, we are not in a hurry here. After 4 minutes, an orange light will go on. That gives you a minute. And when the red light goes on, that is it. Take what you need. Thank you for being with us. I think you can add a lot to our testimony today. STATEMENT OF JOHN KERN, DIRECTOR, NETWORK CONTINUITY, AT&T CORP. Mr. Kern. My pleasure. Thank you. Good morning, Mr. Chairman and members of the committee. My name is John Kern. I am the Network Continuity Director for AT&T. My team and I are responsible for business continuity, disaster recovery and continuity of operation for our worldwide network infrastructure. Thank you for the opportunity to discuss with you today how AT&T has implemented our continuity of operations plan. I will suggest recommendations of how Federal agencies can implement continuity, plans of their own that kind of fall in line with some of the processes that we use. The chart that is being displayed right now is an example of our network continuity and business continuity program, which is very similar to the COOP. We understand how important the services that we provide to our customers, both the private sector and the Federal Government services, like the government emergency telecommunications services; and we spend a great deal of energy and commitment to making sure that they can operate under any circumstances. This is both for our physical network and for cyber issues like security. For example, we have basic level fire walls, intrusion detection at a higher level, cyber security where things are detected automatically and there is basic patterns that are looked for in the network so we can protect our services for our customers. At a physical level, we have a dedicated team of people and we have invested over $300 million in equipment to be able to operate our network and continue our network under any circumstances. It is unique in our industry. We have had 12 years of experience and expertise in developing this as part of our continuity of operations plan. The next one. One of the important things that was discussed today is exercising. I agree with the former witness that any plan that isn't tested really isn't a viable plan, and the whole point of an exercise is to find areas to improve the plan, to understand what can be done better the next time and how to make the continuity operations plan a viable, executable plan. We realize it is a long process to do continuity of operations and business continuity. It took a substantial effort and discipline on our part to get this far in our plans and commitment. We have been working with the GSA to provide agencies with multiple suites of security services, and we look forward to continuing to work with the GSA and your committee to bring continuity of operations planning across the Federal Government. It is obvious that continuity of operations planning is hard work. It requires investment. There is a cost to do it. In some cases, though, there is a larger cost in not doing it. Not having a continuity of operation plan that you could execute could mean that for several days your agency or enterprise isn't able to provide the basic service to your customers or your constituents. The government should consider leveraging capabilities that have already been implemented in the industry, leveraging off the expertise of AT&T. The government business is very important, both to our customers, to the constituents of the government, and we are basically here to help with your continuity of operations plans. We have had a lot of benefit from our relationship with the Federal Government, various agencies, Department of Defense, FEMA, National Institute of Science and Technology for standards. We are now kind of offering what we have leveraged into those continuity of operations plans to offer assistance to you, Mr. Chairman, and to the committee and to the Federal Government. Chairman Tom Davis. Thank you very much. [The prepared statement of Mr. Kern follows:] [GRAPHIC] [TIFF OMITTED] T5423.029 [GRAPHIC] [TIFF OMITTED] T5423.030 [GRAPHIC] [TIFF OMITTED] T5423.031 [GRAPHIC] [TIFF OMITTED] T5423.032 [GRAPHIC] [TIFF OMITTED] T5423.037 [GRAPHIC] [TIFF OMITTED] T5423.038 [GRAPHIC] [TIFF OMITTED] T5423.039 [GRAPHIC] [TIFF OMITTED] T5423.040 Chairman Tom Davis. You get a lot of real-world experience in this. Every time there is a storm or something like that, you have to deal with that. Mr. Kern. Yes, sir. I'm an operational level person. If there is a disaster on my team, I go out in the field and do whatever we need to do to make sure our network continues to operate under any circumstances. We were heavily involved with our network recovery efforts after the World Trade Center. One thing I mentioned a little bit earlier was having that discipline of a plan, the commitment to execute the plan and even having the resiliency and reliability built in. But you also need some flexibility in your plans. A good example, we had never and I don't know of anybody envisioning somebody crashing planes into a building the size of the World Trade Center or the subsequent shutdown of the nationwide air traffic control system. Our plans didn't call for that or didn't counter that. But the flexibility we built into our disaster recovery plans basically assumed that we would have regional disruptions. A hurricane going through south Florida might shut down several airports. An earthquake in the West might shut down a few airports. So we have our people and our equipment regionally deployed so we can respond from anyplace. After the World Trade Center, when the air traffic system shut down, basically was a small inconvenience. We had people driving east to New York versus normally getting on a plane. Chairman Tom Davis. You have a lot of redundancy in your system, don't you? Mr. Kern. One of the things we do is we believe there is that kind of continuity by design, not just assuming what is going to happen in a disaster but how do you build that reliability and resiliency into your network or the service or infrastructure you need to provide your services for your customers or constituents. For example, just in providing power, I know I mentioned the power outage at LAX. As far AT&T's offices were, we create the communications that basically hub the transport for our customers. We have three or four different levels of reliability around power. We have separate power feeds from separate substations. So, hopefully, the bird spreading its wings across one power line wouldn't impact the other power line. We have dedicated generators in each building. We have battery backup, and we have the ability to bring in portable generators, kind of multiple layers of reliability and resiliency. I would say that a power outage would never be noticed by our customers because it is something we have built into the system. We wouldn't have to recover from it. We have planned for it and have built it into the network itself. Chairman Tom Davis. One of the reasons we got you here today is because you know how to do this business. You do it on a practical basis. You are culturally a lot different than government. You have a lot of real-world experience in this at AT&T. Every time there is a massive storm, who knows, whatever disaster. So government is dealing with theoretical exercises. You are dealing with real-world experience; and nothing beats experience, as you know. They used to say the difference between education and experience is education is when you read the fine print and experience is when you don't. In this particular case, you get your mistakes out already because you have a lot of experience with that. The government doesn't. So, second, you are in a competitive atmosphere. These are not theoretical occurrences to you. These are occurrences that if they happen and you can't satisfy your customers, they can go to a competitor. In government's case, they have nowhere else to go. It makes you respond differently. If government would try to take some of those competitive spirits you have--and try and tell the government and say this is why you operate it differently or this is why you make it more of a priority than government does. We try to do it in government sometimes, but these agency heads, they have a lot of pressure on them to perform under a lot of different regulatory obligations and this is when it probably won't happen, at least on their watch. You tend to push it aside, to put your resources toward something that is a little more current and a little more mission critical. Mr. Kern. One of the things we had done to get past that-- because in the early days of our program we had similar issues where the different organizational heads said I have more important things to do. This type of disaster will never impact us. One thing that we have set up as part of the process was kind of the governance structure. What's the set of standards and rules around what every organization in the government, what every agency has to do? Probably most importantly and one of the functions that we perform that definitely would be a good idea for the government is in our case it would be a business impact analysis. In the case of the government, it might be an operations impact analysis. Understand that across the entire enterprise and government, what agencies are responsible working together to provide certain key services and functions to the constituents and then how do you address continuity of operations based on those critical services, not just on an agency level. The other piece we have introduced over the 12 years that we've been doing this is the idea that this is part of a person's function, this is part of their job. For us in private enterprise, it goes to--the future funding they receive goes to their pay, future promotions; and it is in a sense of how they are graded. It's another important piece as a common report card. If you have checklists, it is one thing. The next layer down is to look at what is the report card so that you know that a level A from one agency means the same as grade A for another agency and you do the exercises that the gentleman from FEMA mentioned that are across multiple agencies, kind of driven to a specific service. Chairman Tom Davis. That is an excellent point. Kind of mystifies me when you have an intelligence failure in the government, nobody gets fired. You have it at AT&T. You have a lot of people losing their jobs. I am not arguing one is necessarily better than the other, but we could use a little more of the AT&T culture sometimes in government in staying ahead of the curve. But because we are not in a competitive mode, we tend to be more reactive than proactive. You talk about incentives for your managers. There is no incentive for getting this plan down and having a great contingency plan. They are going to care more about current operations and what are you doing currently. I think that is the point you are making. You also have to deal with a lot of changing technologies in telecommunication at this point, the move to wireless. Instead of interagencies, you have to work with your competitors in some cases, your line-sharing. How does that work? Mr. Kern. The one issue is changes in technology, in some cases, changes in technology presents a challenge and some cases it presents a new opportunity. If you look at the increase in wireless technology, in the past, if you had to go to a physical place to connect into the network to get your job done or to get your business accomplished, now you can accomplish it wirelessly. In some cases, technology presents a challenge, but in a lot of our cases, it just presents more of an opportunity. In the case of government, there is just more opportunity to leverage what is already being developed in the private industry to do a good COOP plan. If you imagine the wireless lands and wireless cellular voice technology, it allows you to set up your continuity of operations sites in places where you would not be able to get land lines to. As far as the question around the cooperation, one of the things that we do through the Department of Homeland Security there is a National Coordinating Center, and that is one place in the industry where we can work together in the event of a real disaster or an event that would impact the network, like the power outage last summer, where we can get together to coordinate our activities to make sure if there is any mutual aid that makes sense where can we offer assistance where another carrier might not have enough generators or enough manpower to get a certain task done. What places in the Federal Government offer that place of coordination and command and control that the telecommunications carriers get through the National Coordinating Center is another question that kind of brings to FEMA's role or not. Chairman Tom Davis. Has anybody from the government come and asked you, what do you do for your COOP planning? Anybody consult with you and say you guys have to go through this? You have been through a lot of natural disasters and the like. Mr. Kern. Personally, I have had dealings with several different agencies about their COOP plans, either reviewing them, offering suggestions on things that could be done or, in some cases, we will receive requests from government agencies to understand how the services that we provide, something like an ultra available, which is a way we can distribute technology across a given metropolitan area to make sure you don't have a point-to-point facility that is going to impact your ability to operate your enterprises, this kind of gives you a ring of capability, a place where you can operate your different services. So we will have requests from agencies to provide technology or to provide capability that they can use in their COOP. We have had all different flavors. I think the agency we have dealt with the most has been the GSA where, again, part FTS 2001, there was a whole level of specific security applications that ranged for different levels of security that agencies could use to implement security needs. We are also working with the GSA on FTS Networx, which is the next evolution of how do we not build in just the security but the resiliency and reliability. Each agency does not have the same need for the robustness, reliability, resiliency. How do you have a four, five-tiered structure so that agencies can get the reliability that they need to buy the resiliency to allow them to operate their business without agencies that don't need that same level of resiliency having in a sense pay for a service they are not going to use. Chairman Tom Davis. Thank you very much. Ms. Watson. Ms. Watson. I want to sincerely thank you for being here, Mr. Kern. I would hope that your researchers can look toward the future. Everyone is saying, who would have ever thought an airplane would hit a building? We heard it rumored around before September 11. Now we know it is a reality. We need to look toward the future with our technology. We just put an apparatus on Mars, and they plan for it to go over rough surfaces and pick things up and photograph things. What I am hearing that frustrates me is that we are not thinking progressively enough. I am very frustrated that we have had our third outage, as I mentioned, in 10 days. Why are we still depending on wires that go above the ground if a bird can light on them and knock out the whole airport? Are we thinking about the possibilities? We don't want a play on words, as was raised with the last panel. We want to really get people out ahead of these occurrences. I think you could be very helpful, AT&T, in saying to our agencies, look, we have a design here that might work so you won't have to have this happen again; and then it is their responsibility to take a look and investigate. I would hope that you--and I know the competition is high, but come out ahead of all the others with a way to avoid--and I think that power outage can be avoided if we think more progressively and more scientifically. Maybe we ought to contact NASA, because apparently they have plans for all contingencies when they put a spacecraft up. But I want to encourage you to impact on us in government. And I think the chairman was absolutely right. You know, we don't have the experience, and we don't get into the business of detecting things before they happen. We have not been in the business of doing that. We can make policy afterwards. But I do think we are going to have to go out to the utilities, go out to private industry and say help and present to us, to FEMA, to the COOP or COOP or whatever you want to call it, you know, these are some things that government ought to invest in. So I want to thank you for coming, Mr. Kern. I really don't have a question. It is more or less a recommendation to you to come back to us. Chairman Tom Davis. Ms. Watson, let me just say, to stick with the puns and keep them on subject with the birds and the wires, you can't do this on the cheep. Mr. Kern. My opening remarks mentioned my extra kind of capacity--I have seven acres in New Jersey. I have about nine hens and a rooster, so I am familiar with coops both at a business level and a personal level. But now that you throw cheep into the bargain--we are definitely linked to assist the government wherever we can. We have--over the 100 years that we have been around as an enterprise, AT&T has developed a very comprehensive set of standards around things like physical infrastructure. How do you power an enterprise that is important to you? How do you back that power up? What do you do around cyber security, physical security? How do you have continuity of operation plans that really take into effect where you can bring your people to--impacts to things like telecommuting, all the things we have great expertise at and definitely willing to help the government wherever we can either through our technology, our standards, our expertise or the experience that we have really developed over, in some cases, the last 12 years for business continuity but, in other cases, 100 years in operating a rather large, a rather critical infrastructure that provides the network service that everybody relies on. Ms. Watson. Mr. Chairman, if I could just take 1 more minute. We are going to have a bill on the floor, the Sensenbrenner bill. Reading the fine print--and this is where policymakers comes in. We read the fine print. We don't go on our experiences. It says that if there is an extraordinary circumstance and the Speaker of the House of Representatives announces vacancies, well, if the plane has succeeded in hitting the Capitol, it might have wiped everyone out, including the Speaker. If we are going to put law in the books, we are going to have to think beyond the words here. So it should be designated--someone who does the designating. Because the Speaker and all the rest of us will probably perish if that were to occur. My point is we have to think differently than we have in the past; and, as a policymaker, this becomes the law. You know, it can be adjudicated in the courts. So how do we think in a way that will address these unusual circumstances? Those of you out in the field in terms of the way agencies work and operations work and utilities work and so on have to benefit--we have to benefit from your experience, and you have to suggest to us. Now whether we make policy based on the input is left up to us, but I really invite your recommendations. With that, I want to thank you, Mr. Chairman. Chairman Tom Davis. Ms. Watson, thank you very much. Mr. Ruppersberger, do you have any questions. Mr. Ruppersberger. I didn't hear your testimony. Thank you for being here. Just generally, though, in the event that there is a catastrophe, it seems to me that in your field in communications it is an essential function during an event, after an event and then the months after the actual event. Do you communicate or work closely with anyone in Homeland Security as far as developing---- Mr. Kern. Yes. Mr. Ruppersberger. As much you can, what is that communication? Are they giving you the lead or are you helping them as consultants? How would you describe where that is now? Again, we know Homeland Security is new. What would you like to see to make that function even better? Mr. Kern. We have many roles with the Department of Homeland Security. One of them and probably important to me is the National Coordinating Center. It is the part of the Department of Homeland Security where the carriers have a common meeting ground to both plan around continuity and also to respond to an event. During the World Trade Center, we worked through the NCC-- at that time, it was part of the FCC--to understand where we need to bring in equipment or where we needed to have people. So the key function of the Department of Homeland Security for us is that kind of coordination role. Another one is if we consider--what we try to do is not wait for the disaster but how do you get ahead and be proactive and look at the events that are coming up that you might need to worry about the impacts on your network or your people. I look at national security events as a big concern when one is declared by the government, understanding what is the real risk, what is the impact to our network. Do we need to do something different ahead of time to further harden our network, to bring in additional people in a nearby area? That is one area where the Department of Homeland Security definitely takes the lead around coordinating, around the contingency planning for national special security events; and we work through them. Mr. Ruppersberger. Are you coordinating your networks for-- using your own money. Do you use Federal money? Where are you as it relates to money? Mr. Kern. Right now, any of the planning that we do, any contingency planning that we do, it's our own money. As far as I know, we have not received any grants or funding to do our disaster recovery work or to do any of the contingency work. It is something that we have determined that is important to our customers, to the services that we provide and our ability to operate them under any event. We decided to undertake the expense and risk to do that. Mr. Ruppersberger. If an event occurs, another event in a major metropolitan area, are you ready? Mr. Kern. Yes. We have had our program for the last 12 years. We were prepared for September 11, not for that type of event. But based on the structure and contingencies we had in place we were able to respond and deploy equipment to meet the needs from that disaster. Since September 11, we have increased our capabilities and added more people to the process and we are looking at things, some of the risks that are out there, maybe have a higher probability, the more manmade, chemical, biological attacks. We are participating in TOPOFF 3, which is the WMD exercise that is going to be held in New Jersey, Connecticut area next year. We have increased our capabilities to respond to those new threats. If there is an event in this country, we are prepared to respond. Mr. Ruppersberger. What about your other major competitors? Are they in the same position you're in, based on your knowledge? I know you are going to say you're the best, but are they close? Mr. Kern. We don't spend any money looking to see what our competitors are doing with investment money. Mr. Ruppersberger. From a national security point of view, in the event there is a catastrophe, are we able to provide the communications needed? Because you are not the only game in town. Mr. Kern. Unfortunately, that question would be best left to the competitors. I would say that none of our competitors have the mobile recovery capability that we have developed, the resiliency that we have developed, the multiple layers of backup that we have developed. To my knowledge, none of our competitors have taken their services as seriously as we have and do not have that type of capability. We have invested more than $300 million. We have 150 pieces of mobile disaster recovery equipment dedicated to AT&T's network, both private enterprise and the Federal Government. To my knowledge--I have been in the telecommunication industry for more than 28 years, and I have been in the disaster recovery field for more than 7 years, and none of our competitors have a mobile recovery capability to the extent that we do and could not respond in the same fashion that we can. Chairman Tom Davis. Thank you very much. I want to thank the Members for attending and thank our panelists. Mr. Kern, thank you very much. This has been very helpful to us; and we wish you luck in your future endeavors as well. Again, I want to thank our witnesses for attending. I would like to add that the record will be kept open for 2 weeks to allow witnesses to include any other information in the record. The hearing is adjourned. [Whereupon, at 11:30 a.m., the committee was adjourned.] [Note.--The GAO report entitled, ``Continuity of Operations, Improved Planning Needed to Ensure Delivery of Essential Government Services,'' may be found in committee files.] [The prepared statement of Hon. Elijah E. Cummings and additional information submitted for the hearing record follow:] [GRAPHIC] [TIFF OMITTED] T5423.033 [GRAPHIC] [TIFF OMITTED] T5423.034 [GRAPHIC] [TIFF OMITTED] T5423.035 [GRAPHIC] [TIFF OMITTED] T5423.036