UI INTEGRITY PROFESSIONAL DEVELOPMENT CONFERENCE Contingency Plans A Federal Perspective.


Paul Bankes IT Specialist

U.S. Department of Labor


Page 3:

Synopsis

History Lesson

DOL OIG Report
• Risk vs Maturity Table
• Request for Annual Update – status

State Quality Service Plan
• Appendix IV
• Assurance Signature Page

UIPL 19-10
• Supplemental Budget Request

Page 4:

Pre-Y2K Automation Grants ($20M)

Supplemental Budget Requests ($3+M)


2000 - Government Information Security Reform Act (GISRA), Public Law 106-398

2002 - Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541

2002 – OIG IT Security Audit

UI Program

Funding

Page 5:

IT / IS SBRs

SBRs (2004 – 2005)
• 2004 – IT $5,553,448 (72)
• 2005s – IT $11,385,494; IS $738,392 (106)

Total: $17,677,334

OIG Audits (2003 – 2004)

Page 7:

2008: OIG Report (23-08-004-03-315) on SWA IT Contingency Plans

FINDING: While ETA required state workforce agencies (SWAs) to develop and implement IT contingency plans as a condition of their grant agreements, it did not verify that the plans were developed or tested.

Enact a monitoring and review process to verify SWAs develop and test IT Contingency Plans necessary to sustain the UI program; and identify and address any weaknesses found in IT contingency plans.

Page 8:

Grant Agreement?

State Quality Service Plan

Assurance signature for Disaster Recovery Plan

Page 9:

2009: OIG Report (23-09-002-03-315) on SWA IT Contingency Plans

FINDING: ETA did not ensure SWAs’ UI Tax and Benefit Systems’ IT Contingency Plans were reliable.

Conduct annual verification of SWAs’ IT contingency plans for existence and reliability using risk-based approaches that consider the SWAs’ contingency planning maturity and likelihood of disasters.

Page 10:

NIST SP 800-34; “Contingency Planning Guide for Information Technology Systems”; http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf

IT Security CD and Manager’s Paper Supplied by USDOL.

Page 11:

List of 17 Plan Elements

• Purpose
• Applicability
• Scope
• Record of Changes
• System Description
• Line of Succession*
• Responsibilities
• Activation Criteria
• Documented Notification Procedures
• Damage Assessment Procedures
• Detailed Recovery Procedures*
• Reconstitution Phase Procedures*
• Contact information of CP teams*
• Vendor contact information
• Checklists for system recovery
• Equip/System requirements lists
• Description/Direction to alternative sites

OIG Report (NIST¹ CP Data Elements)

¹ National Institute of Standards and Technology

Page 12:

NIST SP 800-34; “Contingency Planning Guide for Information Technology Systems”; http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf

CD – supplied by USDOL.

State Quality Service Plan (SQSP) 2009 Changes (Appendix IV)

2009 IT Security SBR

IT CP added

Page 13:

[Figure: Risk vs Maturity table. Axes: High Risk / Low Risk and High Maturity / Low Maturity. Cell labels: 1st, 2nd, SBR.]

Page 14:

State Quality Service Plan (SQSP) (APPENDIX IV) – “INFORMATION TECHNOLOGY SECURITY GUIDELINES”
• IT Contingency Plan,
• System Security Plan, and
• Risk Assessment
• Templates (NIST Guidance)

Page 15:

State Quality Service Plan (2011)

By signing the SQSP Signature Page, a state certifies that it will comply with the assurance listed in ET Handbook 336, 18th Edition, Change 2, and that the state will institute plans or measures to comply with the requirements.

Page 16:

UIPL 19-10

Unemployment Insurance (UI) Fiscal Year (FY) 2010 Supplemental Funding Opportunities to Improve UI Information Technology (IT) Contingency Plans and UI IT Security

$150,000 (CP and IV&V)

Due May 14, 2010

Page 17:

UI IT Contingency Plan
• SWAs must address all the missing key elements in their UI IT Contingency Plan as reported by the OIG
• SWAs must utilize the guidelines provided in NIST SP 800-34 to develop the UI IT Contingency Plan;
• The UI IT Contingency Plan IV&V must use the guidelines provided in the NIST SP 800-34 to evaluate and certify the UI IT Contingency Plan; and
• SWAs must submit a copy of the IV&V certification report to their respective RO upon completion.

Page 18:

IT / IS / CP SBRs

SBRs (2004 – 2009)
• 2004 – IT $5,553,448 (72)
• 2005s – IT $11,385,494; IS $738,392 (106)
• 2006s – IT $8,797,185 (112)
• 2007 – IT $6,008,840 (79)
• 2009 – IT/CP $9,378,904 (96)

Total: $41,862,263 (465)

Florida IT Dir. paraphrase: “The SBR process has built a security fortress for UI in the State of Florida”

Page 19:

“Preventing, detecting and recovering overpayments are top priorities for Unemployment Insurance (UI) Program administrators”

Page 20:

The year 2010 marks the 75th Anniversary of the UI Program.

UI has advanced
• 1935 “Paper and pencil”
• 2010 “High Speed Automation”

If your current UI system suffers a catastrophic failure, is your response:
• 1935 or
• 2010 or
• 1934?