- 10.8.62.1 Purpose
- 10.8.62.2 General Policy
- 10.8.62.3 Management Controls
- 10.8.62.4 Operational Controls
- 10.8.62.5 Technical Controls
- Exhibit 10.8.62-1 ISCP & DR Testing Checklist
- Exhibit 10.8.62-2 ISCP Functional Exercise Methodology and Procedures
- Exhibit 10.8.62-3 BOD ISCP & DR Testing Job Aid
- Exhibit 10.8.62-4 Acronyms
- Exhibit 10.8.62-5 Glossary
- Exhibit 10.8.62-6 References
Manual Transmittal
October 04, 2012
Purpose
(1) This transmits new Internal Revenue Manual (IRM) 10.8 Section 62, Information Systems Contingency Plan (ISCP) and Disaster Recovery (DR) Testing, Training and Exercise (TT&E) Program.
Background
This IRM defines test, training, and exercise processes to ensure Internal Revenue Service (IRS) information systems (IS) resources can be fully recovered in the event that IS contingency or disaster recovery plans must be activated.
This IRM defines requirements to ensure that systems and their associated ISCPs or DR plans and procedures are exercised and/or tested to determine the capability of the IRS to recover and restore its systems in the event of a disruption, disaster, or catastrophe.
Material Changes
(1) This is a new IRM.
(2) This IRM is a companion document to IRM 10.8.1, Information Technology (IT) Security Policy and Guidance and IRM 10.8.60, Information Technology (IT) Disaster Recovery Policy and Guidance.
(3) This policy supplements IRM 10.8.2, Information Technology (IT) Security - IT Security Roles and Responsibilities, with specific requirements for testing and exercising contingency plans.
(4) Effective July 1, 2012, the Modernization and Information Technology Services (MITS) organization changed its name to IRS Information Technology (IT). All instances of MITS within this IRM have been updated to IRS Information Technology (IT) organization to reflect the change. (Link to IT website communication is: http://it.web.irs.gov/ProceduresGuidelines/ITNameChange.htm)
Effect on Other Documents
This IRM affects no other policies.
Audience
This IRM shall be distributed to all personnel responsible for ensuring that adequate security is provided for IRS information and information systems. The policy applies to all employees, contractors, and vendors of the Service. The intended audience of this document includes Information Technology (IT) personnel, such as system administrators, security personnel, Business Operating Divisions (BODs), Authorizing Officials (AOs), and all other personnel and managers whose responsibilities include overseeing or providing direct system administration support of computing systems and networks.
Effective Date
(10-04-2012)
Terence V. Milholland
Chief Technology Officer
-
This transmits Internal Revenue Manual (IRM) 10.8 Section 62, Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Testing, Training and Exercise (TT&E) Process.
-
This IRM provides guidance to be used by the IRS to carry out its respective responsibilities in the Testing, Training, and Exercises (TT&E) process of ISCP and DR.
-
This IRM provides requirements and guidance to support the Service in implementing disaster recovery and contingency plan testing for all systems annually in accordance with all Federal Regulations (i.e., Treasury, FISMA, NIST, and OMB), including those cited below in this IRM's Exhibit 10.8.62-6.
-
Under the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347), the head of each agency is responsible for ensuring that information security protections of the information systems are in place, including establishing an ISCP and DR planning and testing program to ensure system recovery is achievable after an event.
-
Exercise and testing activities identified under FISMA and Treasury requirements for ISCP and DR testing are incorporated into the testing process described in this IRM. The process ensures that annual testing activities meet the FISMA reporting cycle of July 1 to June 30 each year.
-
The provisions in this policy apply to all IRS employees, as well as individuals and organizations having contractual arrangements with the IRS, who use or operate information systems containing IRS data to accomplish the IRS Mission.
-
The intended audience of this document includes Information System personnel who have direct support of information systems and networks, such as, but not limited to, system administrators, security personnel, Business Operating Divisions (BODs), and Authorizing Officials (AOs), as well as Business personnel who have a role in the event that business applications and data are unavailable for use by the end user.
-
The TT&E methodology described in this document can be applied to TT&E events built around any type of information system-related plan, including, but not limited to, contingency and disaster recovery plans.
-
This IRM contains information on the following subject areas:
-
Authority
-
General Policy
-
Roles & Responsibilities
-
Management Controls
-
Operational Controls
-
Technical Controls
-
Risk Based Decisions
-
ISCP & DR Testing Checklist (see Exhibit 10.8.62-1)
-
ISCP Functional Exercise Methodology and Procedures (see Exhibit 10.8.62-2)
-
BOD ISCP & DR Testing Job Aid (see Exhibit 10.8.62-3)
-
Acronyms (see Exhibit 10.8.62-4)
-
Glossary (see Exhibit 10.8.62-5)
-
References (see Exhibit 10.8.62-6)
-
-
This IRM augments the management, operational, and technical controls as defined in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance, and IRM 10.8.60, Information Technology (IT) Disaster Recovery Policy and Guidance, to ensure Internal Revenue Service (IRS) information technology (IT) resources and business processes can be recovered.
-
Per IRM 10.8.60, Information Technology (IT) Disaster Recovery Policy and Guidance and the guidance listed in the References section, the IRS shall exercise or test ISCPs and disaster recovery planning documents at least annually, for information systems prescribed by Public Law and the IRS.
-
Each FISMA year, the Director of Security Risk Management (SRM) shall issue a program memorandum specific to ISCP and DR testing for that FISMA year. The memorandum shall include any changes in regulations and testing requirements/guidance.
-
IRM 10.8.2, Information Technology Security Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.
-
IRM 10.8.60 supplements IRM 10.8.2, and further defines roles and responsibilities related to the IRS DR Program.
-
The supplemental roles and responsibilities identified below are specific to the TT&E processes defined by this policy.
-
Refer to IRM 10.8.60 for additional guidance on SRM program roles and responsibilities.
-
SRM DR Test, Exercise, and Evaluation (DRTEE) personnel are responsible for:
-
Implementing an effective TT&E program on behalf of the SRM. The program should include at a minimum the following components:
i. Developing and preparing processes, templates, schedules, and procedures for exercises and tests;
ii. With appropriate organizations, coordinating all ISCP and DR exercises and tests for FISMA-reportable assets in the FISMA master inventory;
iii. Documenting ISCP and DR exercise and test results and lessons learned; and
iv. Monitoring ISCP reviews and updates, including ensuring that the plan is updated within 90 days after the Authorizing Official (AO) signs the ISCP & DR Testing Checklist validating the performance of the annual tabletop and/or functional exercise, or as major changes are made to the application/system.
-
Training BOD and IRS IT personnel annually in their responsibilities related to ISCP and DR tests and familiarizing them with the ISCP and DR test process.
-
Developing and maintaining a master ISCP and DR Exercising/Testing Schedule for all FISMA-reportable assets in the FISMA master inventory.
-
Coordinating with BODs and IRS IT to identify recovery and support personnel needed to participate in planned tests and exercises.
-
Facilitating tabletop exercises of the ISCP to familiarize contingency personnel with the plan and recovery procedures within the plan and to identify inconsistencies and outdated information within the plan that could affect capabilities to support contingency operations.
-
Ensuring that all contingency and recovery tests performed by the IRS meet all Federal requirements and follow the standard guidelines set forth by the Director of SRM.
-
Coordinating with IRS IT personnel and BOD information system staffs to ensure that they perform the following tests for all FISMA-reportable applications and systems in the FISMA master inventory, or as directed in the annual SRM program memorandum:
i. A functional exercise/test of the ISCP for a FISMA-reportable asset with a moderate availability rating or asset with a low availability rating that supports a Critical Business Process (CBP);
ii. DR test of the ISCP/DR plan for a FISMA-reportable asset with a high availability rating or an asset deemed as a Critical Infrastructure Protection (CIP) asset.
-
Validating that previous ISCP and DR related findings are reviewed prior to performance of tests and exercises to ensure that testing activities address corrective actions taken for resolution of the findings.
-
Collaborating with BOD and IRS IT personnel to create DR test cases, scenarios, milestones, and summarize all in the DR test plan.
-
Validating that a documented process is in place for creating system and application backup files.
-
Validating that a documented process is in place for storing backup files in an alternate offsite location by either electronically transferring them to that designated location or by creating tapes to ship to the alternate offsite storage facility.
-
Developing and maintaining scorecard/metrics to keep BOD personnel, Security Program Management Offices (PMOs), and Associate Chief Information Officers (ACIOs) informed about the status of ISCP exercising/testing progress.
-
Collaborating with IT representatives to define and document the evidence and artifacts needed to validate test activities.
-
Uploading completed exercise/test documents to Trusted Agent FISMA (TAF) system, uploading the updated ISCPs to TAF and to the Tool Suite Command Center (TSCC), and entering the completed test date notated on the ISCP/DR Testing Checklist in the appropriate area in TAF.
-
Maintaining and updating ISCP and DR test processes, templates, and procedures.
-
-
IRS IT operations provides support for all IRS information technology with only documented exceptions. During the ISCP and DR exercises and tests IRS IT shall:
-
Support the activities that relate to exercises and tests of the ISCP and procedures.
-
Perform system backup, rebuild, recovery, reconstitution, cutover, relocation, etc., for systems supported and/or owned by IRS IT.
-
Provide documented backup procedures to include information about the backup frequency, encryption of backup media, offsite storage, and timelines for receipt of backup media from offsite storage during normal working hours and after hours.
-
Perform ISCP exercises and DR tests annually for applications and systems supported and/or owned by IRS IT.
-
Provide resources for ISCP and DR exercises and tests annually for applications and systems supported and/or owned by IRS IT, including staffing and procuring funded backup solutions and equipment for DR tests.
-
Complete the ISCP & DR Testing Checklist (TAF artifact) (see Exhibit 10.8.62-1) to report the results of all functional exercises, recovery tests, and operational recoveries of production servers that host applications in the FISMA master inventory.
-
Provide annual recommendations for updates to the ISCP Functional Exercise Methodology and Procedures (see Exhibit 10.8.62-2).
-
Facilitate planning meetings between various IRS IT and BOD areas in preparation for scheduled DR tests.
-
Create the schedule of daily exercise activities and milestones chart in preparation for scheduled DR tests.
-
Coordinate with appropriate areas in creation of DR test scenario and scope.
-
Coordinate with KISAM project office and Enterprise Service Desk for support and use of KISAM test system during DR tests.
-
Coordinate with appropriate areas (Cybersecurity, BODs, AD, etc.) to develop a DR test schedule to include necessary FISMA assets.
-
Facilitate post DR test meetings with test participants to review issues and resolutions to determine if any follow-up actions are required by appropriate areas.
-
Work with appropriate areas to close action items that appear on the Vulnerabilities Matrix.
-
-
The appropriate IRS IT organizations responsible for supporting the ISCP shall review, update, exercise, and/or test the ISCP at least annually (or as significant changes occur).
-
Information system resources owned by Contractors or Vendors on behalf of the IRS and by BODs shall also be compliant with the IRS IT requirements identified within this IRM.
-
The BOD/Information System Owner is responsible for:
-
Ensuring that applications’ ISCP is exercised and tested annually. (For step-by-step procedures see the BOD ISCP & DR Testing Job Aid, Exhibit 10.8.62-3.)
-
Ensuring that the most current version of the ISCP is kept in the TAF authoritative repository for FISMA documentation, and that the current plan is used during all ISCP exercises and tests.
-
Reviewing the most current version of the Plan of Action and Milestones (POA&M) prior to performing exercises or tests to identify ISCP- and DR-related issues, both open and recently closed, for inclusion in the current exercise or test to determine if the annual ISCP tests could provide a closing action for the finding.
-
Completing the ISCP & DR Testing Checklist (see Exhibit 10.8.62-1) prior to tabletop exercises and ensuring that tabletop participants each receive a copy of the completed Checklist for use during the exercise.
-
Participating in tabletop exercises (described in the ISCP & DR Testing Checklist (the Checklist)) to ensure that applications’ ISCPs are kept current and accurate and participants validate roles and procedures documented in the plans.
-
Providing annual recommendations for updates to the ISCP test methodology and templates.
-
Ensuring that the application's/system's AO receives and reviews the results, summary findings, and ISCP changes after tabletop and functional exercises. The AO shall validate that tabletop and functional exercises are completed by signing and dating the ISCP & DR Testing Checklist. The BOD shall then ensure that the changes from the Checklist are incorporated into the ISCP within 90 calendar days from the date the AO signed the Checklist, or June 1, whichever comes first.
-
Forwarding to the SRM DRTEE staff the completed exercise documentation for uploading into TAF.
-
Performing the activities normally performed by IRS IT during ISCP exercises and tests for BOD-owned applications that are not supported by IRS IT.
-
-
Information system resources owned by Contractors or Vendors on behalf of the IRS should also be compliant with the IRS IT requirements identified within the IRS IT Operations section in this IRM.
-
The IRS shall implement management security controls to mitigate risk of IT applications and electronic information loss in order to protect the organization’s mission (see IRM 10.8.1 for general information and computer security management control requirements).
-
See IRM 10.8.1 for Management Controls.
-
The IRS shall implement operational security controls, which are primarily implemented and executed by personnel responsible for each information system (see IRM 10.8.1 for general information and computer security operational control requirements).
-
In addition to the Contingency Planning requirements defined in IRM 10.8.1, the following sections for contingency planning and disaster recovery test, training, and exercising requirements shall be applied.
-
All IRS applications and systems listed in the FISMA master inventory are required to undergo a tabletop exercise of the ISCP annually for all categories of potential impact on availability.
-
In addition to an annual tabletop exercise, applications and systems with moderate potential impact on availability and those that support critical business processes (CBPs) also require that a functional exercise (described in the Functional Exercises section) be performed annually.
-
Applications and systems that are CIP assets or that have high potential impact on availability, in addition to the annual tabletop exercise, must also undergo testing (described in DR Tests section) which is equivalent to a DR activity such as a cutover test or complete restoration of the system.
-
All annual testing and exercises must be completed during the July 1 through June 30 timeframe each year in order to meet IRS FISMA reporting requirements.
-
For each TT&E activity conducted, the results shall be documented in the ISCP & DR Testing Checklist testing artifact with all changes identified in the exercise to be updated in the ISCP.
-
A TT&E program is an organized approach to coordinate and streamline activities that must occur when recovering and restoring applications, data, and/or systems during and after a major or minor disruption. The ISCP & DR Testing Checklist is an IRS internal document designed to assist BODs and support staffs in navigating through TT&E events. The Checklist shall be included in the training sessions scheduled prior to all testing and exercise events. See Exhibit 10.8.62-1 for the Checklist Template at the end of this document.
-
Exercises and tests offer different ways of ensuring that ISCPs provide viable and actionable procedures to recover or restore IRS systems and applications to their original state in the event of a disruption.
-
Refer to NIST SP 800-84, Test, Training, and Exercise (TT&E) Program for IT Plans and Capabilities, for guidance on establishing an effective ISCP TT&E program and the various methods and approaches for conducting TT&E activities.
-
All tests and exercises shall include some kind of determination of the effects on the organization’s operations and provide for a mechanism to update and improve the plan as a result.
-
The depth and rigor of ISCP TT&E activities increases with the FIPS 199 availability security objective. Refer to the ISCP templates (FIPS 199 low, moderate, high) in NIST SP 800-34 for details for conducting TT&E activities appropriate to their respective impact level.
-
For low-impact systems, a tabletop exercise is sufficient on an annual basis. The tabletop should follow a scenario that simulates a disruption, include points of contact whose roles appear in the ISCP, be attended by the business and system owners or responsible authority, and be facilitated by DRTEE personnel. In the event the low-impact system supports a critical business process (CBP), a functional exercise shall be required annually, as in the case of the moderate-impact system.
-
For moderate-impact systems, a functional exercise should be conducted annually. The functional exercise should include an element of system recovery from backup media and is performed by IRS IT or BOD IT personnel on behalf of the BODs.
-
For high-impact systems or Critical Infrastructure Protection assets, a full-scale end-to-end or DR test should be conducted annually. The full-scale DR test should include a system failover to the alternate location. This could include additional activities such as full notification and response of key personnel to the recovery location, recovery of a server or database from backup media or setup, and processing from a server at an alternate location. The test should also include a full recovery and reconstitution of the information system to a known state.
-
-
The ISCP shall provide procedures and capabilities for recovering a system or application in the event of an information system disruption. The plan shall address the resources, roles, responsibilities, and procedures for restoration of information systems and recovery of business applications and processes after a disruption.
-
The disaster recovery keystroke procedures located within the ISCP are an information system-focused part of the plan that applies to major, usually catastrophic, events that deny access to the normal facility or information system for an extended period of time. The plan is designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.
-
The purpose of the disaster recovery keystroke procedures is to provide detailed step-by-step procedures to facilitate recovery of capabilities at an alternate site; the scope is information system-focused and limited to major disruptions with long-term effects.
-
As defined in NIST SP 800-84:
-
An exercise is a simulation of an emergency designed to validate the viability of one or more aspects of an ISCP.
-
Personnel with roles and responsibilities in a particular ISCP plan meet to validate the content of a plan through discussion of their roles and responses to emergency situations, execution of responses in a simulated operational environment, or other means of validating responses that do not include using the actual operational environment.
-
Exercises are scenario-driven, such as a power failure in one of the organization’s computing centers or a fire causing certain systems to be damaged, with additional situations often being presented during the course of an exercise.
-
Exercises help to identify gaps and inconsistencies within ISCPs and procedures, as well as cases where personnel need additional training or when training needs to be changed. The deficiencies identified in exercises are documented as part of the exercise process.
-
-
Tabletop exercises are discussion-based exercises only and do not involve deploying or recovering systems, equipment, or other resources. Personnel meet to discuss their roles during an emergency and their responses to a particular emergency situation. In exercising the ISCP, personnel also identify outdated information or procedures in the plan that need to be updated and corrected.
-
The objectives of any tabletop exercise are to validate the content of the ISCP and related policies and procedures, validate participants’ roles and responsibilities as documented in the plan, and validate the interdependencies documented in the plan.
-
Functional exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment. A functional exercise is designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of a plan (e.g., backup procedures, communications, emergency notifications, information system equipment setup).
-
Functional exercises vary in complexity and scope, from validating specific aspects of a plan (e.g., backup retrieval, reading backup data, and validation of offsite storage) to exercising all plan elements in a simulation.
-
Functional exercises allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner.
-
In the context of DR, a test is the method used to evaluate the organization's readiness and ability to recover a system from varying degrees of non-functioning to its original functional state by following authorized ISCP/DR keystroke procedures. Components of tests are listed in these sections, such as using quantifiable metrics to validate the operability of an information system or system component in an operational environment specified in an ISCP.
Note:
The term test is reserved for testing system hardware/software/OS recovery capability or system components; it is not used to describe exercising plans.
-
Tests are used to measure the effectiveness and suitability of the processes and procedures contained in ISCPs related to the systems being tested and to evaluate compliance with an information system contingency. In the event of a disaster or disruption the goal is to be able to use tested ISCPs to ensure that following documented operational procedures and plans will result in successful recovery of business applications and systems.
-
The scope of tests can range from individual system components or systems to comprehensive tests of all systems and components that support an ISCP. Examples of tests are:
-
Component tests - Restoring a system by retrieving backup data from offsite storage and loading the data to test the usability of the data.
-
System tests - Restoring multiple components such as the operating system, database, and system software by using data stored offsite.
-
-
A test is conducted in as close to an operational environment as possible, testing components or systems used to conduct daily operations.
-
If feasible, an actual test of the components or systems used to conduct daily operations for the organization can be used to comply with the TT&E program’s annual requirement to test.
-
Tests that result in components or systems malfunctioning or becoming inoperable could indicate problems in personnel training or in DR plans and procedures.
-
Each information system component shall be tested to confirm the accuracy of individual recovery procedures.
-
Each information system shall have a contingency plan that addresses the following areas, as applicable:
-
Notification procedures
-
System recovery on an alternate platform from backup media
-
Internal and external connectivity
-
System performance using alternate equipment
-
Restoration of normal operations
-
Other planned tests (where coordination is identified, i.e., Continuity of Operations Plan (COOP), Business Continuity Plan (BCP))
-
-
Additional test plan requirements:
-
The test plan shall include a schedule detailing the timeframes for each test and test participants.
-
The test plan shall clearly delineate scope, scenario, and logistics.
-
The scenario chosen may be a worst-case incident or an incident most likely to occur.
-
It should mimic reality as closely as possible.
-
-
Training refers to informing personnel of their roles and responsibilities within a particular information system plan and teaching them skills related to those roles and responsibilities, thereby preparing them for participation in exercises, tests, and actual emergency situations related to the information system plan.
-
The scheduling of training sessions will be coordinated closely with the schedules for ISCP tabletop exercises, functional exercises, and DR tests.
-
Training sessions will emphasize studying and understanding the following documents in preparation for participating in each test or exercise:
-
ISCP – Participants will be able to answer questions about the purpose of the plan, system recovery procedures, specific application processes, recovery roles and responsibilities, notification procedures, and all appendices included in the plan.
-
ISCP & DR Testing Checklist (see Exhibit 10.8.62-1) – Participants will gain knowledge of the purpose of the Checklist, how to complete it, and the procedures for its use during the scheduled exercises and tests of the ISCP.
-
ISCP and DR Exercise/Testing Schedule – Participants will gain knowledge of the contents of the schedule, how and why it is created, and how it is vetted. The schedule ensures that every application and system in the FISMA master inventory is included in exercise and testing activities required under FISMA and that the dates are acceptable.
-
FISMA Contingency Plan Computer Controls – Participants will gain knowledge of the Contingency Plan family of security controls (NIST 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations) and how exercising and testing of plans will address deficiencies in compliance with those controls.
-
-
Recovery personnel shall be trained on the following plan elements:
-
Purpose of the plan
-
Cross-team coordination and communication
-
Reporting procedures
-
Security requirements
-
Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases)
-
Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases).
-
-
Two weeks before each new FISMA reporting cycle begins (July 1), the DRTEE Staff shall solicit comments from BOD and IRS IT POCs to evaluate the lessons learned from the previous ISCP and DR test period to ensure that the test process continues to be viable, cost-effective, resource efficient, and compliant with new regulations. The ISCP & DR Testing Checklist template and ISCP template will be reviewed and revised as necessary.
-
DRTEE Staff will work with appropriate Organizations to develop a testing schedule each year to exercise or test the ISCP, for all the applications and systems found in the FISMA master inventory.
-
The DRTEE Staff will facilitate all tabletop exercises for each FISMA reporting cycle. During the Security Assessment and Authorization (SA&A) process, DRTEE personnel will collaborate with the CPO to ensure that the ISCP testing schedule is in sync with the SA&A process and the Security Control Assessment schedule.
-
The schedule will be reviewed by IRS IT and BOD personnel to ensure that ISCP tabletop exercises, functional exercises, and DR tests are scheduled to coordinate each application, or more than one application if requested on a case-by-case basis, using the following keys:
-
Platform
-
System
-
BOD
-
Site
-
-
DRTEE will present the revised ISCP & DR Testing Checklist template, ISCP template, the previous POC lists, and the new ISCP and DR Exercise/Testing Schedule to the Security PMO Council to initiate the annual exercise and testing activities. The Council will vet the schedule and the POC list with their respective organizations and will coordinate errors, questions, and changes with the DRTEE Staff through the *IT IT DR Mailbox. When the information is finalized and approved by the Council, DRTEE will use the approved schedule and POC lists to begin the new testing cycle.
-
The approved schedule is published, distributed, and followed to perform ISCP and DR exercises and tests. The schedule includes:
-
A designated DRTEE Staff member as the Facilitator for each tabletop exercise.
-
Changes as submitted by BOD and IRS IT authorized personnel, documented by DRTEE, and distributed when updated.
-
Modifications as needed during the annual FISMA reporting cycle.
-
-
DRTEE will enter the approved scheduled dates in TAF for every application and system listed in the FISMA master inventory.
-
Changes in dates of scheduled exercises or tests will be coordinated through the IRS IT and BOD Security PMOs who will coordinate with DRTEE to establish a new date. DRTEE will update the schedule with the new exercise/test date. However, no tests will be scheduled after April 30 of each FISMA reporting cycle and all tests will be completed by June 1 to facilitate loading of all completed test packages in TAF by the FISMA reporting deadline of June 30.
-
DRTEE will schedule and present training for all BOD and IRS IT participants to ensure that they are ready to participate in the exercise. DRTEE will answer any questions the POCs may have about the exercise/test process or the Checklist.
-
The Checklist is a three-part form that allows BODs and Support Organizations to document multiple exercise/test activities on one form to create one authoritative source to standardize and simplify the archival process.
-
Part A of the Checklist is the Tabletop Exercise, Part B is the Functional Exercise, and Part C is the DR Test or Production Operational Recovery which documents DR Testing activities. See Exhibit 10.8.62-1 for a copy of the Checklist.
-
The ISCP & DR Testing Checklist provides a step-by-step process to guide participants through the most pertinent sections of the ISCP. The Checklist provides an area to document changes for each section in the ISCP and changes to procedures that may be needed. The Checklist also provides areas to document the results from functional exercises and DR tests, if applicable.
-
The Checklist standardizes the walkthrough process for all applications and systems, and ensures that all testing activities and ISCP changes are noted and documented in the Checklist. The completed Checklist is then uploaded into TAF as the validated artifact with supporting documentation after the AO has been briefed and DRTEE receives the Checklist signed by the AO.
-
The Checklist is used to train personnel in their contingency roles and responsibilities with respect to their application or system.
- Completion of the Checklist documenting performance of the required exercises and/or tests provides the artifact in TAF to validate that the following family of controls, if appropriate, are met (Reference NIST 800-53, Revision 3, Recommended Security Controls for Federal Information Systems):
  - CP-2 Contingency Plan – The ISCP is pulled from TAF and distributed to each participant for the tabletop exercise validating that the plan exists.
  - CP-3 Contingency Training – The requirements, roles and responsibilities, and recovery procedures are discussed as the ISCP is exercised during the tabletop exercise.
  - CP-4 Contingency Plan Testing and Exercises – Use of the ISCP & DR Testing Checklist to annotate the results of the exercise/test, including entering the completed test date and the AO’s signature and date, provides evidentiary documentation that the plan was exercised and tested.
  - CP-6 Alternate Storage Site – As the tabletop exercise is performed, the ISCP is reviewed and discussed to ensure that information about backup procedures and an alternate storage site is identified and included in the plan. If backup procedures or alternate storage sites are not in place, a summary finding is annotated on the Checklist to document this issue.
  - CP-7 Alternate Processing Site – During tabletop exercises, the Application Test Plan shall be reviewed to determine if an alternate processing site, based on the criticality of the application, is a viable option. In the event the infrastructure does not recover at a site where a disruption has occurred, the application Business Owner would have to plan accordingly. Establishment of an alternate processing site could provide a DR solution.
  - CP-8 Telecommunication Services – Tabletop exercises for IRS IT systems and business applications not supported by IRS IT will include discussions about the telecommunication infrastructure and its DR capabilities, backup procedures, and validation that a DR plan exists for its recovery.
  - CP-9 Information System Backup – Discussions during tabletop exercises will focus on the ISCP to ensure that backup procedures are documented and implemented. The procedures will include information about the backup frequency, encryption of backup media, offsite storage, and timelines for receipt of backup media from offsite storage during normal working hours and after hours. If backup procedures have not been implemented, a summary finding is annotated on the checklist to document this issue.
  - CP-10 Information System Recovery and Reconstitution – Tabletop discussions for this control will focus on the information in Section 5 of the ISCP to validate that procedures are in place to recover and reconstitute IRS IT systems and applications.
- Each BOD will be responsible for identifying a Data Collector who will be responsible for documenting the exercise and/or testing activities as they occur and populating the appropriate parts of the Checklist with the description of the activities.
- The ISCP & DR Testing Checklist will be used as an artifact in TAF to document all tabletop exercises, functional exercises, and DR tests that are scheduled.
- The following sections provide procedures and guidance for performance of the activities for the testing and exercising portions of the TT&E Program.
- DRTEE will schedule and present training for all BOD and IRS IT participants to prepare them for the current FISMA Cycle ISCP exercises and tests. DRTEE will answer any questions the POCs may have about the test process or the Checklist.
- Based on the approved testing schedule and IRS IT/BOD POC list, the assigned DRTEE Facilitator will send the standard conference call invitation to all participating POCs 10 days prior to the day of the exercise. The assigned DRTEE Facilitator shall attach the ISCP and DR Testing Checklist template to the invitation so that the Data Collector (who is assigned by the BOD Security PMO or AO POC as delegated by the AO) can populate the Checklist.
- Using the most current version of the ISCP and POA&M stored in TAF, the Data Collector populates items 1 through 7 and Part A on the Checklist, and if necessary meets with appropriate BOD or IRS IT personnel to complete this task. When exercising and discussing the ISCP, the Data Collector and BOD or IRS IT personnel should capture noteworthy changes prior to the tabletop. This promotes a more efficient exercise and discussion regarding how to recover the application/system.
- After the Checklist is populated, and at least 5 work days prior to the tabletop, the Data Collector shall forward the checklist and the current ISCP to all recipients, including the DRTEE Facilitator. If assistance is needed, the Data Collector should notify the Facilitator or the designated DRTEE Contacts noted in the invitation.
- During the tabletop exercise, the Data Collector is responsible for capturing on the Checklist all changes, observations, lessons learned, and summary findings that result from the tabletop discussions. The Date Exercise Completed block must be entered with the date the tabletop was performed.
- The Data Collector then has 7 work days to update the Checklist with the result of the exercise. The Facilitator will coordinate with the Data Collector as needed to provide guidance and to compare notes taken during the exercise.
- After the Checklist update is completed, the Data Collector shall send it to the *IT IT DR Mailbox with a copy to the BOD Security PMO. DRTEE shall enter it in the test tracking log and forward it to the assigned DRTEE Facilitator, who shall review the Checklist to ensure that all information has been recorded. If the Checklist is complete and no modifications are needed, the DRTEE Facilitator shall record the date and next steps in the test tracking log. If Checklist corrections are needed, the Facilitator will coordinate with the Data Collector to ensure that the modifications are made.
- Depending on the required exercises or tests, the DRTEE Facilitator can hold the Checklist until all other testing has been completed and can be documented in Part B or Part C of the Checklist. If no other testing is required, the DRTEE Facilitator shall send the Checklist back to the Data Collector and the BOD Security PMO within 7 work days for final signature (digital signature is acceptable) by the AO or the AO Designee.
- The AO or AO Designee has a maximum of 30 calendar days to sign the Checklist; if the June 1 deadline is less than 30 days away, the Checklist is due on June 1. The AO or Designee should return the signed Checklists to DRTEE as soon as possible to avoid delays in uploading the completed test packages into TAF prior to the end of the FISMA reporting cycle.
- After the AO has signed the Checklist, DRTEE shall submit it to the *IT IT DR Mailbox, and the designated DRTEE Staff member shall load the Checklist and all supporting documentation into TAF.
- BOD and IRS IT organizations have 90 calendar days from the signature date of the AO on the Checklist, or June 1, whichever comes first, to revise the ISCP with the changes identified in the tabletop exercise. After changes are made, the BOD/IRS IT designated POC shall send the revised ISCP to the *IT IT DR Mailbox for upload into TAF by the designated DRTEE Staff member. If no changes were noted, the existing version of the ISCP will remain in TAF unchanged.
- Functional exercises are performed by IRS IT personnel or by the BOD’s information system personnel when the application is not supported by IRS IT. During the performance of the functional exercises, IRS IT personnel or BOD information system personnel will complete the ISCP & DR Testing Checklist Part B as they go through the exercise. (See Exhibit 10.8.62-1.)
- See Exhibit 10.8.62-2, ISCP Functional Exercise Methodology and Procedures. This exhibit provides step-by-step procedures for a backup retrieval and sampling pull for functional exercise activities. All functional exercises will be conducted using the approved procedures in Exhibit 10.8.62-2.
- As the production environment implements new technologies, strategies, and procedures, IRS IT and SRM shall assess when to modify Exhibit 10.8.62-2 procedures to ensure that functional exercises can be performed to accommodate the updated production environment.
- During the functional exercise, the IRS IT or BOD information system personnel will take screen prints of the backup tool index header and tape or server listing to validate the method used to back up system files and/or application data files. Take additional screen prints to validate that the data on the backup media is readable. The IRS IT or BOD information system personnel will also provide evidence in the form of routing sheets, logs, or e-mail requests proving the length of time needed between the request for backup data from offsite storage and the receipt of that data at the test site.
- IRS IT or BOD information system personnel shall also provide evidence to validate that documented backup procedures are in place including information about the backup frequency, encryption of backup media, offsite storage site, and timelines for receipt of backup media from offsite storage during normal working hours and after hours.
- If no documented procedures describe the backup process, annotate the Summary Findings section in Part B of the Checklist to document this issue. Annotate the Summary Findings section if the backup tapes are corrupted or if evidence cannot be captured for the exercise.
- At the end of the functional exercise, the IRS IT or BOD information system personnel shall update the Checklist with results from the exercise. The IT personnel performing the exercise will submit the populated Checklist and supporting evidentiary documentation to DRTEE at *IT IT DR Mailbox within 10 work days from the completion of the exercise.
- DRTEE will ensure that the populated Checklist received from the IT personnel who performed the functional exercise is consolidated with the Tabletop Exercise Checklist. DRTEE will meet with the BOD POCs and the AO POC to share with them the Checklist showing the results of the completed exercises in preparation for the AO signature.
- The AO POC will present the completed test package to the AO for review of the exercise results, the summary findings, and final validation. The AO shall sign and date the Checklist and the AO POC shall return the signed Checklist to DRTEE at *IT IT DR Mailbox for final action.
- Upon receipt of the signed Checklist and supporting documentation from the AO POC, DRTEE shall upload the Checklist into TAF as the validated artifact along with all supporting documentation.
- IRS is required to perform DR tests on all applications with a High Availability Impact and for CIP assets. These tests are designed to evaluate IRS readiness to cutover, relocate, restore, or rebuild IRS systems/applications.
- DR tests involve activities such as performing cutovers from one platform or system to another, relocation of systems/applications, or recovery of platforms and their hosted applications. As DR tests are performed on systems, sites, or platforms, hosted applications can benefit from these tests through coordination of the application ISCP review and the DR test activities.
- IRS IT personnel perform DR tests unless IRS IT does not support the application. The BOD’s information system personnel perform DR tests when the application is not supported by IRS IT. During the performance of the DR Test, IRS IT personnel or BOD information system personnel shall complete the ISCP & DR Testing Checklist Part C and Test Case templates as they go through the test. (See Exhibit 10.8.62-1.)
- The DRTEE Staff will coordinate with IRS IT organizations to identify components, systems, and/or comprehensive tests to be planned based on FISMA, Treasury, and NIST requirements, and IRS executive-level priorities.
- Production operational recoveries can also be considered in meeting FISMA and DRTEE program requirements. The Service may also consider combining tests with planned operational activities, such as restoring a backup, moving a server from one room to another, upgrading or patching operating systems or applications, or changing hardware components (e.g., swapping hard drives, replacing a failed power supply). The results of this collaboration will define the scope and objectives for the tests.
- The DRTEE Staff will collaborate with designated BOD POCs to determine if the tests identified in collaboration with IRS IT are compatible with the priorities and processing timeframes of the Business Unit. DRTEE will coordinate with BODs to determine the level of involvement required from the BOD POCs.
- The DRTEE Staff shall create a test schedule based on IRS and FISMA requirements, FISMA timeframes, and business processing priorities.
- The DRTEE Staff will coordinate the following activities with IRS IT and BOD POCs to ensure that the Test Case Template, Test Activities Worksheet, ISCP & DR Testing Checklist, Summary Report, and all testing documentation are completed before, during, and after testing. DRTEE will:
  - Coordinate with the designated IRS IT organization to ensure that the IRS IT and BOD POCs populate the Test Case Template with pertinent information about the test, such as scope detail, objectives, recovery personnel, support personnel, and test activities.
  - Ensure that IRS IT POCs identify the files needed to be transmitted in preparation for the tests and determine the date for transmission of data via IRS approved protocols.
  - Coordinate with Enterprise Computing Center (ECC) Security Management Office (SMO) personnel to reserve a conference room to hold meetings before, during, and after planned test activities as needed.
  - Coordinate with stakeholders to ensure that pre-test activities are completed.
  - Facilitate the creation of procedures to terminate the test in case operational issues necessitate it.
  - Coordinate with IRS IT and BOD POCs to ensure that all test participants including end users are familiar with the test termination procedures.
  - Coordinate with IRS IT POCs to ensure that BOD end users are not adversely affected during planned test activities.
  - Coordinate with IRS IT POCs at the end of the test to ensure that test deactivation procedures are completed.
  - Review and evaluate the completed Test Case Template, worksheets, findings, corrective actions, and all test evidentiary documentation.
  - Populate a test Summary Report to include findings, corrective actions, lessons learned, and a summary of test worksheet results.
  - Facilitate post test meetings as needed to go over the Summary Report, lessons learned, and corrective actions.
- The following sections describe the activities needed to capture the results of the TT&E Program. Reporting and testing artifact control are critical to the successful completion of the exercise and testing process each year and are performed on a regular basis throughout the FISMA Reporting Cycle.
- For the purposes of reporting on the progress of exercises and testing, DRTEE shall maintain at least two specific scorecards. One scorecard will document the progress of the ISCP tabletop and functional exercises, and a separate scorecard will provide the status of the DR tests.
- DRTEE shall input all activities and documentation into TAF in a timely manner. All changes to the application or system must be recorded in TAF. DRTEE shall document changes identified during the testing process in the ISCP & DR Testing Checklist artifact or in the ISCP. As these artifacts are created and/or updated, update the Contingency Planning (CP) fields in TAF with completion dates.
- Documentation for all activities and all actions performed must be completed in a timely manner. The results of each exercise/test must be fully documented using the ISCP & DR Testing Checklist and then uploaded into TAF.
- The following TAF documentation and TAF CP fields are uploaded and updated after exercise/testing is completed:
  - Revised ISCP, if applicable
  - Tested Artifact (ISCP & DR Testing Checklist)
  - Tested Contingency Plan Artifact (evidentiary documents)
  - Last CP Test Date (date test/all tests were completed)
  - Next CP Test Date (one year from last CP Test Date)
  - Last CP Completion Date (date the updated/revalidated ISCP was signed)
  - Next CP Revision Date (one year from last CP Completion Date)
  - CP Status equals Tested (when contingency testing is complete).
- The IRS will allow risk based decisions (formerly deviations) to its own IT security policies based on suitable justification and a thorough assessment of evident and potential risks.
- Refer to IRM 10.8.1 for guidance on risk based decisions.
- Go to the Cybersecurity Website for risk based decision guidance.
- The IRS shall implement technical security controls and ensure that the design of information systems that process, store, or transmit all information shall include, at a minimum, the technical security requirements discussed in this IRM (see IRM 10.8.1 for general information and computer security technical control requirements).
- See IRM 10.8.1 for Technical Controls.
The ISCP & DR Testing Checklist serves as an artifact for Trusted Agent FISMA (TAF) to record changes to the content of the Information System Contingency Plan (ISCP) based on information gathered during Testing, Training, & Exercise (TT&E) activities documented in Parts A, B, and C of this Checklist. Completion and documentation of these TT&E activities also provide evidence that the requirements in the NIST 800-53 family of controls for Contingency Planning Class are met: CP-2 Contingency Plan, CP-3 Contingency Training, and CP-4 Contingency Plan Testing and Exercise. For the latest information, refer to http://mits.web.irs.gov/Cybersecurity/Divisions/SRM/default.htm
This guidance focuses on the methodology and procedures for performing functional exercises. For the latest information, refer to: http://mits.web.irs.gov/Cybersecurity/Divisions/SRM/default.htm
This Information System Contingency Plan (ISCP) Exercise and Testing job aid has been prepared for use by all Business Operating Divisions (BODs) to inform BOD participants about the activities required to perform ISCP tabletop and functional exercises and DR testing during the current FISMA reporting cycle. For the latest information, refer to http://mits.web.irs.gov/Cybersecurity/Divisions/SRM/default.htm
| Acronym | Definition |
|---|---|
| ACIO | Associate Chief Information Officer |
| AO | Authorizing Official |
| BCP | Business Continuity Plan |
| BOD | Business Operating Division |
| CBP | Critical Business Process |
| CIO | Chief Information Officer |
| CIP | Critical Infrastructure Protection |
| COOP | Continuity of Operations Plan |
| CP | Contingency Planning |
| CPO | Certification Program Office |
| DR | Disaster Recovery |
| DRTEE | DR Testing, Exercise, and Evaluation |
| FISMA | Federal Information Security Management Act |
| IRM | Internal Revenue Manual |
| IRS | Internal Revenue Service |
| IS | Information System |
| ISCP | Information System Contingency Plan |
| IT | Information Technology |
| MITS | Modernization and Information Technology Services; changed to IRS IT July 1, 2012 |
| MSEL | Master Scenario Events List |
| NIST | National Institute of Standards and Technology |
| POA&M | Plan of Actions and Milestones |
| POC | Point of Contact |
| PMO | Program Management Office |
| SA&A | Security Assessment and Authorization |
| SAMC | Situation Awareness Management Center |
| SP | Special Publication |
| SRM | Security Risk Management |
| TAF | Trusted Agent FISMA |
| TSCC | Tool Suite Command Center |
| TT&E | Test, Training, and Exercise |
After Action Report - A document containing findings and recommendations from an exercise or a test.
Comprehensive Test - A test of all systems and components that support a particular IT plan, such as a contingency plan or computer security incident response plan.
Event - The suite of test or exercise activities.
Exercise - A simulation of an emergency designed to validate the viability of one or more aspects of an IT plan.
Functional Exercise - A functional exercise is designed to exercise the roles and responsibilities of specific team members, procedures, and assets involved in one or more functional aspects of a plan (e.g., backup procedures, communications, emergency notifications, IS equipment setup).
Master Scenario Events List (MSEL) - A chronologically sequenced outline of the simulated events and key event descriptions that participants will be asked to respond to during an exercise.
Plan - In the context of this policy, the capitalized term, "Plan", refers to any of the various IT plans, including Technical Contingency Plan Documents, Continuity of Operations Plans, and any equivalent planning documents.
Scenario - A sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.
Tabletop Exercise - A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.
Test - In the context of DR, a test is the method used to evaluate the organization's readiness and ability to recover a system from varying degrees of non-functioning to its original functional state by following authorized ISCP/DR keystroke procedures.
Testing, Training, and Exercise (TT&E) Event - An event used to support the maintenance of an IT plan by allowing organizations to identify problems related to an IS plan and implement solutions before an adverse situation occurs.
This IRM is based on guidance provided in the following regulations:
- E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002 (FISMA)
- Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated Information Resources, November 2000
- Public Law 100-235, Computer Security Act of 1987
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Rev 1, May 2010, Contingency Planning Guide for Federal Information Systems, (Errata page - Nov. 11, 2010)
- NIST Special Publication (SP) 800-35, Guide to Information Technology Security Services, October 2003
- NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010
- NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, May 2010
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
- NIST Special Publication (SP) 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes), August 2008
- NIST Special Publication (SP) 800-84, Test, Training, and Exercise (TT&E) Program for IT Plans and Capabilities, September 2006
- Homeland Security Presidential Directive/HSPD-20, National Continuity Policy, May 2007
- Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003
- Department of Homeland Security (DHS), National Response Plan, May 2006
- Treasury Information Technology Security Program, Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology (IT) Security Program