Part 10. Security, Privacy and Assurance
Chapter 6. Continuity Operations
Section 2. Continuity Plan Requirements
10.6.2 Continuity Plan Requirements
Manual Transmittal
March 21, 2022
Purpose
(1) This transmits revised IRM 10.6.2 Continuity Plan Requirements, catalogue number 71637B.
Material Changes
(1) General Legal Services of Chief Counsel has been added as an Essential Supporting Activity for the Mission Essential Activities.
(2) Other Business Priorities has been renamed Deferred Business Processes
(3) The FEMA Continuity Certification program and IRS links are listed 10.6.2.5.
(4) Continuity Plan storage is now controlled by SCR-CO:CO.
(5) Added tables for categories of processes.
(6) Sections added to conform to Publishing requirements.
(7) Editorial changes for consistency.
Effect on Other Documents
This updates IRM 10.6.2 Continuity Plan Requirements, dated March 11, 2020.
Audience
IRM 10.6.2 applies to all areas in the IRS responsible for planning Continuity Operations documents.
Effective Date
(03-21-2022)
Pablo F. Meléndez
Chief, Business Continuity Operations Officer, Deputy Chief of Staff Office C:CoS:DCoS;
IRS Continuity Coordinator
Program Scope and Objective
(1) Purpose:
This IRM describes the requirements the Service must meet in order to have viable Continuity Plan(s).
This IRM is part of the group of IRMs 10.6.1 Introduction to Continuity Planning, 10.6.3 Test and Exercise, 10.6.4 Incident Management Program, and 10.6.5 Annual Certification Requirements.
(2) Audience. These procedures apply to IRS employees who are responsible for developing Business Unit Continuity Plans including:
Members of SCR Continuity Operations;
Members of Headquarters Continuity Operations (COOP) Teams;
National Continuity Points of Contact (NCPOCs).
(3) Policy Owner. The IRS Continuity Coordinator is the Business Continuity Operations Officer of the Deputy Chief of Staff Office of the Commissioner’s Complex.
(4) Program Owner. The Program Manager of Continuity of Operations of the Senior Commissioner’s Representatives within the Deputy Chief of Staff Office.
(5) Stakeholders. All Continuity Planners.
Background
(1) Continuity planning is a good business practice and is part of the fundamental mission of IRS as a responsible and reliable public institution that serves the public.
(2) Continuity planning applies to a wide range of potential emergencies or threats, including natural disasters, accidents, technological failures, workplace violence, terrorism, and public health emergencies, epidemics and pandemics. Some of these hazards may produce emergencies that render a single facility unusable for a period of time, such as a local water main break or hazardous material incident. Others may result in more severe and widespread emergencies, such as a major national or regional disaster.
(3) The primary goal of the IRS continuity planning efforts is to ensure the continuation of IRS Mission Essential Functions (MEFs), the Essential Supporting Activities for the MEF (ESAs), and Business Process Priorities (BPPs). This is accomplished through the development of comprehensive plans, procedures, and provisions for alternate facilities, personnel, resources, interoperable communications, and Essential Records.
(4) Continuity planning prepares the IRS for disaster mitigation, response, and recovery and for the IRS to maintain viability of its IRS MEFs, ESAs, and BPPs during and following an emergency or continuity event.
(5) The IRS has maintained continuity capability under a variety of names, including Business Resumption Plan, Business Continuity Plan, and Business Recovery Plan. The Department of Homeland Security standardized terminology across the Federal Government to Continuity Plan.
(6) The IRS continuity capability and the ability to perform essential functions continuously depends on IRS leadership, trained personnel, communications, facilities, and other assets necessary to conduct IRS MEFs, ESAs, and BPPs.
Authority
(1) Federal Continuity Directive 1 (FCD-1), Federal Executive Branch National Continuity Program and Requirements, dated January 17, 2017, provides direction to Federal Executive Branch departments and agencies for use in developing contingency plans and programs for continuity. FCD-1 may be found at Federal Continuity Directive 1 - January 17, 2017 (fema.gov).
(2) Federal Continuity Directive 2 (FCD-2), Federal Executive Branch National Continuity Program and Requirements, dated June 13, 2017, provides additional direction to Federal Executive Branch departments and agencies for use in developing contingency plans and programs for continuity as described in FCD-1 Appendix D. FCD-2 may be found at Federal Continuity Directive 2: Federal Executive Branch Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission Process (fema.gov).
Continuity Program Responsibilities
(1) The Commissioner designates the Continuity Coordinator for the IRS.
(2) Within the IRS Commissioner’s Complex, Chief of Staff, the Senior Commissioner’s Representative - Continuity Operations (SCR-CO:CO) is responsible for management of the IRS Continuity Program on behalf of the agency Continuity Coordinator.
(3) Management of the Continuity Program within the business units (BUs) is the responsibility of National Continuity Points of Contact (NCPOCs) for each BU. NCPOCs are responsible for managing and coordinating continuity plan and program-related activities within their BUs, including completion of plan updates and completion of annual test, training and exercise requirements established by SCR-CO:CO.
Program Reports
(1) The Senior Business Unit (BU)Executive will annually certify completion and timeliness of the BU’s Continuity Plan(s) and associated Annexes, along with any outstanding Corrective Actions (See IRM 10.6.3 Test and Exercise Program).
(2) SCR-CO:CO will evaluate annually the Continuity Plan(s) and associated Annexes resident in the centralized storage area for quality and completeness of required information.
(3) SCR-CO:CO will report to each BU the results of the evaluations.
(4) The timeliness of each BU annual review will be compiled into a summary report for the SCR Monthly Measures:
Number expected to be evaluated per month;
Number evaluated per month.
(5) Portions of these evaluations may be included in the Annual IRS Certification to the Department of the Treasury (Treasury) (see IRM 10.6.5Annual Certification Requirements).
Terms
(1) Mission Essential Functions (MEFs) - Limited set of agency-level functions that must be continued throughout or resumed as soon as possible after a disruption of normal activities. These are functions that enable an organization to accomplish its mission as required by statute or regulation. Once identified, mission essential functions (MEFs) serve as key continuity planning factors to determine appropriate staffing, communications, information, facilities, training, and other requirements. These are Tier 1 functions. See Exhibit 10.6.2-1.
(2) Essential Supporting Activities for the MEF (ESAs) - (formerly part of Critical Business Process CBP) Essential Functions that must be performed in SUPPORT of the agency’s MEFs. Typically, ESAs are COMMON to most agencies (payroll, providing a safe and secure workplace, ensuring computer systems are operational, etc.), but do not accomplish the agency’s mission. ESAs are facilitating activities; they are important and urgent, but accomplishing the ESA does not complete the mission or deliver the services the agency was created to accomplish. The ESAs in the Service cover large number of activities including, but not limited to Payroll, IT operations, Finance and Accounting, and Procurement operations. These are Tier 1 functions. See Exhibit 10.6.2-1
(3) Business Process Priorities (BPPs) - Functions which are part of the mission of the Service but are not at the level of MEFs in terms of criticality to the agency. Business Process Priorities will be recovered and resumed after continuity of MEFs is assured. These are Tier 2 functions. See Exhibit 10.6.2-2.
(4) Deferred Business Processes - All other Business Processes of the IRS, which while important to maintaining an efficient and effective tax processing system, either do not have either statutory or regulatory deadlines -OR- are not directly in support of one of the MEFs. See Exhibit 10.6.2-3.
(5) See IRM 10.6.1 Introduction to Continuity Planning for more definitions.
Acronyms
(1) MEF - Mission Essential Functions.
(2) ESA - Essential Supporting Activities for the MEF.
(3) BPP - Business Process Priorities.
(4) DPB - Deferred Business Processes.
(5) See IRM 10.6.1 Introduction to Continuity Planning for more acronyms.
Related Resources
(1) Headquarters Continuity/COOP Plan (HQCOOP) provides for the continuation of IRS Senior Executive Leadership. Headquarters COOP (HQC) Implementing Instructions are contained in separate Annexes that supplement this plan.
(2) IRS Incident Management Plan (IMP) provides a standardized approach for managing incidents, or continuity events at the local and/or area level as described inIRM 10.6.4 Incident Management Program.
(3) IRS Pandemic Plan defines procedures to address any serious outbreak of contagious illness, such as pandemic influenza, that endangers employee safety or IRS processes. This is referenced in each BU’s Continuity Plan.
(4) Information Systems Contingency Plan (ISCP) is the IRM for the IRS information systems (IS) resources to be fully recovered in the event that IS contingency or disaster recovery plans must be activated. All information systems related information in BU Continuity Plans need to coordinate and agree with ISCP information. See IRM 10.8.62 Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Test, Training, and Exercise (TT&E) Process for information on this plan.
Continuity Operational Phases
(1) There are four phases of continuity operations – Readiness and Preparedness, Activation, Continuity Operations, and Reconstitution. These four phases are the foundation of the Continuity Program, serving as the basis for planning and preparing, establishing goals and objectives, and supporting the performance of essential functions.
(2) The four phases:
Readiness and Preparedness ensures the organization’s ability to respond effectively to a continuity activation;
Continuity Plan Activation involves initial response activities focused on continuation of an organization’s essential functions. Tasks include assessing the situation, alerting and notifying emergency personnel of the incident, and relocating people and/or work to an alternate site if the primary worksite is not available;
Continuity Operations involves recovery activities following a disruptive event. Tasks include accounting for personnel, resuming essential functions, communicating with supporting organizations, customers and stakeholders, and planning the restoration of impacted operations;
Reconstitution involves restoration and resumption of normal operations. Tasks include effecting the orderly resumption of normal operations at a repaired or newly-established permanent facility.
Continuity Elements
(1) Continuity Planning Elements are categorized as Continuity Plan Requirements and Continuity Capability Elements (Program Requirements).
(2) Both areas must be addressed in the Continuity Plans.
Continuity Plan Requirements
(1) Continuity Plans must identify how an organization will resume essential and priority functions following a disruptive event. Plans must include the following:
Triggers for plan activation;
Procedures for reporting operational status information to partners, stakeholders and customers;
Contingency strategies to minimize consequences of disrupted business processes;
Priorities for restoration of disrupted business processes;
Procedures to identify personnel and resources (essential records, equipment and supplies) necessary to restore disrupted business processes.
(2) Every BU has the responsibility to be able to assess and report on the status of their employees and business functions within five days following a disruptive event.
(3) Business Unit (BU) Continuity Plans supplement the IRS HQ COOP plan to respond to incidents that disrupt the IRS’ ability to continue the agency’s MEFS and/or ESAs.
(4) Every BU must have the capability to:
Notify internal/external contacts, customers and stakeholders of processing delays or other impacts of an outage/work-stoppage;
Implement viable continuity strategies (work-arounds, telework);
Implement procedures to recover interrupted business processes by priority order.
(5) The primary purpose of the Continuity Plan is to ensure recovery of the MEFs and ESAs. Other processes (BPPs and DBPs) should be addressed but may not need all Continuity Plan sections. Specific guidance on BPPs and DBPs will be provided by SCR-CO:CO.
(6) Further requirements are listed in IRM 10.6.2.6 Maintenance, Storage, and Availability.
Continuity Capability Elements (Program Requirements)
(1) BU Continuity Plans address strategies, personnel, and resources needed to continue or resume the performance of IRS’ MEFs and ESAs at the posts of duty that support or enable those MEFS and/or ESAs; but are not required to address all continuity capability elements that are listed in the HQ COOP plan.
(2) The IRS Continuity Programs for MEFs and ESAs must (BPPs and DBPs may be required to) address the following Continuity Capability Elements:
Program Management Plans and Procedures;
Essential Functions;
Orders of Succession;
Delegations of Authority;
Communications and Information Systems;
Essential Records Management;
Alternate Locations;
Human Resources;
Devolution;
Reconstitution;
Test, Training, and Exercise.
(3) The IRS Continuity Plans are recommended to contain:
Pandemic Plan;
Telework;
Workstream Information.
Continuity of Government Functions
(1) Essential Functions are described and defined in IRM 10.6.1 Introduction to Continuity Planning and IRM 10.6.3 Test and Exercise.
(2) IRS Essential Functions include MEFs and ESAs.
(3) Essential Functions at the agency level must follow requirements listed in FCD-1 and 2, and requirements set by Treasury.
IRS Mission Essential Functions
(1) When identifying the MEFs, the IRS will include in its Continuity Plan:
A list of functions that must be continued under all circumstances for MEFs;
Prioritization of these essential activities based on criticality of the function. To the extent possible, prioritize these essential activities against likely continuity operations triggers and scenarios;
The IRS can sustain its MEFs for a period up to 30 days or until normal business activities can be resumed;
The lists of resources required to perform the IRS essential functions which need to be reviewed annually and updated as necessary.
(2) All dependencies on the ESAs should be cross referenced.
Essential Supporting Activities for the MEF
(1) Essential Supporting Activities for the MEF (ESAs) are functions that support performance of MEFs but do not reach the threshold of MEFs or PMEFs. ESAs are important facilitating activities performed by most organizations (such as providing a secure workplace and ensuring computer systems are operating); however, the sole performance of ESAs does not directly accomplish an organization’s mission.
(2) The ESAs in the IRS that directly supports one or more of the IRS’ Mission Essential Functions (MEFs - Process Tax Returns, Process Remittances, Process Refunds) and include:
Physical Security;
Facilities Management;
Information Technology;
General Legal Services of Chief Counsel
Financial Management;
Procurement;
Communications;
Payroll;
Human Resources/Benefits.
(3) When identifying the ESAs, the IRS will include in its Continuity Plan:
A list of which functions must be continued under all circumstances for the ESA;
Prioritization of these based on criticality of the function. To the extent possible, prioritize these activities against likely continuity operations triggers and scenarios;
The IRS will be able to sustain its ESAs for a period up to 30 days or until normal business activities can be resumed;
The lists of resources required to perform the IRS ESAs which need to be reviewed annually and updated as necessary.
(4) All dependencies with the MEFs should be cross referenced.
Business Process Priorities
(1) Because the responsibilities for each BU differs, individual BUs must evaluate their processes for inclusion in their Continuity Plan. Business Process Priorities (BPP) are identified using the following criteria:
Business Processes that directly support one or more of the IRS’ MEFs - These Business Processes are those that directly support the IRS MEF’s (Process Tax Returns, Process Remittances, Process Refunds), which are agency-level functions that provide vital services, exercise civil authority, maintain the safety of the public, and sustain the industrial and economic base but are not ESAs;
Business Processes with a Maximum Tolerable Downtime (MTD) of 48 hours or less - These Business Processes are those that must continue within the first 48 hours of an incident;
Other critical activities identified by the BU - These business processes are those that the BU has determined to be essential based on independent analysis.
(2) BUs must continue to perform BPPs during an incident for either statutory or regulatory requirements -OR- because they directly support an MEF.
(3) See Exhibit 10.6.2-2 for the current list.
Deferred Business Processes
(1) Deferred Business Processes (DBPs) are all other Business Processes of the IRS, which while important to maintaining an efficient and effective tax processing system, either do not have either statutory or regulatory deadlines -OR- are not directly in support of one of the MEFs.
(2) DBPs are Tier 3 discretionary functions that can be deferred until after an emergency situation has been stabilized.
(3) DBPs are usually addressed with either shipment of the work to an alternate location or resumption, when possible.
(4) Each BU should prioritize functions and locations, and understand resumption of the DBPs may not occur simultaneously after an event.
(5) See Exhibit 10.6.2-3 for the current list.
Orders of Succession
(1) Orders of succession are provisions for the assumption of senior IRS leadership positions during an emergency when the incumbents are unable or unavailable to perform their authorized duties, roles, and responsibilities. Orders of succession allow an orderly and predefined transition of leadership.
(2) The IRS will provide for a clear line of succession in the absence of existing IRS leadership and the necessary delegations of authority to ensure that the succeeding leadership has the legal authorities to carry out their duties and responsibilities.
(3) The IRS leadership is responsible for establishing, promulgating, and maintaining orders of succession to key positions.
(4) Orders of succession will be of sufficient depth to ensure that IRS is able to perform its MEFs, ESAs, and BPPs. At a minimum:
Establish an order of succession for the position of agency head, the IRS Commissioner;
Establish orders of succession for other key IRS leadership positions, including but not limited to administrators, regional or field directors, key managers, other key mission essential personnel or their equivalent positions (Deputy Commissioners, heads of IRS BUs; Directors of Computing Centers, and Campuses). Orders of succession should also be established for devolution counterparts in these positions;
Identify any limitations of authority based on delegations of authority to others;
There must a minimum of two backups to the process owner;
These backups must be able to immediately sustain these functions;
The Primary and Secondary positions should be geographically located in the Headquarters, and the third position geographically dispersed;
Describe orders of succession by positions or titles, rather than by names of individuals holding those offices. To ensure their legal sufficiency, coordinate the development of orders of succession with the IRS Chief Counsel;
Revise orders of succession, as necessary, and distribute revised versions promptly as changes occur;
Establish the procedures that designated alternates are to follow when facing the issues of succession to office in emergency situations.
Include in the succession procedures the conditions under which succession will take place, method of notification, and time, geographical, or organizational limitations of authorities granted by the orders of succession;
Develop and provide a duties and responsibilities briefing to the designated successors to the position of agency head (IRS Commissioner), when named, and other key IRS leadership positions, on their responsibilities as successors and on any provisions for their relocation;
Appropriate Essential Records for each IRS MEF, ESA, and BPP must be available to everyone in the order of succession.
(5) Designated successors will be provided annual refresher briefings on IRS continuity preparations.
(6) Orders of succession will be included in the Essential Records and be available at all continuity facilities in the event the continuity plan is activated.
(7) All orders of succession must recognize statutory limits on length of time someone may occupy a role in an acting capacity for each role.
Delegations of Authority
(1) A delegation of authority identifies who is authorized to act on behalf of the agency head or other agency officials for specified purposes and ensures that designated individuals have the legal authorities to carry out their duties. To the extent possible, these authorities should be identified by title or position, and not by the individual office holder’s name.
(2) The IRS will pre-delegate authorities for making policy determinations and other decisions to ensure rapid response to any emergency requiring implementation of its continuity plans.
(3) Generally, predetermined delegations of authority will take effect when normal channels of direction are disrupted and will terminate when these channels are reestablished. Delegation of authority is an essential part of IRS continuity plans and should reach to a sufficient depth and have sufficient breadth, at least three positions deep and geographically dispersed where feasible, to ensure the IRS can perform its IRS MEFs, ESAs, and BPPs while remaining a viable part of the Federal Government during any emergency.
(4) A delegation of authority must document, in advance, the legal authority of officials (including those below the level of IRS Commissioner) to make key policy decisions during a continuity situation.
(5) To ensure IRS MEFs, ESAs, and BPPs are performed, delegations of authority must be planned and documented in advance of an incident and in accordance with applicable laws, including by:
Delineating the limits of authority and accountability;
Outlining explicitly in a statement, the authority (including any exceptions to that authority) of an official so designated to exercise IRS direction and the authority of an official to re-delegate functions and activities, as appropriate;
Defining the circumstances under which delegation of authorities would take effect and would be terminated.
(6) Delegations of authority must ensure that those officials who might be expected to assume authorities in a continuity situation are properly informed and trained to carry out their emergency responsibilities.
(7) Delegations of authority must ensure the orderly (and predefined) transition of leadership for the position of IRS Commissioner as well as for key supporting positions within IRS, during an emergency and be closely tied to succession.
(8) At a minimum, annual training is required of IRS officials who might be expected to assume authorities in a continuity situation or an emergency.
Communications and Information Systems
(1) Availability, diversity, and redundancy of interoperable communications and information systems are critical to the ability of the IRS to successfully execute its IRS MEFs, ESAs, and BPPs at its headquarters and at its alternate or other continuity facilities, as well as the ability of IRS Senior Leadership to collaborate, develop policy and recommendations, and respond under all-hazards conditions, depends on the availability of effective communications systems.
(2) The IRS communications systems must support full connectivity, under all conditions, within IRS, among key government leadership, other agencies, customers, and the public.
(3) The IRS communications and IT systems (secure/non-secure, voice, data, video, internet access, email), including hardware and software for continuity operations, should mirror those used in day-to-day operations to assist continuity leadership and staff in a seamless transition to crisis operations.
(4) The IRS will ensure that it has sufficient communications capabilities for its headquarters and its alternate and other continuity facilities to support the continuation of its IRS MEFs, ESAs, and BPPs.
(5) The IRS will plan accordingly for IRS MEFs, ESAs, and BPPs that require uninterrupted communications and IT support. All necessary and required communications and IT capabilities will be:
Operational within 12 hours of continuity operations activation;
Sustained for up to 30 days or until normal operations can be resumed.
(6) The IRS must:
Implement minimum communications requirements for IRS headquarters and its alternate and other continuity facilities, as appropriate, which support the continuation of the IRS MEFs, ESAs, and BPPs;
Possess interoperable and available communications capabilities in sufficient quantity and mode/media that are commensurate with IRS responsibilities during conditions of an emergency;
Possess communications capabilities that can support the IRS senior leadership while they are in transit to alternate facilities;
Ensure that the communications capabilities are maintained and readily available for a period of sustained usage of no less than 30 days or until normal operations can be reestablished;
Ensure that all continuity staff is properly trained, as appropriate, in the use of these communications capabilities;
Satisfy the requirement to provide assured and priority access to communications resources;
Have sufficient communications capabilities to accomplish the IRS MEFs, ESAs, and BPPs from an alternate facility. If the IRS alternate facility is shared with another agency, also have a signed agreement with that agency that ensures that each has adequate access to communications resources.
(7) The communications capabilities will be tested at the alternate facilities at least monthly in order to ensure internal and external interoperability and viability.
Essential Records Management
(1) Essential Records are those records needed to perform essential functions during an emergency situation and to resume normal operations after the emergency ceases.
(2) The IRS will identify all Essential Records (older term is Vital) needed to continue its IRS MEFs, ESAs, and BPPs and to resume normal operations throughout all phases of the continuity event. Procedures will be established to ensure these Essential Records are safeguarded, available, and accessible to support continuity operations.
(3) Essential Records must ensure the following:
Protection of personnel health and safety;
Protection of government assets;
Protection of IRS’s legal rights and interests.
(4) Essential Records can be in either electronic or paper format.
(5) Only a small percentage (usually less than 5%) of records should be considered essential.
(6) All organizations must ensure that Essential Records meeting the above criteria can be accessed or reconstructed within the timeframes specified below.
(7) First priority recovery of Essential Records is for records that must be immediately accessible at all times, including:
Emergency Contact Information;
Occupant Emergency Plans;
Maps and building layout plans to assist emergency responders.
(8) Second priority recovery includes Essential Records that must be accessible within 12 hours following a disruptive event, including BU Continuity Plans and Delegations of Authority.
(9) Third priority recovery includes Essential Records that must be accessible following recovery of Priority 1 and 2 records shown above, including payroll records, records necessary for legal proceedings, contract and lease files.
(10) The IRS continuity personnel will have access to and be able to use the required Essential Records and systems to perform IRS MEFs, ESAs, and BPPs and to reconstitute or resume normal IRS operations. This includes paper and electronic records.
(11) The IRS continuity plans will identify and establish procedures to ensure its Essential Records are safeguarded, available, and accessible to support continuity operations both in paper and electronically.
(12) An Essential Records plan packet must be developed and maintained. The records packet will include:
A hard copy or electronic list of key IRS personnel and continuity personnel with up-to-date telephone numbers;
An Essential Records inventory with the exact locations of vital records;
Updates to the Essential Records;
Necessary keys or access codes;
Alternate facility locations;
Access requirements and lists of sources of equipment necessary to access the records (this may include hardware and software, Internet access, and/or dedicated telephone lines);
Lists of records recovery experts and vendors;
A copy of the IRS Continuity Plans.
(13) At a minimum, Essential Records must be annually reviewed, rotated, or cycled so that the latest versions are available. A copy of the Essential Records packet will be securely maintained at the IRS alternate facilities and other continuity locations where it is easily accessible to appropriate personnel when needed.
(14) Specific issues with IRS records:
Continuity Plans are Essential because they are required for restarting any process or program;
Taxpayer Records are generally not considered to be Essential Records. However, there may be exceptions only if the information contained in the record may become compromised. An example of this would be a paper return that has not been digitized. Once the information is captured electronically, privacy and record security safeguards apply;
Payroll and Employee records are always private, and similar to Taxpayer Records, must always be safeguarded, but are not Essential unless there are only primary paper copies with no backups available;
Procurement/Contract records may be Essential if they do not exist in the Requisition Tracking System (RTS) and are only primary paper copies with no backups available.
(15) Risk factors to be considered:
Environmental risk - Essential Records must be stored in such a way that the information contained cannot be compromised, whether physical damage to paper or electronic damage to stored media. Ideally there will be at least one of the two required backup files in a different format;
Prevention of human error - Essential Records are part of every Continuity Plan. These records must be accurate and up to date. Those who are responsible for developing, maintaining, or implementing them must understand the purpose and content;
Security Risk - Essential Records must be kept secure at the level appropriate for the individual record. For example, records with Personally Identifiable Information (PII) should be secure as required in IRM 10.5Privacy and Information Security. Other records requiring additional security include contract, process instructions, and IT specifications;
Storage Risk - Essential Records must be stored in way that they are accessible when needed;
Implementation of Service’s or BU’s Continuity Plan(s). Essential Records must support implementation of these plans when needed, and must be kept up to date.
(16) Oversight agency concerns:
Government Accountability Office (GAO) lists under Misappropriation Risk Factors the dangers of leaving taxpayer information on disposed paper and electronic media;
Treasury Inspector General for Tax Administration (TIGTA) during an event will work with other Law Enforcement Agencies to secure any PII information that is not secured. Also, if Essential, but not PII, records are needed for resumption of operations, TIGTA will be able to enter a restricted area to retrieve them. After an event TIGTA will include record security and access as part of the After-Incident investigation.
Alternate Locations
(1) An alternate facility is a location, other than the normal facility, used to carry out IRS MEFs, ESAs, and BPPs during continuity operations activation.
(2) The IRS, at a minimum, will identify and maintain an alternate facility. The IRS will designate alternate facilities, alternate usages of existing facilities, and, as appropriate, virtual office options (work at home or alternate sites), as a part of its continuity planning.
(3) Alternate facilities will be identified for the relocation of a limited number of key IRS leaders and staff. These facilities must be able to provide survivable protection and enable continued, endurable operations.
(4) The IRS will prepare its personnel for the possibility of an unannounced relocation of IRS MEFs, ESAs, and BPPs, and/or continuity personnel to these designated facilities.
(5) Alternate facilities can support operations in a threat-free environment, as determined by the geographical location of the facility, assessment of the local threat, and/or the collective protection characteristics of the facility. These facilities should replicate essential capabilities by providing systems and configurations that are used in daily activities.
(6) Telework should not be considered a primary strategy, but should also be addressed as a Continuity Capability:
Each Continuity Plan must include by process which appropriate processes (MEFs and ESAs) can be performed by employees Teleworking;
Each process that can be performed by employees Teleworking should include an estimate of the number of employees that are Telework ready (having a signed Telework agreement in place, completed the Telework Training, and have the proper equipment to function);
All plans should keep a link to appropriate Telework references: http://hco.web.irs.gov/Telework/Index.html and IRM 6.800.2IRS Telework Program.
(7) At a minimum, the designated alternate facilities must provide:
Immediate availability to allow continuity operations to commence rapidly in the event of a no-warning attack;
Sufficient space, infrastructure, power, life support, and network connectivity to accommodate the continuity personnel and equipment required to continue IRS MEFs, ESAs, and BPPs;
Operational capability to perform IRS MEFs, ESAs, and BPPs within 12 hours of an interruption or continuity event;
Capability to sustain IRS MEFs, ESAs, and BPP operations for up to 30 days after an event or until normal IRS operations can be resumed;
Computer equipment, software, and other equipment necessary to carry out MEFs, ESAs, and BPPs;
Interoperable communications, including means for secure communications, if appropriate, with all identified essential internal and external organizations, customers, and the public;
Physical security including perimeter, access, and internal functions commensurate with operations;
Access to reliable logistical support and essential resources such as food, lodging, water, fuel, medical facilities, and office supplies;
Capabilities to access and use the Essential Records needed to facilitate the performance of IRS MEFs, ESAs, and BPPs.
(8) All IRS Continuity personnel will be briefed on IRS continuity plans that involve using, or relocating personnel to alternate facilities, existing facilities, or virtual offices.
(9) The IRS will develop executable transportation plans for movement of its continuity personnel to alternate facilities.
(10) The IRS will develop procedures for maintaining readiness of alternate facilities, procuring equipment and supplies that are not pre-positioned, and to notify and coordinate activation of alternate facilities.
Human Resources
(1) The IRS will identify its continuity leadership and staff and establish IRS human capital strategies that are adaptable to changing circumstances and a variety of emergencies for use during activation of a continuity plan.
(2) In a continuity event or an emergency, IRS continuity personnel and other special categories of employees will be activated by IRS to perform their assigned emergency response duties. These categories are:
Incident Management Team (IMT);
Headquarters Continuity Personnel (HQCOOP);
National Continuity Points of Contact (NCPOCs);
Local Continuity Representatives (LCRs).
(3) In addition, emergency response personnel listed in the IRM 10.6.4 Incident Management Plan who have a continuity role should be included in the Continuity Plan as appropriate.
(4) The plans and procedures for those employees who have not been designated as continuity or emergency response personnel should be addressed in the Continuity Plans as well as in other types of emergency response planning documents, such as the Occupant Emergency Plans or Shelter-in-Place plans.
(5) The IRS will:
Develop and implement a process to identify, document, communicate with and train IRS continuity personnel;
Provide guidance to IRS continuity personnel on the individual preparedness measures they should take to ensure response to a continuity event;
Implement a process to communicate the IRS operating status to all employees;
Implement a process to contact and account for all employees in the event of an emergency;
Keep employees informed during emergencies whether they work at the alternate site or not;
Identify a liaison from the IRS Human Capital Office to work with the IRS continuity coordinator or continuity manager when developing the IRS emergency plans. Implement a process to communicate human capital guidance for emergencies (pay, leave, staffing and other human resources flexibilities) to managers and make employees aware of that guidance to help IRS continue its mission essential functions during an emergency.
(6) Each BU must ensure that its continuity personnel are officially informed of their roles or designations by providing documentation to ensure that continuity personnel know and accept their roles and responsibilities. All continuity personnel must:
Understand the continuity planning requirements;
Understand their roles and responsibilities;
Participate in all required continuity tests, training, and exercises.
(7) IRS managers will:
Encourage employees to be Telework ready (see http://hco.web.irs.gov/Telework/Index.html Telework Program);
Ensure that all employees have a clear understanding of what they are able to do in an emergency;
Place the right people in the right jobs to perform IRS mission essential functions most effectively;
Know where their employees are and how to contact them;
Maintain specific protocols for designating and activating special needs employees;
Support regular exercises and simulations;
Develop, review, and update emergency guidance, as needed.
(8) The IRS should also:
Develop a communications plan to disseminate information to its essential and non-essential employees;
Address the health, safety, and emotional well-being of employees and their families;
Assure personal preparedness for staff through training and education.
Devolution
(1) Devolution is the capability to transfer the legal authority and responsibility for IRS MEFs, ESAs, and BPPs from the IRS primary operating personnel and facilities to other IRS employees and facilities, and to sustain that operational capability for an extended period.
(2) Devolution planning supports overall continuity planning and addresses the full spectrum of threats and all-hazards emergency events that may render the IRS leadership and staff unavailable to support, or incapable of performing, IRS MEFs, ESAs, and BPPs from either its primary or alternate facilities. Devolution planning also addresses notice and no notice events.
(3) The devolution sites and personnel will be able to support the continuation of all IRS MEFs, ESAs, and BPPs.
(4) The devolution option may be used when the IRS alternate facility is not available, or the option can be activated as a continuity measure.
(5) At minimum, the devolution plan will:
Account for IRS MEFs, ESAs, and BPPs;
Include elements of a viable continuity capability: program plans and procedures; budgeting and acquisitions; IRS MEFs, ESAs, and BPPs; orders of succession and delegations of authority specific to the devolution site; interoperable communications; Essential Records management; staff; test, training, and exercise; and Reconstitution;
Define tasks that support the IRS MEFs, ESAs, and BPPs, define tasks that support those mission essential functions, and determine the necessary resources to facilitate an immediate and seamless transfer of these mission essential functions to the devolution site;
Include a roster that identifies fully equipped and trained personnel who will be stationed at the designated devolution site and who will have the authority to perform the IRS MEFs, ESAs, and BPPs when the devolution option of the continuity plan is activated;
Identify likely triggers that would initiate or activate the devolution option;
Specify how and when direction and control of IRS operations will be transferred to and from the devolution site;
List the necessary resources (people, equipment, and materials) to facilitate the ability to perform the IRS MEFs, ESAs, and BPPs and sustain operations at the devolution site;
Establish and maintain reliable processes and procedures for acquiring the resources necessary to continue the IRS MEFs, ESAs, and BPPs and to sustain operations for extended periods;
Establish and maintain capabilities to restore or reconstitute IRS authorities to their pre-event status upon termination of devolution.
(6) Annual training will be conducted on the IRS devolution option for continuity, addressing how the IRS will identify and conduct its IRS MEFs, ESAs, and BPPs during an increased threat situation or in the aftermath of a catastrophic emergency.
Reconstitution
(1) The purpose of Reconstitution is to have the process fully operational as quickly as possible.
(2) The process of Reconstitution will generally start immediately after the threat no longer exists. Some of the activities involved with reconstitution include:
Assessing the status of affected facilities;
Determining how much time is needed to repair the affected facility and/or to acquire a new facility;
Supervising facility repairs and notifying decision makers of the status of repairs, including estimates of when the repairs will be completed;
Implementing a priority-based phased approach to Reconstitution.
(3) Inform all IRS personnel that the necessity to continue operating in a continuity environment no longer exists and provide instructions for resumption of normal operations.
(4) Supervise an orderly return to the normal operating facility or movement to other temporary or permanent facilities.
(5) Report the status of relocation to the FEMA Operations Center (FOC) and other points-of-contact, as applicable.
Test, Training, and Exercise
(1) The IRS will develop and maintain a continuity test, training, and exercise program for conducting and documenting test, training, and exercise activities and identifying the components, processes, and requirements for the identification, training, and preparedness of personnel needed to support the continuation of the performance of IRS MEFs, ESAs, and BPPs.
(2) An effective test, training, and exercise program is necessary to assist the IRS in preparing and validating its continuity program and its capabilities.
(3) The test, training, and exercising of IRS continuity capabilities are essential to demonstrating, assessing, and improving the ability of IRS to execute its continuity program, plans and procedures.
(4) The IRS continuity plans will include a test, training, and exercise schedule.
(5) Further details are in IRM 10.6.3 Test and Exercise.
Elements Recommended in a Continuity Plan
(1) The following additional elements will be addressed at a Servicewide level, but BUs may wish to consider one or more to maintain continuity:
Pandemic;
Telework;
Workstream.
Pandemic Requirements
(1) Each BU must be able to address work disruption caused by pandemic, either through the Servicewide Plan or with additional information;
(2) Further requirements may be found in IRM 10.6.6 Pandemic Requirements.
Telework Requirements
(1) Telework should be considered an essential but not primary component to restoring operations and processes in the IRS.
(2) At a minimum, each BU should annually:
Ensure the BU has the capability to use Telework for critical processes (if possible);
Ensure the employees’ Telework Plans are current, and update if necessary.
(3) It is recommended that Telework Plan capabilities be documented in the Continuity Plan.
(4) Further information can be found in IRM 6.800.2 IRS Telework Program.
Workstream Information
(1) Workstream Information refers to specific workstreams or processes to support IRS MEFs, ESAs, and BPPs.
(2) The Continuity Plan(s) and associated annexes maintain information at the highest level for program recovery.
(3) At a minimum, the four stages to be addressed are:
Make Telework determination;
Retrieve incoming mail (both physical and electronic);
Determine Devolution Site;
Establish phone and email notification.
(4) Each BU may use a different list of stages specific to their needs.
(5) All workstream information should be consistent with the DRP/ISCP for the systems involved.
Training Requirements
(1) All BU Continuity personnel (NCPOCs, LCRs, CPs, Continuity Operations) must take training required for their position within 30 days of appointment.
(2) The ITM training requirements for SCR-CO:CO are:
44595 Introduction to Continuity of Operations IS-1300;
45146 Introduction to the National Incident Management System (NIMS) IS-700;
45148 National Response Framework IS-800;
45149 Introduction to COOP Planning for Pandemic/Influenza IS-520;
78742 Introduction to the Incident Command System IS-100.c;
78743 An Introduction to Exercise IS-120.c;
78740 Exercise Design and Development IS-139.a;
78744 Fundamentals of Emergency Management IS-230.d;
78745 Reconstitution Planning Course IS-545;
78741 Devolution Planning IS-551.
(3) The ITM training requirement for HQCOOP members is:
56022 ELMS Video with Link-or- 56022 given as seminar.
(4) The ITM training requirement for NCPOC members is:
53521 National Continuity Point of Contact (NCPOC) Training.
(5) The ITM training requirement for LCRs are:
32294 Introduction to Continuity Planning;
29959 LCR Roles and Responsibilities.
(6) In addition, SCR-CO:CO will offer various seminars, meetings, and training sessions for credit to the Continuity Community.
(7) SCR-CO will document the continuity training conducted, date of training, those completing the training, and the training facilitator or instructor, and submit to ITM.
Continuity Certification
(1) Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA) offers certification in Continuity Operations;
(2) Level 1 Continuity Certification and Level 2 Continuity Certificates are provided through DHS FEMA Emergency Management Institute http://training.fema.gov/, and may be accessed through ITM;
(3) Participants will need to create an account and password in FEMA;
(4) Each course has a final exam which must be completed with a passing grade to receive certification;
(5) IRS employees should access the courses through ITM and after completion, exit through ITM in order to receive credit in ITM;
(6) Level 1 Continuity Certification courses are:
45149 Introduction to Continuity of Operations Planning for Pandemic Influenza IS-520;
44595 Continuity of Operations Awareness IS-1300 (formerly IS 546.a);
45146 Introduction to National Incident Management System IS-700;
45148 National Response Framework: An Introduction IS-800;
78742 Introduction to ICS IS-100.c;
78743 Introduction to Exercises IS-120.c;
78744 Fundamentals of Emergency Management IS-230.d;
78745 Reconstitution Planning Workshop IS-545;
78746 Effective Communication IS 242.b.
(7) Level 2 Continuity Certification courses and seminars are:
71869 How to be an Exercise Evaluator IS-130.a;
79234 Leadership and Influence IS-240.b;
79235 Building Design for Homeland Security Course for Continuity of Operations IS-156;
78741 Devolution PlanningIS-551;
79236 Instructor Training Certification (ITC) PER-266;
79237 Instructional Presentation & Evaluation Skills Course E/L/G-141;
79232 (Seminar) Continuity Planners Course E-1301;
79233 (Seminar) Continuity Program Management Course E-1302.
Note: Some of the courses required for SCR-CO:CO are in the FEMA Level 1 and Level 2 Certification Certificates.
Maintenance, Storage, and Availability
(1) Continuity Plans are living documents that required periodic reviews, modifications, and milestone or completion dates for planned controls.
(2) Procedures must be in place identifying who reviews the Continuity Plans and follows up on the planned controls.
(3) All continuity plans, at a minimum, will be marked, handled, and controlled to the level of sensitivity determined by IRS policy.
(4) All continuity plans will be signed by the Business Unit director or their designee and dated for ease of tracking modifications and approvals. Dating each page of a Continuity Plan is required.
(5) At a minimum, the entire Continuity Plan will be reviewed annually and updated accordingly. Significant changes (MEFs, designation of ESAs, alternate facilities, and continuity personnel rosters with contact information) to the Continuity Plan must be updated as changes occur.
(6) All Continuity Plans must reside in an electronic, centralized storage area determined by Office of Continuity Operations. Plans that are not included in this electronic, centralized storage area will not be considered part of the official BU plan.
(7) Access to this centralized storage area may controlled by SCR-CO:CO.
TIER 1: IRS Essential Functions
|
Mission-Essential Functions | Essential Supporting Activities |
|
|
|
TIER 2: Business Process Priorities
|
|
TIER 3: Deferred Business Processes
|
|