Skinner: DHS IT systems not ready should disaster strike

The Homeland Security Department is not adequately prepared to recover its IT systems following a disaster, according to DHS acting Inspector General Richard Skinner.

The Homeland Security Department is not adequately prepared to recover its IT systems following a disaster, according to a new report from the department's acting Inspector General Richard Skinner.

Fifteen of the 19 IT facilities reviewed at the department either had no recovery sites or their recovery sites were not fully operational, the IG found.

Four IT programs that did have working recovery sites displayed significant shortcomings. "Tests at those facilities revealed deficiencies that could adversely impact recovery of critical IT systems," the report said.

The flaws in disaster capabilities could lead to disruptions and delays in the 19 IT systems examined, which include systems for screening passengers at airports, processing grants following a disaster and screening the flow of goods across borders, according to the report.

"The inability to restore DHS' critical IT systems following a disaster could have negative effects on the performance of mission-essential functions," the IG said.

Planning documents for continuity of operations also were inadequate, with deficiencies in 25 of the 31 documents reviewed. Thirteen DHS contingency planning documents "had not been finalized" to date, the IG said.

To remedy the problems, the IG is recommending the department implement an "enterprisewide disaster recovery solution." The department should require that new IT systems include disaster recovery capabilities and that recovery planning and documentation be finished.

The IG reviewed department compliance with Federal Preparedness Circular 65 issued by the Federal Emergency Management Agency in June 2004. It specifies steps to be taken to prepare to continue essential functions of federal agencies in the event of an emergency.

The guidance requires that agencies be able to shift to emergency status within 12 hours without advance warning, develop capabilities to support the agency during emergency status and regularly test those capabilities.

"The disaster recovery sites for the reviewed DHS facilities were either not available, not fully operational or had identified deficiencies," the report said. "The disaster recovery sites for all 19 facilities lacked adequate capabilities to prevent service disruptions from potentially affecting DHS' ability to either respond to a threat or to mitigate the effects of the disaster."

Six IT facilities had no recovery site at all. "At these six facilities, there were a total of 383 servers and nine mainframe systems," the IG said.

By those criteria, the department fell short, according to the redacted version of the report posted on the IG's Web site.

In their written response, included within the IG report, department officials agreed with the recommendations.