Federal Continuity Directive 2: FFederal Executive Branch Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission ProcessPurpose: Federal Continuity Directive-2 (FCD-2) implements the requirements of FCD-1, Annex B (Essential Functions), and provides direction and guidance to Federal Executive Branch Departments and Agencies (D/As) to assist in validation of Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs). The update and validation of essential functions includes conducting a comprehensive Business Process Analysis (BPA) to understand those processes necessary to the performance of organizational functions and requirements. It also includes conducting a Business Impact Analysis (BIA) to identify potential impacts on the performance of essential functions and the consequences of failure to sustain them. Further, it requires the application of organization-wide risk analysis to inform decision making and strengthen operations through effective risk management. FCD-2 outlines requirements and provides checklists and resources to assist D/As in identifying and assessing their essential functions through a risk-based process and in identifying candidate PMEFs that support the National Essential Functions (NEFs). This FCD provides guidance for conducting a BPA and BIA to identify essential function relationships, dependencies, time sensitivities, threats, vulnerabilities, consequences, and mitigation strategies related to the performance of the MEFs and PMEFs. This FCD also provides direction on the formalized process for submitting D/As’ candidate PMEFs in support of the NEFs.Policy and Background: PPD-40, National Continuity Policy, sets forth the policy of the United States to maintain a comprehensive and effective continuity capability through Continuity of Operations (COOP), Continuity of Government (COG), and Enduring Constitutional Government (ECG) programs ensuring the preservation of government structure under the United States Constitution and continuing performance of NEFs under all conditions.1 As noted in FCD-1, national continuity programs are based on the continuous performance of NEFs through the sustainment of essential functions performed by D/As. NEFs are the foundation of all continuity programs and capabilities and represent the overarching responsibilities of the Federal Government to lead and sustain the Nation before, during, and in the aftermath of a catastrophic emergency. All D/As, regardless of size or location, are required to have a viable continuity capability to ensure organizational resilience and continued performance of essential functions under all conditions. The foundation of robust and viable continuity programs and capabilities is the understanding and commitment to the continued performance of the organization’s essential functions. Organizations must consider and fully integrate continuity planning and procedures into all aspects of daily operations to create a culture of continuity that will ensure seamless continuation of essential functions under all conditions. To preserve the government and sustain the NEFs, D/As must identify their MEFs and PMEFs and ensure that those functions can be continued during, or resumed rapidly after, a disruption to normal operations. While the Federal Government provides many services to the American people, Federal Executive Branch D/As must identify and prioritize those critical services that must continue during an emergency. D/As must set those priorities as part of their preparedness posture and not wait for a crisis or a continuity event to determine which activities must be sustained throughout the event. Only with a coordinated, organization-wide approach can D/As ensure resilience and the ability to continue to perform essential functions during both catastrophic emergencies and more routine disruptions to operations both planned and unplanned. FCD-2 directs updates to and validation of essential functions, requiring the conduct of a comprehensive BPA, conduct of a BIA, and the application of agency-wide risk analysis in support of organizational resilience and continuity programs. This analytic approach defines how robust an organization’s continuity program shall be and underscores that strengthening the continuity program will strengthen the enterprise, making the organization more resilient regardless of the challenges it may face. Risk analysis of a BPA, supported by a BIA, aids in the identification on non-obvious, emerging, and future risks or threats to an organization's operations. Structured and in-depth analysis enables organizations to consider and allocate resources to those areas of greatest risk and where the most benefit from investment may be achieved. Analytic findings and supporting documentation further enable justification of needed resources, as well as determinations on resource allocation throughout the organization. Investing in those areas critical to the performance of an organization's essential functions will further allow agencies to build resilience and more readily adapt to evolving threats. The use of analysis and related tools will maximize the organization’s use of resources given dependency considerations for performance of both steady-state functions and essential functions during a catastrophic emergency.Federal Emergency Management AgencyFEMA_f3aea7da-0276-40be-8963-931fdd9d37afRobert J. FentonAdministrator (Acting), FEMAU.S. Department of Homeland SecurityFederal Executive BranchThe provisions of this FCD apply to the executive D/As enumerated in 5 United States Code (U.S.C.) § 101, including the U.S. Department of Homeland Security (DHS), independent establishments as defined by 5 U.S.C. § 104(1), government corporations as defined by 5 U.S.C. § 103(1), and the United States Postal Service. The D/As, commissions, bureaus, boards, and independent organizations are hereinafter referred to as "organizations" to better reflect the diverse organizational structures within the Federal Executive Branch. The provisions of this FCD are applicable at all levels of Federal Executive Branch organizations regardless of their location, including regional and field locations. Headquarters (HQ) elements are responsible for providing oversight and promulgating direction to their component, subcomponent, and field organizations. In this FCD, the term "headquarters" refers to the central, head offices of operations for organizations identified in Presidential Policy Directive (PPD)-40, Annex A, Categories of Departments and Agencies. The terms "component" or "subcomponent" refers to all organizational elements, whether at HQs or a regional, field, or satellite office.Federal DepartmentsFederal AgenciesUnited States Postal ServiceState GovernmentsThough not a requirement, state, local, tribal, and territorial governments, non-government organizations, and private sector critical infrastructure owners and operators are strongly encouraged to adopt this approach, as there are many dependencies and interdependencies among various levels of government critical to ensuring the continued functioning of governments and the continued performance of essential functions. Specific guidance for non-federal organizations is available in the Continuity Guidance Circular.Local GovernmentsTribal GovernmentsTerritorial GovernmentsPrivate Sector Critical Infrastructure OwnersPrivate Sector Critical Infrastructure OperatorsFEMA National Continuity ProgramsQuestions regarding this FCD can be submitted to FEMA National Continuity ProgramsContinuous performance of National Essential Functions (NEFs) under all conditions._1f254496-ef76-11e7-80d3-c2c0c4516356To implement the requirements of FCD-1, Annex B (Essential Functions), and provide direction and guidance to Federal Executive Branch Departments and Agencies (D/As) to assist in validation of Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs)._1f2546a8-ef76-11e7-80d3-c2c0c4516356MEF & Candidate PMEF IdentificationIdentify and prioritize essential functions._1f2547ac-ef76-11e7-80d3-c2c0c45163561Identification and prioritization of essential functions enable effective continuity planning. Essential functions are critical activities used to identify key assets, supporting tasks, and resources that an organization must include in its continuity planning process. Essential functions are those functions an organization must continue in a continuity situation, whether the functions are PMEFs, MEFs, or Essential Supporting Activities (ESAs). Annex A describes the types of essential functions and Annexes B through E provide direction and guidance on the processes for identifying, reviewing, validating, and updating MEFs and PMEFs and conducting a BPA and BIA. Many D/As have MEFs and a smaller number of D/As have PMEFs. This narrowing and prioritizing is both appropriate and consistent with the concepts that underpin a comprehensive continuity policy. The fact that some D/As may not have a PMEF is not a reflection of the importance of their responsibilities, but rather a reflection of the urgency of the functions that D/As may need to perform during a catastrophic emergency. D/As' analysis should include consideration of functions performed at all of the organization's locations and not be limited to HQ activities._1f254860-ef76-11e7-80d3-c2c0c4516356Risk Management & AnalysisImplement agency-wide continuity risk management programs._1f254932-ef76-11e7-80d3-c2c0c45163562Risk is the "potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences." An agency-wide continuity risk management program will inform agency planning and resource allocation decisions to sustain essential functions, build on the organization’s existing risk management activities, and encompass all of the organization's operations. Countless risks may cause degradation or hindrance in the performance of essential functions, supporting activities, and normal operations. Performing analysis to better understand these risks and then managing risks to minimize their effects is critical. Examining factors within an organization's operating environment that exhibit the potential to disrupt business processes through the exploitation of vulnerabilities will aid in the prioritization of risks and associated risk management. Analyzing risk to the organization -- the enterprise -- requires detailed knowledge of the organization's operations, information on what may cause harm and the results of such harm, and information on how to contend with identified risks. Risk management and analysis requires a team approach, leveraging subject-matter experts on an organization's operations, programs, and functions to develop a holistic picture of enterprise risk and an understanding of dependencies, interdependencies, and interfaces.Risk Analysis_1f2549f0-ef76-11e7-80d3-c2c0c45163562.1Various types of analysis will contribute to the overall understanding of the risks faced by an organization and how to best manage those risks. Enterprise risk management may inform decision making involving organizational strategic and operational planning, human capital planning, capital investment planning, program management, and budget formulation. Programmatic risk analysis considers the technological or quality, cost, and schedule risks within a program. All-hazards risk analysis considers risks posed by all conditions, environmental or manmade, that have the potential to cause injury, illness, or death; damage to or loss of equipment, infrastructure services, or property; or causing functional degradation. Although there are many ways to perform analysis, the following general steps apply ... Risks must be communicated to improve understanding among an organization’s leadership, staff, and key stakeholders, enhance risk perception, and support risk management decisions and resource allocation. Risk analysis will inform continuity planning efforts and enable organizations to allocate resources to derive the most benefit from their investment.Context, Requirements & ParametersDefine the context and develop the analysis by setting requirements and parameters, to include defining the scope of the analysis and building the analysis team._1f254aae-ef76-11e7-80d3-c2c0c45163562.1.1Essential FunctionsIdentify the organization's essential functions, considering how the "system" works._1f254b8a-ef76-11e7-80d3-c2c0c45163562.1.2Identify potential risks based on those functions.RisksAssess the potential risks to the organization, looking at threats, vulnerabilities, and consequences._1f254c52-ef76-11e7-80d3-c2c0c45163562.1.3AlternativesDevelop alternatives to manage risks to an acceptable level, which may include accepting, avoiding, transferring, or controlling risk._1f254d10-ef76-11e7-80d3-c2c0c45163562.1.4PrioritizationPrioritize (or rank and order) the identified risks and risk management strategies, considering associated costs and benefits. Decide upon and implement appropriate strategies._1f254df6-ef76-11e7-80d3-c2c0c45163562.1.5Evaluation & MonitoringEvaluate and monitor risk management strategies to determine and continuously improve upon risk mitigation._1f254ebe-ef76-11e7-80d3-c2c0c45163562.1.6DefenseDefend prioritizations and resource allocations, based on the results of risk analysis, to enhance the readiness, preparedness, and resilience of the organization._1f254f90-ef76-11e7-80d3-c2c0c45163562.1.7Critical Infrastructure & Interdependency Analysis_1f255076-ef76-11e7-80d3-c2c0c45163562.2The Nation's critical infrastructure provides services that underpin the performance of essential functions. This supporting infrastructure is both diverse and complex, and each of the 16 critical infrastructure sectors has unique characteristics, operating models, and risk profiles. The term critical infrastructure is used to describe "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Together, PPD-40 and PPD-21, Critical Infrastructure Security and Resilience, require the Federal Government to coordinate with state, local, territorial, and tribal governments and private sector owners and operators of critical infrastructure, as appropriate, to strengthen the Nation's resilience and sustain essential services during a catastrophic emergency.Assets & SystemsIdentify internal critical assets and systems supporting essential functions and external infrastructure._1f25513e-ef76-11e7-80d3-c2c0c45163562.2.1As part of risk analysis, the analysis team must identify internal critical assets and systems supporting essential functions and external infrastructure upon which operations are dependent, including but not limited to "lifeline" infrastructure such as energy or power, water, communications, and transportation systems.AnalysisAnalyze dependencies and interdependencies on critical infrastructure._1f255210-ef76-11e7-80d3-c2c0c45163562.2.2Analyzing dependencies and interdependencies on critical infrastructure that support the performance of essential functions contributes to the organization's BIA and analysis of resilience. This information contributes to effective risk management to ensure the protection of critical assets, networks, systems, and information necessary to the performance of essential functions.Analysis OutcomesAnalyze risk and related dependencies on critical infrastructure._1f255300-ef76-11e7-80d3-c2c0c45163562.3Analyzing risk and related dependencies on critical infrastructure through a BPA and BIA aids in the identification of non-obvious risks, gaps in an organization's operational processes and procedures, and essential function resource requirements. The BIA must take a risk-based approach to ensure all potential threats and hazards, vulnerabilities, and consequences are considered. Through conduct of BPAs and BIAs, D/As must: * Identify and prioritize essential functions and resource requirements. * Determine dependencies and interdependencies related to the performance of essential functions. * Identify and assess factors which may impact the performance of essential functions and the potential for cascading effects. D/As should consider existing threat assessments, vulnerability assessments, and consequence analysis, where available. While organizations can neither respond to, nor eliminate, all risk, they must work to assess and manage challenges to perform essential functions based on structured and documented analysis. The determination and socialization of maximum tolerable downtimes, external dependencies upon critical infrastructure sectors or other organizations, and internal dependencies or interfaces will inform decisions on resource allocations and activities to sustain essential functions. Risk and dependency analysis inform mitigation actions needed to sustain essential functions and the development of the organization’s continuity program. Collectively, the continuity community will gain an understanding of how essential functions are interrelated, how MEFs support PMEFs, and how PMEFs support NEFs to ensure the Nation can continue to function before, during, and after a catastrophic emergency. Effective risk management will strengthen organizational resilience, improve readiness, and enhance the Nation’s resilience. Annexes C and D outline the requirements, key considerations, and basic processes for conducting a BPA and BIA. However, given the wide range of structured analytic techniques and methodologies available, the specific methods used by D/As to conduct their BPAs and BIAs is ultimately up to individual organizations provided that the factors considered and documentation meet FCD-2 requirements.Functions & ResourcesIdentify and prioritize essential functions and resource requirements._1f2553dc-ef76-11e7-80d3-c2c0c45163562.3.1Dependencies & InterdependenciesDetermine dependencies and interdependencies related to the performance of essential functions._1f2554b8-ef76-11e7-80d3-c2c0c45163562.3.2Performance FactorsIdentify and assess factors which may impact the performance of essential functions and the potential for cascading effects._1f2555bc-ef76-11e7-80d3-c2c0c45163562.3.3D/As should consider existing threat assessments, vulnerability assessments, and consequence analysis, where available.Submission Process Requirements_1f2556a2-ef76-11e7-80d3-c2c0c45163563Reviews & DocumentationBiennially review MEFs and supporting BPAs and document the dates of review and names of personnel conducting the review._1f2559a4-ef76-11e7-80d3-c2c0c45163563.1D/As must review biennially MEFs and supporting BPAs and document the dates of review and names of personnel conducting the review in accordance with FCD-1. D/As will follow the processes outlined in the annexes of this FCD to identify, review, and validate their MEFs, existing PMEFs, and candidate PMEFs.ChangesIncorporate changes generated by new programs, priorities, or functions within the organization and any organizational changes to existing programs or functions._1f255b02-ef76-11e7-80d3-c2c0c45163563.2D/As must incorporate any identified changes generated by new programs, priorities, or functions within the organization and any organizational changes to existing programs or functions.LocationsInclude consideration of functions performed at all locations._1f255bfc-ef76-11e7-80d3-c2c0c45163563.3D/As' analysis should include consideration of functions performed at all of the organizations' locations and not be limited to HQ activities.PMEFsDetermine whether to revise existing PMEFs or propose news PMEFs._1f255cec-ef76-11e7-80d3-c2c0c45163563.4National Continuity CoordinatorInteragency BoardAfter the review and validation process, D/As will determine whether they need to revise an existing PMEF or propose a new candidate PMEF for consideration by the Interagency Board (IAB), established by the National Continuity Coordinator, following the submission guidance in Annex F.2017-06-132018-01-01https://www.fema.gov/media-library-data/1499702987348-c8eb5e5746bfc5a7a3cb954039df7fc2/FCD-2June132017.pdfOwenAmburOwen.Ambur@verizon.net