Occupant Emergency Plan: SP 800-34 Revision 1

Understanding SP 800-34 and the related continuity plans. 

In the March issue we provided a list of the 8 different types of continuity-related plans listed in NIST SP 800-34 revision 1:

  • Occupant Emergency Plan (OEP)
  • Critical Infrastructure Plan (CIP)
  • Information System Contingency Plan (ISCP)
  • Disaster Recovery Plan (DRP)
  • Incident Response Plan (IRP)
  • Business Continuity Plan (BCP)
  • Crisis Communications Plan (CCP)
  • Continuity Of Operations Plan (COOP)

In this issue we will discuss the Occupant Emergency Plan (OEP).  Federal Management Regulations (FMR) subpart 103-74.230A requires Federal agencies that occupy Federal property to develop an OEP.  This requirement includes Federal agencies that occupy space leased by the General Services Administration (GSA).  
 
The purpose of an OEP is to ensure that all occupants know how to respond in an emergency, regardless of whether the emergency is man-made or natural.  An OEP must address:
 
  • Who will be in charge
  • Facility characteristics and security
  • Criteria for plan activation
  • Actions to be taken
  • Training

  1. Who will be in charge?  Establish an Incident Command Structure with a succession of authority.  Make sure that everyone knows who will be in charge to avoid any confusion.  Identify and appoint floor captains who will ensure complete evacuations and arrange assistance for those employees who have physical challenges.
  2. Facility characteristics.  Map out evacuation routes and shelter-in-place locations (“shelter-in-place” refers to using a safe room at work when the situation warrants staying inside rather than attempting to leave).  Make every effort to mark those routes clearly so that even in the most confusing situations everyone knows where to go and how to get there.  Make sure that the rallying areas are clearly marked so everyone knows where to go for personnel accountability.  Make arrangements to compare attendance records against those who are out of the building for vacation or meetings, and don’t forget the visitors to the building.  Coordinate with security to make sure EVERYONE is safe.  Build into your OEP when it’s best to evacuate and when it’s safer to shelter-in-place.
  3. When is the plan activated?  Identify criteria that can reduce the ambiguity.  Remember, personnel safety comes first – when in doubt, activate.
  4. Actions to be taken.  When building your checklists, remember the 3 key points:  Recognize the situation for what it is, React appropriately and calmly, and Report the nature of the emergency to the necessary facility and civil authorities.  Build your plans to be checklist-centric.  You don’t want to sift through 5 pages of narrative to get to step 1.  Steps and actions should be short, concise and clear, with a method for recording the commencement and completion of each action.
    4a. Work with your risk managers.  Determine which emergencies are the most likely.  If you’re located in the Southwest, flooding may not be an issue.  If you’re located in “tornado alley,” shelter-in-place should be a very important factor in your plan.
  5. Training.  Everyone must be trained in their responsibilities, even if those responsibilities are limited to evacuating or sheltering in place calmly and ensuring they are accounted for by those who are taking a roll call.  Exercise the plan!  You don’t know what’s broken until you try to use it.

In the next issue, we’ll look at Information System Contingency Plans (ISCPs).
  
To review an alphabetized list with a short synopsis of how each plan is used, click here.

To find out more information on Lunarline’s extensive experience in identifying, developing and implementing recovery strategies, click here.

About Bob Cohen

As a business continuity/continuity of operations (COOP) planner I earn my living as a first line of defense against the hordes of chaos. In my spare time I’m an actor on the local stage and in voice-over recording booths. If you ride the Metro Rail you might have seen me as “Mr. Exasperation” in a recent advertisement for the DC Lottery.