Disaster Recovery Services

This topic provides guidance on various solutions/services for consideration for DR based on requirements for CMS.

DR Alternatives

The goal of the recovery strategy is to provide a recovery capability that balances implementation and ongoing costs against potential impacts and exposures to CMS.

The agency can consider several available alternatives—from taking no action or doing nothing to full system mirroring/high availability. The recovery strategy selected may be a combination of two or more of these alternatives:

  • Do nothing. This option provides no additional funds or resources for providing recovery capability, (i.e., “do nothing”). This would leave CMS unprotected against a major disruption of agency operations. There must be an authorized risk acceptance and approval process in place for this option.

  • Normal restoration/replacement. This option depends on the restoration or replacement of the damaged or destroyed facilities, furnishings, equipment, etc. in the normal course of business.

  • Self-recovery (VDC). CMS can provide its own disaster recovery capability by having at least two Virtual Data Center (VDC) facilities where similar types of functions and operations are performed. Leveraging HA architecture for this solution is an option. This alternative requires that the facilities:

    • Are sufficiently geographically distant from each other

    • Contain enough “spare” room

    • Ensure that the entire baseline infrastructure the affected functions will require is pre-installed or have all hardware for “hook-up” pre-installed

  • Replication (VDC). Maintaining availability of CMS critical applications is a key part of disaster recovery and business continuity planning. CMS could choose to provide its own disaster recovery capability by replicating (also known as mirroring) the critical systems at an off-site third-party location. Again, leveraging HA architecture for this solution is an option.

The recovery alternative selected for CMS systems should be chosen based on operational requirements for fulfilling the approved RTO, cost efficiencies, and MEFs supported.

“Disaster Recovery as a Service” (DRaaS) encompasses combinations of alternatives listed above.

DR Assessment

DR Assessment determines completeness of a systems DR readiness can be achieved through the conduct of periodic test, training and exercise (TT&E) activities.

DR Readiness

DR Readiness is the ability of an organization to respond to a continuity activation. Readiness is an aspect of the planning and training activities, but ultimately CMS leadership is responsible for the overall determination of readiness. It must know that systems can perform disaster recovery operations, including essential functions before, during, and after emergencies.