The Department of Defense has defined a group of levels known as “Mission Assurance Categories,” or MAC levels. These formalize an idea that has long been discussed in IT: categorizing applications into groups according to their importance to the organization (e.g. Gold, Silver, Bronze). Oftentimes when applications are grouped, they are grouped by a simple priority assigned by the application owner, i.e. what is most important to them, not necessarily to the organization.
MAC levels, as used by the military, define each level by what is required to support the combat mission, which helps shift the focus of the conversation from “my group” to “the organization.” Service Assurance Categories (SAC) retool this concept into a more general-purpose categorization.
SAC simplifies this process because it removes the emotions and expectations. Once you have grouped applications by SAC level, it becomes easier to make other decisions, such as:
- How deep do we monitor it?
- What type of disaster recovery is needed?
Almost immediately, we are able to scope many of the challenges that can easily plague decisions across a large organization.
Service Assurance Category
SAC-1 – These systems handle information that is determined to be vital to the effectiveness of our organization. Loss of these systems can cause immediate and sustained loss of effectiveness. Service Assurance Measures covered by SAC-1 systems: Disaster Recovery (DR), Business Continuance (BC) and High Availability (HA). Target Service Availability is 99.999% scheduled uptime (no more than 5.26 minutes of unscheduled outages per year).
SAC-2 – These systems are important to the organization. Loss of availability is difficult to deal with, and can only be tolerated for short periods of time. The consequences can include delay or degradation in providing important services. Information Assurance Measures covered by SAC-2 systems: Business Continuance (BC) and High Availability (HA). Target Service Availability is 99.99% scheduled uptime (no more than 52.56 minutes of unscheduled outages per year).
SAC-3 – These systems are necessary for the conduct of day-to-day business, but the consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on operational effectiveness to the organization. The consequences could include the delay or degradation of services or commodities enabling routine activities. Information Assurance Measures covered by SAC-3 systems: High Availability (HA). Target Service Availability is 99.9% scheduled uptime (no more than 8.76 hours of unscheduled outages per year).
SAC-4 – These systems are similar to SAC-3 systems, but do not meet the Information Assurance Measures necessary to qualify as SAC-3 systems. Target Service Availability is 98% scheduled uptime (no more than 7.3 days of unscheduled outages per year).
Information Assurance Measures
Disaster Recovery (DR) – An implemented and tested scenario for bringing the system online in an alternate datacenter and returning to readiness within a defined period of time. DR does not require an active hot-site, although one can be part of the scenario.
Business Continuance (BC) – The system can tolerate systemic failure of an entire complex within an operational center and continue operating. This includes top to bottom redundancy, from storage through to the end delivery component, of all tiers of the application (application, database, storage, fabric).
High Availability (HA) – The system can tolerate component failure within a complex and continue operating. This includes individual sets of HA, but does not require a complete system complex of redundancy. The distinguishing feature between BC and HA is that BC exists in two complexes, whereas HA exists in one.