Je veux savoir à propos de…

Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices implement controls to manage and mitigate those risks.42
Resiliency and Recovery As noted earlier, given OCCs role as a SIFMU, it is vital that OCC work to ensure operations moved to Cloud Infrastructure have appropriately robust resilience and recovery capabilities.
Below is a discussion of how OCC has evaluated resiliency including: i The steps taken by OCC and the CSP to help ensure the persistent availability of Compute, Storage, and Network capabilities in the Cloud; ii the resiliency of the CSPs method for deploying updates to help ensure that consequences of incidents are limited to the fullest extent possible; iii the onpremises backup; and iv the use of store and forward 43 messaging technology.
i. Resiliency of the Cloud Infrastructure
jspears on DSK121TN23PROD with NOTICES1

OCC believes the Cloud Implementation will enhance the resiliency of OCCs core clearing, risk management, and data management applications by virtue of its built-in six levels of redundancy that will provide OCC with easy access to multiple zones within multiple and geographically diverse regions. The redundancy provided to OCC in the Cloud Infrastructure helps ensure that Compute, Storage, and Network resources will be available to OCC on a persistent basis.
OCC will provision Compute, Storage, and Network resources in two autonomous and geographically diverse regions, in a hot/warm configuration to increase resources on demand, maintained by the CSP. Each region will maintain independent and identical copies of all applications that are deployed by OCC, allowing OCC to transition its core clearing, risk management, and data management applications from one region to another seamlessly. Production workloads would be run across and shifted between regions regularly to protect OCC against disruptions from regionalized incidents. In the unlikely event that a region is temporarily disabled as a result of an extreme event, OCC would failover to run core clearing, risk management, and data management applications in the other region. This 42 OCC has separately submitted a request for confidential treatment to the Commission discussing the status of security projects which OCC has provided in confidential Exhibit 3t to File No. SROCC2021802.
43 Store and forward messaging refers to messaging technology that retains copies of messages until confirmation of receipt, thus limiting the likelihood of loss during transmission.

VerDate Sep<11>2014

17:42 Nov 01, 2021

Jkt 256001

will necessarily require that both regions be maintained with full and expansion capacity. At any point, OCC
will have active primary and standby instances of the core clearing, risk management, and data management applications that can be moved to any of the six instances i.e. three zones in each of the two regions. This is analogous to having six physical data centers with primary and backup running out of any two instances at a given point in time.
Each region consists of three zones, each of which has a physical infrastructure with separate and dedicated connections to utility power, standalone backup power sources, independent mechanical services, and independent network connectivity.
While not dependent on one another, zones are connected to one another with private fiber-optic networking, enabling the architecture of core clearing, risk management, and data management applications to automatically failover between zones without interruption.
Since each zone can operate independently of one another but failover capability is near instantaneous, a loss of one zone will not affect operation in another zone; however, no core clearing, risk management, or data management application will be reliant on the functioning of a single zone. This structural framework offers OCC a wide expanse within which to run its core clearing, risk management, and data management applications while simultaneously restricting the effect of an incident at the CSP to the smallest footprint possible.44
As core clearing, risk management, and data management applications will be deployed in a primary hot/
secondary warm mode, each environment will be active, run the same software, and receive the same data, enabling a failover or switch from one region to another within two hours.
Software and Infrastructure will be deployed via automated processes to ensure both are identical in each region.
Additional capacity will always be available to support the resiliency of OCCs core clearing, risk management, and data management applications by way of the six-way redundancy. OCC
44 To further ensure the resiliency of the Compute, Storage, and Network capabilities, the CSPs services are divided into data plane and control plane services. OCCs applications will run using data plane services; control plane services are used by the CSP to configure the environment.
Resources and requests are further partitioned into cells, or multiple instantiations of a service that are isolated from each other and invisible to the CSPs customers, on each plane, again minimizing the effect of a potential incident to the smallest footprint possible.

PO 00000

Frm 00071

Fmt 4703

Sfmt 4703

60511

will continue to periodically test the CSPs capacity scaling features and failover capabilities to ensure adequate capacity is always available to OCC.45
The CSP may not unilaterally terminate the relationship with OCC
absent good cause or without sufficient notice to allow OCC to transition to an alternate CSP or to the on-premises solution for its Compute, Storage, and Network needs. The notice provision in the Cloud Agreement for terminations that are not for cause would give OCC
sufficient time to consider and transition 46 its core clearing, risk management, and data management applications to another CSP or to its backup on-premises data center.
Specifically, the CSP must provide notice OCC believes is sufficient to transition if it wishes to terminate the Cloud Agreement for convenience or if it wishes to terminate an individual CSP
service offering on which OCC relies for all of its Cloud customers.47
The CSP is permitted to terminate the Cloud Agreement with shorter notice periods in the event of a critical breach or an uncured material breach of the Cloud Agreement. In the highly unlikely event that a critical breach or uncured material breach occurs, OCC would have sufficient notice to shift operations to the on-premises data center. Contract provisions that allow a party to terminate for uncured material breaches are designed to limit the types of actions that could lead to contract termination typically, a breach is considered material only if it goes to the root of the agreement between the parties or is so substantial that it defeats the object of the parties in making the contract and to establish a short period of time to resolve an aggrieved partys claim often 30 days. This gives the parties time and incentive to address the problem without having to resort to termination.
Critical breaches are material breaches:
i For which OCC knew its behavior would cause a material breach such as a willful violation of Cloud Agreement 45 OCC will continue to perform periodic business continuity and disaster recovery tests to verify business continuity plans and disaster recovery infrastructure will support a two-hour recovery time objective for critical systems.
46 The possible transition of core clearing, risk management, and data management applications either from the CSP back to an on-premises solution or to another CSP is discussed below.
47 The CSP permits an exception to this sufficient notice provision in the event the CSP must terminate the individual service offering if necessary to comply with the law or requests of a government entity or to respond to claims, litigation, or los sic of license rights related to third-party intellectual property rights. In this event, the CSP must provide reasonable notice to OCC of the termination of the individual service offering.

E:FRFM02NON1.SGM

02NON1