U.S. Department of Homeland Security Standards Adoption

Ten years ago, the National Technology Transfer and Advancement Act (NTTAA), Public Law 104-113, was signed into law, and implemented using Office of Management and Budget (OMB) Circular A-119, “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities.” NTTAA requires all federal agencies and departments to use technical standards, unless their use is impractical or inconsistent with law. NTTAA is the basis for Department of Homeland Security (DHS) adoption of Non-Government Standards (NGS).

The Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) examined DHS standards adoption and its meaning for the nation’s Emergency Services Sector (ESS). The standards adoption and maintenance program is managed by the DHS Test & Evaluation and Standards Division of the Science and Technology Directorate.

DHS has so far adopted at least 35 responder-relevant standards that pertain to personal protective gear, radiation and nuclear detection equipment, incident management, and biometrics, developed by organizations such as the National Fire Protection Association (NFPA), Institute of Electrical and Electronics Engineers (IEEE), and the National Institute of Occupational Safety and Health (NIOSH). Adopted most recently were NFPA 472, “Standard for Competence of Responders to Hazardous Materials/Weapons of Mass Destruction Incidents,” and NFPA 473, “Standard for Competencies of EMS Personnel Responding to Hazardous Materials/Weapons of Mass Destruction Incidents,” that set minimum requirements for responders to incidents that involve hazardous materials and weapons of mass destruction (WMD).

When DHS formally adopts an NGS, it is designated a “DHS National Standard.” Its use is not mandatory, but strongly encouraged. Once adopted, DHS National Standards boost limited federal resources by increasing DHS access to subject matter experts, thus enabling resources that would be devoted to internal standards development to be applied to other critical areas. For responder personnel and other homeland security professionals, DHS National Standards offer best practices that support national initiatives (e.g., the National Incident Management System (NIMS) and the National Preparedness Goal) that enable implementing a preparedness and response system that includes a common language and standard operating procedures. By identifying minimum performance and describing best practices, DHS National Standards bolster interoperability of products and practices, as well as interchangeability, durability, flexibility, portability, dependability, survivability, sustainability, scalability, and maintainability of homeland security products and services. For additional information about ESS-related DHS National Standards, visit http://www.dhs.gov/xfrstresp/standards/editorial_0420.shtm.

"DHS designates NFPA codes and standards development process as “Qualified Anti-Terrorism Technology”

October 21, 2008 – On September 17, 2008, the U.S. Department of Homeland Security (DHS) designated the National Fire Protection Association (NFPA) codes and standards development process as a “Qualified Anti-Terrorism Technology” (QATT) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act). NFPA is the first standards development organization to receive this designation. Under provisions of the SAFETY Act, NFPA’s codes and standards development process was also certified as an “Approved Product for Homeland Security.”

According to DHS, the SAFETY Act encourages the development and deployment of new and innovative anti-terrorism products and services by providing liability protections. Designation as a QATT and certification as an approved product for homeland security under the SAFETY Act provides legal protections for the NFPA codes and standards development process as applied to anti-terrorism.

“NFPA is pleased to have its codes and standards development process recognized as an effective anti-terrorism technology which reflects the openness, balance and fairness NFPA strives to achieve in its voluntary codes and standards development process,” said NFPA President James M. Shannon.

Federal protections under the DHS Designation and Certification are retroactive and recognize NFPA’s technology’s “first date of sale” as September 11, 2001.

Shannon added, “The commitment and involvement of NFPA in anti-terrorism standards predates the events of 9/11. NFPA has long been committed to making its codes and standards development process available for the creation and continual improvement of standards used to protect first responders and the public in terrorist events. We believe we have a world-class system which attracts numerous experts from diverse fields to develop codes and standards that mitigate the effects of terrorism on people and property.”

All NFPA safety codes and standards are developed through a process accredited by the American National Standards Institute (ANSI). The more than 250 technical committees responsible for developing and updating all 300 codes and standards include approximately 4,000 volunteers, representing enforcing authorities, installers and maintainers, labor, research and testing laboratories, insurers, special experts, consumers and other users."

Title IX of Public Law 110-53: Updated Resource Links and Presentations

I have updated the Resources page within the Preparedness, LLC website to include links to the text of Public Law 110-53,"Implementing Recommendations of the 9/11 Commission Act of 2007," the text of Title IX of the law, DHS/FEMA resources, and a link to ANAB. ANAB is the organization that will develop program guidelines for the "certifying bodies" that will actually evaluate and accredit the private sector preparedness programs.

In addition, you can view PDF copies of presentations to the Securities Industry and Financial Markets Association and the NorthEast Disaster Recovery Information X-Change, which provide background on Title IX of PL 110-53 and NFPA 1600, which is one of the standards that may be used as criteria for evaluation of private sector preparedness programs.

Voluntary Private Sector Preparedness Accreditation & Certification Program

Title IX of Public Law 110-53 (“Implementing Recommendations of the 9/11 Commission Act of 2007”) requires the U.S. Department of Homeland Security (DHS) to develop a voluntary private sector preparedness accreditation and certification program. DHS was charged with tasks to establish the program including:

• Designate one or more organizations to act as an accrediting body
• Designate one or more standards for assessing private sector preparedness
• Provide information and promote the business case for voluntary compliance with preparedness standards

Since the law was passed in August 2007, DHS has designated FEMA Administrator Paulison to administer the program and chair the Private Sector Preparedness Council. The council includes leadership from the Science & Technology Directorate, Office of Infrastructure Protection, and the Private Sector Office.

DHS has signed an agreement with the ANSI-ASQ National Accreditation Board (ANAB) to develop and oversee the certification process, manage the accreditation, and accredit qualified third parties to carry out the certification in accordance with the accepted procedures of the program.

ANAB has organized its “Committee of Experts” to advise ANAB on the qualifications of the “Certifying Bodies” that will accredit qualified third parties. Don Schmidt, CEO of Preparedness, LLC and Chair of the NFPA 1600 Technical Committee, is a member of the ANAB Committee of Experts along with representatives from other standards developers and private sector industry representatives.

DHS has not yet formally designated any standards for assessing private sector preparedness under this law, although DHS’ Science & Technology Directorate has adopted NFPA 1600. At the October ANSI Homeland Security Standards Panel plenary meeting in Washington, officials stated they are not picking a “winner” and that all reasonable standards will be included. DHS, however, has privately informed ANAB to begin work using NFPA 1600.

DHS has also published an initial draft of their “target criteria,” which will be used to select standards for assessing private sector preparedness. The “target criteria” for selecting standards includes:

• A scope and/or policy statement.
• Identification and conformity with applicable legal, statutory, regulatory and other requirements.
• Objectives and strategies.
• Hazard and threat identification, risk assessment, vulnerability analysis, and impact analysis.
• Incident management, strategy, tactics, operational plans and procedures.
• Communications and warning.
• Training.
• Resources management and/or logistics.
• Assessments, audits and/or evaluation of programs.
• Program revision and process improvement including corrective actions.

These “target criteria” align almost exactly to the elements within NFPA 1600. Accordingly, we will discuss each of these criteria within upcoming newsletters.

Although this program is voluntary, businesses are watching closely. Whether they choose to seek certification or not, business leaders are evaluating their preparedness program. In the end, that’s what it’s all about—protecting employees, property, business operations, the environment, and the business entity itself.

Canadian Standards Association unveils new emergency management and business continuity standard

Toronto, October 8, 2008, Canadian Standards Association - "More than 40 per cent of Canadians say the company where they work does not have an emergency plan in place according to a recent study[1]. Canadian Standards Association (CSA), a leading developer of standards and codes, today officially announced a new emergency management and business continuity programs standard, CSA Z1600, which is designed for private and public organizations of all sizes to use if disaster strikes. This new standard is based on the National Fire Protection Association (NFPA) 1600 Disaster/Emergency Management and Business Continuity Programs standard."

As chair of the NFPA 1600 technical committee, I am excited and pleased to see the release of CSA's Z1600 standard. I know that members of the CSA technical committee have worked very hard to produce this standard for Canada. Congratulations to all of them on their accomplishment.

Z1600 is an adaptation of NFPA 1600, which in its 4th edition, is the most widely used emergency management and business continuity standard in the United States. NFPA 1600 is also used in many countries around the globe. The CSA technical committee's work is impressive, and the NFPA 1600 technical committee has taken a liking to the ordering of Z1600. In fact, at the NFPA 1600 "Report on Proposals" meeting in August, the NFPA 1600 technical committee voted to reorder the elements within NFPA 1600 similar to the new ordering of Z1600. The CSA committee builds on the work of the NFPA technical committee, and the NFPA technical committee returns the favor. This is truly a relationship that is productive for both the United States and Canada and a model of how standards organizations can work together to produce quality standards for both private and public sectors.

I will be providing some updates on NFPA 1600 in the coming months as NFPA publishes the official "Report on Proposals" draft of the 2010 edition of NFPA 1600. The ROP draft will incorporate many changes to 2007 edition. I will also provide a link, so that readers can download the ROP draft and provide their comments for the technical committee's action. If you want more information on NFPA 1600 and the handbook written by technical committee members including yours truly, please check out this link.

1 Leger Marketing conducted an online survey among 1,088 working Canadians aged 18+ on their opinions of major disasters in their community. The margin of error for a sample of this size is +/- 3.0%, 19 times out of 20.

Fire Prevention Week, October 5-11

October 5-11 is Fire Prevention Week, an annual campaign focused on fire safety and promoted by the National Fire Protection Association. Did you know that fire departments responded to nearly 400,000 home fires in 2006? That's why this year's theme is titled "Prevent Home Fires." I strongly encourage you to educate your family about fire safety. Practice EDITH (exit drills in the home.) Make sure everyone knows to get out and stay out if there is a fire in the home. Make sure everyone knows where to meet, so everyone can be accounted for. Conduct a fire inspection in your home to identify hazards--before they can ignite a fire. Make sure your smoke detectors are working properly and that extinguisher, too. As a long time member of NFPA, I can attest to the conviction, expertise, and professionalism of the NFPA staff. I urge you to take their advice to heart. For more helpful information and educational tools, check out the following on the NFPA Fire Prevention Week website:

• Read our blog
• New survey looks at heating costs, fire risk
• Send a Sparky® e-card to friends
• Interactive learning stations for your open house.
• The Great American Fire Drill
• Online safety quiz.
• Free Scholastic materials
• View three new Dan Doofus FPW videos
• Home inspection checklist

"Reproduced from NFPA's Fire Prevention Week Web site, www.firepreventionweek.org. ©2008 NFPA."

Protecting the Education Infrastructure

As reported in the Emergency Management and Response Information Sharing and Analysis Center (EMR-ISAC) INFOGRAM 37-08, September 25, 2008: "Much effort has been expended to protect the nation’s critical infrastructures, including those of the Emergency Services Sector (ESS). However, Department of Education officials concede that educational institutions are not specifically identified as among America’s critical infrastructure sectors or key resources, which potentially makes soft targets of schools, colleges, and universities. Experts say learning facilities are vulnerable to terrorism, because of the high consequence of an attack against children. The Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) gleaned from various case studies that the threat to schools may not be detected or prevented by physical security measures alone. Therefore, the EMR-ISAC suggests that ESS leaders can offer encouragement and assistance to educational centers as they conduct emergency planning and develop crisis action plans. For example, it is important that a school’s emergency plans are effectively integrated with the emergency response plans of the community in which the teaching establishment resides. Case studies further indicate that municipal authorities and their ESS leaders consider the following activities to improve the overall security of the local education infrastructure:

• Deliver “all-hazards” awareness training for school administrators, staff, and students.
• Train school administrators and staff regarding emergency actions.
• Review and validate all school emergency response, crisis management, and communications plans.
• Conduct drills and exercises to test and refine emergency response and crisis management plans.
• Provide primary and secondary interoperable communications systems for each school.
• Implement and test plans to maintain reliable contact with schools and school buses.
• Arrange for a “closed-campus” environment with a single point of access for all personnel.
• Increase police presence on school grounds by ensuring frequent visits as part of patrol routes.

There are national standards, including NFPA 1600, that address the essential elements of emergency management program. In addition, a new school preparedness standard is being developed in conjunction with the U.S. Department of Education. I am principal author of that new standard, and I will provide updated information on the standard when it can be released to the public.

If you are interesting in learning more about school emergency preparedness, check out the resource links at http://www.preparednessllc.com/resources/resources.html.

October is National Cyber Security Awareness Month

For the fifth year, the U.S. Department of Homeland Security’s National Cyber Security Division (NCSD) is spearheading National Cyber Security Awareness Month, a comprehensive outreach campaign to empower all Americans and businesses to take steps to secure their part of cyberspace. During the month of October, events will take place across the country to raise awareness of the growing need to protect the Nation’s critical infrastructures and key resources from cyber threats and vulnerabilities.The NCSD is partnering with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, along with other government agencies and the private sector. The month's activities include press and media events, educational workshops, state cyber exercises, and lectures hosted by public and private partners, proclamations by state governors, and other stakeholder outreach activities. Here are 10 actions you can take to improve cyber security in your organization:

1. Use strong passwords at work and at home. Update your password frequently and encourage others to do the same.
2. Make sure that your anti-virus software and firewalls are up-to-date. New threats are discovered everyday and keeping your software and firewalls updated is one of the easiest ways to protect yourself from an attack. Set your computer to automatically update for you.
3. Hold an event at your facility designed to increase cyber security education and awareness. Download EDUCAUSE’s cyber resource kit online at http://www.educause.edu/7479.
4. Reach out to people that you know – your children, co-workers, friends – about good online safety and security habits, including protecting their personal information and their reputation. For more information and tips go to http://www.staysafeonline.org/ and http://www.us-cert.gov/.
5. Print cyber security posters from http://www.onguardonline.gov%20/ and post them in workrooms, hallways, bathrooms and other employee gathering places. Print and post cyber security tips near your computer at home and at work. Review them with your colleagues, employees and family members.
6. Create a separate section for cyber security tips on your organization’s web site. Download online buttons and banners about phishing, identity theft, file-sharing, and other cyber security topics at http://www.msisac.org/ or http://www.onguardonline.gov/ and place on your organization’s home page.
7. Use regular communications – newsletters, email alerts, websites, etc. – as an opportunity to promote your commitment to cyber security. Some newsletter topics to consider include: updating software processes; protecting personal identifiable information; and securing your wireless network.
8. Subscribe to the National Cyber Alert System from the US Computer Emergency Readiness Team at http://www.blogger.com/www.us-cert.gov. Through the Alert System, you can receive timely information about current cyber security problems to protect home and office computers. This information includes weekly bulletins with summaries of new vulnerabilities, patch information when available, and tips on common security topics, such as privacy, email spam, and wireless protection.
9. Back up important files. If you have important files stored on your computer, back them up to removal media, to a server, and best yet to an online backup service. Secure your backup media to prevent unauthorized access and store the media in a location where it will not be damaged from a hazard that affects your computer (what if your place of business was destroyed by fire?)
10. Ask IT security specialists at your workplace to report any potential cyber incident, threat, or attack to the United States Computer Emergency Readiness Team (USCERT) at 1-888-282-0870 or US-CERT.gov.

These links along with dozens of others that related to risk assessment, hazard prevention, risk mitigation, emergency response, and business contininuity have been added to the growing "Resources" page of the Preparedness, LLC website.

Parents May Not Heed Evacuation Orders

An interesting survey was published by the National Center for Disaster Preparedness at Columbia University's Mailman School of Public Health. The 2008 American Preparedness Project: Why Parents May Not Heed Evacuation Orders & What Emergency Planners, Families and Schools Need to Know

"2008 survey data illustrate that in the event of an order to evacuate parents say they are overwhelmingly likely to disregard existing community emergency plans and instead attempt to pick up their children directly from school or day care instead of evacuating separately. Were this to occur in the immediate aftermath of a sudden disaster, chaos would ensue and public safety would be jeopardized."

The studies authors made several important recommendations for schools:

• All schools should have "well thought out" emergency plans coordinated with local emergency officials.
• Parents need to be aware of school emergency plans and what they should do.

I have worked with numerous school systems over the past 10 years, and here are some specific recommendations:

• Schools should conduct a detailed risk assessment to identify hazards that could injure students, teachers, staff, and others as well as damage property or interrupt school activities. The risk assessment should lead to the develop of strategies to prevent hazards or mitigate hazards that can't be prevented. The strategy should be endorsed by the superintendent, school committee, and others who need to provide funding.
• Schools should have plans at the Superintendent or district level to manage the overall incident including communications with the community.
• Schools should have organized emergency response teams and procedures to respond effectively to the different types of emergencies that may occur. Types of emergencies include the ones we all think of (e.g., fire, medical, act of violence, etc.) Plans should also address regional or community-wide emergencies (e.g., earthquake, act of terrorism, etc.) that are not as probable, but would put the school in the position of having to fend for itself for the initial minutes or hours.
• Plans must include detailed procedures for evacuation, shelter-in-place, lockdown, and student/family reunification. These plans must be coordinated with public agencies including fire, law enforcement, and emergency medical services.
• All members of school emergency response teams must be trained so they understand and can fulfill their responsibilities as defined in the plan.
• Drills (evacuation, shelter-in-place, and lockdown) and exercises (tabletop, functional, and full-scale) should be conducted to familiarize everyone with emergency procedures and identify any gaps in plans, procedures, resources, or the capability of those who have to carry out the plans.
• Every teacher should be trained in basic emergency procedures and every classroom should be equipped with a concise list of emergency procedures.
• Parents need to be informed through outreach by administrators, PTO, websites, flyers sent home, and by their own sons and daughters who actively get them involved.

A national standard on school emergency preparedness is being written under the auspices of ASTM International, one of the national standards developers. I am one of the members of the committee writing the standard and we expect to present our preliminary draft to the U.S. Department of Education in November.

If you would like more information on Preparedness, LLC's services to public schools, click here.

If you would like to see an example of a school emergency preparedness website, click here.

References & Resources: Links to Helpful Information

I recently updated the "Resources" within the Preparedness, LLC website. It includes more than five printable pages of references and resources for risk assessment, prevention and mitigation, emergency planning, business continuity, training, and more. There are links for laws and regulations, codes and standards, government agencies, nonprofit/professional organizations, and more. There are also many links to excellent, peer reviewed technical documents that open in HTML or PDF format from their hosted websites. It will always be a work in progress, but I will do my best to keep it updated. If you have suggestions for additons to the page, please let me know.

Copycat White Powder Mailings

From the Emergency Management and Response Information Sharing and Analysis Center, INFOGRAM 35-08 September 11, 2008:

“Various State Fusion Centers and news sources recently reported about the rash of copy cat mailings throughout the nation containing white powder. The letters and packages have been sent to well known political figures and local government offices as well as to the homes and work sites of individuals not involved in public life. Upon reviewing these reports, the Emergency EMR-ISAC learned that to date none of the mailings were determined to be dangerous by responding hazardous materials teams."

Do you remember what happened in October 2001 when Senator Daschle, Tom Brokaw, an innocent grandmother in Fairfield County Connecticut, and others received anthrax laden mail? Thankfully these cases have been hoaxes, but are you prepared if someone reports receiving a suspicious envelope or package. CDC and GSA have some good information to help with planning. The guidance needs to be integrated into an emergency management program that includes people organized and trained to respond.

7th Anniversary of September 11, Remembering Lars, Harry, Sal, and so many others

Today is September 11, 2008. It’s been seven years since that fateful day.

On September 11, 2001 I lost many good friends and colleagues. We all lost many fine citizens who just went to work that day. We also lost many of New York’s Bravest (FDNY), New York’s Finest (NYPD and PAPD), soldiers in the Pentagon, and those on the doomed aircraft. It’s a day none of us will ever forget.

On September 10, 2001 I was in Midtown Manhattan speaking at a seminar on emergency response and business continuity. The seminar was to be held in the World Trade Center on September 11, but it had to be moved to the Harvard Club and rescheduled because of the number of people who registered. Thank you to all who registered.

On the morning of September 11, 2001, I was speaking on the same subject, but this time it was in Boston’s Back Bay—at the Bull & Finch Pub of Cheers fame. Around 8:46 AM, I was asking the audience to picture themselves on the upper floor of a high rise building when the fire alarm sounds and they see smoke in the corridor. That was the situation faced by one of my clients when a multiple alarm fire in the Prudential Center ignited below them. That was back in January 1986. My client and everyone else in the Prudential Center evacuated safely—due to the heroic efforts of the Boston Fire Department—there were no automatic fire sprinklers at that time [there are now.]

On September 11, 2001 my friends, colleagues, and many fine Americans were not able evacuate safely. Their evacuation paths were cutoff…

I still see their faces when I pass people on the street. I can picture their faces in my mind and hear their voices in my head. I miss you guys—Lars, Harry, Sal, and too many others.

In the aftermath of 9/11, I had the opportunity to meet with staff of the 9/11 Commission—on the eve of the second anniversary of the attacks. I got to look at Ground Zero and remember everyone who was lost. In our discussion with the 9/11 Commission staff, we talked about preparedness. Emily Walker, the lead staffer from the Commission, relayed her painful discussions with family members of those who were lost that fateful day. She knew something more needed to be done. To condense months into a sentence, the 9/11 Commission embraced a recommendation for enhancing private sector preparedness. That recommendation has been echoed in multiple Federal laws and most recently in Title IX of Public Law 110-53. Let’s be better prepared. We owe it to Lars, Harry, Sal, and so many others.

Work Begins on European Disaster Preparedness Standard

The list of disaster preparedness standards is growing longer:

"The Brussels Management Centre of CEN, the European Committee for Standardization, is the site of two meetings today that will lead to creation of a new standard for protecting the populace against natural disasters and terrorist acts. CEN, which develops voluntary standards, was asked by the European Community to address this issue, and it formed CEN BT/WG 161, "Protection and Security of the Citizen," to accomplish the task."

In the United States we have NFPA 1600, and in Canada Z1600 (the Canadian standard based on NFPA 1600). ISO published ISO PAS (Publicly Available Specification) 22399 "Societal Security" late last year, and now this new project originates in Europe.

September is National Preparedness Month

September is National Preparedness Month, and I provide some information from the Ready Business Fact Sheet. A national survey of businesses with 2-999 employees conducted by The Ad Council in December 2007 found:

• 38 percent said their company has an emergency plan in place in the event of a disaster
• 59 percent assessed their own business as “very” or “somewhat” prepared in the event of a disaster
• 55 percent of businesses surveyed said that they had taken either significant or small steps to improve emergency preparedness in the past year
• The surveyed businesses said that the most important threats for them to address are fires followed by cyber attacks and then hurricanes, winter storms, tornadoes and terrorist attacks.

It's good to see that work is being done even in these days of a challenging economy, but every workplace needs to have a basic emergency plan in place. The Occupational Safety and Health Administration (OSHA) requires emergency action plans for companies with 10 or more employees. Fire and life safety codes also require emergency plans.

It's good to see that businesses are focusing on natural hazards. With tropical storm Fay, Hurricane Gustav, and possibly Hurricane Ike, the dangers of tropical cyclones are clearly evident. With the 7th anniversary of 9/11 approaching, it's good to see that people haven't forgotten that terrorism is still a threat. The reality is, however, that there are dozens and dozens of hazards that can impact businesses today. We'll take a look at hazards—natural, human-caused, and technological—and risk assessment in the coming days and week.