[Federal Register Volume 73, Number 248 (Wednesday, December 24, 2008)]
[Notices]
[Pages 79140-79148]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-30685]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency
[Docket ID FEMA-2008-0017]
Voluntary Private Sector Accreditation and Certification
Preparedness Program
AGENCY: Federal Emergency Management Agency, DHS.
ACTION: Notice; request for recommendations.
-----------------------------------------------------------------------
SUMMARY: In the ``Implementing the Recommendations of the 9/11
Commission Act of 2007'' (the 9/11 Act), Congress authorized the
Department of Homeland Security (DHS) to establish a voluntary private
sector preparedness accreditation and certification program. This
program, now known as ``PS-Prep,'' will assess whether a private sector
entity complies with one or more voluntary preparedness standards
adopted by DHS, through a system of accreditation and certification set
up by DHS in close coordination with the private sector.
PS-Prep will raise the level of private sector preparedness through
a number of means, including (i) Establishing a system for DHS to adopt
private sector preparedness standards; (ii) encouraging creation of
those standards; (iii) developing a method for a private sector entity
to obtain a certification of conformity with a particular DHS-adopted
private sector standard, and encouraging such certification; and (iv)
making preparedness standards adopted by DHS more widely available.
This Notice discusses essential elements of the program, describes
the consultation that has taken place and will take place with the
private sector, and seeks additional recommendations in a number of
areas, including the private sector preparedness standards that DHS
should adopt, both initially and over time.
DATES: Comment period: Anyone may submit comments on this guidance at
any time, and comments will be considered as they are received. We
would appreciate any recommendations for adoption of currently-existing
private sector preparedness standards by January 23, 2009, though, as
made clear below, we will accept submissions of private sector
preparedness standards for adoption as well as comments on this notice
at any time.
Public Meetings: DHS intends to hold two public meetings in
Washington, DC to provide a forum for public comment on the subject of
private sector preparedness standards, one in January and another in
February, 2009. Meeting details and registration information will be
published in the Federal Register and posted at http://www.fema.gov/privatesectorpreparedness.
ADDRESSES: You may submit comments, identified by Docket ID FEMA-2008-
0017, by one of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov. Follow the
instructions for submitting comments. (All government requests for
comments--even if, as in this case, they are not for regulatory
purposes--are sent to this portal.)
E-mail: [email protected]. Include Docket ID FEMA-2008-0017 in
the subject line of the message.
Fax: 866-466-5370.
Mail/Hand Delivery/Courier: Office of Chief Counsel, Federal
Emergency Management Agency, 500 C Street, SW., Room 845, Washington,
DC 20472.
Instructions: All submissions received must include the agency name
and docket number (if available). Regardless of the method used for
submitting comments or material, all submissions will be posted,
without change, to the Federal eRulemaking Portal at http://www.regulations.gov, and will include any personal information you
provide. Therefore, submitting this information makes it public. You
may wish to read the Privacy Act notice that is available on the
Privacy and Use Notice link on the Administration Navigation Bar of
http://www.regulations.gov.
Docket: For access to the docket to read background documents or
comments received, go to the Federal eRulemaking Portal at http://www.regulations.gov. Submitted comments may also be inspected at FEMA,
Office of Chief Counsel, 500 C Street, SW., Room 840, Washington, DC
20472.
FOR FURTHER INFORMATION CONTACT: Mr. Don Grant, Incident Management
Systems Director, National Preparedness Directorate, FEMA, 500 C Street
SW., Washington, DC 20472. Phone: (202) 646-8243 or e-mail:
[email protected].
SUPPLEMENTARY INFORMATION: This supplementary information section is
organized as follows:
Table of Contents
I. Background
A. Preparedness in the Wake of 9/11
B. Purpose and Structure of the Program
II. Establishment of PS-Prep
A. Statutory Authorization
B. The Designated Officer
C. The PS-Prep Coordinating Council (PSPCC)
D. Coordination with the Private Sector and Other Non-DHS
Entities
III. DHS's Adoption of Voluntary Preparedness Standards
A. Call for Recommendations
B. Principles for Standards Adoption
C. Elements to be Considered for DHS Adoption of a Standard
IV. Accreditation
A. The Selected Entity
B. Procedures and Requirements for the Accreditation Process
C. Review of Certifiers
V. Certification of Qualified Private Sector Entities
VI. Small Business Concerns
VII. Other Relevant Issues
A. SAFETY Act
B. Access to Sensitive Information
C. Availability of Standards
VIII. Public Listing of Certified Private Sector Entities
IX. Ongoing and Regular Activities of the PS-Prep Coordinating
Council
X. Next Steps
XI. Draft List of Possible Elements to Consider in Standards
Development (Target Criteria)
I. Background
A. Preparedness in the Wake of 9/11
Private-sector preparedness is not a luxury; it is a cost of
doing business in the post- 9/11 world. It is ignored at a
tremendous potential cost in lives, money, and national security.
This conclusion was reached by the National Commission on Terrorist
Attacks Upon the United States--the 9/11 Commission--in making a
specific finding about private sector preparedness. During the course
of its inquiry, the Commission found that the private sector was not
prepared for the aftermath of the 9/11 attacks, and that, despite 9/11,
the private sector remained largely unprepared at the time of its final
report. The 9/11 Commission Report: Final Report of the National
Commission on Terrorist Attacks Upon the United States at 398 (2004)
(9/11 Commission Report). The 9/11 Commission's central recommendation
in this area was that the Department of Homeland Security (DHS) promote
private sector preparedness standards that establish a common set of
criteria and terminology for preparedness, disaster management,
emergency
[[Page 79141]]
management, and business continuity programs.\1\ This recommendation
was the genesis of the Voluntary Private Sector Preparedness
Accreditation and Certification (PS-Prep) program.
---------------------------------------------------------------------------
\1\ The Commission specifically advocated that DHS promote a
specific standard: The American National Standards Institute's
(ANSI) standard for private preparedness. That standard is discussed
below. The Commission also recommended that conformity with that
standard define the standard of care owed by a company and its
employees for legal purposes, and that insurance and credit-rating
services look closely at a company's conformity with the ANSI
standard in assessing its insurability and creditworthiness.
---------------------------------------------------------------------------
It is well known that approximately 85% of that infrastructure
which we consider to be ``critical'' is owned and operated by the
private sector. Critical infrastructure and key resources, or CIKR,
comprises systems and assets, whether physical or virtual, so vital to
the United States that their incapacitation or destruction would have a
debilitating impact on national security, national economic security,
public health or safety, or any combination of those matters. Terrorist
attacks on our CIKR as well as other manmade or natural disasters could
significantly disrupt the functioning of government and business alike,
and produce cascading effects far beyond the affected CIKR and physical
location of the incident.
Since one of DHS's core functions is encouraging preparedness and
protection of critical infrastructure, Congress gave DHS a range of
specialized tools to carry out its private sector mission. Two of the
most prominent of these tools are authorized in the Homeland Security
Act: the Supporting Anti-terrorism by Fostering Effective Technologies
Act of 2002 (the SAFETY Act),\2\ implemented through the department's
SAFETY Act program (6 CFR Part 25), and the Critical Infrastructure
Information Act of 2002, implemented through the department's Protected
Critical Infrastructure Information, or PCII, program (6 CFR Part 29).
The SAFETY Act authorizes certain liability mitigation measures for
providers of qualified anti-terrorism technologies, if those
technologies are alleged to have failed in the course of a terrorist
attack. The PCII program allows entities to create assessments of the
security of their critical infrastructure and share such assessments
with DHS without the risk that such information, once shared, can be
used against it in court or be publicly disclosed.
---------------------------------------------------------------------------
\2\ Subtitle G of Title VIII of the Homeland Security Act of
2002, Public Law 107-296 (Nov. 25, 2002); 6 U.S.C. 441-444.
---------------------------------------------------------------------------
In the 9/11 Act, Congress authorized another tool for DHS to work
with the private sector--PS-Prep--through which private sector entities
can obtain certification of conformity with one or more voluntary
preparedness standards adopted by DHS. Each of these programs has a
common thread: that it is not DHS that will regulate preparedness or
security in most corners of the private sector, but it is the private
sector itself--with tools provided in part by DHS--that should take on
that responsibility. In creating these programs, Congress recognized
that achieving preparedness in the private sector is often more quickly
and efficiently accomplished through incentives and certification
processes made available to the to the private sector--since the
private sector has greater resources and is generally more nimble than
the Federal government--than through Federal regulatory mandates. PS-
Prep will work with these other programs to leverage the powerful
private sector tools DHS has been authorized to use.
B. Purpose and Structure of the Program
Simply stated, the purpose of PS-Prep is to widely encourage
private sector preparedness. The program will do so by providing a
mechanism for a private sector entity--a company, facility, not-for-
profit corporation, hospital, stadium, university, etc.--to receive a
certification from an accredited third party that it is in conformity
with one or more private sector preparedness standards adopted by DHS.
Seeking certification will be completely voluntary: no private
sector entity is required by DHS to seek or obtain a PS-Prep
certification. For the reasons cited by the 9/11 Commission and
discussed throughout this notice, however, DHS encourages all private
sector entities to seriously consider seeking certification on
appropriate standards adopted by DHS, once those standards become
available. DHS also encourages private sector entities, including
consensus standard development organizations and others, to develop
preparedness standards that, if appropriate, may be adopted by DHS and
become part of PS-Prep.
In order to accomplish its purpose, PS-Prep has three separate but
interrelated components: adoption, accreditation, and certification.
``Adoption'' is DHS's selection of appropriate private
sector preparedness standards for the program. Given DHS's goal of
broadly encouraging private sector preparedness, we have developed a
process, described below, that allows a wide variety of standards to be
considered and adopted.
``Accreditation'' is a process managed by a DHS-selected
non-governmental entity to confirm that a third party is qualified to
certify that a private sector entity complies with a preparedness
standard adopted by DHS. Third parties are ``accredited'' to provide
certifications, and may be accredited on one, some, or all of the DHS-
adopted standards.
``Certification'' is the process by which an accredited
third party determines that a private sector entity is, in fact, in
conformity with one of the private sector preparedness standards
adopted by DHS.
II. Establishment of PS-Prep
A. Statutory Authorization
President George W. Bush signed the 9/11 Act into law on August 3,
2007. Section 901 of the 9/11 Act adds a new section 524 to the
Homeland Security Act, codified at 6 U.S.C.321m, which requires the
Secretary of Homeland Security to, among other things:
develop and promote a program to certify the preparedness of
private sector entities that voluntarily choose to seek
certification under the program; and implement the program through
an[] entity * * * which shall accredit third parties to carry out
the certification process under this section.
This program is the PS-Prep program described in this notice.
B. The Designated Officer
In establishing and implementing the PS-Prep program, the Secretary
of Homeland Security acts through a designated officer, who may be one
of the following departmental officials: (i) The Administrator of the
Federal Emergency Management Agency (FEMA); (ii) the Assistant
Secretary for Infrastructure Protection; or (iii) the Under Secretary
for Science and Technology. 6 U.S.C. 321m(a)(2). On August 31, 2007,
the Secretary named the Administrator of FEMA as the designated
officer.
C. The PS-Prep Coordinating Council
The designated officer is statutorily required to coordinate with
the two other departmental officials named above--the Assistant
Secretary for Infrastructure Protection and the Under Secretary for
Science and Technology--as well as with the Special Assistant to the
Secretary (now Assistant Secretary) for the Private Sector, in carrying
out the program. 6 U.S.C. 321m(a)(3). This coordination takes place
through the PS-Prep Coordinating Council (the PSPCC), which is
described below. Other permanent members of the PSPCC include the DHS
General Counsel and
[[Page 79142]]
the Assistant Secretary for Policy. The PSPCC will, in consultation
with the private sector, adopt the preparedness standards to be
certified through PS-Prep as described in this notice.
D. Coordination With the Private Sector and Other Non-DHS Entities
Even before the 9/11 Act became law, DHS encouraged private-sector
owners of critical infrastructure to consider, develop and employ
sector-specific preparedness best practices. DHS did so through
communication with the Sector Coordinating Councils for the now
eighteen critical infrastructure/key resources (CIKR) sectors,
organizations that coordinate or facilitate the development of private
sector preparedness standards, and other private sector parties. The
private sector--which is responsible for roughly 85% of the critical
infrastructure of the nation--has made substantial strides in this
area, and through its and DHS's work, the private sector has become
more prepared for disasters.
Since the 9/11 Act's enactment, DHS has continued this engagement,
focusing specifically on the development and administration of PS-Prep.
Work has already been done with private sector entities and their
representatives, including representatives of organizations that
coordinate the development and use of voluntary consensus standards and
others.
This notice is designed to give all of the entities listed in 6
U.S.C. 321m(b)(1)(B) \3\ (which we refer to as the ``listed
entities''), as well as those who may seek to obtain voluntary
certification, those who may seek to perform as certifying bodies,
those who plan to develop private sector preparedness standards
(including, for example, industry groups assembled for the purpose of
developing such standards), and the public in general, additional
opportunities to inform and consult with the designated officer on
elements of PS-Prep. Anyone may submit comments on this guidance at any
time, and comments will be considered as they are received. We would,
however, appreciate any recommendations for adoption of currently-
existing private sector preparedness standards within the next thirty
(30) days, though we will accept submissions of private sector
preparedness standards for adoption at any time.
---------------------------------------------------------------------------
\3\ Those are ``representatives of appropriate organizations
that coordinate or facilitate the development and use of voluntary
consensus standards, appropriate voluntary consensus standards
development organizations, each private sector advisory council
created under section 102(f)(4), appropriate representatives of
State and local governments, including emergency management
officials, and appropriate private sector advisory groups, such as
sector coordinating councils and information sharing and analysis
centers.''
---------------------------------------------------------------------------
III. DHS's Adoption of Voluntary Preparedness Standards
A. Call for Recommendations
In consultation with the listed entities, the designated officer is
to ``adopt one or more appropriate voluntary preparedness standards
that promote preparedness, which may be tailored to address the unique
nature of various sectors within the private sector, as necessary and
appropriate, that shall be used in the accreditation and certification
program under this subsection.'' 6 U.S.C. 321m(b)(2)(B)(i). After
initially adopting one or more standards, the designated officer may
adopt additional standards or modify or discontinue the use of any
adopted standard, as necessary and appropriate to promote preparedness.
6 U.S.C. 321m(b)(2)(B)(ii).
One of the main functions of this notice is to seek recommendations
from the listed entities and the public at large regarding the private
sector preparedness standards that DHS should adopt, both initially and
over time. In order to facilitate those recommendations, we will
discuss in the next sections the principles we plan to use in
selection, and--in a question and answer format--the meaning of
``private sector preparedness standard'' and the elements that DHS will
seek in such a standard.
We would appreciate any recommendations for adoption of currently-
existing private sector preparedness standards within the next thirty
(30) days, though we will accept submissions of private sector
preparedness standards for adoption at any time. We note that the
designated officer will consider adoption of the American National
Standards Institute (ANSI) National Fire Protection Association (NFPA)
1600 Standard on Disaster/Emergency Management and Business Continuity
Programs (ANSI/NFPA 1600)--the standard specifically mentioned in both
the statute and the 9/11 Commission's recommendation--as well as any
other private sector preparedness standards submitted for adoption.
B. Principles for Standards Adoption
The main principle informing DHS's adoption of standards is the
main goal of the program: to widely encourage private sector
preparedness through creation and use of voluntary standards. For this
reason, PS-Prep is designed to maximize the number and type of private
sector preparedness standards that DHS will consider adopting. While
PS-Prep would consider adoption of--and strongly encourages the
development and submission of--standards that contain all of the
statutory elements of a private sector preparedness standard, and that
could be applied generally to all entities in the private sector, PS-
Prep will also consider more limited standards, such as those that
apply to a particular industry or a subset of an industry, or those
that cover a more circumscribed aspect of preparedness, such as
business continuity planning.
A second principle is that the program is to be almost entirely
driven by the private sector. While the designated officer, through the
PSPCC, will adopt appropriate private sector standards, and manage the
accreditation process through a non-governmental third party, the
standards that are adopted are largely the product of private sector
work--whether through voluntary consensus standards organizations, CIKR
Sector Coordinating Councils, or other private sector entities. Private
sector ingenuity is the lifeblood of the program. Understood this way,
PS-Prep is a tool for both DHS and the private sector to give greater
visibility--through a certification--to a private sector entity's
conformity with a standard, and to more widely proliferate the use of
standards in the private sector. It is emphatically not PS-Prep's
purpose to impose a single federal preparedness standard on the private
sector.
That said, the designated officer may modify or discontinue the use
of any adopted standard, as necessary and appropriate to promote
preparedness. Generally, the designated officer's review of adopted
standards will be part of the annual programmatic review, discussed
below.
A third principle--based upon both the scarcity of government
resources and the need and wisdom of DHS using a risk-based approach in
allocating those resources--is that the designated officer will have
discretion to direct the PSPCC's adoption efforts at those private
sector standards that meet needs identified by DHS. In other words, not
all recommended private sector standards--and perhaps even not all
appropriate recommended private sector standards--are guaranteed to be
adopted by DHS.
[[Page 79143]]
C. Elements to be Considered for DHS Adoption of a Standard
Given these principles, below is more specific guidance on
standards that may be recommended to DHS for adoption.
What is a voluntary preparedness standard?
The Homeland Security Act defines a voluntary preparedness standard
as ``a common set of criteria for preparedness, disaster management,
emergency management, and business continuity programs, such as * * *
ANSI/NFPA 1600.'' (6 U.S.C. 101(18)). We discuss our understanding of
this definition below.
Will there be only one standard?
While we cannot predict how many standards DHS will ultimately
adopt, the program is designed to consider and adopt multiple private
sector preparedness standards, and encourage the development of
additional standards, as well as the expansion and evolution of
existing standards. In deciding which standards to adopt, the
designated officer is required to consider standards that have already
been created within the private sector, and to take into account the
unique nature of various sectors within the private sector.
To use an example: if DHS were to adopt a general preparedness
standard like ANSI/NFPA 1600, a facility such as a large shopping mall
could seek certification of its preparedness plans and practices
against that standard under PS-Prep. DHS might also adopt a more
specific private sector preparedness standard covering that sector
(commercial facilities) or subsector (shopping malls), if such a
standard were created and if DHS determined it to be appropriate. In
that case, the facility could seek certification under either standard,
or under both.
PS-Prep will consider several types of voluntary private sector
preparedness standards, and-though describing them before the private
sector creates and proposes such standards would be unduly limiting-
they can be broken down into two major divisions. First, DHS will
consider adoption of standards that contain all of the statutory
elements of a private sector preparedness standard, and that could be
applied generally to all entities in the private sector. DHS will
likely adopt such standards first, to provide the greatest chance for
widespread adoption quickly. Such standards may contain modifications
to take into account particular unique aspects of various industries
and sectors, as well as currently-existing regulatory regimes that
apply to those standards. Second, and importantly, PS-Prep will also
consider more limited standards, such as those that apply to a
particular industry or a subset of an industry, or those that cover a
more circumscribed aspect of preparedness (i.e., an emergency
preparedness standard for hospitals over a certain number of beds).
Will DHS only adopt ``consensus standards''?
Consensus standards, described in the Office of Management and
Budget's Circular A-119, are so named because of the characteristics of
their development process: openness, balance of interest, due process,
an appeals process, and consensus.\4\ We believe that consensus
standards- and the consensus standards process-may yield some of the
most valuable private sector standards for DHS to consider for
adoption. But while the statute requires the designated officer to
consult with ``voluntary consensus standards development
organizations'' in managing the program, DHS is not limited in its
adoption of standards to those developed in this fashion. In order to
promote PS-Prep's goal of maximizing creation and adoption of private
sector preparedness standards, standards developed by industry groups,
non-profit organizations, and others--in addition to those developed by
consensus standards development organizations--will be considered for
adoption.
---------------------------------------------------------------------------
\4\ According to the circular, consensus is defined as general
agreement, but not necessarily unanimity, and includes a process for
attempting to resolve objections by interested parties, as long as
all comments have been fairly considered, each objector is advised
of the disposition of his or her objection(s) and the reasons why,
and the consensus body members are given an opportunity to change
their votes after reviewing the comments.
---------------------------------------------------------------------------
What is the difference between a ``standard'' and a ``plan''?
In discussing PS-Prep, there is sometimes confusion between
``plans'', which describe the preparedness practices and procedures
that a private sector entity has in place, and ``standards'', which
will be considered for adoption under the program. To clarify,
practices and procedures are the things a private sector entity
actually does to further its preparedness, and plans are an entity's
description of what it does generally or what it will do in a
particular situation. A certifiable private sector preparedness
standard, on the other hand, is the yardstick against which a
particular entity's practices, procedures and plans are measured.
Certainly, the boundary between standards and plans is not always
well defined, and the PSPCC will review materials submitted for
adoption to determine that they are, in fact, standards. Generally,
however, PS-Prep will not consider for adoption a private sector
entity's plan for preparedness, business continuity, emergency
management, etc.--only the standards against which such plans and
procedures are measured.
Must there be ``common elements'' in the standards adopted?
Private sector preparedness standards, according to the statutory
definition, contain ``a common set of criteria'' for preparedness,
disaster management, emergency management, and business continuity
programs. We understand this to mean that the standard itself should
have a common set of criteria for the private sector entities certified
under it--not that all private sector standards in the program have the
same criteria. Therefore, the designated officer will entertain
adoption of private sector preparedness standards that cover one or
more of the categories in the definition (i.e., preparedness, disaster
management, emergency management, and business continuity programs),
while also encouraging the development of standards that
comprehensively incorporate disaster management, business management,
and business continuity in a single framework.
Will certification be ``all or nothing''?
Some comments received to date have indicated that there is a
desire for certifications on certain standards to be incremental
(grading on a scale of conformance, for example) rather than absolute--
sometimes called a ``maturity model process improvement approach.''
While certifications will, at least in the initial stages of the
program, determine conformity or non-conformity with a particular
standard, we welcome comments on this approach.
What is an ``appropriate'' standard?
The designated officer must determine that a preparedness standard
is ``appropriate'' prior to adoption. 6 U.S.C. 324m(b)(2)(B)(i). For
these purposes, an ``appropriate'' standard is one that the designated
officer determines promotes private sector preparedness.
Included in this notice is a draft list of possible elements that
can be included in private sector preparedness standards. It is, of
course, not possible to devise uniform criteria that every standard
submitted for adoption should meet--because, among other reasons,
[[Page 79144]]
there may be industry-specific standards proposed, and standards may
seek to address something less than the full range of matters that may
be included in a preparedness standard. Even so, the list of possible
elements included as Section XII below is a good starting point for
parties developing private sector preparedness standards for adoption.
A standard need not contain all of these elements to be appropriate and
therefore be considered for adoption by DHS. Nonetheless, the list is
provided to guide the private sector in developing appropriate
standards, and will be modified as necessary.
IV. Accreditation
A. The Selected Entity
The designated officer is to:
enter into one or more agreements with a highly qualified
nongovernmental entity with experience or expertise in coordinating
and facilitating the development and use of voluntary consensus
standards and in managing or implementing accreditation and
certification programs for voluntary consensus standards, or a
similarly qualified private sector entity, to carry out
accreditations and oversee the certification process under this
subsection.
6 U.S.C. 321m(b)(3)(A)(i). On June 12, 2008, the designated officer
entered into a contract with the ANSI-ASQ National Accreditation Board,
or ANAB, to be the ``selected entity'' under the statute. As the
selected entity, ANAB will develop and oversee the certification
process, manage accreditation, and accredit qualified third parties to
carry out certifications in accordance with the accepted procedures of
the program. ANAB is an internationally recognized national
accreditation organization, is an International Accreditation Forum
(IAF) charter member, and currently is the only IAF-member
accreditation organization for process/management system certifiers
based in the United States.
B. Procedures and Requirements for the Accreditation Process
The designated officer is to develop guidelines for accreditation
and certification processes (6 U.S.C. 321m(b)(2)(A)(ii)), and ANAB is
to manage the accreditation process and oversee the certification in
accordance with those procedures (6 U.S.C. 321m(b)(3)(A)(ii)).
Initially, ANAB will offer accreditation in accordance with an
existing standard: International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC) Standard 17011,
``Conformity assessment--General requirements for accreditation bodies
accrediting conformity assessment bodies.'' This standard establishes
the general requirements for bodies accrediting entities that certify
conformity with private sector standards. They are available at http://www.ansi.org. The designated officer will determine during the course
of the PS-Prep program whether additional guidelines for accreditation
beyond ISO/IEC 17011 are necessary, and DHS welcomes comment on this
issue.
Application to become a certifying entity--known as a
``certifier''--will be voluntary and open to all entities that meet the
qualifications of the PS-Prep program. To determine whether an entity
is qualified to provide certifications, ANAB will consider whether the
entity meets the criteria- and agrees to the conditions--listed in 6
U.S.C.321m(b)(3)(F). These include important agreements about conflicts
of interest.
C. Review of Certifiers
The designated officer and the selected entity shall regularly
review certifiers to determine if they continue to comply with the
program's procedures and requirements. 6 U.S.C. 321m(b)(3)(G). DHS will
require the selected entity to review certifiers on at least an annual
basis. A finding that a certifier is not complying with PS-Prep may
result in the revocation of its accreditation. The designated officer
will, when necessary and appropriate, review the certifications issued
by any entity whose accreditation is revoked.
V. Certification of Qualified Private Sector Entities
Once ANAB accredits entities to provide certifications under the
program, those certifiers will determine whether a private sector
entity is, in fact, in conformity with one of the private sector
preparedness standards adopted by DHS. The designated officer is to
develop guidelines for certification (6 U.S.C. 321m(b)(2)(A)(ii)), and
ANAB is to oversee the certification process in accordance with those
procedures (6 U.S.C. 321m(b)(3)(A)(ii)).
Entities will certify based upon an existing standard: ISO/IEC
Standard 17021, ``Conformity Assessment-Requirements for bodies
providing audit and certification of management systems,'' available at
http://www.ansi.org. After adoption of one or more standards, the
designated officer and ANAB will work together to determine if there
are any additional procedures that a certifier should use.
One important element of certification under any adopted standard
is the following: As provided at 6 U.S.C. 321m(b)(3)(E), PS-Prep
certifiers will, at the request of an entity seeking certification,
consider non-PS Prep certifications. That is, the certifier may
consider whether an already-acquired certification satisfies all or
part of the PS-Prep certification requirement, and, if it does, the
certifier may ``give credit'' for that pre-existing certification. This
will avoid unnecessarily duplicative certification requirements.
VI. Small Business Concerns
Because the certification process may involve expense, and that
expense may cause small businesses to avoid seeking certification, the
statute calls upon the designated officer and the selected entity to
``establish separate classifications and methods of certification for
small business concerns * * *.'' 6 U.S.C. 321m(b)(2)(D). DHS is
considering several lower-cost options aside from third-party
certification for small businesses. One such option is a self-
declaration of conformity: an attestation by the small business that it
has complied with one or more DHS-adopted standards. Another option is
a second-party attestation, which would involve another entity--perhaps
one that uses the small business in its supply chain--attesting that
the small business is in conformity with one or more DHS-adopted
standards. The DHS Ready-Business Program might be the appropriate
portal for these self- and second-party attestations. DHS seeks comment
on self-attestations of conformity, second-party attestations, and the
employment of Ready-Business in this program, as well as any other
proposal for alternatives allowing small business participation in PS-
Prep.
Of course, only entities categorized as ``small business'' would be
eligible to self-declare conformity, or for the other options described
above. To determine which private sector entities are small businesses,
the designated official will use the North American Industrial
Classification System, or NAICS, which establishes a size standard for
various industrial classifications. Additional information about NAICS
is available at the Small Business Administration's Web site, http://www.sba.gov/services/contractingopportunities/sizestandardstopics/index.html.
VII. Other Relevant Issues
A. SAFETY Act
As mentioned above, DHS manages the Supporting Anti-terrorism by
Fostering Effective Technologies Act of 2002 (SAFETY Act) Program. 6
U.S.C. 441-444; 6 CFR Part 25. The SAFETY Act Program is a liability
mitigation
[[Page 79145]]
program intended to foster the development and the deployment of anti-
terrorism technologies by providing certain liability protections to
sellers and downstream purchasers of qualified anti-terrorism
technologies, (QATTs).
While the determination of whether a technology should receive
SAFETY Act protection is fact-specific, it is the case that private-
sector preparedness standards submitted to DHS for adoption into PS-
Prep may be determined to be QATTs. Similarly, the services provided by
certifying entities may be determined to be QATTs as well. In
considering the suitability of a preparedness standard for adoption
under the PS-Prep process, DHS may ask questions similar to those asked
in submission of a SAFETY Act application. Therefore, PS-Prep will seek
to streamline the process for applying for SAFETY Act protection and
PS-Prep's adoption of a private-sector preparedness standard, or
accreditation as a certifying entity.
B. Access to Sensitive Information
Under PS-Prep, certifiers will be subject to confidentiality
restrictions and will agree to use any information made available to
them only for purposes of the certification process. 6 U.S.C.
321m(b)(3)(F)(vi). As mentioned above, DHS has a tool--the PCII
Program--that may be useful in maintaining the confidentiality of
sensitive information in the PS-Prep certification process. If any
information that would be helpful to certifiers is Protected Critical
Infrastructure Information as defined in 6 CFR Part 29--and if the
private-sector entity seeking certification so requests--such
information may be shared with the certifier while maintaining the
protections of the PCII program. DHS will determine whether additional
procedures are necessary for the use of PCII in the PS-Prep program.
C. Availability of Standards
We believe that the goal of encouraging creation and use of
voluntary standards is best promoted if-once a standard is adopted into
PS-Prep-it is made public, including through posting on the PS-Prep Web
site. DHS welcomes comment on the proposed public availability of PS-
Prep standards.
VIII. Public Listing of Certified Private Sector Entities
PS-Prep will maintain a publicly available list of private sector
entities that have been certified as complying with one or more PS-Prep
standards, and all certified entities that consent will be listed. This
list will be posted on the PS-Prep Web site. This public listing will
be of assistance to third parties-such as a business that has (or is
planning to have) the certified entity in its supply chain-that need to
know whether the entity has certain preparedness plans and procedures
in place. Businesses that today must audit such entities- and in doing
so incur the cost in time and labor of site visits, document review,
and the like-may choose to rely on the public listing of PS-Prep
certifications. Using PS-Prep in that fashion may reduce the costs
associated with determining whether an entity has complied with a
standard.
IX. Ongoing and Regular Activities of the PS-Prep Coordinating Council
The PSPCC is PS-Prep's decision-making body. It will, on an ongoing
basis, determine DHS's priorities for adoption of private sector
standards, recommend which standards should be adopted into the program
based upon those priorities and the principles outlined in Section III,
above, determine if additional guidelines for accreditation or
certification are necessary, and interact with listed entities as
required by the statute.
The PSPCC will also assist the designated officer in complying with
the statutory requirement of an annual review. The statute requires the
designated officer, in consultation with the listed entities, to
annually review PS-Prep ``to ensure [its] effectiveness * * * and make
improvements and adjustments to the program as necessary and
appropriate.'' 6 U.S.C. 321m(b)(4)(A). The annual review is to include
``an assessment of the voluntary preparedness standard or standards
used in the program under this subsection.'' 6 U.S.C. 321m(b)(4)(B).
While the annual review will serve as a time to determine whether
additional private sector preparedness standards will be adopted into
the program, we envision that the PSPCC will make determinations
throughout the year as appropriate standards are submitted for
consideration.
During the annual review, the PSPCC will also review the
performance of the selected entity, and determine whether additional
entities should be considered for that role.
XI. Next Steps
This notice is part of the consultation process with the listed
entities, potential certifiers, entities that may seek certification,
and the public at large. DHS has engaged in consultation prior to the
issuance of this notice-including through speaking engagements,
discussions in the normal course of business, meetings of the CIKR
Sector Coordinating Councils, and the like- and will continue engaging
with the public after the program is established.
DHS intends to hold two public meetings in Washington, DC to
provide a forum for public comment, one in January and another in
February, 2009. Meeting details and registration information will be
published in the Federal Register and posted at http://www.fema.gov/privatesectorpreparedness.
While there may be additional notices related to PS-Prep, either in
the Federal Register or on the PS-Prep Web site (including notices
about the adoption of standards, the accreditation of certain entities,
adoption or modification of accreditation or certification procedures,
and the like), we do not plan to issue another notice before initial
standards are adopted. Instead, we will-after careful review of the
comments and recommendations for the adoption of one or more voluntary
private sector preparedness standards-announce adopted standard or
standards, as well as the logistics (such as whom to contact at DHS or
the selected entity) of accreditation and certification. Comments on
this guidance as well as recommendations of standards for DHS to adopt
into the program may be submitted at any time.
XI. Draft List of Possible Elements To Consider in Standards
Development
In order for DHS to adopt a standard to be part of PS-Prep, the
designated officer must determine that it is ``appropriate.'' An
appropriate standard is one that is determined by the designated
officer to promote private sector preparedness.
Below is a draft list of possible elements that can be included in
private sector preparedness standards and which may be used by the
designated officer in evaluating standards for adoption in the program.
The set of elements listed below can define the attributes of a
comprehensive preparedness program. It is, of course, not possible to
devise uniform criteria that every standard submitted for adoption
should meet-because, among other reasons, there may be industry-
specific standards proposed, and standards may seek to address
something less than the full range of matters that may be included in a
preparedness standard.
This list is a good starting point for parties developing private
sector preparedness standards for adoption. A standard need not contain
all of these elements to be appropriate and therefore
[[Page 79146]]
be considered for adoption by DHS, but the list is provided to guide
the private sector in developing appropriate standards, and will be
modified as necessary.
------------------------------------------------------------------------
Possible Elements to Consider
-------------------------------------------------- Examples of how to
Elements and satisfy element
Subject area content
------------------------------------------------------------------------
1. Scope and Policy........... A scope and/or 1. Establish
policy statement preparedness
that addresses management program,
preparedness, including
disaster identification of
management, appropriate
emergency resources and
management, or authorities.
business 2. Define scope and
continuity. The boundaries for
standard may development and
contain the implementation of
following: the program.
1. Scope......... 3. Establish a
1. Policy........ framework for
2. Principles.... setting objectives,
3. Purpose....... direction, and
principles for
action.
4. Demonstrate top
management and the
organization's
commitment to
preparedness
management.
2. Requirements............... A statement that 1. Identify, register
the organization and evaluate
identifies and internal and
conforms to external
applicable requirements
legal, pertinent to the
statutory, organization's
regulatory and functions,
other activities and
requirements operations.
(e.g., codes of 2. Understand
practice and potential impact of
standards of laws, regulations,
care). The codes, zoning,
standard may standards or
contain the practices concerning
following, as emergency procedures
well as a specific to the
process for location and
identifying and industry.
addressing them:
1. Legal.........
2. Statutory.....
3. Regulatory....
4. Other.........
3. Objectives and Strategies.. The standard may 1. Develop strategic
contain plans for incident
requirements for prevention,
strategies and/ preparedness,
or strategic mitigation,
plans designed response, business
to accomplish continuity, system
the resiliency, and
organization's recovery for short
objectives in: term (less than a
month) and long term
(up to one year).
1. Risk 2. Identify type and
Management. availability of
human,
infrastructure,
processing, and
financial resources
needed to achieve
the organization's
objectives.
2. Incident 3. Identify roles,
Prevention. responsibilities,
authorities and
their
interrelationships
within the
organization
required to ensure
effective and
efficient
operations.
3. Incident 4. Plan the
Preparedness. operational
processes for
actions required to
achieve the
organization's
objectives.
4. Incident 5. Consider cyber and
Mitigation. human security
elements in control
strategies and
plans.
5. Incident 6. Make arrangements
Response. and contingency
preparedness plans
that should be in
place to manage
foreseeable
emergencies.
6. Business 7. Develop crisis
Continuity. communication plans
with internal
personnel
(management, staff,
response teams,
etc.).
7. Incident 8. Ensure the
Recovery. company's
Communications
Department has
identified key
resources designated
to initiate crisis
communications with
employees, business
partners, vendors,
government and
external media.
8. Corrective and 9. Involve
Preventive appropriate external
Actions. parties during
exercise events.
4. Risk Management............ The standard may 1. Establish a
contain process for risk
consideration of identification,
risk management, analysis, and
including hazard evaluation.
and threat 2. Identify assets,
identification, needs, requirements,
risk assessment, and analysis of
vulnerability critical issues
analysis, and related to business
consequence/ disruption risks
business impact that are relevant to
analysis. The the organization and
standard may stakeholders.
provide for the 3. Identify hazards
conduct of: and threats, to
1. Hazards and include cyber and
Threats human security
Identification.. elements. These
2. Risk should include loss
Assessment.. of IT;
3. Impact telecommunications;
Analysis.. key skills; negative
4. Vulnerability publicity; employee
Assessment.. or customer health
5. Consequence/ or safety; damage to
Business Impact organization's
Analysis.. reputation; loss of
access to
organization's
assets; utility
systems; supply
chain outage/
disruption, and
insider threats.
4. Evaluate the
probability of a
disruptive event,
dependencies and
interdependencies
with other assets
and sectors, and
consequences on
business operations;
Prioritize the
issues identified as
a result of the risk
assessment and
impact analysis.
5. Set objectives and
targets (including
time frames) based
on the
prioritization of
issues within the
context of an
organization's
policy and mission.
6. Evaluate and
establish recovery
time objectives.
7. Assess
vulnerability of
organization,
systems, and
processes.
8. Define risk
treatment strategy
and resources needed
to address the
organization's risks
to business
disruption.
[[Page 79147]]
5. Operations, Control, and The standard may 1. Establish
Risk Mitigation. call for operational control
incident measures needed to
management / implement the
business strategic plan(s)
continuity and maintain control
strategy, of activities and
tactics, functions against
operational defined targets.
plans and 2. Develop procedures
procedures, and/ for controlling key
or contingency activities,
plans that will functions, and
be used during operations
emergencies, associated with the
crises and other organization,
events including possible
threatening its large extended
operation; and workforce absences;
the and alternative work
documentation sites or remote
thereof. The working procedures.
standard may 3. Establish
contain processes and
provisions for procedures for
the following: operational
1. Operational management and
Continuity.. maintenance of
2. Incident infrastructure,
Management.. plant, facilities,
3. Coordination finance, etc. which
with Public have an impact on
Authorities.. the organization's
performance and its
stakeholders.
4. Establish
processes and
procedures for
management of
documents which are
essential to the
successful
implementation and
operation of the
preparedness
management program
or system.
5. Establish
operational control
measures needed to
implement the
strategic plan(s)
and maintain control
of activities and
functions.
6. Develop insider
threat mitigation
measures.
7. Develop action
plans for increased
threat levels and
tools to enhance
situational
awareness.
8. Formalize
arrangements for
those who supply and
contract their
services to the
organization which
have an impact on
the organization's
performance,
including mutual aid
agreements.
9. Determine the
local and regional
public authorities
and their potential
impact on your
organization's plans
including, but not
limited to, the U.S.
Department of
Homeland Security,
emergency
management, fire,
police, public
utilities, and local
& nationally elected
public officials.
10. Work with local
Public Information
Officers to
understand and
follow protocol.
11. Document the
forms and processes
to be used before or
during an event or
exercise to ensure
activities and
participants, etc.,
are captured for
review and Plan
response and
recovery
improvements.
12. Collaborate with
other organizations
on preparedness
issues of mutual
concern.
6. Communications............. The standard may 1. Develop and
call for plans maintain a system
for required for
communication communications and
and warning as warning capability
they apply to in the event of an
disaster/ incident/disruption.
emergency 2. Identify
management and requirements,
business messages, and
continuity. The content required for
standard may communication within
contain the organization.
provisions for 3. Identify
the following: requirements,
Warning messages, and
and content required for
Notification.. external
Event communication.
Communication.. 4. Develop,
Crisis coordinate, evaluate
Management and exercise plans
Communications.. to communicate
information and
Information warnings with
Sharing.. internal
Public stakeholders and
Relations.. external
stakeholders
(including the
media) for normal
and abnormal
conditions.
5. Make arrangements
for communications
both within the
organization and to/
from external
sources, including
local, state and
federal law
enforcement and
first responder
organizations.
6. Document
procedures and
identify tools to
manage relationships
and communications
processes with
external partners:
business partners,
governmental
agencies, vendors,
etc.
7. Competence and Training.... The standard may 1. Assess, develop
call for review and implement
of the training/education
competence / program(s) for the
qualifications organization's
and training of personnel,
organization's contractors, and
personnel, other relevant
contractors, and stakeholders.
other relevant 2. Identify and
stakeholders establish skills,
involved in competency
emergency requirements, and
management and qualifications
business needed by the
continuity organization to
management. The maintain operations.
standard may 3. Develop
contain organizational
provisions for awareness and
the following: establish a culture
1. Competence.... to support emergency
2. Training...... / disaster
preparedness and
business continuity
management.
4. Determine
organizational
interface protocol,
identification and
training
requirements and
assign appropriate
internal staff or
support
representative(s).
8. Resource Management........ The standard may 1. Identify and
call for assure availability
management and/ of human,
or logistics infrastructure, and
plans, including financial resources
allocation of in the event of a
human, physical, disruption.
and financial 2. Establish and
resources in the document provisions
event of for adequate finance
incidents/ and administrative
emergencies that resources and
threaten procedures to
operations. The support the
standard may management program
contain or system under
provisions for normal and abnormal
the following: conditions.
1. Resource 3. Make arrangements
Management.. for mutual aid and
2. Logistics and community
Business assistance.
Processes..
[[Page 79148]]
9. Assessment and Evaluation.. The standard may 1. Establish metrics
call for and mechanisms by
assessments, which the
audits and/or organization
evaluation of assesses its ability
disaster/ to achieve the
emergency program's goals and
management and objectives on an
business ongoing basis.
continuity 2. Determine
programs. The nonconformities and
standard may the manner in which
contain these are dealt
provisions for with.
Periodic 3. Conduct internal
Assessment and audits of system or
Performance programs.
Evaluation. 4. Plan, coordinate,
and conduct tests or
exercises.
5. Evaluate and
document exercise
results.
6. Review exercise
results with
management to ensure
corrective action is
taken.
7. Report audits and
verification results
to chief executive
officer.
10. Continuing Review (ongoing The standard may 1. Conduct management
management and maintenance). call for a plan review of programs
for program and/or system to
revision and determine its
process current performance,
improvement, to ensure its
including continuing
corrective suitability,
actions. The adequacy and
standard may effectiveness, and
contain to instruct
provisions for improvements and new
the following: directions when
1. Review........ found necessary.
2. Maintenance... 2. Make provisions
3. Process for improvement of
improvement.. programs, systems,
and/or operational
processes.
------------------------------------------------------------------------
Dated: December 18, 2008.
R. David Paulison,
Administrator, Federal Emergency Management Agency.
[FR Doc. E8-30685 Filed 12-23-08; 8:45 am]
BILLING CODE 9110-14-P