BUILDING PUBLIC-PRIVATE

PARTNERSHIPS FOR A STRONGER

COMMUNITY

Greater Tampa Bay Association

of

Contingency Planners Meeting

March 31, 2010

O.T. Gagnon III

Protective Security Advisor

Central Florida District

Office of Infrastructure Protection

2

Overview

► Protective Security Advisor (PSA) Program

► Critical Infrastructure Protection Web-Site

► Homeland Security Information Network-Critical Sectors (HSIN-CS)

► Ready.gov (Ready Business)► Private Sector Preparedness (PS-Prep)► State & Local Partnerships► Questions & Answers

3

Protective Security Advisor (PSA) Program

► Provide an Infrastructure Protection (IP) security expert as the link between State, local, tribal, and territorial organizations and DHS IP resources.

► Assist with ongoing State and local Critical Infrastructure/Key Resource (CIKR) security efforts interacting with State Homeland Security Advisors and other State, local, tribal, territorial and private sector organizations.

► Support the development of the national risk picture by identifying, assessing, monitoring, and minimizing the risk to critical assets at the State, local, and regional level.

4

Protective Security Advisor (PSA) Program (continued)

► Coordinate vulnerability assessments and training, support incident management and serve as a vital channel of communication for officials and private sector owners and operators of CIKR assets seeking to communicate with DHS.

► Liaisons at the Federal Emergency Management Agency Joint Field Office and in the State and county Emergency Operations Centers, providing expert knowledge of the impacted infrastructure, maintaining communication with CIKR owners and operators, and prioritizing and coordinating response, recovery, and restoration efforts for critical infrastructure.

5

Protective Security Advisor (PSA) Program (continued)

Texas

Gulf Coast Florida

Mid-Atlantic

Northeast

Anchorage

Portland

Seattle

Sacramento

San Francisco

Salt Lake City

Denver

Las Vegas

Los Angeles

San Diego

Honolulu

Phoenix

Albuquerque

El Paso

Oklahoma City

San Antonio

Houston

Dallas

Des MoinesOmaha

Kansas City

Minneapolis

Little Rock

Springfield

Chicago

Milwaukee

Grand Rapids Detroit

Cleveland

CincinnatiIndianapolis

Louisville

Nashville

Memphis

ColumbiaAtlantaBirmingham

Mobile

Jackson

Baton RougeNew Orleans

Tampa

Miami

Charlestown

Pittsburgh

Buffalo

AlbanyBoston

NorfolkRichmond

Baltimore

Washington, D.C.

San Juan

Guam U.S. Virgin

Islands

St. Louis

Harrisburg

Tallahassee

Topeka

Raleigh

Cheyenne

Denton

Helena

Manchester

Williston

Bismarck

Pierre

Portland

Philadelphia

Dover

New Haven

Newark

New York City

Providence

Boise

Today there are 93 PSAs serving in 70 Districts in 50 States and one Territory

6

Critical Infrastructure Protection Web-Site

http://www.dhs.gov/files/programs/critical.shtm

7

Critical Infrastructure Protection Web-Site (continued)

► Provides stakeholders and the public with easily accessible information about their role in safeguarding critical infrastructure and key resources (CIKR)

► Features a link to the new CIKR Resource Center, which includes information about how to sign up for free Web-based seminars on the tools, trends, issues, and best practices for infrastructure protection and resilience

► Contains resources concerning potential vulnerabilities for chemical facilities

8

Critical Infrastructure Protection Web-Site (continued)

► Provides information about DHS’ ongoing CIKR efforts—including the National Infrastructure Protection Plan (NIPP), the U.S. Government’s unified approach, coordinated by DHS, to ensure protection and resiliency of CIKR through partnerships with thousands of public and private members

► Offers details about the National Response Framework, which outlines guidance for all response partners to prepare for and provide a unified response to disasters and emergencies

9

Homeland Security Information Network- Critical Sectors

(HSIN-CS)

► Primary objectives of HSIN-CS is to generate effective risk management decisions, and to encourage collaboration and coordination on plans, strategies, protective measures, and response/recovery efforts between government, operators, and owners in the public and private sectors.

► DHS has designated the HSIN-CS to be its primary information-sharing platform between the CIKR sectors.

► Enables DHS and the critical sector stakeholders to communicate, coordinate, and share information

10

Homeland Security Information Network- Critical Sectors

(HSIN-CS)

► Access a single DHS source for infrastructure protection alerts, information bulletins and analysis related to individual sectors

► Engage in secure discussions and document sharing with a vetted sector peer group

► Contribute to and benefit from strategic and tactical information sharing on an ongoing/periodic basis

► Conduct effective ongoing situational awareness ► Access timely information on recommended pre-incident

prevention and preparedness practices and activities ► Respond more effectively both during an incident as well as

in its aftermath

11

Ready.gov (Ready Business)

► Ready Business outlines commonsense measures business owners and managers can take to start getting ready.

► Provides practical steps and easy-to-use templates to help you plan for your company's future.

► Recommendations reflect the Emergency Preparedness and Business Continuity Standard (NFPA 1600) developed by the National Fire Protection Association and endorsed by the American National Standards Institute and the Department of Homeland Security.

Voluntary Private Sector Preparedness

Accreditation and Certification Program

PS-Prep

13

Implementing Recommendations of the 9/11 Commission

Act of 2007 (Public Law 110-53)

Mandated Action

Directs DHS to establish a “Voluntary Private Sector Preparedness Accreditation and Certification Program”

Improve Private Sector Preparedness in► Disaster Management► Emergency Management ► Business Continuity

Program Requirements► Select preparedness standards for accreditation► Establish accreditation and certification program► Small business provision

14

Program Coordination, Management

and Oversight Structure

The Act designates specific DHS program offices

– The Administrator of FEMA

– The Assistant Secretary for Infrastructure Protection

– The Assistant Secretary for the Private Sector

– The Under Secretary for S&T (DHS Standards Executive)

DHS designated FEMA as Program lead

– FEMA Administrator or designee is Council Chair

– Standards Executive (DHS S&T) is Council Executive Secretary

15

Key Program Requirements

• Voluntary participation

• Provide method to independently certify preparedness of private sector entities (3rd party certification)

• Administered by non-governmental entity

• DHS designates one or more standards

• Separate classifications and certification methods for small business

• Integrate and leverage existing regulatory requirements and programs, if feasible

• DHS maintain a listing of certified entities and make public a list of consenting participants

16

PS-Prep Certification Program

Private Sector

Entitiesthat apply for Voluntary

Preparedness Certification

Certifying Bodies ISO/IEC 17021 +

Accreditor (ANAB)

ISO/IEC 17011

ANSI-ASQ National Accreditation Board (ANAB) contracted by DHS to Implement and manage Accreditation and Certification portion of Program

Accredits Certifying Bodies

Certifies Private Sector Entities to an approved standard

ANAB Trains and Accredits Auditors to Certify Private Sector Businesses

Receives recognition of compliance to a standard

17

Proposed Certification Standards

On October 16, 2009 DHS announced the intent to adopt three standards:

NFPA 1600- Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 Edition. “ …a common set of criteria for preparedness, disaster management, emergency management, and business continuity.”

BS25999 - Business Continuity Management. “…defines requirements for a management systems approach to business continuity, and integrates risk management disciplines and processes.”

ASIS SPC.1-2009 - Organizational Resilience: Security Preparedness, and Continuity Management Systems “…defines requirements for a management systems approach to organizational resilience.”

18

Proposed Certification Standards

Why these three standards?

►Meet the target criteria set forth in Pub.L.110-53

►Are not industry specific

►Scalability

19

Proposed Certification Standards

• FEMA held a series of public meetings around the country in November and December to allow the public to engage in dialogue with DHS program managers

• Comment period closed on January 15

• FEMA is currently reviewing all comments received. Once complete, DHS will announce the formal adoption of standards

20

Next Steps

• Once standards are adopted, ANSI-ASQ National Accreditation Board (ANAB) will develop the accreditation and certification program

• At the same time, Office of Infrastructure Protection will begin work with CIKR owners/operators on sector-specific implementation guidance

• ANAB will train and accredit certifying bodies; private sector entities will be able to apply for certification.

21

Critical Infrastructure / Key Resources (CIKR)Sector-Specific Certifying Framework

DHS Office of Infrastructure

Protection Intends to Collaborate with

Sectors to:

18 CIKR Sectors• Agriculture and Food

• Defense Industrial Base

• Energy

• Healthcare and Public Health

• National Monuments and Icons

• Banking and Finance

• Water

• Chemical

• Commercial Facilities

• Critical Manufacturing

• Dams

• Emergency Services

• Nuclear Reactors, Materials, and Waste

• Information Technology

• Communications

• Postal and Shipping

• Transportation Systems

• Government Facilities

► Identify guidelines, best practices,

relevant regulations and agreed

codes of practice that already apply

to the sector

► Cross-map to standards

► Develop framework/guidance for

use by Certifying Bodies and Critical

Infrastructure sector in applying

standards

22

NERC Security Guideline: Emergency Plans

A broad description of the Emergency Management

Organization (EMO) should be considered for

inclusion in an overall company emergency plan.

5.8.3.4 The emergency

operations/response plan shall assign

responsibilities for carrying out specific

actions in an emergency.

NERC Security Guideline: Business Continuity

It is good practice to locate alternate facilities for

critical functions sufficiently distant from the primary

location to ensure rapid continuity of operations.

In addition, the company should consider its

vulnerabilities and its need to recover key financial,

information technology, and business systems, which

are typically located in, or close to, the company

headquarters facility.

5.8.3.8 The continuity plan shall

identify stakeholders that need to be

notified, the critical and time-sensitive

applications, alternative work sites, vital

records, contact lists, processes, and

functions that shall be maintained, as well

as the personnel, procedures, and

resources that are needed while the entity

is recovering.

FERC: NERC COM-002-2

Ensure Balancing Authorities, Transmission

Operators, and Generator Operators have adequate

communications and that these communications

capabilities are staffed and available for addressing a

real-time emergency condition. Ensure

communications by operating personnel are effective.

5.10.4 The Emergency communications

and warning protocols, systems,

processes, and procedures shall be

developed, periodically tested, and used to

alert people potentially impacted by an

actual or impending emergency.

Energy-Electricity Sector Example

23

Improved

Internal

Processes

Legal Liability

Protections

Rating Agency

Acknowledgement

Supply

Chain

Resilience

Insurance

Benefits

Business

Survival

Minimizing

Impact of

Business

Disruptions

Potential Benefits of Preparedness

Lower

Operating

Expenses

Improved

External

Relationships

Potential Benefits of Preparedness

24

PS-Prep Resource Center

www.fema.gov/privatesectorpreparedness

25

State & Local Partnerships

Florida’s Domestic Security Strategy

Goal 3: PROTECT Florida’s citizens, visitors, and critical infrastructure.

26