Voluntary Private Sector Accreditation and Certification Preparedness Program
The Department of Homeland Security (DHS) announces its intent to select standards for adoption in the Voluntary Private Sector Accreditation and Certification Preparedness Program (“PS-Prep”). This notice (1) finalizes the criteria to be used in selecting standards for the PS-Prep Program; (2) discusses the prospective adoption of the three identified standards, including (a) the approach for collaboration with the Critical Infrastructure and Key Resources (CIKR) sectors and (b) considerations for small business in the adoption of the three identified standards; and (3) poses specific questions for which comment is sought. Although DHS intends to select only the three identified preparedness standards at this time, DHS may select additional standards in the future.
Instructions: DHS will accept comments on PS-Prep and these standards at any time, and comments will be considered as they are received. Within 30 days after publication of this notice, DHS requests comments regarding the adoption of the standard selections or any other similar standard that satisfies the Target Criteria presented in the December 24, 2008 notice (73 FR 79140). Those interested may submit comments, identified by Docket ID FEMA-2008-0017, by one of the following methods:
• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. (Note: This process applies to all government requests for comments—even though as in the case of PS-Prep, they may not be for regulatory purposes.)
• E-mail: FEMA-POLICY@dhs.gov. Include Docket ID FEMA-2008-0017 in the subject line of the message.
• Mail/Hand Delivery/Courier: Office of Chief Counsel, Federal Emergency Management Agency, 500 C Street, SW., Room 840, Washington, DC 20472-3100.
All submissions received must include the agency name and Docket ID FEMA-2008-0017. All submissions will be posted, without change, to the Federal eRulemaking Portal at http://www.regulations.gov, and will include any personal information you provide. Because comments are made available to the public, submitters should take caution to not include any sensitive, personal information, trade secret, or any commercial or financial information which is obtained from any person and which is deemed privileged or confidential. Submitters may wish to read the Privacy Act Notice available on the Privacy and Use Notice link on the Administration Navigation Bar of http://www.regulations.gov.
Docket: For access to the docket to read background documents or comments received, go to the Federal eRulemaking Portal at http://www.regulations.gov. Submitted comments may also be inspected at FEMA, Office of Chief Counsel, 500 C Street, SW., Room 840, Washington, DC 20472.
Availability of the Identified Standards: The three identified standards are available in two ways in addition to being available on the individual Web sites of the three respective standards development organizations (SDOs).
1. FEMA will maintain copies of the standards proposed under this notice and make them available upon request for viewing in person at FEMA's reading room, located at 500 C Street SW., Room 835, Washington, DC 20472. Due to licensing and copyright restrictions, however, these documents will be available for review only, not for copying.
2. FEMA's PS-Prep Web site, http://www.fema.gov/privatesector/preparedness, contains links to the Web sites for each of the three SDOs. Each of these SDOs is making its standards available through this link for inspection, downloading, and printing, especially for the PS-Prep Program. Through the above link, the National Fire Protection Association and the American Society for Industrial Security have made NFPA 1600 and ASIS SPC 1-2009, respectively, available at no cost. Also through this link, the British Standards Institution has made the U.S. editions of BS25999-1 and BS25999-2 available for a reduced fee of $19.99 each. At DHS's request, the British Standards Institution reduced its regular fee for BS25999-1 from $132.00 to $19.99, and its regular fee for BS25999-2 from $152.00 to $19.99, for the comment period.
Table of Contents
- I. Background
- II. Elements Considered in the Evaluation of Standards for Selection
- III. Intent To Adopt Three Initial Standards for the PS-Prep Program
- IV. Adoption of Initial Standards in the PS-Prep Program
- V. Critical Infrastructure and Key Resources (CIKR) Sector Specific Issues
- VI. Small Business Consideration
- VII. Questions for Which Comment or Recommendations Are Specifically Sought
For further information contact:
Mr. Donald Grant, Incident Management Systems Integration Division, National Preparedness Directorate, National Integration Center, 500 C Street, SW., Washington, DC 20472. Phone: 202-646-3850 or e-mail: FEMA-NIMS@dhs.gov.
Supplementary information:
I. Background
In the “Implementing Recommendations of the 9/11 Commission Act of 2007” (Pub. L. 110-53), Congress mandated DHS to establish a voluntary private sector preparedness accreditation and certification program. This program, now known as “PS-Prep,” will assess whether a private sector entity complies with one or more voluntary preparedness standards adopted by DHS, through a system of accreditation and certification developed by DHS in close coordination with the private sector.
DHS published a notice in the Federal Register on December 24, 2008, requesting comment on a voluntary private sector preparedness accreditation and certification program (“PS-Prep”), target criteria for voluntary preparedness standards under the program, and recommendations for standards. See 73 FR 79140. DHS also held two public meetings, on January 13 and February 23, 2009, and had other interaction with stakeholders, to obtain comments on standards that DHS should approve under PS-Prep. DHS has considered the information gathered through these channels in the identification of the three standards discussed in this notice and further development of the PS-Prep Program.
II. Elements Considered in the Evaluation of Standards for Selection
On December 24, 2008, DHS published and sought public comment on its proposed target criteria for preparedness standards. Upon review of comments, DHS has determined the target criteria are appropriate, valid, and consistent with the DHS mission and the goals of the PS-Prep Program. DHS, therefore, will adopt standards based on the target criteria as previously listed.
III. Intent To Adopt Three Initial Standards for the PS-Prep Program
Based on public comments, the suitability of standards considered to accomplish the purposes of the PS-Prep Program, and coverage of the target criteria, DHS intends to adopt the following three standards. Although the focus of each standard may be slightly different, each meets the spirit and intent of Public Law 110-53, which defines “voluntary preparedness standards” as a “* * * common set of criteria for preparedness, disaster management, emergency management, and business continuity programs. * * *” These standards were chosen because, among other things, they meet the target criteria and are not industry specific.
1. NFPA 1600—Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 Edition. This standard establishes a common set of criteria for preparedness, disaster management, emergency management, and business continuity. NFPA 1600 specifies the management and essential elements of a preparedness program for disaster management, emergency management, and business continuity. The particular strength of this standard is that it focuses on planning and preparation in anticipation of a disaster and does not prescribe a program development process.
2. BS25999—Business Continuity Management. This standard defines requirements for a management systems approach to business continuity, and integrates risk management disciplines and processes. BS25999 is comprised of two parts: Part 1 dated 2006; Code of Practice, and Part 2 dated 2007; Specification. The particular strength of this standard is that it specifically provides a management systems approach to business continuity and also integrates risk management disciplines and processes. The standard also provides the user the basis for understanding and implementing in business-to-business and business-to-customer dealings to reassure business resilience.
3. ASIS SPC. 1-2009—Organizational Resilience: Security Preparedness, and Continuity Management Systems—Requirements with Guidance for Use. This standard was released in 2009 and defines requirements for a management systems approach to organizational resilience. The particular strength of this standard is that it applies a management systems approach to organizational resilience. The standard encompasses an assortment of risk management mechanisms and follows a plan-do-check-act approach associated with other International Standard Organization management system based standards.
IV. Adoption of Initial Standards in the PS-Prep Program
DHS, after considering the public comments received on this notice, will publish a notice in the Federal Register to announce the standards that DHS will adopt. DHS may adopt any or all of the three standards identified above.
V. Critical Infrastructure and Key Resources (CIKR) Sector Specific Issues
Following adoption of the initial standards, DHS will collaborate with the CIKR sectors and their respective Sector Coordinating Councils to identify the regulations, guidelines, sector codes of practice, and best practices of the sector that may affect implementation of the adopted standards.
The DHS Office of Infrastructure Protection will then work with individual CIKR sectors to develop a framework in which the identified sector specific considerations can be built into the application of the adopted standards to individual sectors. Any such framework could be used both by an entity seeking certification of conformity to a standard and by the certifying body.
VI. Small Business Consideration
Title IX of Public Law 110-53 recognized that small businesses need to be treated differently in the PS-Prep Program, and requires DHS to give special consideration to small business concerns (as defined by Section 3 of the Small Business Act (15 U.S.C. 632)). The December 24, 2008 Federal Register notice contained an extensive discussion of DHS' approaches to best reflect the interests of small businesses and the purpose of the PS-Prep Program. DHS continues to seek comments from small businesses and others on the adoption of these standards and their impact on future decisions to seek certification under the PS-Prep Program.
VII. Questions for Which Comment or Recommendations Are Specifically Sought
The Department requests comments, suggestions, or other advice regarding the PS-Prep Program, including but not limited to responses to the following questions:
1. Are there reasons that DHS should not adopt any one of the three standards listed above?
2. Are there any supporting guidance materials in addition to the three identified standards that are needed to help the private sector attain certification to one of the three standards?
3. What factors would a business consider in determining which DHS adopted standard(s) to pursue for certification under the PS-Prep Program?
4. What are the reasons for businesses to seek certification under these identified standards?
5. How would the fact that an organization is certified under the PS-Prep Program affect or otherwise influence your decision to do business with them?
6. In response to the December 2008 Federal Register notice, DHS received numerous comments promoting the use of a “maturity model process improvement approach” for business preparedness and continuity. The maturity model was described as an approach whereby certifications on certain standards could be incremental, i.e., grading on a scale of conformance, rather than a conformance/non-conformance basis. The notice noted that certifications will determine conformity or non-conformity with a particular standard. How could the use of a maturity model approach be applied to certification to any of these standards?
7. What may be the potential impact (e.g., cost, return on investment, other considerations, etc.) on small businesses when attempting to implement any of the above identified standards?
W. Craig Fugate, Administrator, Federal Emergency Management Agency.