Tag National Preparedness Goal

New and Timely Cyber Security Information

Tim Riecker, The Contrarian Emergency Manager Leave a comment

October is National Cyber Security Awareness Month.  With it, the DHS Private Sector Office has provided a number of resources to help organizations get involved in cyber security awareness.  These include weekly themes, such as Stop. Think. Connect., information on a weekly Twitter Chat series, and other information.

Perhaps released intentionally during National Cyber Security Awareness Month is the call for public comment on the National Cyber Incident Response Plan.  From their website, DHS’ National Protection and Programs Directorate and FEMA’s National Integration Center are leading the development of this document in coordination with the US Department of Justice, the Secretary of Defense, and other partners.  This plan is intended to provide a nation-wide approach to cyber incidents, incorporating roles for the private sector and all levels of government (TR – similar to the National Planning Frameworks, which this document rather heavily references).  The National Engagement Period ends on October 31, so be sure to review the document and provide feedback.  There are also a series of webinars referenced on the website.

In my initial and very cursory review of the plan, I was pleased to see the references to the National Preparedness Goal and National Planning Frameworks.  I’ve mentioned before that we need to strive to align and integrate all preparedness efforts along these lines and I’m thrilled to see it happening.  It’s even more encouraging to see this occurring with something that could be considered a bit fringe to traditional emergency management.  The plan directly references a number of Core Capabilities.  They take an interesting approach with this.  Instead of identifying which Core Capabilities the plan organizes under, they instead align certain Core Capabilities within what they call Lines of Effort.  These Lines of Effort include Threat Response, Asset Response, and Intelligence Support.  For each Core Capability they define the Core Capability, a la the National Preparedness Goal, and describe how that Core Capability applies to Line of Effort, along with listing associated critical tasks. (inserted is Table 2 from the plan which shows this alignment)

cyber-cc-by-loe

What I find even more interesting is the array of Core Capabilities they identified for their Lines of Effort.  While this plan is oriented toward response, the Core Capabilities they identify come from the Mission Areas of Prevention, Protection, Response, and Mitigation, along with including the three common Core Capabilities.  This further reinforces the thought that the Cyber Security Core Capability should also be included as a common Core Capability.  This is an interesting document which I look forward to reviewing in more detail.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

 

2016 National Preparedness Report Released

Tim Riecker, The Contrarian Emergency Manager 3 Comments

The fifth National Preparedness Report has been released by FEMA.  The National Preparedness Report is based upon, as the report states, input of more than 450 data sources and 190 stakeholders, including 66 non-federal organizations (which would account for state preparedness report submissions and information from Urban Area Security Initiative regions).  The report is intended as a summary of where the nation stands in regard to each of the 32 Core Capabilities outlined in the National Preparedness Goal.

As mentioned, this is the fifth National Preparedness Report to hit the streets.  While they have some value and demonstrate that the data collection that is done is actually collated, I feel that through the years they are offering less meat and more potatoes.  I appreciate the highlighting of best practices for each mission area, but, to me, there is a missed opportunity if a report is simply providing data and not recommendations.  While it’s understood that the goal of the National Preparedness Report is not to provide recommendations (it would also take longer to publish the report, and the people pulling the data together do not likely have the expertise to create recommendations), I’d like to see FEMA (and stakeholders) have follow up efforts to provide recommendations in each mission area and not miss this valuable opportunity to then apply the findings and look forward.

Below, I’ve included their overall findings with a bit of my own commentary.  Overall, I will say that there is nothing eye opening in this report for anyone who pays attention.  It’s pretty easy to guess those Core Capabilities which are at the top and those which are at the bottom.

  • Planning; Public Health, Healthcare, and Emergency Medical Services; and Risk and Disaster Resilience Assessment are the three Core Capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but that face performance declines if not maintained and updated to address emerging challenges.
    • My commentary: BULLSHIT.  If these Core Capabilities are at ‘acceptable levels’, then our standards must be pretty low.  Planning is the one that disturbs me most.  We continue to see plenty of poor plans that are not realistic, can’t be operationalized, and are created to meet requirements (which are typically met by formatting and buzzwords).  Have we improved?  Sure.  But I wouldn’t say we are at ‘acceptable levels’.  As for Public Health, Healthcare, and Emergency Medical Services, we are struggling in certain areas to simply keep our heads above water.  While we are fairly solid in some areas of public health, one only needs to look at the Ebola incident to view how fragile our state of readiness is.  The findings for Planning and Public Health, to me, are nothing but shameful pandering and we need to get realistic about where we are at and the challenges we face.  Gold stars won’t stand up to the next disaster.  As for Risk and Disaster Resilience Assessment I have admittedly less experience personally.  I do know that we have some pretty incredible tools available that can help us determine impacts of various hazards for any given area under a variety of conditions, which is an amazing application of technology.  My concerns here are that there are still many who don’t know about these tools, don’t use them, and/or don’t follow the findings of information from these tools in their hazard mitigation actions.
  • Cybersecurity, Economic Recovery, Housing, and Infrastructure Systems remain national areas for improvement. Two additional Core Capabilities – Natural and Cultural Resources, and Supply Chain Integrity and Security – emerged as new national areas for improvement.
    • My commentary: NO KIDDING. While we have made a great deal of progress on Cybersecurity, we are still far behind the criminal element in most respects.  It also needs to be fully recognized in the National Preparedness Goal that Cybersecurity is a Core Capability common to all five mission areas.  Economic Recovery will always be a challenge, as every community impacted by an incident has a certain way it heals, essentially along the lines of Maslow’s Hierarchy.  A strong local economy is important to this healing, ensuring that the community has access to the resources it needs to rebuild and a return to normalcy.  While I’m sure studies have been done, we need to examine more closely how the economic recovery process evolves after a disaster to identify how it can be best supported.  Housing is the absolutely most challenging Core Capability in the National Preparedness Goal.  While I don’t have a solution for this, I do know that our current approaches, philosophies, and ways of thinking haven’t moved us an inch toward the finish line on this one.  We need to change our current way of thinking to be successful.  As for Infrastructure Systems, I could go on for days about this.  I’ve written previously, several times, (as have many others) on the critically fragile state of our infrastructure.  It’s no big secret.
  • States and territories continue to be more prepared to achieve their targets for Response Core Capabilities, while they are least prepared to meet their targets in the Recovery Mission Area.
    • This is another NO KIDDING. While we must always have a greater focus on Response, as that’s where lives are saved and the immediate danger is addressed, we can’t lose sight of Recovery.  Some recovery activities are more clear cut than others, and FEMA often muddies the waters more by inadvertently intimidating state and local governments when it comes to disaster recovery, as the focus becomes centered more on reimbursable activities vs doing what needs to be done.  The report included some interesting findings (take a look in the Recovery Mission Area drop down on the web site) on ‘mixed trends in exercising recovery capabilities’.  Again, this is nothing earth shattering, but it’s nice to see the matter addressed.  Yes, we clearly need to exercise Recovery Mission Area Core Capabilities better and more often.

These reports are always worth looking through, even though much of the information is generally known by those of us in the profession.  There are always little nuggets of learning available, and data from the report may be used to support your own endeavors for additional funding or resources for your own program.

As always, I’m interested in your insights and thoughts on this post and the National Preparedness Report.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness

 

Understanding and Using the Core Capabilities

Tim Riecker, The Contrarian Emergency Manager 7 Comments

One of the great features of WordPress (my blogging platform) is that it identifies various statistics and sets of data for me.  One of those bits of data is search terms used to find my blog.  Yesterday there were three that caught my eye:

  • Which of the 31 core capabilities are useless
  • How many of the 31 core capabilities do we really need
  • Are there any of the 31 core capabilities that we can do without

Obviously there is some interest in the Core Capabilities.  These searches are so similar they are very likely from the same person or a group of people, such as college students.  As a side, I have been flattered to find that many of my blog posts have been cited in college papers.  It’s quite an honor.

On to the Core Capabilities.  First of all, with the release of the second edition of the National Preparedness Goal, there are now 32 Core Capabilities.  The Core Capabilities can be viewed as key areas of activity.  Mass Care Services, for example, involves a broad array of activities including sheltering, feeding, hydration, mental and spiritual care, and others.  Each of the 32 Core Capabilities have applicability, although that applicability will vary from location to location.

32 Core Capabilities

NPG 32 Core Capabilities

My company recently completed a state-wide homeland security and emergency management assessment for a client.  This assessment was based upon the Core Capabilities, as they provide consistent definitions of these activity areas and are comprehensive, incorporating all key activities in all phases of emergency management and homeland security and are generally not hazard-specific.

We met face to face with a number of jurisdictions, large and small, to gather input on each Core Capability.  It was no surprise that certain Core Capabilities, specifically Planning, Operational Coordination, and Public Information and Warning were consistently identified as top concerns for stakeholders.  These three Core Capabilities, by the way, are applicable across all five Mission Areas identified in the National Preparedness Goal.

In our study, there were other Core Capabilities which we found to be important to some, but not to others.  Many smaller jurisdictions, especially those without their own law enforcement, saw little applicability to them of those Core Capabilities which are contained within the Prevention and Protection Mission Areas.  As these two Mission Areas are generally focused on criminal and homeland security issues, we found that those not in law enforcement tended to be dismissive of their importance.  Even some law enforcement professionals, at least in the state we were working in, viewed some of these Core Capabilities as being a responsibility of the State Police and generally not a local police activity.

Potential application of the Core Capabilities is quite broad with many possibilities.  Unfortunately, FEMA doesn’t seem to be marketing their applicability very well, which makes the questions about their usefullness quite understandable.  Going back about ten years, FEMA provided us with the predecessor to the Core Capabilities – these were the Target Capabilities.  The Target Capabilities were a good start, albeit a bit complex and unrefined.  The Core Capabilities are a great evolution of the same concept.  When the Target Capabilities were released, there was a big push for their integration into all aspects of preparedness.  FEMA encouraged their consideration in planning efforts, they encouraged training courses to identify what Target Capabilities were being trained to, and for exercises to identify what Target Capabilities were being exercised.  While much of that encouragement has seemed to disappear, there is no reason why we can’t still do it with the Core Capabilities.  And we should.

The most direct application of the Core Capabilities is in the THIRA process.  THIRA stands for Threat and Hazard Identification and Risk Assessment.  Many discussions on THIRA can be found here.  The annual completion of a THIRA is required of every state, territory, and Urban Area Security Initiative (UASI) funded program.  The THIRA is essentially a very thorough and in-depth hazard analysis that other jurisdictions should consider conducting.  The insights revealed from the process and the end product are widely applicable and can fully change the basis for an emergency management program.  The THIRA process centers on the Core Capabilities.

Other preparedness efforts can certainly reference the Core Capabilities, and easily so.  The greatest benefit of the Core Capabilities, from my experience, is consistency.  They provide a concise definition of these key activities.  The definition is broad enough to find applicability to any jurisdiction, which then uses that definition to identify their own capability targets.  Capability targets define how the jurisdiction is going to accomplish each Core Capability.  That is the brilliance of the system – national-level definitions for key activity areas which are then refined by each jurisdiction to identify how they will best apply them.  While the creation of capability targets is part of the THIRA process, any jurisdiction can do it.  These targets help define what they want to accomplish in their emergency management programs.

As with the Target Capabilities, the Core Capabilities can be referenced in planning, training, exercises, assessments, and other activities.  Many of the Core Capabilities may warrant their own planning efforts for many jurisdictions.  Things like Mass Care Services, Fatality Management, Situational Assessment, and Housing can all be planning annexes to a more comprehensive emergency management planning effort.  The HSEEP process still calls for the identification of Core Capabilities early in the exercise design process.  This identification, along with the creation of good exercise objectives, helps define the scope of the exercise and maintain focus.  The same application works for training programs.  From a program management perspective, Core Capabilities should be used to identify areas of focus in a Training and Exercise Plan (TEP).

The definitions that Core Capabilities provide, along with the benefit of jurisdiction-specific capability targets, can help broadly identify what emergency management and homeland security programs are focused on.  The consistency allows for increased understanding, prioritization, and connectivity between activities and programs.  Integrating the Core Capabilities into EM and HS programs is relatively easy and scalable, it just simply requires a slightly different perspective.

Questions?  Comments?

Thanks, as always, to my readers.  As mentioned, my company, Emergency Preparedness Solutions, has great experience using the Core Capabilities and applying them to all areas of preparedness.  Need help?  Give us a call!

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

National Preparedness Goal: Second Edition Just Released

Tim Riecker, The Contrarian Emergency Manager 6 Comments

Today FEMA released the second edition of the National Preparedness Goal.  This document, which only has a few substantive changes from the original, provides a vision for preparedness across the nation.  It is best known for identifying the five mission areas of Prevention, Protection, Mitigation, Response, and Recovery; along with the Core Capabilities.  Many thanks to my colleague Jon who brought this release to my attention.  The updated National Preparedness Goal and associated documents can be found here.

There are not many changes in this update, and the changes that are included should be of little surprise if you reviewed the draft released for public comment several months back.  Up front, the update provides some editorial clarification on the definitions and relationships between the federal government and tribes as well as US territories.  It also provides more emphasis on the concept of whole community and the special populations within the whole community which may require additional protections and actions.

Perhaps the most significant changes are reflected in the Core Capabilities, of which there are now 32.  In the preamble to the Core Capabilities which discusses the concept of Risk, it is interesting to note that the Core Capability of Cybersecurity was specifically highlighted as having applicability across all Mission Areas – a concept which I fully agree with.  I’m left wondering, then, why it was not re-defined as a common Core Capability.

NPG 32 Core Capabilities

NPG 32 Core Capabilities

Other changes to the Core Capabilities include the renaming of the On-Scene Security and Protection Core Capability to On-Scene Security, Protection, and Law Enforcement; and the Public Health and Medical Services Core Capability to Public Health, Healthcare, and Emergency Medical Services.  Additionally, the Public and Private Services and Resources Core Capability was renamed to Logistics and Supply Chain Management, which seems to provide better recognition of the intent of that Core Capability.  Finally, a new Core Capability was added – Fire Management and Suppression.

Three of these changes seems to revolve around a stronger recognition and inclusion of the traditional first responder services of Law Enforcement, Fire Service, and Emergency Medical Services; all of which seemed to get lost in the bigger picture of the earlier capability discussions.  I’m hopeful these changes will help bring these services to the table in more communities when capabilities are discussed.  I’m a firm believer that the Core Capabilities provide a consistent, scalable, foundation for discussion of preparedness for every community.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

Are You Really Considering All Hazards?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address our many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

NIMS Alert – FEMA Seeks Feedback on Federal Interagency Operational Plans

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Take some time to review and comment on these.  Be heard!  TR

<from press release>

FEMA is requesting stakeholder feedback on working drafts of four of the five Federal Interagency Operational Plans (FIOPs):  Protection, Mitigation, Response, and Recovery. The Prevention FIOP is Unclassified and For Official Use Only (FOUO)/Law Enforcement Sensitive (LES), Restricted Access and therefore available to appropriate personnel through separate and secure communication means. The FIOPs describe how the Federal government aligns resources and delivers core capabilities. Each FIOP outlines the concept of operations for integrating and synchronizing existing national-level Federal capabilities to support the whole community.

This update of the FIOPs focuses on discrete, critical content revisions, and confirming edits as a result of comments received on the National Preparedness Goal and National Planning Frameworks. Additional changes in the draft are the result of the lessons learned from implementing the FIOPs and recent events, as well as the findings of the National Preparedness Report.  The FIOPs and feedback submission forms may be found at http://www.fema.gov/ppd-8-news-updates-announcements.

To ensure all feedback is properly handled, reviewers are asked to use the provided feedback submission form to submit feedback and recommendations. Please provide any comments and recommendations, using the submission form, to PPD8-Engagement@fema.dhs.gov by Tuesday, September 2, 2015 at 5:00 PM EDT.

PPD-8 Revisions and National Engagement Period

Tim Riecker, The Contrarian Emergency Manager Leave a comment

A NIMS Alert has just been released announcing the opening of the national engagement (comment) period on revisions to PPD-8 (National Preparedness Goal).  Most notably, these revisions include updated definitions for 10 Core Capabilities and the creation of one new Core Capability – Fire Management and Suppression.

These last few years I have found that FEMA has been more responsive than ever to stakeholder feedback and this is another great opportunity to ensure that their guidance and doctrine continues to be relevant and meaningful to those of us who use it.

A link to the PPD-8 revision site and national engagement period is here: http://www.fema.gov/media-library/assets/documents/103912.

TR