Guidance for Operational Security and Access

Operational security can be a big issue, especially on prolonged incidents.  An incident occurs.  Evacuations have to take place.  A scene has to be secured.  Issues like safety and evidence preservation are priorities.  Inevitably someone says they ‘need access’.  Who are they?  Do they really need access?   Are they an evacuee?  A responder?  Media?  A government official?  A critical infrastructure operator?  When is it OK to allow someone access and under what circumstances?

While NIMS has been advocating for credentialing as an effort to identify responders and their qualifications, along with ensuring that they have appropriate identification to grant them access to an incident scene and to utilize them to the best ability, there is still a lot of work to do, and little has been done beyond first responders.  I’ve been on incidents where the perimeter was not well established and anyone could stroll in to an incident site or a command post.  I’ve been on incidents where the flash of a badge or ID was good enough to get through, even though the person at the perimeter didn’t actually examine it, much less verify it.  I’ve also been on incidents where no entry was allowed with a badge, official ID, and a marked car – even though entry was necessary and appropriate. Thankfully, I’ve also been on some incidents where identification is examined, and the access request is matched to a list or radioed in for verification.  This is how it should work.

While credentialing and access control are two separate topics, they do have a degree of overlap.  Like so many aspects in incident management, little ground has been gained on more complex matters such as these because there is little to no need for them on the smaller (type 4 and 5) incidents.  Type three (intermediary) incidents generally use an ad-hoc, mismanaged, band-aid approach to these issues (or completely ignore them), while larger (type 1 and 2) incidents eventually establish systems to address them once a need (or usually a problem) is recognized.  While every incident is unique and will require an-incident specific plan to address access control and re-entry, we can map out the primary concerns, responsibilities, and resources in a pre-incident plan – just like we do with so many of our other operational needs in an Emergency Operations Plan (EOP).  Also, like most of what we do in the development of an EOP, access control and re-entry is a community-wide issue.  It’s not just about first responders.

Here’s an example of why this is important.  A number of years ago I ran a tabletop exercise for the chief information officer (CIO) agency of a state government.  The primary purpose was to address matters of operational continuity.  I used the scenario of a heavy snow storm which directly or indirectly disabled their systems.  We talked about things like notification and warning, remote systems access (the state didn’t have a remote work policy at the time), redundant infrastructure, and gaining physical access to servers and other essential systems.  Without gaining physical access, some of their systems would shut down, meaning that many state agencies would have limited information technology access.  Closed roads and perimeter controls, established with the best of intentions, can keep critical infrastructure operators from accessing their systems.  The CIO employees carried nothing but a state agency identification, which local police wouldn’t give a damn about.  Absent a couple hours of navigating state politics to get a state police escort, these personnel would have been stuck and unable to access their critical systems.  Based upon this, one of the recommendations was to establish an access control agreement with all relevant agencies where their infrastructure was located.

Consider this similar situation with someone else.  Perhaps the manager of a local grocer after a flood.  They should be able to get access to their property as soon as possible to assess the damage and get the ball rolling on restoration.  Delays in that grocer getting back in business can delay the community getting back on their feet and add to your work load as you need to continue distributing commodities.

There are a lot of ‘ifs’ and ‘buts’ and other considerations when it comes to access control, though.  There aren’t easy answers.  That’s why a pre-plan is necessary.  Like many things we do in emergency management and homeland security, there is guidance available.  The Crisis Event Response and Recovery Access (CERRA) Framework was recently published by DHS.  It provides a lot of information on this matter.  I strongly suggest you check it out and start bringing the right people to the table to start developing your own plan.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC