A Review and 3 Highlights of the DHS Active Shooter Preparedness Workshop

Last month I had the opportunity to attend a day-long active shooter workshop in Rochester, NY conducted by the DHS Office of Infrastructure Protection.  The focus was awareness of, preparedness for, and response to an active shooter event, with a lean towards a facilities-based audience rather than public safety.

The workshop began with discussions on recognition, then worked through each of the five mission areas (Prevention, Protection, Mitigation, Response, and Recovery).  The primary speaker was excellent, with real-world experience in active shooter situations.  While they referred to the offering as a pilot, the workshop has been around for a few years in various versions.  Understandably, and unfortunately, it’s difficult for the workshop to keep up with lessons learned from recent events.

As mentioned, the workshop weaves through the five mission areas, rather awkwardly trying to also align with the CPG 101 planning process.  I’m not sure that the two really fit well and it was clearly something new to the course, as the primary speaker missed some of the indicators for activities.  The workshop agenda also fell short, with the facilitators clearly offering a higher than usual number of breaks and of longer than usual length to maintain the workshop as a full day.

The activities were table-based, and focused on the primary steps as outlined in CPG 101, with the goal of giving some ideas and structure to the creation of an active shooter preparedness plan for a facility.  Ideas and discussion generated at our table and others were great, as attendees came from a broad array of facilities, such as schools, night clubs, health care, office buildings, and others.  The most disappointing comments were those about roadblocks people faced within their own organizations in planning and other preparedness activities for active shooters.  There is clearly a lot of denial about these incidents, which will only serve to endanger people.

With a number of public safety professionals in attendance, there was some great reflection on coordination with public safety in both preparedness and response.  One of the gems of the workshop was the number of audio and video clips provided throughout.  The segments included media and 911 clips, as well as post incident interviews with victims and responders.  The insight offered by these was excellent and they were a great value add.

Three pieces of information resonated above all others in this workshop:

  • Run, Hide, Fight (or variants thereof) was stressed as the best model for actions people can take in the event of an active shooter.
  • The inclusion of planning for persons with disabilities is extremely important in an active shooter situation. They may have less of an ability to Run, Hide, and/or Fight, and this should be accounted for in preparedness measures.
  • Essential courses of action for planning include:
    1. Reporting
    2. Notification
    3. Evacuation
    4. Shelter in Place
    5. Emergency Responder Coordination
    6. Access Control
    7. Accountability
    8. Communications Management
    9. Short Term Recovery
    10. Long Term Recovery

Since the workshop was in pilot form, there were no participant manuals provided, which a number of people were hopeful to have.  They did, however, provide a CD with a plethora of materials, including references, some videos, and planning guides.  Many of these I’ve seen and used before, but some were new to me.  There was a commitment to send us all an email with a link to a download of the participant manual once it was available.  Some of those resources can be found here.

All in all, this was a good workshop.  The mix of an audience (numbering over 60, I believe) contributed to great discussion and the primary speaker was great.  The presentation materials were solid and provided a lot of context.  While I was disappointed in the lack of a participant manual and the inclusion of too many breaks, I certainly understand that this is the pilot of a redeveloped program which they are trying to keep as timely and relevant as possible.  While I already knew of many of the concepts and standards, there was some great material and discussion, especially in the context of facilities rather than public safety response.  This is a good program which I would recommend to facility owners, managers, and safety/emergency management personnel as well as jurisdiction emergency management and public safety personnel.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness

2016 National Preparedness Report Released

The fifth National Preparedness Report has been released by FEMA.  The National Preparedness Report is based upon, as the report states, input of more than 450 data sources and 190 stakeholders, including 66 non-federal organizations (which would account for state preparedness report submissions and information from Urban Area Security Initiative regions).  The report is intended as a summary of where the nation stands in regard to each of the 32 Core Capabilities outlined in the National Preparedness Goal.

As mentioned, this is the fifth National Preparedness Report to hit the streets.  While they have some value and demonstrate that the data collection that is done is actually collated, I feel that through the years they are offering less meat and more potatoes.  I appreciate the highlighting of best practices for each mission area, but, to me, there is a missed opportunity if a report is simply providing data and not recommendations.  While it’s understood that the goal of the National Preparedness Report is not to provide recommendations (it would also take longer to publish the report, and the people pulling the data together do not likely have the expertise to create recommendations), I’d like to see FEMA (and stakeholders) have follow up efforts to provide recommendations in each mission area and not miss this valuable opportunity to then apply the findings and look forward.

Below, I’ve included their overall findings with a bit of my own commentary.  Overall, I will say that there is nothing eye opening in this report for anyone who pays attention.  It’s pretty easy to guess those Core Capabilities which are at the top and those which are at the bottom.

  • Planning; Public Health, Healthcare, and Emergency Medical Services; and Risk and Disaster Resilience Assessment are the three Core Capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but that face performance declines if not maintained and updated to address emerging challenges.
    • My commentary: BULLSHIT.  If these Core Capabilities are at ‘acceptable levels’, then our standards must be pretty low.  Planning is the one that disturbs me most.  We continue to see plenty of poor plans that are not realistic, can’t be operationalized, and are created to meet requirements (which are typically met by formatting and buzzwords).  Have we improved?  Sure.  But I wouldn’t say we are at ‘acceptable levels’.  As for Public Health, Healthcare, and Emergency Medical Services, we are struggling in certain areas to simply keep our heads above water.  While we are fairly solid in some areas of public health, one only needs to look at the Ebola incident to view how fragile our state of readiness is.  The findings for Planning and Public Health, to me, are nothing but shameful pandering and we need to get realistic about where we are at and the challenges we face.  Gold stars won’t stand up to the next disaster.  As for Risk and Disaster Resilience Assessment I have admittedly less experience personally.  I do know that we have some pretty incredible tools available that can help us determine impacts of various hazards for any given area under a variety of conditions, which is an amazing application of technology.  My concerns here are that there are still many who don’t know about these tools, don’t use them, and/or don’t follow the findings of information from these tools in their hazard mitigation actions.
  • Cybersecurity, Economic Recovery, Housing, and Infrastructure Systems remain national areas for improvement. Two additional Core Capabilities – Natural and Cultural Resources, and Supply Chain Integrity and Security – emerged as new national areas for improvement.
    • My commentary: NO KIDDING. While we have made a great deal of progress on Cybersecurity, we are still far behind the criminal element in most respects.  It also needs to be fully recognized in the National Preparedness Goal that Cybersecurity is a Core Capability common to all five mission areas.  Economic Recovery will always be a challenge, as every community impacted by an incident has a certain way it heals, essentially along the lines of Maslow’s Hierarchy.  A strong local economy is important to this healing, ensuring that the community has access to the resources it needs to rebuild and a return to normalcy.  While I’m sure studies have been done, we need to examine more closely how the economic recovery process evolves after a disaster to identify how it can be best supported.  Housing is the absolutely most challenging Core Capability in the National Preparedness Goal.  While I don’t have a solution for this, I do know that our current approaches, philosophies, and ways of thinking haven’t moved us an inch toward the finish line on this one.  We need to change our current way of thinking to be successful.  As for Infrastructure Systems, I could go on for days about this.  I’ve written previously, several times, (as have many others) on the critically fragile state of our infrastructure.  It’s no big secret.
  • States and territories continue to be more prepared to achieve their targets for Response Core Capabilities, while they are least prepared to meet their targets in the Recovery Mission Area.
    • This is another NO KIDDING. While we must always have a greater focus on Response, as that’s where lives are saved and the immediate danger is addressed, we can’t lose sight of Recovery.  Some recovery activities are more clear cut than others, and FEMA often muddies the waters more by inadvertently intimidating state and local governments when it comes to disaster recovery, as the focus becomes centered more on reimbursable activities vs doing what needs to be done.  The report included some interesting findings (take a look in the Recovery Mission Area drop down on the web site) on ‘mixed trends in exercising recovery capabilities’.  Again, this is nothing earth shattering, but it’s nice to see the matter addressed.  Yes, we clearly need to exercise Recovery Mission Area Core Capabilities better and more often.

These reports are always worth looking through, even though much of the information is generally known by those of us in the profession.  There are always little nuggets of learning available, and data from the report may be used to support your own endeavors for additional funding or resources for your own program.

As always, I’m interested in your insights and thoughts on this post and the National Preparedness Report.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness


National Planning Frameworks: National Engagement Webinars

FEMA is hosting a series of 60-minute engagement webinars to discuss the update of the National Planning Frameworks. All webinars are open to the whole community, which encompasses—individuals (including those with disabilities and others with access and functional needs), businesses and nonprofits, faith-based and community groups, schools, and all levels of government. The sessions are scheduled for:

• Monday, May 18, 3:00 PM EDT
• Wednesday, May 20, 11:00 AM EDT
• Wednesday, May 27, 12:00 PM EDT
• Thursday, May 28, 10:30 AM EDT

Because each engagement webinar will cover the same information, please choose the session most convenient for you. Advance registration is required due to space limitations. Registration is on a first come, first serve basis. To register, please visit: https://www.vjpo.org/private/ppd8/events/frameworksupdate.

If you require accommodations to participate in these events, please provide details in the Disability Related Accommodations field on the registration page or contact us at PPD8-Engagement@fema.dhs.gov.

To review the draft National Planning Frameworks, please visit http://www.fema.gov/learn-about-presidential-policy-directive-8. To provide comments, please complete the feedback form and submit to PPD8-Engagement@fema.dhs.gov. Comments made during the webinars are considered to be for discussion purposes only and may not be adjudicated formally.

The National Planning Frameworks, which are part of the National Preparedness System, set the strategy and doctrine for building, sustaining, and delivering the core capabilities identified in the National Preparedness Goal. They describe the coordinating structures and alignment of key roles and responsibilities for the whole community and are integrated to ensure interoperability across all mission areas.

This update of the National Planning Frameworks focuses on discrete, critical content revisions, and confirming edits as a result of comments received on the National Preparedness Goal. Additional changes in the current draft of the Frameworks are the result of the lessons from implementing the Frameworks and recent events, as well as the findings of the National Preparedness Report.

Questions can be directed to FEMA’s NIC at: PPD8-Engagement@fema.dhs.gov.

For more information on national preparedness efforts, visit: http://www.fema.gov/national-preparedness.

A Disasterous Trend: Cuts in Preparedness Funding

This post was initially inspired by an article from CBS News on funding cuts to disaster preparedness programs.  These cuts go further and deeper than the current sequester cuts we are now seeing.  These cuts are a dangerous and disastrous trend.  To quote the article…

“In fiscal year 2010, Congress appropriated $3.05 billion to FEMA for preparedness grants designed to strengthen “our nation’s ability to prevent, protect, respond to, and recover from terrorist attacks, major disasters and other emergencies, …. In fiscal year 2012, that appropriation was less than half that figure – $1.35 billion. The same trend could be seen in FEMA pre-disaster mitigation grants, which fell from $100 million in 2010 to $35.5 million two years later.”

Have all the terrorists gone away?  Has Mother Nature stopped having temper tantrums?  Have stupid people stopped doing stupid things?  I don’t think so!  So why the cuts?

Let’s put some things in perspective… On one hand, we do need to have a bit of fiscal prudence and restraint.  GAO reports have repeatedly shown that many state and local governments are simply not spending down the grant funds they have been allocated.  DHS grants are backed up several grant years with unspent funds.  That said, as we peel back the layers of the onion, there are certain facts that need to be mentioned.  Why aren’t they spending the money they have been given?  First, grant periods have generally been too short.  The most significant reason for this is the inefficiency of bureaucracy we live in.  Follow this trail… The federal fiscal year begins October 1st.  The budget gets passed at some undermined point around that.  DHS, along with all the other agencies, get their allocations.  They then need time to formulate their grant guidance for the funds going to states and locals.  By the time states see this grant guidance and their respective allocations it’s usually close to the end of the second quarter of the federal fiscal year.  States then have to formulate their own grant guidance as they pass through funds to locals.  All this bureaucracy delays the grant year about six months.  Recognizing that nothing could be done about the bureaucracy, DHS finally extended grant years only recently, giving folks a more reasonable amount of time to spend the money.

Another reason why grant funds are slow to spend is that in most cases the grantees don’t actually ask for the money, therefore they don’t have a budget prepared beforehand.  DHS distributes funds based upon a formula.  While an application exists, it’s nothing more than an afterthought and formality.  That leaves states and locals with a pile of cash and no plan on how to spend it.  Here lies the beginning of the breakdown in accountability.  Now most folks will say that it’s easy to spend money.  In government, not so much.  Especially when you consider a few factors: 1) every level of government has spending rules (accountability is a good thing, but that can get in the way of efficiency when RFPs have to be issued for darn near everything); 2) a great deal of equipment was purchased in the big push of funds immediately surrounding 9/11 – what else do we need?; and 3) grants are restricting what funds can be spent on (i.e. there are limits on personnel (salary) expenses, and the purchase of disposables and maintenance costs of equipment – which are of particular importance for exercises).

So governments don’t have a lot of time to spend the money and face a few obstacles in getting the money spent.  But how is this a factor of cuts?  One reason for these cuts is that Congress is seeing that states and locals have a lot of money left over going back several grant years.  Failing to realize the whys and wherefores of it all, they are simply giving less money (because, to them, it’s not needed – but nothing could be further from the truth!).  They are also looking to reduce spending overall, as the article cites, and that’s a hit that will impact nearly everyone.

Taking a look at the grantees, however, there are a few criticisms.  Better and more proactive fiscal planning needs to be implemented.  Costs should be forecasted out several years to better anticipate needs.  They may, sadly, have to trim programs and streamline operations (although most emergency management programs certainly are not living in the lap of luxury).  They also need to be more creative with the declining funds they receive, especially through partnerships and regionalization.  An area doesn’t need to be regarded as a UASI or Catastrophic Planning Zone to work cooperatively as a region, which should include some pooling of funds for collective projects.

What can be approached regionally?  Most preparedness efforts fit well into that category: planning, training, and exercising.  Think about it, you work with your neighbors all the time and disasters don’t seem to stop at the county line, so why not make your cooperation more effective and efficient?  In the absence of regional catastrophic planning, which most areas don’t need to do, consider planning for some credible worst case scenarios and cascading impacts such as flooding and mass care.  Obviously regional mutual aid planning is essential.  How about working with your public health partners?  What about the private sector – how can you strengthen your relationships with them?  Regional planning conferences are a good start!  Regionalized training is obviously a no-brainer and regional exercises are essential making sure that the planning and training are effective and to give folks an opportunity to practice what they have learned.  Lastly, speaking as someone who has experience working for government and as a consultant, in many cases it’s actually more cost-effective and easier to coordinate regional preparedness activities by hiring a consulting firm, some of which have proven experience and expertise in working with the multiple stakeholders that a regional effort would include.

As we face reduced funding, we have to be more creative, cooperative, and communicate specific needs on a regular basis up the chain of government.  If you are with county or local government, let the state know what your needs are.  And don’t just tell them once – be sure to repeat yourself – not in an annoying wintertime house fly kind of way, but when the appropriate opportunity presents itself.  Make sure that you show justification for your needs through after action reports and documented strategies and plans.  Ask the State to take these needs up to federal partners – and when you have the opportunity to speak with these federal partners directly, take advantage of it; be they representatives of FEMA or your local representative of Congress or US Senator.  Remember to be specific and cite the need.  Don’t complain but be direct.  With funding that emergency management programs simply receive without asking being on the decline, we need to be proactive about receiving funds.

Emergency management and, to a greater degree homeland security, have been fortunate to have a good deal of funding over the last decade.  There has been so much money, though, with such short time lines, that things haven’t been done as well as they should have.  Now is the time to re-tool and reexamine how we do business.  Conduct needs assessments to determine what should be focused on and build upon community partnerships.  Consider what the community as a whole – the citizens – are willing to help in preparedness; as well as the private sector.  Whole-community partnerships have perhaps never been so important as they are now.

The Leading Edge of CyberSecurity… Where is it?

Tim RieckerI finally had a chance to read through Homeland Security Today’s publication of The Leading Edge Today.  The January edition was focused on cyber security.  The Producer’s Corner article (i.e. letter from the editor), cites a study and report compiled by Verizon and other entities from around the globe, including the US Secret Service.  This report, called the 2012 Verizon Data Breach Investigations Report, is staggering.  They cite 855 confirmed cases of enterprise data loss and say that most entities that are hacked aren’t aware of it for weeks or months – and are usually notified by someone else of the incident (i.e. law enforcement or an enterprise internet security firm).  The remainder of the publication offers some good information and insight on trends and prevention activities in the realm of cyber security.

Obviously The Leading Edge Today was published prior to the President’s signing of the cyber security executive order just a couple of days ago.  All reports so far indicate that the executive order really has no teeth.  It’s not law and only provides recommendations, although it does call for the establishment of a Cyber Security Framework (perhaps to parallel the National Response Framework?) and calls for the NIST to establish the standards of this framework.  DHS is charged with sector-specific outreach to engage the private sector.  It’s not the full package of what our nation needs, but it’s a start.  It’s apparently a political throwing-down of the glove to challenge Congress to promulgate and pass a cyber security bill.

I’ve not had the chance to do any research on it, but what are other nations doing?  I imagine that there must be countries out there who have not dragged their feet as much as we have on this matter; and hopefully they have been able to implement not only strategic plans that outline progress, but have also implemented tighter defenses.  This may also be an opportunity for a global defense against cyber crimes – particularly in consideration of the perpetrators and the victims often times being from around the world.  In my eyes, this cyber terrorism needs to be viewed as an attack on our sovereignty, on our economy, and on our personal and corporate privacies.  To fight it is to wage war against those who perform it and those nations who sponsor it – just like any other act of terrorism.

Critical Infrastructure Dependencies

Homeland Security Today published an article recently on the FCC’s examination of wireless network issues post Hurricane Sandy.  While the article speaks mostly on the need to bolster the wireless telecom infrastructure, it does mention the obvious dependencies that wireless has on our energy infrastructure.  These types of dependencies can be seen throughout all our critical infrastructure, linking them intimately, and demonstrating how fragile we really are without proper preparedness efforts and redundancies.  The illustration below outlines eight (of eighteen) of our critical infrastructure sectors: Fuel, Communications, Water, Banking, Electric Power, Transportation, Emergency Services, and Government Services.  I take no credit for the graphic, which was simply found on Google Images, but it is a great example depicting a number of the linkages (i.e. dependencies) that each of these sectors has on one another.  Like dominos, multiple sectors can be made to topple by exploiting vulnerabilities in one or more of them.  We’re not just talking about terrorism here, although preventing the intentional interference with critical infrastructure is obviously a major concern, but we’re also looking at natural hazards.

Critical Infrastructure Dependencies

Critical Infrastructure Dependencies
















We’ve seen from real life on multiple occasions what damages to our infrastructure can cause.  Our electrical infrastructure is perhaps the most fragile, but is also the one linked to every other sector – no wonder there is so much attention paid to preparedness and mitigation efforts to make this sector more resilient.  The above graphic shows, not accidentally, the electrical sector being in the middle of all others.

There has been further attention brought to the matter recently by the National Infrastructure Coordinating Center (NICC).  In this article by Homeland Security Today, it was announced that the National Infrastructure Coordinating Center will be hiring contractor support as a force multiplier in their monitoring activities.  Last week FEMA just released IS-913, their Independent Study course on Critical Infrastructure Protection: Achieving Results Through Partnership & Collaboration.  This course compliments other critical infrastructure protection-oriented training programs of FEMA’s.  FEMA Independent Study courses are free and open to all US citizens.  I would strongly encourage that you explore what they have to offer if you haven’t already.

Critical Infrastructure Protection (CIP) is an important topic spanning all of emergency management and homeland security.  Additional information on CIP can be found from the DHS CIP website and other sources.

Homeland Security Priorities Needed – Any Ideas?

Homeland Security Today recently published an article citing the Congressional Research Service‘s study regarding DHS‘ failure to align and prioritize its variety of mission areas.  The results of this study shouldn’t be a surprise to anyone.  The massive quantity of DHS programs, including both those at the federal level as well as those pushed down to state and local governments is mind-boggling.  If you aren’t familiar with the size and complexity of DHS, see my post on the 10 year anniversary of DHS.

I won’t tackle at length the issues associated with combining 22 agencies as I did in that post, but consider the number of agency missions, directives, and requirements that DHS must have as a result of that merger.  It’s no wonder they can’t keep track of their own business!  A monster has been created, and with it a huge bureaucracy intended to manage it – but, alas, it’s impossible to manage such a beast!  Does Janet Napolitano even know all the programs and mission areas within the agency?  Doubtful.  And that’s no slight to her, it’s too big for anyone to commit to memory.  In an effort to reduce bureaucracy and streamline services and missions, they have, in fact, done the opposite.  Essentially, DHS is over-diversified.

As the HSToday article points out, DHS published a strategic plan last year, but that plan fails to give any priority to their array of missions.  It also fails to provide a cohesive strategy to the entire federal homeland security amalgamation.  This certainly is not what an agency strategic plan should do, but federal and national level strategies should be created.  DHS does require states to formulate and maintain State Homeland Security Strategies – so why can’t they do the same?

There have been a number of articles and blogs in the last few days citing the fact that ‘homeland security’ as a term, has a very loose and amorphous definition.  This is a clear signal that clarification is needed on many fronts.  I believe that part of that clarification is that homeland security is a concept, not a mission area.  There may certainly be a need for a coordinating agency to address mission areas related to the concept of homeland security, but that agency is not DHS as we now see it.  What needs to be done?  As a trainer, I say a needs assessment is a good start.  The writing is on the wall, now let’s do something about it.