Department of Homeland Security’s Proposed Voluntary Private Sector Preparedness Program
Setting Guidelines for What Your Company Should Do (and May Be Required to Do) in Case of an Attack or a Security Incident
On December 24, 2008, the Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA) published a Notice requesting recommendations for its Voluntary Private Sector Accreditation and Certification Preparedness Program (PS-Prep). It may be in your company's best interests to provide input to DHS.
Through the PS-Prep program, DHS seeks to encourage the wide adoption of private sector preparedness efforts, especially for the nation's 18 critical infrastructure and key resources (CIKR) sectors [1]:
1. agriculture and food;
2. commercial facilities;
5. information technology;
6. postal & shipping;
7. banking & finance;
9. defense industrial base;
10. government facilities;
11. national monuments and icons;
12. transportation systems;
14. critical manufacturing;
15. emergency services;
16. healthcare & public health;
17. nuclear reactors, materials and waste; and
This draft guidance outlines the process DHS will undertake to implement this program.
- First (through this guidance), DHS will consider, select, and adopt a wide variety of preparedness standards.
- Second, third parties will be accredited to certify that private sector entities are in compliance with a preparedness standard.
- Third, private sector entities will be certified after demonstrating compliance with preparedness standards.
DHS could adopt standards that would apply broadly to a number of industries and standards that are more limited - for example, an emergency standard for hospitals over a certain number of beds. DHS could adopt standards covering sectors (e.g., commercial facilities) and subsectors (e.g., shopping malls).
DHS is considering lower-cost certification options for small businesses, including a self-declaration of conformity. The agency welcomes comments on this and other options.
While this draft guidance makes it clear that DHS is not regulating preparedness or security in the private sector [2], voluntary standards can sometimes become mandatory at a later date. Additionally, a company with business reasons for seeking DHS certification of preparedness may want to assist the agency in establishing these standards.
FEMA has requested comments by January 23, 2009, but will accept comments at any time. Additionally, FEMA is holding two public meetings in Washington, D.C. on this subject -- one on January 13, 2009 and one in February 2009. However, DHS will not issue another Notice before initial standards are adopted.
Please contact your SGR counsel or one of the authors if you are interested in filing public comments on the FEMA draft guidance or if you have questions about how this guidance, once finalized, might affect your company or industry. We can also assist you with SAFETY Act [3], PCII [4], and C-TPAT [5] matters.
[1] Critical infrastructure and key resources (CIKR) "are systems and assets, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters." The private sector owns and operates approximately 85% of the country's critical infrastructure and key resources.
[2] The Notice repeatedly states that DHS seeks to adopt voluntary standards; further, it provides that it "is emphatically not PS-Prep's purpose to impose a single federal preparedness standard on the private sector."
[3] The Supporting Anti-Terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act) program is intended to foster the development and deployment of anti-terrorism technologies by providing certain liability protections to sellers and downstream purchasers of qualified anti-terrorism technologies.
[4] Through DHS's Protected Critical Infrastructure Information (PCII) program, private sector entities can seek certification of information as protected critical infrastructure information, thereby maintaining the confidentiality of sensitive information. With this PCII, DHS can then evaluate vulnerabilities, risk, and security; ensure preparedness; and develop appropriate recovery plans for critical infrastructure.
[5] The Customs-Trade Partnership Against Terrorism (C-TPAT) program offers a certification to the private sector owners of the international supply chain if certain security requirements are met. With certification, the program participants can enjoy a more efficient and streamlined inspection process, among other benefits.