DHS proposes standards for private sector disaster preparation

Industry fears the voluntary standards are too rigid and eventually could be made mandatory for companies looking to do business with the government.

The Homeland Security Department proposed standards on Thursday to guide companies and utilities in preparing for disasters or emergencies, but some groups criticized the model as a one-size-fits-all approach that will not work and charged the federal government had overstepped its bounds by dictating how businesses should manage their affairs.

DHS today proposed three standards that private organizations should follow to certify that they have developed a management plan to respond to disasters and emergencies, including how they plan to continue operations. The standards, which are part of the Voluntary Private Sector Preparedness Accreditation and Certification Program, or PS-Prep, outline the roles and responsibilities companies should follow during a disaster, requirements for training employees, how to communicate, information technology requirements and other areas. PS-Prep was mandated under the 2007 9/11 Commission Recommendations Act.

But the guidance met sharp criticism from the private sector. "This allegedly voluntary program assumes one size fits all," said Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks. "It doesn't. The way we manage risk in our respective business environments is different and across industry sectors is different. This is a cure chasing a problem, and the assumption that government knows better how to ensure continuity of operations and disaster response than the businesses themselves is ludicrous."

DHS published a notice in the Federal Register about the proposed standards, which the American Society for Industrial Security, the British Standards Institution and the National Fire Protection Association established and use.

The first standard encourages organizations to establish a policy and objective to manage risks and deploy risk management controls. The second standard specifies requirements for creating and operating a process that ensures operations are maintained during an emergency situation. The third standard provides criteria to develop and assess programs for response to and recovery from emergencies.

DHS requested comment on the standards by Nov. 15.

"This program can help us get to the bottom of the following question that has gone too long unanswered: How much should I invest and where should I invest to meet my responsibilities to my shareholders, my local community and my country?" said Bob Stephan, managing director of government affairs strategy and management firm Dutko Worldwide and former assistant secretary for infrastructure protection at DHS. "In the absence of such a program, determining preparedness baselines, performance achieved and gaps is an open-ended undertaking."

DHS spokesperson Sara Kuban said the threat of the H1N1 flu virus is an example of why established standards for emergency preparedness are necessary. She said no organization is required to comply with the standards.

Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, doesn't expect the standards to affect businesses and other organizations significantly. "Why do we as a country care? Critical infrastructure companies are one thing, but all companies in the U.S. are another," he said. "It's another check-the-box exercise that most will ignore."

Dix worries about the long-term effect of the standards, which he said could result in acquisition reform that would require industry to meet federal specifications to do business with federal agencies. "I believe government intends to use this certification and accreditation process as an acquisition requirement," he said. "So we have a flawed process to start with," which could potentially drive purchasing decisions in the federal government.

"Congress handed this to DHS, and told them to do this," said Ann Beauchesne, vice president of the U.S. Chamber of Commerce's national security and emergency preparedness department. "Everyone I have spoken to insists this is a voluntary program. They have no desire to make this a regulation."

Dutko Worldwide's Stephan argued the program could help, not hurt, industry's business opportunities with federal agencies. "Many argue that this represents a first step in a future regulatory process," he said. "In fact, voluntary adherence to a set of standards officially recognized by DHS could offer potential liability relief [for industry], help target industry resource investments and initiatives, and -- if Congress is supportive -- drive other positive incentives such as tax relief."
