Homeland Security Watch

The new National Emergency Communications Plan (NECP) , which was released last month is definitely a work in progress. And yet, exactly how far we have now come in general with respect to synchronizing planning and communications as we work to achieve national preparedness objectives including the NECP was apparent, for example, during the Nuclear Regulatory Commission’s meeting earlier this week with FEMA and state and local representatives.

In a free-flowing, roundtable discussion, state and local representatives spoke directly to the full Commission along with FEMA Director David Paulison. Among the issues raised was the need for federal personnel to actually take part in large-scale drills and exercises. This sort of frank exchange was unimaginable a few years ago. Today, however, it is essential. Making the NECP a coherent and user-friendly plan in a short amount of time requires a serious effort from all stakeholders.

The NECP’s stated “milestones” illustrate just how little time they have.

The first milestone calls for a review of the DHS’ emergency communications capability framework within 18 months “during a series of technical working group meetings with stakeholders from the emergency response community.” Another requires the creation within 24 months of the new emergency communications capability framework, which will be incorporated as the communications and information management capability in the DHS/FEMA National Preparedness Guidelines/TCL. This will serve as a basis for future grant policies.

The very next initiative demands that “within 12 months, tactical planning among Federal, State, local, and tribal governments occurs at the regional interstate level.”

Consider these goals set forth by the NECP:

Goal 1: By 2010, 90 percent of all high-risk urban areas designated within the Urban Areas Security Initiative (UASI) are able to demonstrate response-level emergency communications 3 within one hour for routine events involving multiple jurisdictions and agencies.

Goal 2: By 2011, 75 percent of non-UASI jurisdictions are able to demonstrate response-level emergency communications within one hour for routine events involving multiple jurisdictions and agencies.

Goal 3: By 2013, 75 percent of all jurisdictions are able to demonstrate response level emergency communications within three hours, in the event of a significant incident as outlined in national planning scenarios.

Progress toward the initial milestones appears to be underway already. According to the NECP, Regional Emergency Communications Coordination Working Groups (RECCWGs) are taking shape in each of the 10 FEMA regions, “to assess emergency communications capabilities within their respective regions, facilitate disaster preparedness through the promotion of multijurisdictional and multiagency emergency communications networks, and ensure activities are coordinated with all emergency communications stakeholders within the RECCWG’s specific FEMA region.”

The NECP makes no mention of how all this greater emphasis on regional coordination ties into the Task Force for Emergency Readiness (TFER), a new concept which has received considerable attention lately. This will have to be addressed by the DHS Office for Interoperability and Compatibility (OIC) as it fine tunes Communications Unit Leader (COML) training. OIC is charged with devising, “a tool for training (COMLs) and their command and general staff to perform the critical mission of managing interagency and cross-disciplinary communications during all hazards incidents.”

In the next 18 months, OIC must not only develop and disseminate “training program guidance and curricula for emergency communications technical staff,” but also provide, “educational and training opportunities to emergency response agencies per requests through technical assistance programs.”

Roy Jones, communications manager at the Maine Emergency Management Agency, offers an upbeat assessment of the NECP. “It is really good to have these deadlines. Some may be difficult to achieve, and others may need to be revised as with any plan. However, overall, they are reasonable and they reflect input from the stakeholders. This plan allows us to better see what is on the way and what everyone else is currently working on,” says Jones.

Yet deadlines are not the only source of pressure on the implementation of the NECP. The Association of Public-Safety Communications Officials (APCO) International stressed to Congress that motivation and organization can only get you so far.

During his testimony last month before the House Homeland Security Committee’s Subcommittee on Emergency Communications, Preparedness and Response, APCO International Vice President Richard Mirgon asserted that if “the goals of the NECP are to be successful, the Administration and Congress must ensure the NECP and the interoperable emergency communications grant programs are fully funded.”

Peter J. Brown, a freelance writer from Maine, writes frequently about the role of satellite technology in disaster response and emergency management operations.

The Office of Emergency Communications (OEC) in the Directorate for National Protection and Programs at the U.S. Department of Homeland Security will soon be releasing the new National Emergency Communications Plan (NECP). OEC’s mission is, “to support and promote the ability of government officials and emergency responders to continue to communicate in the event of a natural disaster, act of terrorism, or other disaster, and to ensure and advance interoperable emergency communications capabilities nationwide.”

The NECP will provide recommendations for ensuring interoperable emergency communications nationwide. At the same time, the ongoing DHS grants process which is driving interoperability at the state and local level in particular has been in motion for many months. First responders, public safety and emergency management personnel are well down the road with respect to ongoing and well-funded interoperability planning, and training, along with related equipment purchases.

As a result, OEC must be careful to roll out an NECP that is consistent with, and supportive of, current decisions and guidance involving policies, procedures and protocols which in turn greatly influence planning and training. To not introduce what is in effect a truly user-friendly NECP means that OEC may end up disrupting or somehow impeding current state and local efforts to address established interoperability goals.

In its March 2008 report on FEMA preparedness, the DHS Office of Inspector General (OIG) emphasizes that, “there are no fewer than 10 federal interoperability initiatives underway. In light of the importance of interoperability and such large expenditures to strengthen it, the effective management of federal interoperability grants and programs is essential.”

The OIG report added that, “there is no single mechanism in place to link and orchestrate the numerous programs and initiatives underway, nor is there a clear line of accountability. Second, OEC is currently operating with a skeletal, full-time equivalent staff. OEC has assumed a large portion of responsibilities and programs directed at improving interoperable communications, and it requires additional staff and an adequate budget.”

The long-running interoperability program at DHS known as Project SAFECOM is now split between OEC which supports SAFECOM’s development of guidance, tools and templates, and the Office for Interoperability and Compatibility (OIC) in the Science and Technology Directorate which supports SAFECOM-related research, development, testing, evaluation and standards.

Under the Interoperable Communications Technical Assistance Program (ICTAP), for example, OEC addresses technical issues, policy-making and operational concerns. Assessing and updating existing Tactical Interoperable Communications Plans (TICPs) have been an important offshoot of this activity. Along with TICPs, all states and territories have Statewide Communication Interoperability Plans (SCIPs) that have already been approved by DHS.

Besides the above-mentioned TICPs, SCIPs and ICTAP-related work, there is a Public Safety Interoperable Communications (PSIC) program and Interoperable Emergency Communications Grant Program (IECGP). IECGP is jointly run by FEMA and OEC with over $48 million awarded to states in FY08. PSIC grants will total over $1 Billion.

Although it is doubtful that anyone would want to challenge the need for the NECP, due to an unfortunate sequence of events, state and local governments may in fact be way out ahead of OEC in this instance, thanks to all these IECGP and soon PSIC grants. And for this reason, the NECP must adapt to this set of circumstances or risk annoying and possibly alienating state and local stakeholders.

Charlottesville (VA) Fire Chief Charles Werner shares good news in this respect. He chairs the SAFECOM Executive Committee, and serves on both the International Association of Fire Chiefs Communications Committee and Virginia’s Statewide Interoperability Executive Committee.

“When you see the NECP, it will begin to make sense. The NECP does not do anything to diminish the progress that has been made by the states and the SCIPs but moreover builds upon them to further define, and direct the future development of the SCIPs through realistic and measurable performance outcomes (not methods or technology),” he says. “OEC Director Chris Essid, who was Virginia’s former Interoperability Coordinator, is very aware of the states’ efforts and the dynamics. OEC and SAFECOM have been working directly with the development, review and approval of the SCIPs. The fact that every state and territory has submitted a plan demonstrates that this program is working and should be recognized as a phenomenal accomplishment.”

He points out that, among other things, more money is coming that is specifically available for additional planning at the state and local levels.

In conclusion, Chief Werner’s assurances deserve attention, given that the OEC has been described as understaffed and perhaps underfunded. Clearly the OEC has its hands full as it completes and implements the NECP which must be a user-friendly document above all else. And as OEC moves ahead, effective partnering with state and local governments is essential to ensure that the NECP is successful, and that other interoperability goals are quickly and easily achieved.

Peter J. Brown, a freelance writer from Maine, writes frequently about the role of satellite technology in disaster response and emergency management operations.

Homeland Security Secretary Chertoff and FEMA Administrator Paulison sat down yesterday with HLSwatch.com, Rich Cooper of SecurityDebrief, and John Solomon of In Case of Emergency Blog to discuss the Department’s preparedness efforts as hurricane season approaches. The dominant theme was devolution: states and individuals can and should do a lot more to prepare themselves for emergencies and to manage for the first 72 hours without federal support if necessary.

A lot was learned from Hurricane Katrina in which local and state response capabilities were overwhelmed and the federal government was caught flat footed. Paulison explained yesterday that the previous framework wherein the state would respond after the local authorities failed, and then the federal government would engage only after the states failed was proven to be flawed.

The new paradigm gets the Feds involved from the outset, but within limits. Moreover, DHS now expects states and individuals to do a lot more for themselves than was previously expected of them. For example, individuals are expected to self-select out of the government support efforts if they can help themselves. We heard the Secretary recap situations when people in Louisiana and Florida lined up for emergency food and water supplies from FEMA when they had the money and means to go to the open grocery stores and buy it for themselves.

Chertoff probably didn’t mean to imply that these hurricane victims were exploiting the government selfishly. This phenomenon may actually reflect a type of information vacuum. We did not discuss in detail the sort of communications efforts that may inform victims that other options exist than FEMA’s free supplies.

We did discuss another information/communications program that Chertoff and Paulison believe should be shouldered by the states. The Integrated Public Alert and Warning System (IPAWS) was piloted by DHS last year as a means of delivering warning and emergency response information to blind and deaf people in areas endangered by hurricanes. The program was praised, but when the pilot ended the Department did not re-up the contract. This is the responsibility of the states, according to DHS. At a cost of roughly $1 million per year per state, Chertoff suggested this was minimal for states to pay given the obvious benefits of the program. I think he’s right.

Of course, the feds have a significant responsibility in helping to minimize the impact of natural disasters. There are some things DHS just can’t devolve to states and demand of individuals. Paulison described the “prescripted mission assignments” that DHS, Defense, and other agencies drafted to preload authorities and responsibilities for more timely federal engagement in emergency response. The Department also lined up pre-signed contracts with private sector entities to provide supplies where needed. For example, Home Depot could deliver water from one of its nearly 2000 locations, likely to be closely positioned to a crisis zone.

There is no question that emergency response and preparedness are the responsibilities of the federal government, states, and individuals. Clearly a lesson this DHS leadership learned from Katrina was that states and individuals can do a lot more the next time around. Its also clear that the Administration that presided over the Katrina response is going to have a difficult time communicating a “do-it-yourself” strategy. Fortunately, the kinds of proposals we heard yesterday are not a stretch. Encouraging the capable to get out of line for a handout so that FEMA can focus on the truly needy is an American value that just about anybody will embrace. Let’s hope the message isn’t overshadowed by the messenger.

The third “blogger roundtable” convenes this afternoon, this time the Secretary of Homeland Security is accompanied by the head of FEMA to discuss the upcoming hurricane season. Topics related to this month’s hearings on the topic of a resilience-based strategy for DHS, as well as the new draft National Incident Management process, will figure into our discussion. Submit a comment below if you have any specific questions in this general subject area that you would like raised during the roundtable.

FEMA is accepting comments on the draft National Incident Management System (NIMS). NIMS is a nationwide template for federal, state/local governments, the private sector, and nongovernmental organizations to coordinate in prevention, response, and mitigation efforts. The draft NIMS document is available online at www.regulations.gov, in Docket ID FEMA–2008–0008.

On February 28, 2003, the President issued Homeland Security Presidential Directive–5 (HSPD–5), Management of Domestic Incidents, which directed the Secretary of Homeland Security to develop and administer a National Incident Management System (NIMS).

NIMS is described as a “core set of doctrines, concepts, principles, terminology, and organizational processes that enables effective, efficient, and collaborative incident management.” NIMS also supports the development of technologies that facilitate emergency management and incident response.

The changes in this revised NIMS document are described as “not substantively dramatic, and do not alter the basic NIMS doctrine published in the 2004 version.”

Comments must be received by June 2, 2008 via Federal eRulemaking Portal: http:// www.regulations.gov or through FEMA–POLICY@dhs.gov. Be sure to include the Docket ID FEMA–2008–0008.

Previous questions about the first draft NIMS document asked about the specifics of assigned roles and responsibilities for key participants from the federal, state, and local governments, nongovernmental entities, and the private sector.

According to GAO, the TOPOFF 3 exercise in April 2005 illustrated some uneven uptake of the NIMS framework at the federal level. The FBI, wrote GAO, never fully integrated into and accepted the unified command called for under NIMS…”, “did not appropriately staff the incident command post with its representatives,” and “kept management of the investigation separate from the incident management overseen by the unified command.”

The DHS Inspector General’s report on FEMA’s readiness is public. Thanks to reader William Cumming for sending in a copy. The IG identified nine areas in which FEMA must be invested in order to be ready for catastrophic emergencies. The report shows how FEMA fairs in each of the areas using a four-tiered scale of substantial progress, moderate progress, modest progress, and limited or no progress.

FEMA officials told IG investigators “that budget shortfalls, reorganizations, inadequate IT systems, and confusing or limited authorities negatively affected their progress” in these areas researched. While the IG agrees with FEMA, it also suggests that FEMA would benefit from better “knowledge management” and plans for sustaining initiatives.

After a July 31, 2007, hearing on FEMA preparedness, the House Committee on Oversight and Government Reform tasked the DHS Office of the Inspector General (OIG) with providing a high-level assessment of DHS and FEMA’s preparedness for the next catastrophic disaster.

The report identifies key areas for managing catastrophic disasters and determines the progress FEMA has made in these areas since Hurricane Katrina struck in August 2005. FEMA’s funding spiked following Hurricane Katrina, but is today approaching to pre-Katrina levels.

Click to enlarge.

The report reveals that FEMA has shown moderate progress across the board, but several FEMA shortcomings identified in the report are vital to managing this year’s upcoming hurricane season. FEMA was found to have made limited progress in establishing regulations, policies, and operating procedures for major emergencies, in staffing and training, and in the management of mission assignments.

Next, the OIG plans to review the development of FEMA’s plans, policies, and procedures for managing major disasters. This includes the development and implementation of the National Response Framework, community preparedness, and planning for catastrophic scenarios.

Only have time to make sure you have a link to this final report.

If interested, the official DHS statement about the Framework is here:

WASHINGTON – The Department of Homeland Security (DHS) today released the National Response Framework (NRF), successor to the National Response Plan. The NRF, which focuses on response and short-term recovery, articulates the doctrine, principles and architecture by which our nation prepares for and responds to all-hazard disasters across all levels of government and all sectors of communities. The NRF is responsive to repeated federal, state, local and private sector requests for a streamlined document that is less bureaucratic and more user-friendly. The NRF also focuses on preparedness and encourages a higher level of readiness across all jurisdictions.

The NRF is being released following an extensive process of outreach and coordination between DHS and key stakeholders representing federal, tribal, state and local governments, non-governmental agencies and associations, and the private sector. The latest public comment period for the base document of the NRF closed on Oct. 22, 2007 and the comment period for the support annexes closed on Nov.10, 2007. The final documents reflect the nearly 5,700 comments received from participants of the process.

“The National Response Framework is an essential tool for emergency managers at all levels,” said Homeland Security Secretary Michael Chertoff. “It helps define the roles, responsibilities, and relationships critical to effective emergency planning, preparedness and response to any emergency or disaster. Today’s release reflects the culmination of many months of hard work and collaboration within the nation’s emergency management community.”

The NRF is intended for senior elected and appointed leaders, such as federal department and agency heads, state governors, mayors, tribal leaders, city managers and the private sector. Simultaneously, it informs emergency management practitioners by explaining the operating structures and tools routinely used by first responders and emergency managers at all levels of government.

The NRF is designed to:
o be scalable, flexible and adaptable;
o always be in effect; and
o articulate clear roles and responsibilities among local, state and federal officials.

In addition to releasing the NRF base document, the Emergency Support Function Annexes and Support Annexes will be released and posted at the NRF Resource Center (www.fema.gov/nrf), an online repository of the entire component parts of the NRF. The annexes are a total of 23 individual documents designed to provide concept of operations, procedures and structures for achieving response directives for all partners in fulfilling their roles under the NRF.

Upon finalization and publication of the NRF base document and the annexes, a large focus will be to initiate an intensive nationwide training and exercise program to embed the NRF into the nation’s preparedness and response cycle. Implementation of the NRF training and exercise strategy will include awareness training, position-specific training, exercises (tabletop and functional), and sustainment training.

To make the NRF a living system that can be revised and updated in a more nimble, transparent fashion, the NRF Resource Center was developed. The Resource Center will allow for ongoing revisions as necessary to reflect real-world events and lessons learned.

The NRF and the annexes will go into effect 60 days after publication in the Federal Register.

Out of the ashes and tumult of Katrina, a new National Response Plan is near ready.  This might be considered a debut for the National Protection and Programs Directorate at DHS, but I am certain many had a hand in the drafting of this document.  CQ Homeland Security’s Eileen Sullivan obtained from Hill sources a pre-decisional draft of what is now termed the National Response Framework.

There will be no shortage of analysis by the press, but I thought a few specific items warranted highlighting as of this first glance.

Two places we witnessed painful missed opportunities in the response to Hurricane Katrina included the failure to fully tap into the resources of the private sector and the inability, or perhaps reluctance, to optimize the resources and aid donated by well intentioned allies and friends overseas.

 The National Response Framework includes this text to address the role of the private sector:

The Private Sector. A quick word about certain nomenclature used herein is appropriate. Common English usage draws a binary distinction between the public and private sectors – meaning those organizations and activities that are formally governmental at all levels, and those that are not. The private sector thus includes many distinct entities, including for-profit businesses (publicly-traded or privately owned), trade associations and nongovernmental organizations, not-for-profit enterprises, faith-based organizations and other voluntary organizations. Of course from another perspective, the private sector is comprised not only of organizations, but of individual citizens and families, who have important obligations to be prepared for emergencies, as discussed further in Chapter I. 

Private sector businesses play an essential role in protecting critical infrastructure systems and implementing plans for the rapid restoration of normal commercial activities and critical infrastructure operations in the event of disruption. The protection of critical infrastructure and the ability rapidly to restore normal commercial activities can mitigate the impact of a disaster or emergency, improve the quality of life of individuals and accelerate the pace of recovery for communities and the nation. The private sector, NGOs in particular, contributes to response efforts through engaged partnerships with each level of government to assess potential threats, evaluate risk and take actions as may be needed to mitigate threats.

Not a whole lot more than that could I find in my first run through the draft.  Several mentions of the private sector are threaded throughout the document, but it appears that the main plug-in for private sector coordination remains the Incident Command Structure.  There were some readers a while ago with significant experience in the plans that preceded the NRP and FEMA’s history in this regard.  Your comments on how this works would be greatly appreciated.  In the current draft, the ICS is depicted as follows:

 

The new Framework provides a nod to the importance of thinking ahead in terms of how the U.S. can effectively manage offers of assistance from other countries.  In what may appear to be a necessary division of labor, the NRF states rather clearly that the State Department has that task.  This may also reflect a cautious approach to accepting aid out of concern that any hasty approval or denial of aid offered could risk unintended diplomatic consequences unrelated to the emergency itself.  Here is language from the draft NRF to this effect:

For major incidents in which foreign governments, individuals or organizations wish to make donations, the U.S. Department of State is responsible for coordinating such donations. Detailed guidance regarding the process for managing international donations is provided in the International Support Annex.

DHS concluded Ardent Sentry – Northern Edge, a full scale exercise testing DOD, state/local, and interagency responses to a range of scenarios to stress test capacity and knowledge of NIMS, the NRP, etc.  Even the Canadians are involved. 

AS/NE introduced an interesting new role that reflects progress from the post-Katrina position to consider turning to the Pentagon as lead federal agency too quickly.  The “Defense Coordinating Officer” (DCO) debuted to coordinate information and requests between FEMA and the Department of Defense.  Apparently it worked so well that DCOs will be assigned to each of FEMA’s 10 regions.  It probably helps that even before Katrina the Homeland Defense team at DOD was steadily writing up “prescripted requests for assistance” to anticipate the kinds of state and local needs that might arise in any of the 15 national planning scenarios. 

But I digress.  The Ardent Sentry-Northern Edge war game kicked off a five-year schedule of national level exercises.  It began with FEMA Regions I and II dealing with hurricanes from New York to Maine.  Region X’s (Alaska) scenario even involved terrorist threats to energy infrastructure.  FEMA Region V got the real deal with managing response mechanisms and practices following the fictitious detonation of a 10-kiloton nuclear device in Indianapolis.

I’m traveling until Memorial Day.

On Sunday, in an incident at the Port of Miami, three men of Middle Eastern origin were briefly arrested following an encounter at a checkpoint that included the failure of the driver to reveal that two additional men were in the truck. Charges were dropped against them today. Today, a smell resembling that of natural gas permeated Manhattan, prompting early concerns about a terror-related chemical attack, and overloading the city’s emergency communications system. Although the source of the odor has not yet been determined, officials are confident that the incident was not harmful and not related to terrorism. And then this afternoon, again at the Port of Miami, a pallet that was to be loaded on a cruise ship tested positive for plastic explosives; upon further examination, the pallet contained sprinkler system parts.

These three incidents were all headline stories on the cable news channels over the past 24 hours. Each incident clearly raised local anxieties during the span of time between awareness and resolution. And each incident served as a valuable exercise for the officials involved, forcing them to utilize the procedures and protocols that are applicable in the detection of and response to terrorist acts.

Overall, the responses seem to have been well-executed today, a tribute to the federal, state and local officials in Florida, New York, and New Jersey who were involved with these incidents. It’s true that the exact source of the New York “odor” has not yet been determined, but emergency management officials acted quickly to determine that it posed no imminent threat and encourage the general public to stay calm.

As long as we face threats to our security, these types of “false alarms” will occur with regularity. Such is the nature of our systems of prevention and detection that false alarms and false positives are inevitable in many circumstances. There’s always a risk that false alarms will lead to a “boy who cried wolf” complacency, but overall, such incidents are ultimately valuable as a tool to get people prepared for the real thing, in a way that even the most sophisticated TOPOFF exercise can’t match.

The Congressional Research Service released a report in late December that examine the rebuilding of housing in the Gulf Coast region affected by Hurricane Katrina:

RL33761: Rebuilding Housing After Hurricane Katrina: Lessons Learned and Unresolved Issues, December 19, 2006

The full HLS Watch collection of CRS reports is available here.

Yesterday DHS released a major report on the state of interoperable communications, giving scores to 75 urban/metropolitan areas on their current capabilities. You can download the full report here, and this webpage summarizes the scores in each area. This AP story summarizes some of the findings in the report:

The report found that while emergency agencies in more than 60 percent of the communities studied had the ability to talk to each other during a crisis, only 21 percent overall showed “the seamless use” of equipment needed to also communicate with state and federal officials.

The report’s highest ratings went to the Washington, D.C., area; San Diego; Minneapolis-St. Paul; Columbus, Ohio; Sioux Falls, S.D.; and Laramie County, Wyo.

The lowest scores went to Chicago; Cleveland; Baton Rouge, La.; Mandan, N.D.; and American Samoa. The report includes large and small cities and their suburbs, along with U.S. territories.

The report led members of the House Homeland Security Committee to argue yesterday in favor of a dedicated grant program for emergency communications, instead of providing this funding within broader homeland security grant programs. This issue is expected to arise in the 9/11 Commission recommendations legislation that will be brought to the House floor next Tuesday.

The Trust for America’s Health released an annual report yesterday on the nation’s public health preparedness, giving each of the 50 states grades on their level of preparedness. Oklahoma and Kansas come away with the highest grade, and the four states tied for the lowest ranking are California, Iowa, Maryland, and New Jersey. The complete report is available here.

The Government Accountability Office released a report on Wednesday entitled “Hurricane Katrina and Rita Disaster Relief: Continued Findings of Fraud, Waste and Abuse” as part of testimony before the Senate Homeland Security and Government Affairs Committee. The report chronicles dozens of examples of waste and abuse, as summarized in this AP story:

One year after Katrina, the government is still squandering tens of millions of dollars in wasted disaster aid, including $17 million in bogus rental payments to people who had already received free trailers and apartments, federal investigators said today.

At the same time, the Federal Emergency Management Agency has recovered less than 1 percent of the $1 billion it wasted on fraudulent hurricane assistance after the August 2005 storm, highlighting a need for stronger controls the next time a major hurricane strikes.

The report by the Government Accountability Office paints a picture of an agency still struggling - at substantial taxpayer expense - to find the balance between distributing quick aid to those in need while guarding against substantial abuse.

….Among the audit’s findings:

-Fraud detection is inadequate. Even though GAO found at least $1 billion in disaster aid waste, FEMA has identified about $290 million in improper payments and recouped just $7 million.

-Control procedures remain weak. FEMA was unable to locate dozens of laptops, printers and other items that federal employees purchased with government-issued credit cards for Katrina disaster work. In one case, FEMA purchased 20 flat-bottom boats, but could not find two of them and lacked titles to any of them.

It will be an uphill battle to recoup losses due to waste and fraud in this case, given the passage of time, but the federal government should continue to investigate this nonetheless, if only to deter similarly unacceptable behavior in the wake of future natural disasters.

On Monday, DHS released a bulletin announcing the FY 2007 Emergency Management Performance Grants, and opening them for competition, with a due date of December 29, 2006. There is $194 million of funding for the EMPG in FY 2007. You can find the grant guidance and application kit at this link.

GovExec published a long story on Wednesday that looks at the role of exercises and simulations as a tool to improve emergency preparedness and response capabilities. It’s a solid piece, discussing the benefits and limitations of different types of exercises and highlighting a few imperatives for these exercises, such as the importance of issuing after-action reports and working seriously to address their implications.

A new report from the Congressional Research Service surveys legislation that has been enacted to reform FEMA and the broader preparedness and response system in the wake of Hurricane Katrina:

RL33729: Federal Emergency Management Policy Changes After Hurricane Katrina: A Summary of Statutory Provisions, November 15, 2006

The majority of the report is focused on summarizing Title VI of P.L. 109-295, post-Katrina reform legislation that was tacked onto the FY 2007 DHS approiations bill (H.R. 5441).

The full HLS Watch collection of CRS reports is available here.

A DOJ-affiliated organization hosted a conference in Atlanta on “Technologies for Public Safety in Critical Incident Response” in early September. The slides from numerous homeland security-related presentations at that event are now available online at this link. Some specific examples:

David Boyd, “The Role of Risk Assessments in Preparedness Planning”

David Heaven, “Technology’s Role in Response to VBIED’s”

John Milne, “SBI’s Role in Securing the U.S. Border”

T.J. Wright, “Role of the National Guard in Securing the U.S. Border”

Rebecca Denlinger and Michael Ferrara, “Homeland Security Information Network”

These are just a sampling of at least 30-40 relevant presentations at this page. And note that many of the links above are very large files.

As I mentioned earlier in the week, I traveled last week to London and spoke at the Global Security Challenge conference. While there, I met a fellow panelist from the British think tank Demos, Charlie Edwards, who was the co-author (along with Rachel Briggs) of a report entitled “The Business of Resilience” released a few months ago.

I read through the report earlier today, and it’s an excellent treatise on the evolving roles and responsibilities of the security function within the private sector. Briggs and Edwards offer a number of insightful observations regarding why security and resilience should be considered as core strategic imperatives, and what companies can do to align security with core business imperatives. They identify six characteristics exhibited by successful companies, which are worth listing here in full:

1. They [companies] understand that security is achieved through the everyday actions of employees right across the company. It is not something that the corporate security department can do to or for the company on its behalf and its functional success is therefore dependent on its ability to convince others to work differently. This places emphasis on communication and requires security departments to value the views of non-security professionals just as much as those of the experts.
2. They recognise the limitations of command and control approaches to change management. Behaviour is altered experience. The power of the corporate security function is now directly proportionate to the quality of its relationships, not the depth of its content knowledge.
3. They understand that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimise damage when things go wrong. Risk-taking is essential to successful business and corporate security departments must not behave as security purists whose work detracts from, rather than contributes towards, the company’s goals.
4. They embrace and contribute towards their company’s key business concerns, and as a result are expanding the security portfolio significantly. Corporate security departments now have responsibilities in areas such as corporate governance, information assurance, business continuity, reputation management and crisis management, which is causing many to question the relevance of the term ‘security’ to describe what they do. The term resilience now more accurately reflects the range of their responsibilities.
5. They draw a clear distinction between the strategic and operational aspects of security management, and have created group corporate security departments to lead on strategy, leaving operational work to be carried out by business units. They all have a clear philosophy to guide their approach to security, which provides direction for non-security professionals, makes it easier to communicate across the company, sell itself to the board, and be credible alongside other functions.
6. Finally, and most important symbolically, the corporate security departments that are leading the way have abandoned old assumptions about where their power and legitimacy come from. Their position does not rest on that which makes them different – their content knowledge – but on business acumen, people skills, only by convincing, persuading, influencing and explaining why a new way of working is in each person’s interest. This requires departments to work through trusted social networks, which places greater emphasis on people, management and social skills than security management ability and communication expertise. In other words, they have to compete on the same terms as every other function in the company. This is leading many organisations to place greater emphasis on these skills than on a security background and some have people working on security who don’t have any security experience at all.

The authors go into great detail on each of these points in the course of the 109-page report. I found their argument in Chapter 10 in favor of greater diversity in the backgrounds and skill sets of security executives to be especially compelling, arguing that senior-level security managers need to be drawn from broader sources than the traditional ones, i.e. former law enforcement, military, and intelligence officials. They argue that security officials need strong business skills, the capability to operate across a flat and/or matrixed organization, and people who are comfortable with the trade-offs inherent in risk management - all skills which are not necessarily found in sufficient depth within the traditional talent pools.

For more on this subject, check out the new Conference Board report entitled “Navigating Risk: The Business Case for Security” (I’ll be writing about it within the next few days).

The Journal of American Physicians and Surgeons published an article in their latest issue entitled “Homeland Security for Physicians,” a short piece that provides key facts of what doctors need to know in the event of a radiological or nuclear incident. It’s a useful and concise primer of steps that can and should be taken in a post-incident situation to minimize exposure to radiation and improve survivability.

Reuters reports today on a new study by the American Highway Users Alliance that examines 37 major urban areas in the U.S. on how prepared they are to manage emergency evacuation, either in the event of a natural disaster or a terrorist attack. The results are not good, as Reuters notes:

The American Highway Users Alliance study of the 37 largest urban areas showed that 25 of the biggest cities were less prepared for a major evacuation than New Orleans, which struggled during Hurricane Katrina in 2005 to empty the city before and as it flooded.

The only city to score a top grade for evacuation capability and preparedness was Kansas City, Missouri. The cities that received the lowest scores included Los Angeles, Chicago, New York, Miami and the San Francisco/San Jose area.

“The big cities with the biggest traffic problems right now face the biggest challenge,” said Greg Cohen, president of the organization. “Los Angeles did the worst. It has legendary traffic jams on a daily basis.”

The cities were evaluated on internal traffic flow, highway capacity of major exit routes and residents’ accessibility to automobiles.

You can see the comprehensive list of city scores on page 6 of the report. Every first tier risk city in the U.S. gets an ‘F’ on the study.

The report’s recommendations are fairly general: better standards and reporting, better planning, and increased roadway capacity and automobile access. I would go a step further, and argue that this set of vulnerabilities needs to be a stronger factor in homeland security grants (particularly the UASI program) and federal highway spending allocations.

The DHS Inspector General released a report today that looks at TSA’s Continuity of Operations (COOP) plan, finding it “cumbersome” and non-compliant with federal regulations. From page 6 of the report:

As shown in Table 1, the TSA Headquarters (HQ) COOP Plan and Program do not fully comply with FPC 65. The TSA HQ COOP Plan and Program only partially address the 11 required elements that define a viable COOP.

TSA has developed a cumbersome COOP plan that would require more than 200 agency personnel to conduct 138 mission-essential functions at two or more different locations during the most extreme emergency situations. However, the plan provides only a minimal COOP capability because: TSA management has not adequately analyzed and approved the plan to ensure that only essential functions and associated emergency staff are included in the plan; established a viable alternate work site; or [REDACTED TEXT]. In addition, TSA program offices have not made COOP planning a priority and TSA management, until FY 2006, has provided only a fraction of requested COOP funding.

Given TSA’s relative young history as an agency, this isn’t all that surprising, and it sounds like TSA is finally working to address these deficiencies. It’s critical that all of the key operating entities within DHS have strong COOP plans, because a large part of their whole reason for existing is contingent upon operational continuity after an attack or disruptive event.

A new issue of the Journal of Homeland Security and Emergency Management is now online. The titles of the articles in it:

• A Critical Evaluation of the Incident Command System and NIMS
• A Risk Assessment Methodology for Intentional Chemical and Biological Contamination of Distribution Systems
• Homeland Security Administration and Finance: A Survey of Texas County Officials
• Navigating the Maze of Disaster Mental Health: The Journey of the Palo Alto Medical Reserve Corps
• Estimating the Economic Consequences of Terrorist Disruptions in the National Capital Region: An Application of Input-Output Analysis

There are also several book reviews and shorter pieces in the issue.

The GAO issued a report today entitled “Federal Efforts to Respond to Nuclear and Radiological Threats and to Protect Emergency Response Capabilities Could Be Strengthened,” which takes a look at a couple of issues related to the nation’s abilities to respond to a catastrophic radiological or nuclear attack.

The report makes two key points: first, that DOE’s two key emergency response facilities, at Andrews and Nellis AFB, have inadequate physical security; and second, that DOE should conduct additional aerial surveys of major cities to establish a baseline for background radiation and potentially locate existing unknown radiation sources - as was the case when New York City conducted an aerial survey in 2005 and found an old industrial site that was previously unknown to be contaminated with radium.

The DC metropolitan area issued a new homeland security strategic plan yesterday, available at the website of the Metropolitan Washington Council of Governments, and discussed in a story in today’s Washington Post:

After two years of painstaking effort, officials from the Washington region approved a homeland security strategic plan yesterday, listing steps to improve disaster response in everything from decontaminating victims of a chemical attack to providing for stranded pets.

The 118-page plan takes aim at one of the main problems in coping with a disaster: the fragmentation of the region, which includes more than 20 cities and counties and scores of federal agencies, spread out over two states and the District.

“This is actually a very significant milestone in regional preparedness,” said Gerald E. Connolly (D), chairman of the Fairfax County Board of Supervisors. He oversaw a meeting of officials from local and state governments and the Department of Homeland Security at which the document was unanimously approved.

“Trying to bring all these folks and cultures to the table . . . is not an easy task. But it’s an essential task,” Connolly added.

The report was delivered a year later than promised, and several months after a hearing in which U.S. senators blasted regional officials and the Department of Homeland Security for moving too slowly. The plan outlines goals for homeland security spending and activities for the next three years.

Some projects, however, have already begun — for example, the development of an evacuation plan for the region, and a high-tech communications system for emergency responders.

As a resident of the DC metro area, I’m hopeful that this is a sign that the local governments in the region are improving their preparedness for a terrorist attack. Incidents in recent years such as the DC sniper shootings and the flooding of key segments of the DC metro have raised concerns about DC’s preparedness for the consequences of a terrorist attack, and efforts to move forward on many of the items discussed in the strategic plan - such as a comprehensive evacuation plan - are long overdue.

The Department of Homeland Security released a report today on the Cyber Storm exercise held several months ago to test cybersecurity response capabilities. The DHS announcement of the report indicates eight major findings in it:

1. Interagency Coordination: Interagency and cross-sector information sharing enhanced overall coordination, communication and response.
2. Contingency Planning, Risk Assessment and Roles and Responsibilities: Clearly defined processes and procedures increased overall ability to plan for and assess situations.
3. Correlation of Multiple Incidents between Public and Private Sectors: The cyber community was effective in addressing individual threats and attacks, but faced challenges in cross-sector situational awareness during a coordinated cyber attack campaign.
4. Exercise Program: Ongoing exercises will strengthen awareness of cyber incident response, roles, policies, and procedures.
5. Coordination between Entities of Cyber Incidents: Establishing expectations, roles, processes and communications in advance will dramatically improve coordination and response.
6. Common Framework for Response to Information Access: Early and ongoing information sharing across governments and sectors created a common framework for response and strengthened relationships between domestic and international response partners.
7. Strategic Communications and Public Relations: Public messaging is an important aspect of incident response and empowers individuals and industry to take appropriate action to protect themselves and the nation’s critical infrastructure.
8. Improvement of Process, Tools and Technology: Improved processes, tools and technology focused on the physical, economic and national security affects of a cyber incident will benefit the quality, speed and coordination of a response.

The most interesting of these findings is #3, indicating that officials found it much more difficult to deal with multiple simultaneous attacks. Here’s the full report.

New from the Congressional Research Service, an updated version of their earlier report surveying the state of FEMA-related legislation in the 109th Congress:

RL33522: FEMA Reorganization Legislation in the 109th Congress, September 1, 2006

The full Homeland Security Watch collection of CRS reports is available here.

The C-Span website links today to an interesting new report from the Partnership for Public Service that analyzes the media coverage of Hurricane Katrina and its aftermath over the last twelve months:

Covering Katrina: Trends in Katrina Media Coverage Initial Analysis from the Top Ten National Newspapers and Ten Gulf Coast Newspapers

The three key findings from the report, none of which are particularly surprising:

– Katrina Received 10x the Coverage as Florida Hurricanes. The top ten papers in the country published 13,901 articles mentioning Hurricane Katrina in the eleven months following the storm. The ten selected Gulf Coast papers published 23,348 articles during that time. By comparison, all four of the hurricanes that struck Florida in 2004 drew less than 10% of coverage of Katrina in both the top ten and the Gulf Coast newspapers.
– Stories Were More Likely to Connect FEMA, Government with Fraud, Waste. ‘Fraud’ and ‘waste’ are more than twice as likely to appear in articles that mention FEMA as in those that do not. About 9% of the stories in the top ten papers and 11% of the stories in the Gulf Coast papers that mention FEMA also mention waste or fraud.
– Poverty and Lessons Learned Received Little Coverage. Poverty coverage was initially very limited and even less sustained than overall coverage. By November 2005, less than 4% of national coverage and less than 2% of Gulf Coast coverage mentioned poverty. Discussion of issues related to governmental reform and lessons learned from the event were even less a part of the stories. Overall, less than 1% of the Katrina stories in top ten or Gulf Coast newspapers mentioned ‘lessons learned’.

And the report concludes by suggesting the need for more stories on the following topics:

These topics include issues such as improving human capital management, emphasizing better collaboration and coordination between government agencies and among government and non-government organizations during a disaster, and focusing on long-term prevention and mitigation strategies that reduce the likelihood of another disaster like Katrina.