
[Federal Register: October 16, 2009 (Volume 74, Number 199)]
[Notices]               
[Page 53286-53288]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr16oc09-111]                         

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Federal Emergency Management Agency

[Docket ID FEMA-2008-0017]

 
Voluntary Private Sector Accreditation and Certification 
Preparedness Program

AGENCY: Federal Emergency Management Agency, DHS.

ACTION: Notice of availability; request for comments.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security (DHS) announces its intent 
to select standards for adoption in the Voluntary Private Sector 
Accreditation and Certification Preparedness Program (``PS-Prep''). 
This notice (1) finalizes the criteria to be used in selecting 
standards for the PS-Prep Program; (2) discusses the prospective 
adoption of the three identified standards, including (a) the approach 
for collaboration with the Critical Infrastructure and Key Resources 
(CIKR) sectors and (b) considerations for small business in the 
adoption of the three identified standards; and (3) poses specific 
questions for which comment is sought. Although DHS intends to select 
only the three identified preparedness standards at this time, DHS may 
select additional standards in the future.
    Instructions: DHS will accept comments on PS-Prep and these 
standards at any time, and comments will be considered as they are 
received. Within 30 days after publication of this notice, DHS requests 
comments regarding the adoption of the standard selections or any other 
similar standard that satisfies the Target Criteria presented in the 
December 24, 2008 notice (73 FR 79140). Those interested may submit 
comments, identified by Docket ID FEMA-2008-0017, by one of the 
following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. (Note: This process 
applies to all government requests for comments--even though, as in the 
case of PS-Prep, they may not be for regulatory purposes.)
     E-mail: FEMA-POLICY@dhs.gov. Include Docket ID FEMA-2008-0017 in 
the subject line of the message.
     Fax: 703-483-2999.
     Mail/Hand Delivery/Courier: Office of Chief Counsel, 
Federal Emergency Management Agency, 500 C Street, SW., Room 840, 
Washington, DC 20472-3100.
    All submissions received must include the agency name and Docket ID 
FEMA-2008-0017. All submissions will be posted, without change, to the 
Federal eRulemaking Portal at http://www.regulations.gov, and will 
include any personal information you provide. Because comments are made 
available to the public, submitters should take caution to not include 
any sensitive, personal information, trade secret, or any commercial or 
financial information which is obtained from any person and which is 
deemed privileged or confidential. Submitters may wish to read the 
Privacy Act Notice available on the Privacy and Use Notice link on the 
Administration Navigation Bar of http://www.regulations.gov.
    Docket: For access to the docket to read background documents or 
comments received, go to the Federal eRulemaking Portal at 
http://www.regulations.gov. Submitted comments may also be inspected at FEMA, 
Office of Chief Counsel, 500 C Street, SW., Room 840, Washington, DC 
20472.
    Availability of the Identified Standards: The three identified 
standards are available in two ways in

[[Page 53287]]

addition to being available on the individual Web sites of the three 
respective standards development organizations (SDOs).
    1. FEMA will maintain copies of the standards proposed under this 
notice and make them available upon request for viewing in person at 
FEMA's reading room, located at 500 C Street SW., Room 835, Washington, 
DC 20472. Due to licensing and copyright restrictions, however, these 
documents will be available for review only, not for copying.
    2. FEMA's PS-Prep Web site, 
http://www.fema.gov/privatesector/preparedness, contains links to the Web 
sites for each of the three SDOs. Each of these SDOs is making its 
standards available through this link for inspection, downloading, and 
printing, especially for the PS-Prep Program. Through the above link, the 
National Fire Protection 
Association and the American Society for Industrial Security have made 
NFPA 1600 and ASIS SPC 1-2009, respectively, available at no cost. Also 
through this link, the British Standards Institution has made the U.S. 
editions of BS25999-1 and BS25999-2 available for a reduced fee of 
$19.99 each. At DHS's request, the British Standards Institution 
reduced its regular fee for BS25999-1 from $132.00 to $19.99, and its 
regular fee for BS25999-2 from $152.00 to $19.99, for the comment 
period.

FOR FURTHER INFORMATION CONTACT: Mr. Donald Grant, Incident Management 
Systems Integration Division, National Preparedness Directorate, 
National Integration Center, 500 C Street, SW., Washington, DC 20472. 
Phone: 202-646-3850 or e-mail: FEMA-NIMS@dhs.gov.

SUPPLEMENTARY INFORMATION: 

I. Background

    In the ``Implementing Recommendations of the 9/11 Commission Act of 
2007'' (Pub. L. 110-53), Congress mandated DHS to establish a voluntary 
private sector preparedness accreditation and certification program. 
This program, now known as ``PS-Prep,'' will assess whether a private 
sector entity complies with one or more voluntary preparedness 
standards adopted by DHS, through a system of accreditation and 
certification developed by DHS in close coordination with the private 
sector.
    DHS published a notice in the Federal Register on December 24, 
2008, requesting comment on a voluntary private sector preparedness 
accreditation and certification program (``PS-Prep''), target criteria 
for voluntary preparedness standards under the program, and 
recommendations for standards. See 73 FR 79140. DHS also held two 
public meetings, on January 13 and February 23, 2009, and had other 
interaction with stakeholders, to obtain comments on standards that DHS 
should approve under PS-Prep. DHS has considered the information 
gathered through these channels in the identification of the three 
standards discussed in this notice and further development of the 
PS-Prep Program.

II. Elements Considered in the Evaluation of Standards for Selection

    On December 24, 2008, DHS published and sought public comment on 
its proposed target criteria for preparedness standards. Upon review of 
comments, DHS has determined the target criteria are appropriate, 
valid, and consistent with the DHS mission and the goals of the PS-Prep 
Program. DHS, therefore, will adopt standards based on the target 
criteria as previously listed.

III. Intent To Adopt Three Initial Standards for the PS-Prep Program

    Based on public comments, the suitability of standards considered 
to accomplish the purposes of the PS-Prep Program, and coverage of the 
target criteria, DHS intends to adopt the following three standards. 
Although the focus of each standard may be slightly different, each 
meets the spirit and intent of Public Law 110-53, which defines 
``voluntary preparedness standards'' as a ``* * * common set of 
criteria for preparedness, disaster management, emergency management, 
and business continuity programs. * * *'' These standards were chosen 
because, among other things, they meet the target criteria and are not 
industry specific.
    1. NFPA 1600--Standard on Disaster/Emergency Management and 
Business Continuity Programs, 2007 Edition. This standard establishes a 
common set of criteria for preparedness, disaster management, emergency 
management, and business continuity. NFPA 1600 specifies the management 
and essential elements of a preparedness program for disaster 
management, emergency management, and business continuity. The 
particular strength of this standard is that it focuses on planning and 
preparation in anticipation of a disaster and does not prescribe a 
program development process.
    2. BS25999--Business Continuity Management. This standard defines 
requirements for a management systems approach to business continuity, 
and integrates risk management disciplines and processes. BS25999 
comprises two parts: Part 1 (dated 2006), Code of Practice, and Part 2 
(dated 2007), Specification. The particular strength of this standard is 
that it specifically provides a management systems approach to business 
continuity and also integrates risk management disciplines and 
processes. The standard also provides the user the basis for 
understanding and implementing in business-to-business and 
business-to-customer dealings to reassure business resilience.
    3. ASIS SPC. 1-2009--Organizational Resilience: Security, 
Preparedness, and Continuity Management Systems--Requirements with 
Guidance for Use. This standard was released in 2009 and defines 
requirements for a management systems approach to organizational 
resilience. The particular strength of this standard is that it applies 
a management systems approach to organizational resilience. The 
standard encompasses an assortment of risk management mechanisms and 
follows a plan-do-check-act approach associated with other 
International Standard Organization management system based standards.

IV. Adoption of Initial Standards in the PS-Prep Program

    DHS, after considering the public comments received on this notice, 
will publish a notice in the Federal Register to announce the standards 
that DHS will adopt. DHS may adopt any or all of the three standards 
identified above.

V. Critical Infrastructure and Key Resources (CIKR) Sector Specific 
Issues

    Following adoption of the initial standards, DHS will collaborate 
with the CIKR sectors and their respective Sector Coordinating Councils 
to identify the regulations, guidelines, sector codes of practice, and 
best practices of the sector that may affect implementation of the 
adopted standards.
    The DHS Office of Infrastructure Protection will then work with 
individual CIKR sectors to develop a framework in which the identified 
sector specific considerations can be built into the application of the 
adopted standards to individual sectors. Any such framework could be 
used both by an entity seeking certification of conformity to a 
standard and by the certifying body.

VI. Small Business Consideration

    Title IX of Public Law 110-53 recognized that small businesses need 
to be treated differently in the PS-Prep Program, and requires DHS to 
give special consideration to small business

[[Page 53288]]

concerns (as defined by Section 3 of the Small Business Act (15 U.S.C. 
632)). The December 24, 2008 Federal Register notice contained an 
extensive discussion of DHS' approaches to best reflect the interests 
of small businesses and the purpose of the PS-Prep Program. DHS 
continues to seek comments from small businesses and others on the 
adoption of these standards and their impact on future decisions to 
seek certification under the PS-Prep Program.

VII. Questions for Which Comment or Recommendations Are Specifically 
Sought

    The Department requests comments, suggestions, or other advice 
regarding the PS-Prep Program, including but not limited to responses 
to the following questions:
    1. Are there reasons that DHS should not adopt any one of the three 
standards listed above?
    2. Are there any supporting guidance materials in addition to the 
three identified standards that are needed to help the private sector 
attain certification to one of the three standards?
    3. What factors would a business consider in determining which DHS 
adopted standard(s) to pursue for certification under the PS-Prep 
Program?
    4. What are the reasons for businesses to seek certification under 
these identified standards?
    5. How would the fact that an organization is certified under the 
PS-Prep Program affect or otherwise influence your decision to do 
business with them?
    6. In response to the December 2008 Federal Register notice, DHS 
received numerous comments promoting the use of a ``maturity model 
process improvement approach'' for business preparedness and 
continuity. The maturity model was described as an approach whereby 
certifications on certain standards could be incremental, i.e., grading 
on a scale of conformance, rather than a conformance/non-conformance 
basis. The notice noted that certifications will determine conformity 
or non-conformity with a particular standard. How could the use of a 
maturity model approach be applied to certification to any of these 
standards?
    7. What may be the potential impact (e.g., cost, return on 
investment, other considerations, etc.) on small businesses when 
attempting to implement any of the above identified standards?

W. Craig Fugate,
Administrator, Federal Emergency Management Agency.
[FR Doc. E9-24968 Filed 10-15-09; 8:45 am]

