Update on Title IX – Feedback Requested

Brian Zawada, FBCI Brian Zawada, FBCI | Oct 06, 2008

updateAvalution Consulting co-sponsored the seventh plenary session of ANSI’s Homeland Security Standards Panel (HSSP) held on October 2nd.  The seven-hour meeting offered attendees a number of valuable insights into how the public and private sectors would engage to implement Title IX of Public Law 110-53.  Although a definitive path forward did not emerge, public and private sector participants shared ideas that will lead to an improved program implementation effort (most likely in 2009).

Background
The 9/11 Commission recommendations evolved into Public Law 110-53, which provides for a voluntary preparedness standard and certification process for private sector organizations managed by the Department of Homeland Security (DHS).  This legislation was signed by President Bush on August 3, 2007.  Title IX, a section of Public Law 110-53, refers to the voluntary private sector preparedness certification and accreditation program.

In order to provide private sector recommendations to the Department of Homeland Security, the Sloan Foundation convened a cross functional group of fifteen subject matter experts on October 23, 2007.  Participant backgrounds included business continuity, security, crisis management, emergency management and risk management.  The National Fire Protection Association (NFPA), the Disaster Recovery Institute International (DRII), the American Society for Industrial Security (ASIS) and the Risk and Insurance Management Society (RIMS), among others, provided input.  The Sloan Foundation produced a report of recommendations to DHS designed to influence the design of the program, as well as the identification / selection of standards for use in the voluntary certification program.

A Committee of Experts was also convened by the American National Standards Institute’s (ANSI) American Society for Quality (ASQ) National Accreditation Board (ANAB) to assist in offering accreditation activity recommendations.  DHS appointed ANAB as the entity charged with developing the accreditation and certification program.  ANAB is responsible for defining requirement criteria for the certification bodies, the audit teams, oversight assessors and an application process to be accredited by ANAB.

The Players
A number of entities are actively participating in the development of the voluntary certification initiative.  The following list is not meant to be all-encompassing, but is only offered to help explain the interrelationships among the many players and participants.

  • DHS
    Appointed by Public law 110-53 as the lead agency charged with developing, implementing and administering the voluntary certification program (including the selection of a standard); key DHS participants include the Office of Infrastructure Protection, Science & Technology (S&T) Office of Standards and the Federal Emergency Management Agency.
  • FEMA Director
    Appointed program administrator for the voluntary certification effort.
  • Sloan Foundation
    Sponsor of a report detailing a number of private sector recommendations for DHS consideration.
  • NYU
    Sponsor of InterCEP, an entity that has taken a leadership role in framing the issues and offering private sector insight to DHS and other public sector stakeholders.
  • American National Standards Institute’s (ANSI) American Society for Quality (ASQ) National Accreditation Board (ANAB)
    Charged by DHS with developing, implementing and administering the accreditation and certification program.

Standard(s)
DHS did not present a final list of standards authorized for use in the voluntary certification program, and according to DHS representatives, such a list does not yet exist.  As stated in the Title IX legislation, DHS will select one or more standards, and ANAB will be responsible for creating a certification program based on international expectations (ISO 17021), but also based on selected standards.  Today, only one auditable business continuity standard exists (BS 25999), although the legislation mentions NFPA 1600 (which is currently undergoing a revision).  Other standards may include the FFIEC handbook, ISO 27001 and other existing standards with business continuity and enterprise risk-related content.

As many business continuity professionals are aware, ASIS filed a notice with ANSI that it intended to author a U.S. business continuity management standard.  During the HSSP meeting, ASIS announced that it is partnering and co-branding with the British Standards Institution and basing the new, emerging standard on BS 25999, with plans to add additional management system rigor (consistent with Guide 72, which defines the characteristics of a management system) and other content that aligns to broader organizational resilience efforts.  ASIS held a meeting the following day at its headquarters in Alexandria, Virginia, where attendees offered broad support for this new initiative. During the meeting, ASIS explained that this will not become a physical security-focused business continuity standard, but a management systems-aligned standard consistent with auditable ISO principles.  Of note, ASIS (and the meeting attendees) currently plan to author this standard and seek DHS endorsement for its inclusion in the voluntary certification program.

Since the meeting, a press release has been issued by ASIS stating currently “ASIS is seeking key input from business continuity professionals to develop potential membership on the technical committee that would draft and critique the new standard…Interested parties may contact ASIS at [email protected]

Target Criteria
During the HSSP meeting, attendees were provided a working paper titled Voluntary Private Sector Preparedness Accreditation and Certification Program Proposed Target Criteria for Preparedness Standard. This document, authored by DHS, introduces target criteria that may be used to select one more standards as the basis for the voluntary certification program.  According to DHS, this document is not meant to outline the characteristics by which the government will author a new standard, but rather the characteristics that one or more standards should have in order to participate in the voluntary certification initiative.

Attendees reaction to the target criteria was mixed, although largely negative, questioning the intent of the target criteria and why it differed from the report authored by the Sloan Foundation.  Based on this reaction, and also commentary offered by DHS in rebuttal, the target criteria document is an early working draft, and it will most likely change before DHS published a final draft for public comment in the later part of October.

Timing
ANAB expects to introduce the structure of the voluntary certification program by February 14, 2009, recognizing this announcement is dependent on the selection of one or more standards authorized by DHS for use in the program.  As such, the identification of participating standards is expected before this date, assuming the target criteria comment process progresses smoothly.

Business Case
During the HSSP, InterCEP’s Director, Bill Raisch, led an interesting panel discussion that debated the business case for a voluntary certification program.  As expected, the panel failed to reach consensus on a specific business case for certification, disagreeing about the current-state value of certification in terms of insurance, credit rating, business reporting, supply chain and legal benefits.  All agreed that a strong business case, with business incentives that resonate with the C-suite, is needed to enable this program to obtain boardroom support.

Outside of the HSSP, InterCEP continues to sponsor a number of workshops that explore five specific elements of a potential business case, including:

  • BusinessReporting
  • Insurance
  • Legal
  • RatingAgency
  • Supply Chain

More information specific to each of these five topics may be found on InterCEP’s website.

Conclusions (and concerns)
The design and implementation of Title IX’s voluntary certification program is far from over.  A number of private sector professionals remain skeptical in terms of the program’s value and the role of government in influencing private sector preparedness.  Many question whether a voluntary program will become “highly recommended” or even mandatory.  Others worry that the effort will only scale to large businesses, while many question how a single standard (or group of standards) can apply and enable certification for a very diverse private sector.  Although the answers to these concerns were far from finalized, these issues were presented and the architects of the future voluntary certification program heard them loud and clear.

Additional information regarding the voluntary certification program may be found at http://www.fema.gov/business/certification/index.htm.  Additionally, be sure to keep an eye out for the official publication of the draft target criteria, which will be found in a federal register posting later in October.