National Firefighter Cancer Registry – Show Support!

Last week US Representatives Bill Pascrell (D-NJ) and Richard Hanna (R-NY) introduced a bi-partisan bill to create a national cancer registry for firefighters (paid and volunteer).  This bill, HR 4625, is known as the Firefighter Cancer Registry Act.  It calls for the registry to be established and managed by the Centers for Disease Control and Prevention (CDC).  The site for the bill is here, although as of the time of my post, little information is available.

According to Rep Pascrell’s website, the national cancer registry would:

  • Store and consolidate epidemiological information submitted by healthcare professionals related to cancer incidence among firefighters.
  • Make anonymous data available to public health researchers to provide them with robust and comprehensive datasets to expand groundbreaking research.
  • Improve our understanding of cancer incidence as the registry grows, which could potentially lead to the development of advanced safety protocols and safeguards.
  • Increase collaboration between the CDC and epidemiologists, public health experts, clinicians and firefighters through regular and consistent consultations to improve the effectiveness and accuracy of the registry.

According to an email received from Rep Hanna’s office, the bill has the support of the National Volunteer Fire Council, the International Association of Fire Chiefs, the International Association of Fire Fighters, the New York State Association of Fire Chiefs, the Congressional Fire Services Institute, the National Fallen Firefighters Foundation, and the International Fire Services Training Association.

Firefighters are exposed to a variety of harmful chemicals on a regular basis.  Fairly routine fires, such as car fires and room and contents fires contain a variety of toxins due to the quantity of synthetics used in manufacturing common materials.  More advanced incidents, such as full structure fires, industrial, and hazardous materials incidents contain even more dangerous chemicals that, despite protections, firefighters are still exposed to.

I urge everyone to keep an eye on this bill and contact your representatives to express support for it. 

– TR

Advertisements

FBI vs Apple – iPhone Security

The struggle over encryption and device security continues.  This time it’s more visceral, representing the most relevant case on the side of criminal justice yet.  In the wake of the San Bernardino shooting, the FBI is seeking to gain access to an iPhone discovered in the vehicle where the shooters made their last stand with law enforcement.  The FBI is hoping to find additional evidence on this phone – phone records, emails, texts, etc. that might lead them to information on other conspirators of the attack, other potential targets and attackers, and anything else that might lead to prosecuting those involved in this attack or stopping future attacks.  Gaining access to this information is obviously extremely important.

The problem – the phone is locked with a passcode, and the FBI doesn’t know what that code is. While trial and error is certainly a viable methodology, Apple’s architecture limits passwords attempts to 10.  Once the tenth attempt fails, the iPhone will go into a sort of self-destruct, wiping all data from the device.  The FBI needs help, and they are seeking it from Apple.  Apple declined requests and is now being compelled by a federal judge who ordered Apple to assist the FBI in gaining access to the phone.  Apple is fighting the order – but why?

First of all, Apple states there is no ‘back door’ into their system that will allow them to bypass a security code.  On principal, they decided not to create one since if it exists, it can be exploited.  Based upon this, the FBI has requested that Apple at least disable the 10 attempt fail safe in the iOS programming, allowing the FBI to press on with many more attempts to crack the code.  Apple continues to refuse, again citing the potential for someone with criminal intent exploiting this.  Essentially, Apple feels they are protecting their customers from criminal acts and loss of personal information.  The CEO of Google recently voiced support for Apple’s stand.

This debate poses two strong arguments, each pulling at our values.  On one side, we need to support the efforts of law enforcement to prevent, protect, and prosecute.  The evidence gathered from a situation such as this can potentially lead to finding co-conspirators in these horrible shootings, and can potentially stop other crimes from occurring.

On the other side, there is also concern over preventing future criminal activity by those who would steal information.  Keeping in mind that what we have on our phones is not only a browsing history and Disney World selfies, but also private information such as bank accounts, and even access to business information; the theft of which can be devastating to individuals and entire organizations.

There are valid arguments on both sides, and consequences to action and inaction all around, with implications much broader than this one case.  I’m interested in seeing how this shakes out.

What are your thoughts?

© 2016 – Timothy Riecker

Adjustment of Public Assistance Cost Share per Capita

The following was provided in today’s FEMA Daily Digest Bulletin…

Based on an increase of 0.8 percent in the Consumer Price Index for All Urban Consumers for the 12-month period that ended December 2015, FEMA adjusted the calendar year 2016 statewide per capita indicator for recommending a cost share adjustment for the public assistance program to $137.

FEMA will recommend an increase in the standard 75 percent federal cost share to not more than 90 percent of eligible costs when a disaster is so extraordinary that actual federal obligations under the Stafford Act, excluding administrative costs, meet or exceed $137 per capita of state population. This adjustment applies to all disasters declared on or after January 1, 2016 through December 31, 2016.”

It’s always interesting that there are ‘rules’, yet so much of the declaration process is political.

TR

Book Review – Failures of Imagination by Michael McCaul

Failures of Imagination: The Deadliest Threats to our Homeland – and how to Thwart Them by Michael McCaul.  A few months ago I put up a short post when I heard about this book coming out.  I speculated a bit on what I anticipated and fortunately those were good assumptions.

Michael McCaul is chairman of the House Homeland Security Committee.  Congressman McCaul (R-TX) has served with the US Department of Justice and was chief of Counterterrorism and National Security for the US Attorney’s Office in Texas.  Along with chairing the House Homeland Security Committee, he is also a member of the Committee on Foreign Affairs.  The background all contributes to some interesting insights and perspectives on the threats our nation faces.  Several of those threats have been presented to us in this book. FoI

Failures of Imagination presents several scenarios including an attack on our seat of government, a radiological dispersion device (RDD), foreign influence on an election, a mass shooting in a public space, a cyberattack on finance and infrastructure, a bioterrorism attack, an airplane bombing, and an invasion by foreign powers.  Each scenario is introduced with what I will term a short story, followed by a fictionalized executive situation report, and concluded with a factual review of how the scenario is plausible.

The short stories that introduce each scenario are fairly compelling.  They read like any popular thriller novel, establishing two or three converging story lines with a brief bit of character development which quickly establish motive, plot, and execution.  The timelines are set anywhere from two to 10+ years from now.

With the those scenarios set further in the future, I feel the author has taken some liberties assuming that little has changed in comparison to the current global politics and state of affairs, but that doesn’t bother me too much.  I expect that some readers might feel these fictionalized stories sensationalize the scenarios a bit.  While on the surface that is understandable, consider that the plots as they unfold in these stories may not be far from reality, and that the Congressman has discovered that a mix of fiction and non-fiction can help enhance the readers’ experience and sell more books.  Also consider that we often do the same thing when doing scenario-based planning, training, and exercises.

As a follow-on to each scenario’s short story, a mock executive-level situation report is provided which gives an overview of the impacts of each scenario as presented in the short story.   The basis of this is something we also do in many of our preparedness efforts as we try to gauge a realistic scope of impact.  The Congressman outlines in many of these not only the casualties, but broader impacts such as those to the economy, and takes some realistic stabs at longer term recovery matters.  These situation reports give a good perspective to the reader about the potential impacts of each scenario beyond the more narrow scope of the short story.

Lastly, McCaul provides some narrative on how each scenario presented is rooted in reality.  These summaries provide information on the current situation as it relates to each scenario, typically regarding the modus operandi of certain terrorist groups or state sponsors of terrorism, relationships these groups may have with each other across the globe, and weaknesses in our own security construct which may permit these groups to gain access to the US and do us harm.  While much of the information and recommendations provided by Mc Caul in these sections are factual, practical, and eye-opening, I have to admit that I was significantly turned off by several instances of what I can only call antagonistic political finger pointing.  While I don’t disagree with what the Congressman was saying about certain policies and actions of other elected officials which have influenced our ability to prevent, protect, and prepare for these types of attacks, the messages often came across as snarky and partisan – something I have little patience for, especially in this election cycle.

Failures of Imagination certainly delivered.  While the focus of this book is on threats to the US, I would suggest that the foundational issues identified can apply to most nations and are a good read for anyone in emergency management and homeland security.  The short stories included in each scenario feed our desire to be entertained and contribute to the book being a quick read.  While the scenarios overall don’t serve as much of a resource for emergency management planning, as many of these types of scenarios are already in use in our efforts, the book does provide some context for each scenario which could be referenced, especially in regard to impacts.  Of most importance are the recommendations which Congressman McCaul provides for each scenario.  Many of the recommendations indicate higher-level actions we as a government need to take to prevent, protect, and prepare for attacks of these types.  Increased awareness of these actions will hopefully lead to development, funding, and implementation.

© 2016 – Timothy Riecker

ICS: Who doesn’t need it?

In a recent discussion thread, someone shared some material for a new program that promotes resiliency for disaster housing.  While the intent of the program is good, there was one thing that struck me – it stated that it was based on the incident command system (ICS).  My question – why?

ICS is a great system.  It’s proven to be effective WHEN APPLIED PROPERLY.  That’s the catch, though, isn’t it?  A great many after action reports (AARs) identify areas for improvement relative to various facets of ICS after incidents, events, and exercises.  The organizations that the AARs are usually focused on are professional response organizations – fire, police, EMS, public works, public health, emergency management, etc.  These are organizations that generally get LOTS OF PRACTICE in applying ICS.  So what’s the problem?

The problem is that most organizations that do use ICS don’t get enough practice in applying ICS beyond smaller incidents.  So if responders, who are using ICS, have difficulty with expanded application despite some practice and more advanced training, how are organizations who don’t use it all expected to be able to remember it much less apply it properly on even the most basic of incidents?  (More on my issues with ICS training here, in case you’ve missed posts over the last year or so.)

So back to the main topic of this post – who doesn’t need ICS training?  I would suggest that those persons and organizations that don’t fit the broad definition of responders DON’T NEED IT.  While this may be blasphemous to some, consider the time and effort wasted on getting people trained to understand ICS who will NEVER USE IT.  “But what if they do need it?” you ask?

I’m challenged to really find that need.  Why does the management of an apartment complex need to know or understand ICS?  I find the thought of that foolish and wasteful.  Sure, they can be a partner in disaster preparedness, response, and recovery.  Does that make them a responder?  No. Will they become part of the ICS organization?  NO!  Is there any reason why they would need to use ICS to manage their own organization?  NO!!! They manage their organization every day through what should be a very effective model for them.  Why the hell do we want to change that?  We need to stop pushing our complex shit on other people who don’t need it.

I’m of two thoughts on this… One, there are people who are so gung-ho over including everyone under the sun into emergency management that they feel compelled to bring them into the profession.  News flash people – if they wanted to be emergency managers, they would.  There is no practical reason for them to be trained in the vast complexities of emergency management.  Two, there are people who don’t really understand the applications of emergency management themselves, and therefore try to make adaptations of the system for every variety of stakeholder out there.  This is something I’ve struggled with very often as people try to adapt ICS to their organization and, in doing so, change the foundational principles of ICS (span of control, terminology, organizational structure, etc.).  Further, every organization thinks they have an INCIDENT COMMANDER.  STOP!!!

ICS is not for everyone.  I’m not being elitist or exclusionary, I’m being practical.  That’s not to say that certain stakeholders shouldn’t at least be familiar with what it is, but still not every stakeholder or partner, and they certainly don’t need to know how to actually apply it.  For many, simply having a point of contact with certain departments or through the 911 center is enough.  Certainly if some have an interest in it they can ask, or take a class either in person or online.  (I would never withhold a training opportunity from anyone.)  This should certainly give them enough to satisfy their curiosity.

Along with my crusade to make better ICS training for responders (even non-traditional ones), I would suggest that we need to do a better job of advising other organizations about how they interact with the system.  Simply throwing ICS training at them DOESN’T WORK.  It creates false expectations and generates more confusion.

So please, fire away with your thoughts.  Who do you think shouldn’t have ICS training?  What would you change about the current ICS training model/requirements? 

Shameless plug time: Need ICS training or training in other areas of emergency management?  How about meaningful and practical emergency plans you can actually implement?  Exercises to test those plans and give staff an opportunity to practice implementing plans?  Emergency Preparedness Solutions can help!  Link to info below!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Failed Attempts to Measure NIMS Compliance – How can we get it right?

Yesterday the US Government Accountability Office (GAO) released a report titled Federal Emergency Management Agency: Strengthening Regional Coordination Could Enhance Preparedness Efforts.  I’ve been waiting for a while for the release of this report as I am proud to have been interviewed for it as a subject matter expert.  It’s the second GAO report on emergency management I’ve been involved in through my career.

The end game of this report shows an emphasis for a stronger role of the FEMA regional offices.  The GAO came to this conclusion through two primary discussions, one on grants management, the other on assessing NIMS implementation efforts.  The discussion on how NIMS implementation has thus far been historically measured shows the failures of that system.

When the National Incident Management System (NIMS) was first created as a nation-wide standard in the US via President Bush’s Homeland Security Presidential Directive (HSPD) 5 in 2003, the NIMS Integration Center (NIC) was established to make this happen.  This was a daunting, but not impossible task, involving development of a standard (lucky much of this already existed through similar systems), the creation of a training plan and curricula (again, much of this already existed), and encouraging something called ‘NIMS implementation’ by every level of government and other stakeholders across the nation.  This last part was the really difficult one.

As identified in the GAO report: “HSPD-5 calls for FEMA to (1) establish a mechanism for ensuring ongoing management and maintenance of the NIMS, including regular consultation with other federal departments and agencies and with state and local governments, and (2) develop standards and guidelines for determining whether a state or local entity has adopted NIMS.”

While there was generally no funding directly allocated to NIMS compliance activities for state and local governments, FEMA/DHS associated NIMS compliance as a required activity to be eligible for many of its grant programs.  (So let’s get this straight… If my jurisdiction is struggling to be compliant with NIMS, you will take away the funds which would help me to do so????)  (the actual act of denying funds is something I heard few rumors about, but none actually confirmed).

NIMS compliance was (and continues to be) a self-certification, with little to no effort at the federal level to actually assess compliance.  Annually, each jurisdiction would complete an online assessment tool called NIMSCAST (the NIMS Compliance Assistant Support Tool).  NIMSCAST ran until 2013.

NIMSCAST was a mix of survey type questions… some yes/no, some with qualified answers, and most simply looking for numbers – usually numbers of people trained in each of the ICS courses.  From FEMA’s NIMS website: “The purpose of the NIMS is to provide a common approach for managing incidents.”  How effective do you think the NIMSCAST survey was at gauging progress toward this?  The answer: not very well.  People are good at being busy but not actually accomplishing anything.  It’s not to say that many jurisdictions didn’t make good faith efforts in complying with the NIMS requirements (and thus were dedicated to accomplishing better incident management), but many were pressured and intimidated, ‘pencil whipping’ certain answers, fearing a loss of federal funding.   Even for those will good faith efforts, churning a bunch of people through training courses does not necessarily mean they will implement the system they are trained in.  Implementation of such a system required INTEGRATION through all realms of preparedness and response.  While NIMSCAST certainly provided some measurable results, particularly in terms of the number of people completing ICS courses, that really doesn’t tell us anything about IMPLEMENTATION.  Are jurisdictions actually using NIMS and, if so, how well?  NIMSCAST was a much a show of being busy while not accomplishing anything as some of the activities it measured.  It’s unfortunate that numbers game lasted almost ten years.

In 2014, the NIC (which now stands for the National Integration Center) incorporated NIMS compliance questions into the Unified Reporting Tool (URT), including about a dozen questions into every state’s THIRA and State Preparedness Report submission.  Jurisdictions below states (unless they are Urban Area Security Initiative grant recipients) no longer need to provide any type of certification about their NIMS compliance (unless required by the state).  The questions asked in the URT, which simply check for a NIMS pulse, are even less effective at measuring any type of compliance than NIMSCAST was.

While I am certainly being critical of these efforts, I have and continue to acknowledge how difficult this particular task is.  But there must be a more effective way.  Falling back to my roots in curriculum development, we must identify how we will evaluate learning early in the design process.  The same principal applies here.  If the goal of NIMS is to “provide a common approach to managing incidents”, then how do we measure that?  The only acceptable methodology toward measuring NIMS compliance is one that actually identifies if NIMS has been integrated and implemented.  How do we do that?

The GAO report recommends the evaluation of after action reports (AARs) from incidents, events, and exercises as the ideal methodology for assessing NIMS compliance.  It’s a good idea.  Really, it is.  Did I mention that they interviewed me?

AARs (at least those well written) provide the kinds of information we are looking for.  Does it easily correlate into numbers and metrics?  No.  That’s one of the biggest challenges with using AARs, which are full of narrative.  Another barrier to consider is how AARs are written.  The HSEEP standard for AARs is to focus on core capabilities.  The issue: there is no NIMS core capability.  Reason being that NIMS/ICS encompasses a number of key activities that we accomplish during an incident.  The GAO identified the core capabilities of operational coordination, operational communication, and public information and warning to be the three that have the most association to NIMS activities.

The GAO recommends the assessment of NIMS compliance is best situated with FEMA’s regional offices.  This same recommendation comes from John Fass Morton who authored Next-Generation Homeland Security (follow the link for my review of this book).  Given the depth of analysis these assessments would take to review AAR narratives, the people who are doing these assessments absolutely must have some public safety and/or emergency management experience.  To better enable this measurement (which will help states and local jurisdictions, by the way), there may need to be some modification to the core capabilities and how we write AARs to help us better draw out some of the specific NIMS-related activities.  This, of course, would require several areas within FEMA/DHS to work together… which is something they are becoming better at, so I have faith.

There is plenty of additional discussion to be had regarding the details of all this, but its best we not get ahead of ourselves.  Let’s actually see what will be done to improve how NIMS implementation is assessed.  And don’t forget the crusade to improve ICS training!

What are your thoughts on how best to measure NIMS implementation?  Do you think the evaluation of AARs can assist in this?  At what level do you think this should be done – State, FEMA Regional, or FEMA HQ?

As always, thanks for reading!

© 2016 – Timothy Riecker

Emergency Management: Coordinating a System of Systems

Emergency management, by nature, is at the nexus of a number of other practices and professions, focusing them on solving the problems of emergencies and disasters.  It’s like a Venn diagram, with many entities, including emergency management, having some overlapping interests and responsibilities, but each of them having an overlap in the center of the diagram, the place where coordination of emergency management resides. That’s what makes the profession of emergency management fairly complex – we are not only addressing needs inherent in our own profession, we are often times doing it through the application of the capabilities of others.  It’s like being the conductor of an orchestra or a show runner for a television show. It doesn’t necessarily put emergency management ‘in charge’, but they do become the coordination point for the capabilities needed.

Presentation1

 

This high degree of coordination depends on the functioning and often integration of a variety of systems.  What is a ‘system’?  Merriam-Webster offers that a system is a “regularly interacting or interdependent group of items forming a unified whole.”  Each agency and organization that participates in emergency management has its own systems.  I’d suggest that these broadly include policies, plans, procedures, and the people and technologies that facilitate them – and not just in response, but across all phases or mission areas.  Like the Venn diagram, many of these systems interact to (hopefully) facilitate emergency management.

There are systems we have in many nations that are used to facilitate components of emergency management, such as the National Incident Management System (NIMS), the Incident Command System (ICS) (or other incident management systems), and Multi-Agency Coordination Systems (MACS).  These systems have broad reach, working to provide some standardization and common ground through which we can manage incidents by coordinating multiple organizations and each of their systems.  As you can find indicated in the NIMS doctrine, though, NIMS (and the other systems mentioned) is not a plan.  While NIMS provides us with an operational model and some guidance, we need plans.

Emergency Operations Plans (EOPs) help us accomplish a coordination of systems for response, particularly when written to encompass all agencies and organizations, all hazards, and all capabilities.  Likewise, Hazard Mitigation Plans do the same for mitigation activities and priorities.  Many jurisdictions have smartly written disaster recovery plans to address matters post-response.  We also have training and exercise plans which help address some preparedness measures (although generally not well enough).  While each of these plans helps to coordinate a number of systems, themselves becoming systems of systems, we are still left with several plans which also need to be coordinated as we know from experience that the lines between these activities are, at best, grey and fuzzy (and not in the cuddly kitten kind of way).

The best approach to coordinating each of these plans is to create a higher level plan.  This would be a comprehensive emergency management plan (CEMP).  Those of you from New York State (and other areas) are familiar with this concept as it is required by law.  However, I’ve come to realize that how the law is often implemented simply doesn’t work. Most CEMPs I’ve seen try to create an operational plan (i.e. an EOP) within the CEMP, and do very little to actually address or coordinate other planning areas, such as the hazard mitigation plan, recovery plans, or preparedness plans.

To be successful, we MUST have each of those component plans in place to address the needs they set out to do so.  Otherwise, we simply don’t have plans that are implementation-ready at an operational level.  Still, there is a synchronicity that must be accomplished between these plans (for those of you who have experienced the awkward transition between response and recovery, you know why).  The CEMP should serve as an umbrella plan, identifying and coordinating the goals, capabilities, and resources of each of the component plans.  While a CEMP is generally not operational, it does help identify, mostly from a policy perspective, what planning components must come into play and when and how they interrelate to each other.  A CEMP should be the plan that all others are built from.

Presentation2

I’m curious about how many follow this model and the success (or difficulty) you have found with it.

As always, if you are looking for an experienced consulting firm to assist in preparing plans or any other preparedness activities, Emergency Preparedness Solutions is here to help!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC