Preparedness: Integrating Community Lifeline Considerations

Much of preparedness is about getting us ready to conduct situational assessment and prioritization of actions.  We train people and develop resources, such as drones, field-deployed apps, and geographic information systems (GIS) to support situational assessment.  The information we obtain from these assessments help in the development and maintenance of situational awareness and, when shared across disciplines, agencies, and jurisdictions, a common operating picture.  Based upon this information, leaders at all levels make decisions.  These decisions often involve the prioritization of our response and recovery actions.  Ideally, we should have plans in place that establish standards for how we collect, analyze, and share information, and also to support the decision making we must do in prioritizing our actions.  Exercises, of course, help us to validate those plans and practice associated tasks.

One significant hurdle for us is how overwhelming disasters can be.  With just slight increases in the complexity of a disaster, we experience factors such as large geography, extensive damages, high numbers of lives at risk, hazardous materials, and others.  Certainly, we know from Incident Command System training that our broad priorities are life safety, incident stabilization, and property conservation – but with all that’s happening, where do we start?

One thing that can help us both assessment and prioritization are community lifelines.  From FEMA: “Community lifelines reframe incident information to provide decision-makers with impact statements and root causes.”  By changing how we frame our data collection, analysis, thinking, and decision-making, we can maximize the effectiveness of our efforts.  This shouldn’t necessitate a change in our processes, but we should incorporate community lifelines into our preparedness activities.

The community lifelines, as identified by FEMA, are:

  • Safety and Security
  • Food, Water, and Sheltering
  • Health and Medical
  • Energy
  • Communications
  • Transportation
  • Hazardous Materials

If this is your first time looking at community lifelines, they certainly shouldn’t be so foreign to you.  In many ways, these are identified components of our critical infrastructure.  By focusing our attention on this list of items, we can affect a more concerted response and recovery.

FEMA guidance goes on to identify essential elements of information (EEI) we should be examining for each community lifeline.  For example, the lifeline of Health and Medical includes the EEIs of:

  • Medical Care
  • Patient Movement
  • Public Health
  • Fatality Management
  • Health Care Supply Chain

Of course, you can dig even deeper when analyzing any of these EEIs to identify the status and root cause of failure, which will then support the prioritization of actions to address the identified failures.  First we seek to stabilize, then restore.  For example, within just the EEI of Fatality Management, you can examine components such as:

  • Mortuary and post-mortuary services
  • Transportation, storage, and disposal resources
  • Body recovery and processing
  • Family assistance

The organization of situation reports, particularly those shared with the media, public, and other external partners might benefit from being organized by community lifelines.  These are concepts that are generally tangible to many people, and highlight many of the top factors we examine in emergency management.

Back in March of this year, FEMA released the Community Lifelines Implementation Toolkit, which provides some great information on the lifelines and some information on how to integrate them into your preparedness.  These can go a long way, but I’d also like to see some more direct application as an addendum to CPG-101 to demonstrate how community lifelines can be integrated into planning.  Further, while I understanding that FEMA is using the community lifeline concept for its own assessments and reporting, the community aspect of these should be better emphasized, and as such identifying some of the very FEMA- and IMAT-centric materials on this page as being mostly for federal application.

Has your jurisdiction already integrated community lifelines into your preparedness?  What best practices have you identified?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC℠®

Advertisements

Guidance for Operational Security and Access

Operational security can be a big issue, especially on prolonged incidents.  An incident occurs.  Evacuations have to take place.  A scene has to be secured.  Issues like safety and evidence preservation are priorities.  Inevitably someone says they ‘need access’.  Who are they?  Do they really need access?   Are they an evacuee?  A responder?  Media?  A government official?  A critical infrastructure operator?  When is it OK to allow someone access and under what circumstances?

While NIMS has been advocating for credentialing as an effort to identify responders and their qualifications, along with ensuring that they have appropriate identification to grant them access to an incident scene and to utilize them to the best ability, there is still a lot of work to do, and little has been done beyond first responders.  I’ve been on incidents where the perimeter was not well established and anyone could stroll in to an incident site or a command post.  I’ve been on incidents where the flash of a badge or ID was good enough to get through, even though the person at the perimeter didn’t actually examine it, much less verify it.  I’ve also been on incidents where no entry was allowed with a badge, official ID, and a marked car – even though entry was necessary and appropriate. Thankfully, I’ve also been on some incidents where identification is examined, and the access request is matched to a list or radioed in for verification.  This is how it should work.

While credentialing and access control are two separate topics, they do have a degree of overlap.  Like so many aspects in incident management, little ground has been gained on more complex matters such as these because there is little to no need for them on the smaller (type 4 and 5) incidents.  Type three (intermediary) incidents generally use an ad-hoc, mismanaged, band-aid approach to these issues (or completely ignore them), while larger (type 1 and 2) incidents eventually establish systems to address them once a need (or usually a problem) is recognized.  While every incident is unique and will require an-incident specific plan to address access control and re-entry, we can map out the primary concerns, responsibilities, and resources in a pre-incident plan – just like we do with so many of our other operational needs in an Emergency Operations Plan (EOP).  Also, like most of what we do in the development of an EOP, access control and re-entry is a community-wide issue.  It’s not just about first responders.

Here’s an example of why this is important.  A number of years ago I ran a tabletop exercise for the chief information officer (CIO) agency of a state government.  The primary purpose was to address matters of operational continuity.  I used the scenario of a heavy snow storm which directly or indirectly disabled their systems.  We talked about things like notification and warning, remote systems access (the state didn’t have a remote work policy at the time), redundant infrastructure, and gaining physical access to servers and other essential systems.  Without gaining physical access, some of their systems would shut down, meaning that many state agencies would have limited information technology access.  Closed roads and perimeter controls, established with the best of intentions, can keep critical infrastructure operators from accessing their systems.  The CIO employees carried nothing but a state agency identification, which local police wouldn’t give a damn about.  Absent a couple hours of navigating state politics to get a state police escort, these personnel would have been stuck and unable to access their critical systems.  Based upon this, one of the recommendations was to establish an access control agreement with all relevant agencies where their infrastructure was located.

Consider this similar situation with someone else.  Perhaps the manager of a local grocer after a flood.  They should be able to get access to their property as soon as possible to assess the damage and get the ball rolling on restoration.  Delays in that grocer getting back in business can delay the community getting back on their feet and add to your work load as you need to continue distributing commodities.

There are a lot of ‘ifs’ and ‘buts’ and other considerations when it comes to access control, though.  There aren’t easy answers.  That’s why a pre-plan is necessary.  Like many things we do in emergency management and homeland security, there is guidance available.  The Crisis Event Response and Recovery Access (CERRA) Framework was recently published by DHS.  It provides a lot of information on this matter.  I strongly suggest you check it out and start bringing the right people to the table to start developing your own plan.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

2017 Health Security Index

The 2017 National Health Security Preparedness Index has been released by the Robert Wood Johnson Foundation.  The Index provides measures of data nationally and for each state in the US across six public health domains, which include:

  1. Health security surveillance
  2. Community planning and engagement
  3. Information and incident management
  4. Healthcare delivery
  5. Countermeasure management
  6. Environmental and occupational health

The documents found on the website indicate a continued trend of improvement across the nation, but progress is slow, with some states lagging behind significantly according to the study, particularly in the deep south and mountain west regions.

The report identifies the following factors as having the greatest influence on the increase and intensity of US and global health threats:

  • Newly emerging and resurgent infectious diseases like Zika, MERS, and Ebola.
  • Growing antibiotic resistance among infectious agents.
  • Incomplete vaccination coverage.
  • Globalization in travel and trade patterns.
  • Political instability, violence and terrorism risks.
  • Aging infrastructure for transportation, housing, food, water, and energy systems.
  • Extreme weather events including storms, fires, floods, droughts, and temperature extremes.
  • Cyber-security vulnerabilities.

I think it’s important to note that while some of the factors listed above are distinctly within the public health realm, others are more universal in nature.  So not only are the findings of this study relevant to everyone, because public health is relevant to everyone, but many of the factors that influence the threats fall within areas of responsibility of broader emergency management and homeland security.

Public health matters are near the top of my list of greatest concern.  This report clearly shows that while we have made great strides in public health preparedness, we have a long way to go.  There is also no end game.  We don’t get to say we won after playing four quarters, three periods, or nine innings.  These are efforts in which we must persist, and not only with today’s tools and capabilities, but we must constantly look toward new tools.  However, as we do this, new threats will emerge.  It may seem intimidating, but it’s essential.

What are you doing to further public health preparedness capabilities?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Do We Need Different Systems for Catastrophic Incidents?

We’ve long heard, albeit in small pockets, people proclaiming that emergency management and public safety need different systems for larger incidents vs smaller incidents.  For years, the Incident Command System (ICS) fought that stigma, with many saying that ICS is only used for hazardous materials incidents (specifically because of OSHA requirements) or for large incidents that required such a high degree of organization.  Following the release of HSPD-5 and the resultant requirements for everyone to use the National Incident Management System (NIMS), we finally seemed to transcend that mentality – although we are still seeing people apply ICS poorly, and often with the thought that it will all work out fine when a large incident occurs.

Since the mid-2000s, coupled with the push for ‘catastrophic planning’, I’ve been hearing people proclaiming that catastrophic incidents require different systems – be it for planning or management.  Recently, I’m hearing this mentioned again.  Yet, interestingly enough, none of the arguments identify specifically what it is about our current systems of preparedness or incident management that fail at the sight of a catastrophic incident.

While I’m a critic of various aspects of our current systems, I’m a believer in them overall.  Do we need a new system of planning?  No, we just need to do it better.  When we plan for a catastrophic level event, we must consider that NOTHING will work in the aftermath of such an incident.  I’m shocked that some people are still counting on the existence and functionality of critical infrastructure following a catastrophic event.  No roads, no communications, no life lines.  These surprised disclosures are revealed in the After Action Reports (AARs) of incidents and exercises that test catastrophic incidents, such as the recent Cascadia Rising exercise.

Fundamentally, are these losses all that different than what we experience in smaller disasters?  Not so much.  Smaller disasters still take out our roads and disable our communications systems – but such disasters are small enough that we can work around these issues.  So how is it a surprise that a large hurricane or earthquake will do even more damage?  It really shouldn’t be.  It’s essentially a matter of scale.

That said, I certainly acknowledge the difficulties that come with the combined impacts of a catastrophic disaster, coupled with the sheer magnitude of it all.  There are challenges offered that we don’t normally see, but a new system of planning is not the answer.  The current frameworks and standards, such as CPG-101 and NFPA 1600 are absolutely substantial.  The processes are not flawed.  The issue is a human one.  We can’t blame the standards.  We can’t blame the plans.  The responsibility lies with the people at the table crafting the plan.  The responsibility lies with them to fully understand the hazards and the potential impacts of those hazards.  Conducting a hazard analysis is the first step for a planning team to accomplish, and I think this is often taken for granted.  While the traditional hazard analysis has value, the current standard is the Threat and Hazard Identification and Risk Assessment (THIRA).  It is an exhausting and detailed process, but it is highly effective, with engaged teams, to reveal the nature and impacts of disasters that can impact a community.  Without a solid and realistic understanding of hazards, including those that can attain catastrophic levels, WE WILL FAIL.  It’s that simple.

As we progress through the planning process and identify strategies to accomplish objectives, alternate strategies must be developed to address full failures of infrastructure and lack of resources.  Assumptions are often made in plans that we will be able to apply the resources we have to fix problems; and if those resources are exhausted, we will ask for more, which will magically appear, thus solving our problems.  Yes, this works most of the time, but in a catastrophic incident, this is pure bullshit.  This assumption needs to be taken off the table when catastrophic incidents are concerned.  The scarcity of resources is an immediate factor that we need to address along with acknowledging that a severely damaged infrastructure forces us out of many of the technological and logistical comforts we have become accustomed to.  It doesn’t require a new system of planning – just a realistic mentality.

This all logically ties to our incident management system – ICS.  ICS is fully able to accommodate a catastrophic-level incident.  The difficulties we face are with how we apply it (another human factor) and integration of multiple ICS organizations and other incident management entities, such as EOCs.  The tenant in ICS is that one incident gets one incident command system structure.  This is obviously not a geo-political or practical reality for a catastrophic incident that can have a large footprint.  This, however, doesn’t mean that we throw ICS out the window.  This is a reality that we deal with even on smaller disasters, where different jurisdictions, agencies, organizations, and levels of government all have their own management system established during a disaster.  Through implementations such as unified command, multi-agency coordination, agency representatives and liaison officers, and good lines of communication we are able to make effective coordination happen.  (Side note: this is absolutely something I think we need to plan for and tighten up conceptually.  It’s often pulled together a bit too ad-hoc for my comfort).

While some time and effort needs to be applied to develop some solid solutions to the issues that exist, I’m confident that we DO NOT need to create alternate preparedness or response systems for addressing catastrophic incidents – we simply need to apply what we have better and with a more realistic perspective.  The answers won’t come easy and the solutions might be less than ideal, but that’s the nature of a catastrophic event.  We can’t expect it to be easy or convenient.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

New and Timely Cyber Security Information

October is National Cyber Security Awareness Month.  With it, the DHS Private Sector Office has provided a number of resources to help organizations get involved in cyber security awareness.  These include weekly themes, such as Stop. Think. Connect., information on a weekly Twitter Chat series, and other information.

Perhaps released intentionally during National Cyber Security Awareness Month is the call for public comment on the National Cyber Incident Response Plan.  From their website, DHS’ National Protection and Programs Directorate and FEMA’s National Integration Center are leading the development of this document in coordination with the US Department of Justice, the Secretary of Defense, and other partners.  This plan is intended to provide a nation-wide approach to cyber incidents, incorporating roles for the private sector and all levels of government (TR – similar to the National Planning Frameworks, which this document rather heavily references).  The National Engagement Period ends on October 31, so be sure to review the document and provide feedback.  There are also a series of webinars referenced on the website.

In my initial and very cursory review of the plan, I was pleased to see the references to the National Preparedness Goal and National Planning Frameworks.  I’ve mentioned before that we need to strive to align and integrate all preparedness efforts along these lines and I’m thrilled to see it happening.  It’s even more encouraging to see this occurring with something that could be considered a bit fringe to traditional emergency management.  The plan directly references a number of Core Capabilities.  They take an interesting approach with this.  Instead of identifying which Core Capabilities the plan organizes under, they instead align certain Core Capabilities within what they call Lines of Effort.  These Lines of Effort include Threat Response, Asset Response, and Intelligence Support.  For each Core Capability they define the Core Capability, a la the National Preparedness Goal, and describe how that Core Capability applies to Line of Effort, along with listing associated critical tasks. (inserted is Table 2 from the plan which shows this alignment)

cyber-cc-by-loe

What I find even more interesting is the array of Core Capabilities they identified for their Lines of Effort.  While this plan is oriented toward response, the Core Capabilities they identify come from the Mission Areas of Prevention, Protection, Response, and Mitigation, along with including the three common Core Capabilities.  This further reinforces the thought that the Cyber Security Core Capability should also be included as a common Core Capability.  This is an interesting document which I look forward to reviewing in more detail.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLCYour Partner in Preparedness