Q: What is PS-Prep™?
A: PS-Prep™ is a program by which DHS seeks to encourage private sector preparedness by providing formal recognition of businesses whose processes conform to recognized standards for disaster and emergency preparedness and business continuity. Voluntary certification under the PS-Prep™ Program will assess whether a private sector entity complies with one or more preparedness standards adopted by DHS and applied through a system of accreditation and certification set up by DHS in close coordination with the private sector.
The program is based on established conformance assessment processes widely used in business and industry.
Q: How did PS-Prep™ come about?
A: In Title IX of "Implementing the Recommendations of the 9/11 Commission Act of 2007" (the 9/11 Act), Congress authorized the DHS to establish a voluntary private sector preparedness accreditation and certification program.
Additionally, the 9/11 Commission found that the private sector was not prepared for the aftermath of the 9/11 attacks and that, despite 9/11, the private sector remained largely unprepared at the time of its final report. The 9/11 Commission's central recommendation in this area was that DHS promote private sector preparedness standards that establish a program with a common set of criteria and terminology. This recommendation was the genesis of the PS-Prep™ program.
Q: What is the purpose of the program?
A: Simply stated, the purpose of PS-Prep™ is to encourage private sector preparedness. The program does so by providing a mechanism for a private sector entity a company, facility, non-profit corporation, hospital, stadium, university, etc. to receive a certification from an accredited third party that it is in compliance with a private sector preparedness standard adopted by DHS.
Q: The program is voluntary. What does that mean?
A: Seeking certification is voluntary: no private sector entity is required by DHS to seek or obtain a PS-Prep™ certification.
However, DHS encourages all private sector entities to seriously consider seeking certification to an appropriate standard adopted by DHS, once those standards become available.
Q: Why would a private sector entity want to participate in PS-Prep™?
A: There are several business reasons that a private sector entity may consider becoming involved with PS-Prep™, three of which are:
- The obvious advantages of having a third party determine whether the entity is prepared to deal with various hazards. Natural and man-made disasters occur too frequently and can result in anything from data loss from a power outage, to potentially more severe and prolonged consequences from pandemic flu, malicious cyber attacks or other major disasters.
- By conforming to the standard, a private entity will be better able to minimize damage and loss from a disaster.
- By getting its conformance certified, the private entity's management can be confident that the entity is prepared.
The second is competitiveness and efficiency. By a private entity's conforming to and being certified against a PS-Prep™ standard, it will likely have minimized the damage to operations from the disaster and be resilient and be among the first businesses affected to resume its operations. This could lead to the entity's gaining market share in the post-disaster environment.
Another reason is that businesses today operate in the global supply chain. Frequently, large international firms audit their suppliers to determine if the suppliers have a viable plan for business continuity or disaster management. The large firms pursue such processes to avoid disruption of that supply chain in case a disaster strikes. By conforming to and being certified against the PS-Prep™ standard or standards, a business may save the time, effort and cost associated with those audits, because large firms could recognize certification under the PS-Prep™ Program as equivalent to its own audit. Additionally, other large firms may prefer to do business with suppliers that have a certified preparedness plan in place.
Q: How does it work?
A: PS-Prep™ has three separate but interrelated components: adoption, accreditation and certification.
- Adoption is DHS's selection of appropriate private sector preparedness standards for the program. Given DHS's goal of broadly encouraging private sector preparedness, we have developed a process that allows a wide variety of standards to be considered and adopted.
- Accreditation is a process managed by a DHS-selected non-governmental entity to confirm that a third party is qualified to certify that a private sector entity complies with a preparedness standard adopted by DHS. Third parties are accredited to provide certifications and may be accredited on one, some or all of the DHS-adopted standards.
- Certification is the process by which an accredited third party determines that a private sector entity is, in fact, in compliance with one of the private sector preparedness standards adopted by DHS.
Q: What DHS offices are involved in PS-Prep™?
A: The Administrator of FEMA is the designated officer of PS-Prep™. He relies upon a PS-Prep™ Coordinating Council, made up of experts from the DHS Science and Technology Directorate, the Office of Infrastructure Protection, the Private Sector Office and advice from the Office of the General Counsel, to manage the program. The Designated Officer and the PS-Prep™ Coordinating Council work with the Selected Entity to manage the program.
Q: Has DHS selected any standards under PS-Prep™?
A: Yes, based on public comments, DHS has formally adopted three initial standards, including:
- ASIS SPC.1-2009 "Organizational Resilience: Security Preparedness, and Continuity Management Systems
- British Standards Institution 25999 (2007 Edition) - Business Continuity Management. (BS 25999:2006-1 Code of practice for business continuity management and BS 25999:2007-2 Specification for business continuity management)
- National Fire Protection Association 1600: 2007/2010 Standard on Disaster / Emergency Management and Business Continuity Programs
Q: Who is the "selected entity" that DHS contracted with to provide accreditations?
A: On June 12, 2008, the designated officer for PS-Prep™ entered into a contract with the ANSI-ASQ National Accreditation Board, or ANAB, to be the "selected entity." As the selected entity, ANAB will develop and oversee the certification process, manage accreditation and accredit qualified third parties to carry out certifications in accordance with the accepted procedures of the program.
ANAB was chosen because it is an internationally recognized accreditation organization, it is an International Accreditation Forum Mutual Recognition Arrangement Signatory and, currently, is the only accreditation organization for process/management system certifiers based in the United States.
Q: What will ANAB's role be?
A: Under the PS-Prep™ Program and with direction of DHS, ANAB will be responsible for developing the accreditation process, accrediting qualified third parties to carry out the certification process and overseeing the certification process.
Q: Did DHS seek recommendations for standards to adopt?
A: Yes. DHS published a notice in the Federal Register on December 24, 2008, describing the implementation of the program and to seek recommendations from the public regarding the private sector preparedness standards that DHS should adopt, both initially and over time.
After reviewing the responses to the December 24, 2008, notice, DHS published a notice in the Federal Register in October 2009 which proposed the adoption of three standards for use in the program and sought public comment.
DHS considered the comments gathered in the response to the October 2009 Federal Register notice and found that there were no significant concerns expressed about the adoption of any proposed standards.
DHS will continue to accept comments on PS-Prep™, the three adopted standards or proposals to adopt any other similar standard that satisfies the target criteria presented in the December 28, 2008, notice. DHS will review any comments received or proposals for DHS adoption of additional standards and, when merited, will publish a Federal Register notice providing the results of that review or notifying the public of an intention to adopt additional standards.
Q: What is DHS looking for in a standard?
A: Most importantly, DHS is interested in standards that promote private sector planning for, preparedness for, response to and recovery from a natural or man-made disaster. DHS published formal PS-Prep™ criteria for comment in the December 8, 2008, Federal Register notice. Those criteria were formally adopted in the October 2009, Federal Register notice.
DHS will consider adoption of standards that are comprehensive, addressing all of the elements of a private sector preparedness standard that are applicable to all private sector entities. The three standards that DHS has formally adopted fall into this category. DHS will also consider more limited standards, such as those that apply to a particular industry or a subset of an industry or those that cover a more circumscribed aspect of preparedness (i.e., an emergency preparedness standard for hospitals over a certain number of beds).
Q: The 2008 notice contains a list of possible elements for standards. How should they be used?
A: The December 24, 2008, Federal Register notice associated with the PS-Prep™ Program includes a list of elements that standards may contain. It is, of course, not possible to devise uniform criteria that every standard submitted for adoption should meet because, among other reasons, there may be industry-specific standards proposed and standards may seek to address something less than the full range of matters that may be included in a preparedness standard. Even so, the list of possible elements in the Federal Register notice is a good starting point for parties developing private sector preparedness standards for adoption. A standard need not contain all of these elements to be appropriate and therefore be considered for adoption by DHS. Nonetheless, the list is provided to guide the private sector in developing appropriate standards and will be modified as necessary.
Q: Will DHS work with standards organizations to improve existing standards?
A: Yes. As part of the PS-Prep™ Program, DHS will work with standards development organizations as future preparedness standards are developed, in order to assist those organizations in developing, updating and revising their current standards and developing new standards to comprehensively deal with issues of preparedness.
Additionally, when DHS adopts more general standards, we will work with the standards development organization to allow tailoring of the standard to different industries and sizes. We also anticipate that standards will meet the needs of critical infrastructure and key resources sectors and other businesses and other private sector entities.
Q: How many standards will DHS adopt?
A: Currently, DHS has adopted three standards but we cannot predict how many standards DHS will ultimately adopt. The program is designed to consider and adopt multiple private sector preparedness standards and encourage the development of additional standards, as well as the expansion and evolution of existing standards. In deciding which standards to adopt, DHS is required to consider standards that have already been created within the private sector and to take into account the unique nature of various sectors within the private sector.
Q: How will PS-Prep™ work since DHS adopted multiple standards?
A: Since DHS adopted multiple standards, entities can apply for certification against any or all standards.
Q: Is there a simple timeline for each step of the process?
A: The process is self-paced and varies with the knowledge level and experience of each entity seeking certification. In general there are two parts, putting the preparedness program in place and evaluating the processes against a standard. Each business is unique in its operation, as well as its ability to understand the requirements and implement the necessary processes.
Q: How long does certification under the PS-Prep™ Program take from start to finish?
A: As with the implementation of any standard, the time involved will differ depending on the size and complexity of the organization and could be weeks or months. Upon implementation, the organization must undergo the actual review of the organization's processes. The time varies based upon the size of the entity being audited, the number of locations to be included under the certificate and the complexity of the processes to be examined. Potentially, an individual review could be from one to five days. Additional time may be needed to remedy areas found not to comply with the specific standard.
Q: How long does a certification under the PS-Prep™ Program last? How much does it cost?
A: In adopting a standard, DHS, ANAB and the standard development organization will determine how long a certification under the standard will last. The cost of certification will be determined by the certifying entity chosen by the private organization seeking certification. The cost will likely depend to a large degree upon the size and complexity of the private organization.
Private Sector Role
Q: What is the role of the private sector in the PS-Prep™ Program?
A: The PS-Prep™ Program is to be almost entirely driven by the private sector. The standards that have been and will be adopted by DHS have been developed by the private sector generally under the auspices of private standards development organizations. The standards that are adopted are the product of private sector work whether through voluntary consensus standards organizations, sector coordinating councils or other private sector entities or groups. Private sector ingenuity is the lifeblood of the program.
ANAB will manage the accreditation process. Private sector firms will be accredited to certify private entities against one or more of the adopted PS-Prep™ standards.
The private entities will decide whether, if at all, they wish to be certified under the PS-Prep™ Program. Should a firm decide to participate, it will choose the PS-Prep™ standard against which it will be evaluated.
Understood this way, PS-Prep™ is a tool for both DHS and the private sector to give greater visibility "through a certification" to a private sector entity's compliance with a standard.
The Department of Homeland Security has no plans to impose federal preparedness standards on the private sector.
Q: How should entities get involved in the PS-Prep™ Program?
A: There are several ways to get involved. First, we encourage organizations to submit comments and participate in one of the public forums on the topic.
Second, by suggesting private sector standards to be adopted by DHS as part of the program.
Third, if you are an entity that would like to be accredited to certify on DHS-adopted standards, please watch the PS-Prep™ Program Web site for information on how to become accredited.
Finally, entities may be certified on the standards once DHS announces the initiation of the availability of the PS-Prep™ Program certification process on the PS-Prep™ program Web site.
Notices of other opportunities to engage will be distributed through many sources, including FEMA's Infrastructure Protection Directorate and the DHS Private Sector Office. Anyone may subscribe to these updates from the www.fema.gov and www.fema.gov/privatesectorpreparedness web pages. Interested parties are encouraged to monitor these web pages for program updates.
Q: Out of the public comments received, how many were from or about small business?
A: Thirty-eight or nearly one third of the Federal Register Notice (FRN) submissions included a comment related to small business. About 10% of the comments made during the Regional stakeholder meetings were related to small business.
Q: Are there different considerations for small businesses?
A: Yes. Because the certification process may involve expense and that expense may cause small businesses to avoid seeking certification, the statute calls upon the designated officer and the selected entity to "establish separate classifications and methods of certification for small business concerns...."
DHS is considering several lower-cost options aside from third-party certification for small businesses. One such option is a self-declaration of conformity: an attestation by the small business that it has complied with one or more DHS-adopted standards. Another option is a second-party attestation, which would involve another entity "perhaps one that uses the small business in its supply chain" attesting that the small business is in conformity with one or more DHS-adopted standards. The DHS Ready-Business Program might be the appropriate portal providing instructions and forms that may be involved in any self- and second-party attestations. DHS seeks comment on self-attestations of conformity, second-party attestations and the employment of Ready-Business in this program, as well as any other proposal for alternatives allowing small business participation in PS-Prep™.