Federal Register: October 16, 2009 (Volume 74, Number 199)
DOCID: fr16oc09-111 FR Doc E9-24968
DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency
Docket ID: [Docket ID FEMA-2008-0017]
NOTICE: NOTICES
ACTION: Disaster Declarations:
DOCUMENT ACTION: Notice of availability; request for comments.
SUBJECT CATEGORY:
Voluntary Private Sector Accreditation and Certification Preparedness Program
DOCUMENT SUMMARY:
The Department of Homeland Security (DHS) announces its intent to select standards for adoption in the Voluntary Private Sector Accreditation and Certification Preparedness Program (``PS-Prep''). This notice (1) finalizes the criteria to be used in selecting standards for the PS-Prep Program; (2) discusses the prospective adoption of the three identified standards, including (a) the approach for collaboration with the Critical Infrastructure and Key Resources (CIKR) sectors and (b) considerations for small business in the adoption of the three identified standards; and (3) poses specific questions for which comment is sought. Although DHS intends to select only the three identified preparedness standards at this time, DHS may select additional standards in the future.
Instructions: DHS will accept comments on PS-Prep and these standards at any time, and comments will be considered as they are received. Within 30 days after publication of this notice, DHS requests comments regarding the adoption of the standard selections or any other similar standard that satisfies the Target Criteria presented in the December 24, 2008 notice (73 FR 79140). Those interested may submit comments, identified by Docket ID FEMA-2008-0017, by one of the following methods:
All submissions received must include the agency name and Docket ID FEMA-2008-0017. All submissions will be posted, without change, to the Federal eRulemaking Portal at http://www.regulations.gov, and will include any personal information you provide. Because comments are made available to the public, submitters should take caution to not include any sensitive, personal information, trade secret, or any commercial or financial information which is obtained from any person and which is deemed privileged or confidential. Submitters may wish to read the Privacy Act Notice available on the Privacy and Use Notice link on the Administration Navigation Bar of www.regulations.gov.
Docket: For access to the docket to read background documents or comments received, go to the Federal eRulemaking Portal at http://www.regulations.gov. Submitted comments may also be inspected at FEMA, Office of Chief Counsel, 500 C Street, SW., Room 840, Washington, DC 20472.
Availability of the Identified Standards: The three identified standards are available in two ways in addition to being available on the individual Web sites of the three respective standards development organizations (SDOs).
1. FEMA will maintain copies of the standards proposed under this notice and make them available upon request for viewing in person at FEMA's reading room, located at 500 C Street SW., Room 835, Washington, DC 20472. Due to licensing and copyright restrictions, however, these documents will be available for review only, not for copying.
2. FEMA's PS-Prep Web site, http://www.fema.gov/privatesector/preparedness, contains links to the Web sites for each of the three SDOs. Each of these SDOs is making its standards available through this link for inspection, downloading, and printing, especially for the PS-Prep Program. Through the above link, the National Fire Protection Association and the American Society for Industrial Security have made NFPA 1600 and ASIS SPC.1-2009, respectively, available at no cost. Also through this link, the British Standards Institution has made the U.S. editions of BS25999-1 and BS25999-2 available for a reduced fee of $19.99 each. At DHS's request, the British Standards Institution reduced its regular fee for BS25999-1 from $132.00 to $19.99, and its regular fee for BS25999-2 from $152.00 to $19.99, for the comment period.
SUPPLEMENTAL INFORMATION
I. Background
In the ``Implementing Recommendations of the 9/11 Commission Act of 2007'' (Pub. L. 110-53), Congress mandated DHS to establish a voluntary private sector preparedness accreditation and certification program. This program, now known as ``PS-Prep,'' will assess whether a private sector entity complies with one or more voluntary preparedness standards adopted by DHS, through a system of accreditation and certification developed by DHS in close coordination with the private sector.
DHS published a notice in the Federal Register on December 24, 2008, requesting comment on a voluntary private sector preparedness accreditation and certification program (``PS-Prep''), target criteria for voluntary preparedness standards under the program, and recommendations for standards. See 73 FR 79140. DHS also held two public meetings, on January 13 and February 23, 2009, and had other interaction with stakeholders, to obtain comments on standards that DHS should approve under PS-Prep. DHS has considered the information gathered through these channels in the identification of the three standards discussed in this notice and further development of the PS-Prep Program.
II. Elements Considered in the Evaluation of Standards for Selection
On December 24, 2008, DHS published and sought public comment on its proposed target criteria for preparedness standards. Upon review of comments, DHS has determined the target criteria are appropriate, valid, and consistent with the DHS mission and the goals of PS-Prep Program. DHS, therefore, will adopt standards based on the target criteria as previously listed.
III. Intent To Adopt Three Initial Standards for the PS-Prep Program
Based on public comments, the suitability of standards considered to accomplish the purposes of the PS-Prep Program, and coverage of the target criteria, DHS intends to adopt the following three standards. Although the focus of each standard may be slightly different, each meets the spirit and intent of Public Law 110-53, which defines ``voluntary preparedness standards'' as a ``* * * common set of criteria for preparedness, disaster management, emergency management, and business continuity programs. * * *'' These standards were chosen because, among other things, they meet the target criteria and are not industry specific.
1. NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 Edition. This standard establishes a common set of criteria for preparedness, disaster management, emergency management, and business continuity. NFPA 1600 specifies the management and essential elements of a preparedness program for disaster management, emergency management, and business continuity. The particular strength of this standard is that it focuses on planning and preparation in anticipation of a disaster and does not prescribe a program development process.
2. BS25999: Business Continuity Management. This standard defines requirements for a management systems approach to business continuity, and integrates risk management disciplines and processes. BS25999 is comprised of two parts: Part 1 dated 2006; Code of Practice, and Part 2 dated 2007; Specification. The particular strength of this standard is that it specifically provides a management systems approach to business continuity and also integrates risk management disciplines and processes. The standard also provides the user the basis for understanding and implementing in business-to-business and business-to-customer dealings to reassure business resilience.
3. ASIS SPC.1-2009: Organizational Resilience: Security Preparedness, and Continuity Management Systems: Requirements with Guidance for Use. This standard was released in 2009 and defines requirements for a management systems approach to organizational resilience. The particular strength of this standard is that it applies a management systems approach to organizational resilience. The standard encompasses an assortment of risk management mechanisms and follows a plan-do-check-act approach associated with other International Standard Organization management system based standards.
IV. Adoption of Initial Standards in the PS-Prep Program
DHS, after considering the public comments received on this notice,
will publish a notice in the Federal Register to announce the standards
that DHS will adopt. DHS may adopt any or all of the three standards identified above.
V. Critical Infrastructure and Key Resources (CIKR) Sector Specific Issues
Following adoption of the initial standards, DHS will collaborate with the CIKR sectors and their respective Sector Coordinating Councils to identify the regulations, guidelines, sector codes of practice, and best practices of the sector that may affect implementation of the adopted standards.
The DHS Office of Infrastructure Protection will then work with individual CIKR sectors to develop a framework in which the identified sector specific considerations can be built into the application of the adopted standards to individual sectors. Any such framework could be used both by an entity seeking certification of conformity to a standard and by the certifying body.
VI. Small Business Consideration
Title IX of Public Law 110-53 recognized that small businesses need to be treated differently in the PS-Prep Program, and requires DHS to give special consideration to small business concerns (as defined by Section 3 of the Small Business Act (15 U.S.C. 632)). The December 24, 2008 Federal Register notice contained an extensive discussion of DHS' approaches to best reflect the interests of small businesses and the purpose of the PS-Prep Program. DHS continues to seek comments from small businesses and others on the adoption of these standards and their impact on future decisions to seek certification under the PS-Prep Program.
VII. Questions for Which Comment or Recommendations Are Specifically Sought
The Department requests comments, suggestions, or other advice regarding the PS-Prep Program, including but not limited to responses to the following questions:
1. Are there reasons that DHS should not adopt any one of the three standards listed above?
2. Are there any supporting guidance materials in addition to the three identified standards that are needed to help the private sector attain certification to one of the three standards?
3. What factors would a business consider in determining which DHS adopted standard(s) to pursue for certification under the PS-Prep Program?
4. What are the reasons for businesses to seek certification under these identified standards?
5. How would the fact that an organization is certified under the PS-Prep Program affect or otherwise influence your decision to do business with them?
6. In response to the December 2008 Federal Register notice, DHS received numerous comments promoting the use of a ``maturity model process improvement approach'' for business preparedness and continuity. The maturity model was described as an approach whereby certifications on certain standards could be incremental, i.e., grading on a scale of conformance, rather than a conformance/nonconformance basis. The notice noted that certifications will determine conformity or nonconformity with a particular standard. How could the use of a maturity model approach be applied to certification to any of these standards?
7. What may be the potential impact (e.g., cost, return on investment, other considerations, etc.) on small businesses when attempting to implement any of the above identified standards?
W. Craig Fugate,
Administrator, Federal Emergency Management Agency.
[FR Doc. E9-24968 Filed 10-15-09; 8:45 am]
BILLING CODE 911146P
FOR FURTHER INFORMATION CONTACT
Mr. Donald Grant, Incident Management Systems Integration Division, National Preparedness Directorate, National Integration Center, 500 C Street, SW., Washington, DC 20472. Phone: 202-646-3850 or email: FEMANIMS@dhs.gov.