The United States has made significant progress since the terrorist attacks in September 2001 in developing an infrastructure for standards and conformity assessment for a range of homeland security products. The 9/11 Commission, in their final report in 2004, recommended several steps to make the nation safer and better prepared to respond to national-level disasters. In particular, they recommended that private-sector organizations follow standards such as NFPA 1600-2002: Standard on Emergency Management and Business Continuity. Then-Department of Homeland Security (DHS) Secretary Tom Ridge agreed with these recommendations, and thus NFPA 1600 became “the first” DHS-adopted standard. However, it took eight years to implement a DHS program such that individual corporations could demonstrate compliance with emergency management/business continuity standards.

Why did it take eight years to establish a program that everyone agreed from the start was a great idea? Multiple factors contributed to the timeline. There were two different communities involved: public sector preparedness and corporate business continuity. These two communities were represented by two different, very large agencies within DHS. The public sector was a responsibility of the Emergency Preparedness Directorate in the Federal Emergency Management Agency (FEMA); corporate interests were represented by the Office of Infrastructure Protection in the National Protection and Programs Directorate (NPPD).

As the first standards executive for DHS and the director of the new DHS Office of Standards in the Science & Technology Directorate, I was responsible for assisting the department in meeting the requirements of Public Law 104-1995, the National Technology Transfer and Advancement Act. My office focused from the beginning on developing voluntary consensus standards for equipment for first responders. Although we felt we were pushing the U.S. system of standards as fast as it could go, it was not fast enough to meet the immediate needs. We constantly heard from DHS leadership that we needed Consumer Reports (CR) or UnderWriters Laboratories (UL) “certifications” for homeland security products.

But the leaders at DHS did not appreciate that these private-sector organizations have developed time-honored processes to ensure that products that are accepted for comparison (by CR) or receive a label (from UL) have undergone rigorous tests to demonstrate how they perform. Neither CR nor UL, for example, had the facilities or test methods to assess whether detectors for chemical, biological, radiological/nuclear and explosives agents met basic requirements. And neither wanted to support a manufacturer's claims that these detectors could detect dangerous agents or prevent terrorists’ attacks.

They were not unique in wanting to limit their corporate liabilities in these uncharted waters. The best protection for manufacturers was the “government contractor defense” (Boyle v. United Technologies Corp., 487 U.S. 500 (1988)). Suppliers of military weapons and aircraft have limited liability because the contract between the government and the supplier defines potential liabilities, with a risk-based determination of who would be responsible when they procure the defense systems.

In the absence of voluntary consensus standards of performance, many public and private organizations and some federal agencies began to develop “lists” of equipment and push these lists out to potential buyers. Lists that received a lot of our attention were authorized equipment for purchase with FEMA grants monies, equipment for state and local emergency responders, and products for use in aviation protection.

We worked from the outset to provide FEMA, the Transportation Security Administration (TSA), and other DHS agencies with lists of voluntary consensus standards (from ASTM International, IEEE International, the National Fire Protection Association, and others) so they could provide users with an appropriate standard alongside the homeland security product (or category of products) on their suggested buyer guides. The first standards DHS adopted were personal protective equipment (PPE) standards from NFPA and NIOSH and the American National Standards Institute's N42 IEEE standards for radiation detectors.

Our approach was intended to add some rigor to the term certification by requiring third-party testing with agreed-upon test and evaluation protocols. Further, we pushed for product testing to be performed by International Organization for Standards (ISO) 17025-accredited test facilities. There were two major U.S. accrediting bodies (ABs) that already had a foothold in product testing: the NIST National Voluntary Laboratory Accreditation Program (NVLAP) and the private sector's American Association for Laboratory Accreditation (A2LA).

NVLAP

NVLAP is not supposed to compete with the other programs unless they have a direct request from a federal agency. As director of the Office of Standards at DHS, I could request NVLAP to establish such programs, and I did that twice. We requested that they work with the DHS Domestic Nuclear Detection Office to set up the Graduated Radiation Detector Evaluation (GRaDER) program for radiation detectors. The framework for this program was the ANSI N42 IEEE standards for four classes of radiation detectors used in homeland security applications.

The GRaDER program represented a great success. First responder organizations had confidence that instruments were being tested in accredited laboratories against published consensus IEEE standards. The GRaDER program was our template for how to use the U.S. system of standards to improve performance of commercial off-the-shelf equipment for homeland security applications.

My second request to NVLAP was to establish a program for accredited laboratories for testing biometrics equipment. NVLAP assisted TSA in identifying appropriate standards and conformity assessment procedures for a qualified products list (QPL) for airport access control biometrics equipment. The accredited laboratories test a range of biometrics readers for personnel identification (e.g., face, fingerprint and iris).

A2LA

The A2LA organization already had a good foothold in the DHS legacy agencies. A signature program was their accreditation of the field office laboratories of the DHS Customs and Border Protection.

A2LA was to play a much more important role with the Transportation Security Laboratory (TSL) in Atlantic City, New Jersey. The TSL had the lead for DHS testing for trace explosives detectors and x-ray scanners for aviation. TSA spends up to $2 billion per year on aviation security equipment and has an elaborate system of selecting, testing and deploying equipment to hundreds of airports. We were looking for ways to insert the U.S. system of standards into their qualified products list.

ANAB

The third accrediting body we worked with, the American National Accreditation Board (ANAB), was for an entirely different aspect of homeland security: private-sector preparedness.

Here is where it gets interesting: the DHS Office of Policy in the Obama administration decided that the nation needed something beyond “preparedness.” They asserted that the nation's public and private sectors needed to be “resilient.” (The experts can better explain the fine distinctions among preparedness, resilience, and sustainability.) The Office of Policy began fashioning a program they called Resilience Star. This program took on a life of its own for a several years. I did my bit to assist in these efforts on resilience, including organizing conferences sponsored by the ANSI Homeland Security Standards Panel on resilience.

Fortunately, the U.S. private sector, as well as state, local and tribal entities, realized soon after 9/11 that they had to take steps to protect their organizations from adverse events, whether those were terrorists’ attacks or natural disasters. Corporations had responded quickly after Hurricane Katrina in 2005 to look at their distribution systems and how they could assist communities in need. The corporate world also recognized the need for attention to business continuity standards without too much concern about umbrella labels like preparedness, resilience, sustainability, and supply chain security. The checklists provided in the business continuity standards would address all these concerns.

After the terrorists’ attacks of 2001, the U.S. standards community came together with local, state and federal agencies to begin fast-track development of a number of standards to protect the nation from what were seen as imminent threats. Not all the tools for standards and conformity assessment put in place during that first decade are still in use today. The threats today have evolved to include infectious diseases, cyber security, wildfires, and other natural disasters.

A national response to these threats requires new standards and conformity assessment measures. Standards development organizations and accreditation bodies are again answering the calls in these new areas, in addition to continuing their efforts to revise and update the critical standards developed to mitigate terrorists’ attacks. The priorities for new standards will always be driven by the perceived risks. The leaders at DHS S&T and NIST are continuing to work with all the DHS components and other federal agencies and partners in the private sector to strengthen the standards and conformity assessment infrastructure for homeland security and protect the nation.

Bert Coursey is a guest researcher in the Standards Coordination Office at NIST.

Bert Coursey is a guest researcher in the Standards Coordination Office at NIST.

Close modal