[Senate Hearing 110-317]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 110-317
 
                      PRIVATE SECTOR PREPAREDNESS 

=======================================================================

                                HEARING

                               before the

                  AD HOC SUBCOMMITTEE ON STATE, LOCAL,
                    AND PRIVATE, SECTOR PREPAREDNESS
                            AND INTEGRATION

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 21, 2007

          PART I: DEFINING THE PROBLEM AND PROPOSING SOLUTIONS

                               __________

                             JULY 12, 2007

            PART II: PROTECTING OUR CRITICAL INFRASTRUCTURE

                               __________

        Available via http://www.access.gpo.gov/congress/senate

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs

                     U.S. GOVERNMENT PRINTING OFFICE

36-615 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001












































        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
THOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota
MARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma
BARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico
CLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia
JON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire

                  Michael L. Alexander, Staff Director
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                  Trina Driessnack Tyrer, Chief Clerk


 AD HOC SUBCOMMITTEE ON STATE, LOCAL, AND PRIVATE SECTOR PREPAREDNESS 
                            AND INTEGRATION

                   MARK L. PRYOR, Arkansas, Chairman
DANIEL K. AKAKA, Hawaii              JOHN E. SUNUNU, New Hampshire
MARY L. LANDRIEU, Louisiana          GEORGE V. VOINOVICH, Ohio
BARACK OBAMA, Illinois               NORM COLEMAN, Minnesota
CLAIRE MCCASKILL, Missouri           PETE V. DOMENICI, New Mexico
JON TESTER, Montana                  JOHN WARNER, Virginia

                     Kristin Sharp, Staff Director
                Michael McBride, Minority Staff Director
                        Amanda Fox, Chief Clerk










































                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Pryor................................................     1
    Senator Akaka................................................     2
    Senator Sununu...............................................    19

                               WITNESSES
                        Thursday, June 21, 2007

Alfonso Martinez-Fonts, Jr., Assistant Secretary, Private Sector 
  Office, U.S. Department of Homeland Security...................     4
Marko Bourne, Director of Policy and Program Analysis, Federal 
  Emergency Management Administration, U.S. Department of 
  Homeland Security..............................................     7
F. Duane Ackerman, Former Chairman and CEO, BellSouth 
  Corporation, Business Response Task Force, Business Executives 
  for National Security (BENS)...................................    10
Hon. John Breaux, Former U.S. Senator from the State of 
  Louisiana, Co-Chair, Business Response Task Force, Business 
  Executives for National Security (BENS)........................    12
Richard Andrews, Ph.D., Senior Advisor for Homeland Security, 
  National Center for Crisis and Continuity Coordination.........    15

                        Thursday, July 12, 2007

Colonel Robert B. Stephan, Assistant Secretary for Infrastructure 
  Protection, U.S. Department of Homeland Security...............    37
Eileen Regan Larence, Director, Homeland Security and Justice 
  Issues, U.S. Government Accountability Office..................    42
Lieutenant Colonel Kenneth C. Watson, (Retired), Vice Chairman, 
  Partnership for Critical Infrastructure Security, Inc., and 
  Senior Manager, Critical Infrastructure Assurance Group, Cisco 
  Systems, Inc...................................................    45

                     Alphabetical List of Witnesses

Ackerman, F. Duane:
    Testimony....................................................    10
    Prepared statement...........................................    85
Andrews, Richard, Ph.D.:
    Testimony....................................................    15
    Prepared statement...........................................    97
Bourne, Marko:
    Testimony....................................................     7
    Prepared statement...........................................    72
Breaux, Hon. John:
    Testimony....................................................    12
    Prepared statement...........................................    91
Larence, Eileen Regan:
    Testimony....................................................    42
    Prepared statement...........................................   115
Martinez-Fonts, Alfonso, Jr.:
    Testimony....................................................     4
    Prepared statement...........................................    59
Stephan, Colonel Robert B.:
    Testimony....................................................    37
    Prepared statement...........................................   104
Watson, Lieutenant Colonel Kenneth C.:
    Testimony....................................................    45
    Prepared statement...........................................   140

                                APPENDIX

``Getting Down to Business: An Action Plan for Public-Private 
  Disaster Response Coordination,'' The Report of the Business 
  Response Task Force, January 2007..............................   148
Responses to Questions for the Record from:
    Mr. Bourne...................................................   208
    Mr. Ackerman.................................................   223


          PART I: DEFINING THE PROBLEM AND PROPOSING SOLUTIONS

                              ----------                              


                        THURSDAY, JUNE 21, 2007

                                 U.S. Senate,      
             Ad Hoc Subcommittee on State, Local, and      
           Private Sector Preparedness and Integration,    
                    of the Committee on Homeland Security  
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:06 p.m., in 
Room SD-342, Dirksen Senate Office Building, Hon. Mark Pryor, 
Chairman of the Subcommittee, presiding.
    Present: Senators Pryor, Akaka, and Sununu.

               OPENING STATEMENT OF SENATOR PRYOR

    Senator Pryor. Let me convene our inaugural meeting of the 
Subcommittee and welcome my colleagues. Senator Sununu is on 
his way. I want to thank the panel for being here today.
    This is a new Subcommittee of the Homeland Security and 
Governmental Affairs Committee. It was created with the start 
of this Congress to focus attention on the coordination between 
the American business community and the government in disaster 
preparedness and response.
    When you look at Hurricane Katrina, you see that some 
Federal agencies were prepared--for example, the National Guard 
and the Coast Guard--while others weren't. We all remember 
stories about ice trucks driving around the country or people 
overpaying for things when they could have been given for free. 
We are not here to revisit all of that today, but we really 
want to learn lessons from the private sector to get ideas on 
how the government can be more prepared and also how we, as a 
Nation, can be more prepared for disasters.
    Hurricane Katrina was one of the most horrific natural 
disasters in our Nation's history, but one of the good news 
stories that came out of it was that there were 254 different 
companies contributing $1 million or more in connection with 
Hurricane Katrina. Wal-Mart, one of my home State companies, 
provided $13.5 million to employees affected by the storm, $17 
million to non-employee disaster relief funds, and almost $4 
million in merchandise and in-kind donations. But like I said, 
there were 254 companies that made over $1 million of 
contributions in one way or the other, so the American business 
community has a lot that it can be proud of.
    And we have seen for years good working relationships in 
the business community with the government in various ways. One 
example is the Highway Watch Program, basically was started in 
the 1990s when law enforcement agencies approached the trucking 
industry to help report road hazards, to be the eyes and ears 
out there on the roads when the law enforcement agencies 
weren't around. And now, the American Trucking Association and 
Department of Homeland Security together train nearly every 
trucker on the road to watch for suspicious terrorist activity.
    So we know that public and private partnerships work. We 
know there is a great track record when we work together and I 
am very pleased to mention that in June 2006, a non-partisan 
business executive group, the Business Executives for the 
National Security (BENS), formed a task force to specifically 
address the integration of public and private preparedness. 
They came out with a report, which I think we all have copies 
of, called ``Getting Down to Business: An Action Plan for 
Public-Private Disaster Response Coordination.''
    There is a lot in this report, but basically, there are 
three main findings.
    One, is that the private sector must be systematically 
integrated into national preparedness and response efforts. 
Two, is that commercial supply chains can provide a wider range 
of goods and services than government entities. And three, 
regulatory and credentialing improvements should be made, and 
these recommendations have sparked a lot of interest and 
discussion about public-private partnerships, which I think is 
very healthy.
    The hearing today will examine the current state of public-
private collaboration. Our witnesses will talk about how they 
view the current state of public-private partnerships. It is my 
understanding that DHS and FEMA have embraced many of the 
recommendations and have taken some initial steps on that. The 
Subcommittee would love to have a progress report on how that 
is going and how you see that unfolding over the next few 
months.
    And I also hope that today's review will help us determine 
whether the government and the private sector have the tools 
they need to continue to improve our response capabilities.
    Senator Akaka, would you like to make an opening statement? 
Go ahead.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman. I want to 
join you in welcoming our witnesses, all of you here, to this 
hearing. Also, I want to note my good friend and colleague John 
Breaux. John, will you please give my aloha to Lois. We have 
had many good years together here in the House and in the 
Senate.
    I want to thank you, Mr. Chairman, for organizing this 
important hearing to begin discussions on how the public and 
private sectors can collaborate more effectively to prepare for 
and respond to natural and manmade disasters.
    Despite the catastrophe of September 11, 2001, and the 
renewed focus on disaster planning in its aftermath, Hurricane 
Katrina starkly demonstrated that much more must be done at all 
levels of the government and the private sector to plan and 
prepare for disasters. We need innovative approaches to 
incident management.
    The government cannot succeed without forging a partnership 
with the private sector. The private sector owns approximately 
85 percent of our Nation's critical infrastructure. The private 
sector has the expertise and the resources to play a leading 
role at every stage of response and recovery. With improved 
disaster planning and response, cooperation between the two 
will result in a reduction in the loss of life and property, 
which is the overall goal of emergency management.
    Because of its unique geography, my home State of Hawaii is 
at risk of many natural catastrophes. Just last year, an 
earthquake measuring 6.7 on the Richter Scale caused extensive 
property damage on the big Island of Hawaii as well as on Maui. 
I am acutely aware of the need for an all-hazards approach to 
disaster preparedness and response, and I believe that in order 
to be effective, this approach must include public, private, 
and non-profit cooperation in the development of guidance, 
standards, plans, and solutions.
    I hope today's witnesses will address their agency and 
organizational efforts to ensure that disaster preparedness and 
emergency response planning is inclusive of all stakeholders 
affected by disasters.
    I also was interested in the conclusion of the BENS task 
force that the government should do a better job of tapping 
commercial supply chains to get relief to those in need after a 
disaster. This type of collaboration is especially important to 
Hawaii. Because of our separation from the mainland, it takes 
much longer for relief to be sent by other States to reach 
those in need.
    My Subcommittee on Oversight of Government Management, 
which recently held a hearing on procurement at DHS, has taken 
a keen interest in government procurement practices. It is 
essential that DHS work closely with FEMA to put contracts into 
place with the private sector that can ensure that when 
disasters strike, we have the resources necessary to respond 
and that we can move supplies quickly to where they are needed. 
I look forward to hearing more about this topic. Dialogues like 
this are an important part of ensuring that when the next major 
disaster strikes, we will have systems in place to provide 
needed relief in a way that is swift, comprehensive, 
coordinated, and cost-effective for the American people.
    Again, Mr. Chairman, I thank you for holding this hearing. 
I look forward to learning more about the private sector 
preparedness initiatives that are being considered and 
implemented. Thank you very much.
    Senator Pryor. Thank you, Senator Akaka. Thank you for 
being here. We will have other Senators join us. We have a 
quorum call on the floor right now and they are trying to work 
out some amendments down on the floor, so it is a busy day, but 
hopefully we will have people coming in and out of the 
Subcommittee hearing.
    What I would like to do now is take a couple of minutes to 
introduce all five of our panelists and then I thought I would 
allow you all to make your opening statement, and then we will 
have questions.
    Our first witness will be Alfonso Martinez-Fonts, Assistant 
Secretary for the Private Sector Office at the Department of 
Homeland Security. Mr. Martinez-Fonts works to provide 
America's private sector with a line of communication to the 
Department.
    Our second panelist will be Marko Bourne, Director of 
Policy and Program Analysis for the Federal Emergency 
Management Administration. He has had over 20 years of 
experience in governmental and legislative affairs, marketing, 
and the emergency services and management fields.
    Our next panelist will be Duane Ackerman, member of the 
BENS Business Response Task Force and former Chairman and CEO 
of BellSouth Corporation. Mr. Ackerman is the immediate Past 
Chairman of the National Council on Competitiveness and the 
National Security Telecommunications Advisory Committee.
    Next, the panelist who needs no introduction here, Senator 
John Breaux, a very respected member of the Senate family. He 
is a former Senator of Louisiana and Co-Chairman of the BENS 
Business Response Task Force. He is currently Senior Counsel at 
Patton Boggs, where he has provided strategic advice on public 
policy matters since his retirement from the U.S. Senate in 
2005.
    And last but not least is Dr. Richard Andrews, Senior 
Advisor for Homeland Security at the National Center for Crisis 
and Continuity Coordination. Dr. Andrews is also a member of 
the President's Homeland Security Advisory Council, the World 
Bank's Disaster Management Operations Group, and former 
Director of the Office of Homeland Security for the State of 
California.
    Mr. Martinez-Fonts, we will turn it over to you.

    TESTIMONY OF ALFONSO MARTINEZ-FONTS, JR.,\1\ ASSISTANT 
 SECRETARY, PRIVATE SECTOR OFFICE, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Martinez-Fonts. Thank you, Mr. Chairman. Chairman 
Pryor, Members of the Subcommittee, thank you very much for the 
opportunity to appear before you today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Martinez-Fonts appears in the 
Appendix on page 59.
---------------------------------------------------------------------------
    My written statement goes into great detail on how the 
Department and specifically the Private Sector Office, which I 
head up, communications and collaborates with the private 
sector. We also illustrate how we work with the component 
agencies like FEMA to promote the creation and sustainability 
of public-private partnerships.
    In my remarks before you today, I would like to first give 
you some background on the statutory mandate of the Department 
of Homeland Security's Private Sector Office. Then I will talk 
about how we approach partnership building with the private 
sector. And finally, I would like to conclude my remarks by 
illustrating how we work with FEMA, CVP, and ICE,
    IP, and other component agencies at the Department, 
encourage and foster public-private partnerships which assist 
in the integration of the private sector in emergency 
preparedness, response, and recovery while maintaining the 
economic health of the economy.
    To begin with, let me introduce to you the unique function 
of Homeland Security's Private Sector Office. As part of the 
2002 Homeland Security Act, specifically Title I, Section 
102(f), Congress created the position of Special Assistant to 
the Secretary for the Private Sector. Comprised of a staff of 
14 employees, the Private Sector Office executes outreach, 
research, and analysis based on its statutory mandates to 
communicate, engage, and cultivate partnership-building with 
the private sector. We also act as an advocate for the private 
sector when we advise the Secretary on the impact of the 
Department's policies, regulations, processes, and actions.
    In order to carry out our mission and to reach 
approximately 30 million businesses in America, we must have 
partners. Our principal partners in this task are trade 
associations and Chambers of Commerce that businesses belong 
to. Without them, we really simply can't do our job. These 
associations and Chambers of Commerce include the U.S. Chamber 
of Commerce, the Business Roundtable, the National Association 
of Manufacturers, Business Executives for National Security 
(BENS), National Federation of Independent Businesses, and 
hundreds of others. We believe partnership-building enhances 
our Nation's ability to prepare for, respond, and recover from 
acts of terrorism and natural disasters.
    Public-private partnerships cover a range of purposes and 
members. They come together to exchange information, facilitate 
dialogue, or focus on a particular set of issues. They can be 
diverse in composition, ranging from individual businesses to 
non-governmental organizations.
    Partnerships, like organizations, have characteristics 
which lend to its success. We believe there needs to be a 
defined mutual goal, a champion on each of the two sides of the 
partnership, and a business case for action.
    As with any collaborative effort, there are challenges 
which can make a public-private partnership vulnerable. There 
are three areas that we consider to be potential risks. One is 
the issue of liability and who bears it. The second is the lack 
of commitment to the partnership. And the third one is a 
conflict of interest, which can be real or perceived, that 
prevents the private sector from fully engaging with the 
government for fear of losing an economic opportunity.
    Homeland Security actively promotes and coordinates public-
private partnerships.
    It is woven into the very fabric of our mission. We reach 
out across our Department to our components, who assist them in 
the outreach efforts to the private sector.
    For example, we work with the Office of Infrastructure 
Protection and their Sector Coordinating Councils where private 
sector partners represent the 17 critical infrastructures and 
key resources. We also work with the Office of Intelligence and 
Analysis to encourage States to include private sector 
representatives in their Fusion Centers, and we have helped 
them to develop a model on how to include them.
    The Private Sector Office staff is assigned to a portfolio 
that cover all of the operating components, such as Customs and 
Border Protection, Immigration and Customs Enforcement, TSA, 
and Coast Guard within the Department of Homeland Security. The 
Private Sector Office often acts as a catalyst with Homeland 
Security component agencies to cultivate and foster these 
public-private partnerships.
    We especially work with component agencies to assist in 
establishment of relationships, integration, and partnership 
building with the private sector.
    What I would like to do today is take FEMA as an example. 
We have detailed a senior staff person from our office to 
assist FEMA in their efforts to integrate the private sector 
into their communications, operations, and logistics. We 
currently are working to develop a Loaned Executive Program 
where FEMA can benefit from private sector expertise in 
logistics and other missions.
    We are implementing lessons learned. For example, the 
Private Sector Office created the National Emergency Resource 
Registry (NERR), as a result of the 2004 Florida hurricanes. 
This electronic system was created to manage offers of 
unsolicited goods and services. However, a year later during 
Hurricane Katrina, NERR was operational, but was unable to 
adequately handle all of the offers made to the system. To 
replace NERR and to address the need for a robust donation 
management system during a crisis, we assisted FEMA in reaching 
out to AIDMATRIX, a nonprofit organization who through a grant 
from FEMA has created a virtual superhighway for all levels of 
government, private sector, and nonprofits to connect and share 
unsolicited offers of products, services, and volunteers. 
Subsequently, the NERR framework has been retooled to create 
FEMA's Debris Contractor Registry. We are also working with 
FEMA's National Exercise Program to incorporate private sector 
in major exercises like TOPOFF 4.
    In addition to working with FEMA, we also reach across the 
Department to find ways where we can encourage the use of 
standards and best practices just to get things done.
    We also work to encourage the adoption of the NFPA 1600 at 
the local level. For example, we recently held with the U.S. 
Chamber of Commerce a pilot initiative to create a Regional 
Business Preparedness Summit in Charlotte, North Carolina. This 
event brought together local leaders in the emergency 
management area, public health, and the private sector.
    We also collaborate with our Federal partners, for example, 
with the Office of Infrastructure Protection. We reached out to 
the Department of Energy to encourage owners and operators of 
gasoline stations to wire and install generators to operate 
fuel pumps in case of a power outage.
    Public-private partnerships are not disguised charity by 
the private sector. Good public-private partnership provides 
common ground towards working towards mutual goals. Public-
private partnerships are not a means to shift the public burden 
away from the government. However, a partnership in its truest 
state is where both partners contribute their skills and 
services as a joint effort. This collaboration creates an 
environment which builds trust, communication, and cooperation. 
These results only enhance our Nation's ability to better 
prepare for, respond to, recover from, and mitigate against an 
act of terrorism or natural disaster.
    This concludes my opening remarks. I look forward to 
answering any questions that you may have.
    Senator Pryor. Thank you. Mr. Bourne.

 TESTIMONY OF MARKO BOURNE,\1\ DIRECTOR OF POLICY AND PROGRAM 
  ANALYSIS, FEDERAL EMERGENCY MANAGEMENT ADMINISTRATION, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Bourne. Thank you, Mr. Chairman, Members of the 
Subcommittee, and thank you for the opportunity to appear here 
today on behalf of FEMA and the Department of Homeland 
Security. My written statement goes into a lot of detail on 
many of the new business and management processes that we are 
putting in place at FEMA in what Administrator Paulison calls 
the new FEMA. In my remarks to you, though, I would like to 
focus on some of the key elements of our strengthening 
relationships with the private sector and our other partners 
that we are already beginning to see the benefits of.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Bourne appears in the Appendix on 
page 72.
---------------------------------------------------------------------------
    We are working diligently to build a new FEMA that is 
stronger and more nimble. With expanded authorities and 
resources provided to us by this Congress and the 
Administration, we have implemented a reorganization which I 
had the privilege to lead, and that we have begun to strengthen 
our existing structure and fully incorporate the core elements 
of the former DHS Preparedness Directorate into our 
organization as part of the new FEMA.
    One of the first ways we used our relationships in the 
private sector can be seen in how we got the ball rolling on 
many of these organizational reforms. At the end of last year, 
Administrator Paulison instituted a series of 17 independent 
assessments. They were agency-wide and they reviewed our 
existing processes and business practices and included 
recommendations for reform that were built upon public and 
private sector best practices. FEMA has already instituted many 
of the recommendations and we are continuing to do so for the 
remainder of this year and into the next fiscal year. These 
assessments have also been an essential resource during our 
reorganization process.
    With our new structure in place, today, FEMA is focused on 
improving its relationships with the private sector in key 
areas, such as preparedness partnerships, internal 
organizational assessments, enhanced supply stream management, 
logistics, contracting, catastrophic planning, strong community 
coalition building, and industry fairs and outreach programs.
    As the Subcommittee considers private sector preparedness 
efforts and challenges, at FEMA, we are working closely with 
the Private Sector Office, the Office of Infrastructure 
Protection, the Office of Public Affairs, and others to 
strengthen the outreach to our critical partners in our 
response to any emergency.
    I am happy to note that it has been a two-way street. Many 
of the businesses that we reach out to and work with are taking 
active steps to implement recommendations contained in the 
Ready Business Program, which FEMA had a part in creating, and 
we are looking at more ways for business to reach out to 
emergency management at the community, State, and Federal level 
to participate in planning for disasters that may affect the 
cities and regions in which they work and serve.
    FEMA is also engaging the private sector to assist us in 
our efforts to build an even stronger emergency management 
system. We are doing so through our Infrastructure Protection 
Programs, which consists of legacy grants, namely the Port 
Security Grant Program, Transit Security Grant Program, the 
Inner City Bus Security Grant Program, and the Trucking 
Security Program, as well as through our exercises and training 
venues. The details of many of those programs are contained in 
my written testimony.
    Increasingly, we are leveraging the resources and expertise 
of our partners in the private sector and nonprofit world, even 
above and beyond the important role they played in the past. 
This increased reliance comes about because the new FEMA is 
developing some innovative ways to move forward to be forward-
leaning, quicker to respond appropriately to disasters and 
emergencies as a partner to our State and local emergency 
management partners.
    One way we are doing this is through a dramatic increase in 
our pre-scripted mission assignments and our pre-negotiated 
contracts to provide the necessary resources. Since Hurricanes 
Katrina and Rita, FEMA has worked aggressively to award 
hundreds of pre-negotiated competed contracts and these are in 
place and ready for the 2007 hurricane season. This is allowing 
us to be prepared ahead of a disaster so we are not negotiating 
contracts in the heat of battle. Contract agreements are in 
place covering all aspects of FEMA's disaster management, to 
include logistics, mitigation, individual assistance, recovery 
programs, management, and integration center support.
    Perhaps the most visible example of how the private sector 
has influenced FEMA's reorganization is through the creation of 
our Logistics Management Directorate. Our goal is to have our 
logistics management look at business practices that are in 
place and understood by the community across the country rather 
than reinventing the wheel ourselves. We are moving towards an 
increased ability not only to track the commodities that we do 
keep and maintain, but to begin to shorten our supply chains 
and look to third-party logistics to handle the majority of the 
resource needs in a just-in-time delivery. We have looked at 
AIDMATRIX and adopted it to support our supply of donated goods 
and services.
    Through our Citizen Corps Program, we are bringing 
community and government leaders together in all-hazards 
emergency preparedness planning. There are 2,200 Citizen Corps 
Councils with a presence in every State and territory. Councils 
are encouraged to include business representation and to work 
with business to integrate those resources with community 
preparedness and response plans.
    As we look to FEMA's preparedness efforts, we believe the 
private sector should continue to build upon their preparedness 
efforts in several key areas. First of all, to continue their 
development of strong business continuity plans for all of 
their locations and critical data centers. Develop employee 
support plans for their employees' office locations that are 
damaged or if they have employees that have lost their homes. 
Part of the issue in quick recovery from a disaster, or quicker 
recovery, is the element of getting people back to work as soon 
as possible in the affected areas.
    We encourage them to engage in prudent risk management 
practices and have strong health and safety programs, working 
closely with their local emergency managers and first 
responders and elected officials to be involved in disaster 
planning that begins at the local level and builds to the 
State. To build protocols to assist with recovery efforts 
before a disaster strikes.
    Through business associations, we are continuing to work 
with State emergency management and FEMA to support 
preparedness planning, disaster response, and donation 
management. The private sector has also engaged FEMA and State 
emergency management and offered to provide liaisons to State 
Emergency Operations Centers, Joint Field Offices, and we are 
working with the Chamber of Commerce, BENS, and the Business 
Roundtable and others in developing a private sector 
association liaison, which we hope to be able to put into the 
National Response Coordination Center here in Washington.
    FEMA is also integrating the private sector in a myriad of 
initiatives across the agency. For example, we are working 
closely with Homeland Security's Private Sector Office to 
utilize their concept of relationship and partnership building. 
We have welcomed the Homeland Security Private Sector Office 
Staff as part of our senior advisors. And a number of 
initiatives that we are undertaking will involve communications 
outreach and operations in mission critical areas, like 
logistics.
    Just a highlight of our new approach to the private sector 
include many things which also involves a meeting next week 
that we had scheduled prior with BENS, BRT, and the Chamber 
together to discuss new initiatives that we can take to move 
this agenda forward. We want to take a proactive approach to 
leading the way for the private sector to be incorporated in 
our emergency operations and especially working for ways to 
find access that we can bring in association representatives 
into the Joint Field Office and Regional Response Coordination 
Centers.
    We are incorporating private sector expertise by creating a 
new FEMA Loaned Business Executive Program. We hope to, in the 
next few days, close an agreement with a business foundation 
which we will name after we have the agreement finally signed 
which would bring a seasoned expert from the private sector 
into FEMA operations to serve as an advisor and collaborator on 
mission critical programs. This is a start of a program we hope 
to expand in the future after we have had an opportunity to see 
how it works.
    Private sector participation in our Regional Emergency 
Communication Coordination Groups, which we will be standing up 
over the next several months, is also critical.
    We are developing a Memorandum of Understanding with the 
Stadium Owners and Operators Association for sheltering.
    We have funded a pilot program in Denver with InfraGard and 
BENS to support a resource registry that can be utilized at the 
local level to improve the private-public partnership.
    We encourage mutual aid programs for businesses. We can 
provide mutual aid training through our online systems at the 
Emergency Management Institute, and we can provide a pilot 
website to serve as a repository to post information about all 
of the above activities, training opportunities, and business 
continuity programming.
    Our regional offices have been reaching out to the business 
community. For example, Verizon wire and wireless has met with 
our Region 1 office in the last 2 weeks with regard to 
hurricane planning, and our Region 5 office is working with 
ChicagoFIRST on preparedness planning for financial 
institutions.
    We are also going to be establishing a credentialing 
working group within the NIMS Integration Center to pinpoint 
some of the issues on credentialing and develop some viable 
options to address the credentialing concerns.
    There will certainly be a continuing role for the private 
sector in the future at FEMA. FEMA needs to ensure that we are 
adapting to new conditions and the ever-changing needs. It is 
important that as we build these relationships, we continue 
that effort so that it is understood by all parties that you 
can't just show up on game day and expect to play without being 
part of the practices. Our job is to make those practices 
available, open, and valuable for both us and the private 
sector. FEMA realizes that a successful, robust, coordinated 
response is needed and that the private sector, both 
horizontally and vertically across the full spectrum of 
emergency management, is a partner.
    Thank you for the opportunity to be here today and I look 
forward to answering any questions you might have.
    Senator Pryor. Thank you. Mr. Ackerman.

  TESTIMONY OF F. DUANE ACKERMAN,\1\ FORMER CHAIRMAN AND CEO, 
BELLSOUTH CORPORATION, BUSINESS RESPONSE TASK FORCE, AND MEMBER 
      OF BUSINESS EXECUTIVES FOR NATIONAL SECURITY (BENS)

    Mr. Ackerman. Mr. Chairman, Members of the Subcommittee, I 
want to thank you for the opportunity to be here today. When I 
think about the work that has been done on the task force, I 
did have the privilege of serving on this task force and 
developing the report which you have had. And while we don't 
have time to go through every single detail, I would like to 
just stipulate, or I would like to ask that my written 
testimony be submitted along with the complete report for the 
record. Then I would like to focus my time on this issue of the 
public-private partnership and some of the work that we did on 
the task force to look at the private sector and examine its 
role in disasters.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Ackerman appears in the Appendix 
on page 85.
---------------------------------------------------------------------------
    First of all, we found that on a local scale, disasters do 
happen right regularly, and business routinely plans and 
interacts with first responders and collaborates on those 
disasters at the local level. We have also found that after 
securing their own businesses, they invariably turn towards the 
rest of the community because without community continuity and 
without business continuity, surely there is no recovery in 
that community and there is no business done. So it is clear 
that business does have an interest that goes beyond their own 
operations.
    We have dealt with many hurricanes, but indeed, Hurricane 
Katrina was different, as has been mentioned and talked about 
over the years. It was a terrible tragedy, but I think there 
are some very key issues that evolved from Hurricane Katrina 
that are instructive to us as we look forward to what may lie 
before us.
    It had many characteristics that a large natural and/or 
manmade disaster will have as we go forward. Major damage to 
critical infrastructure. Contamination--in the case of 
Hurricane Katrina, it was water. In the future, it could be 
other things, such as nuclear, biological, or chemicals. 
Overwhelmed law enforcement and the breakdown of civil order 
was present and Federal help was required; but there was no 
real plan for integrating all of the concerned entities for a 
response. The Federal Government has a plan. Certainly the 
State has a plan. Local has a plan. Business has a plan. But 
there is no plan for all of these entities in terms of how they 
are going to operate and function together at the time of 
crisis.
    I think all of the above conditions would be present in a 
disaster that impacted a significant portion of any major metro 
area, whether it is a natural disaster or manmade.
    Our Subcommittee looked at known problems from Hurricane 
Katrina. We looked at recommendations that came from over 100 
interviews that were made with the private sector. We drew on 
the knowledge of both the public and private sector in order to 
pull our study together. We conducted face-to-face meetings in 
Washington, DC. Various meetings were held and we brought all 
that back together in order to produce the report, ``Getting 
Down to Business.''
    The overall conclusion was the private sector must be 
included in the planning, practice drills, and execution of a 
disaster response scenario. I would certainly like to emphasize 
practice in this regard, because I think it is one thing to 
have a plan, but until you have had the Federal Government, 
State government, and local authorities and the private sector 
at the table, certainly, I don't believe we have accomplished 
the task, and there are a lot of reasons for this.
    First of all, the private sector owns much of the 
infrastructure. The private sector has experience, skills, 
information, and capabilities that are critical to a successful 
response to a major disaster. And we believe that once local 
and State capability is overwhelmed, the Federal Government 
always will be called on and will be expected to help, and when 
they come to help, that interface with the other entities and 
how they will make decisions and how they will partner becomes 
very important.
    We use this term public-private relationship frequently, 
but when you think about what it means in this case, it 
absolutely means that most of the States have an Emergency 
Operations Center and what we are suggesting with the BENS 
report is that there be a companion Business Operations Center 
either at the State or the regional level at the same time, and 
that needs to be able to expand to incorporate the Joint Field 
Office when it comes with the Federal agencies so that all 
parties can collaborate along with the private sector on the 
immediate challenges, threats, and the solutions that must be 
implemented.
    So we believe that the National Response Plan needs to 
include the private sector. It needs to support joint planning, 
joint practice drills, and when an event occurs, joint 
execution. Joint in this case means local, State, Federal, and 
the private sector.
    Practice, again, is extremely important, because by 
conducting joint drills, we constantly turn up new issues, new 
problems that must be overcome and must be overcome together.
    It is my hope and the sincere recommendation of the BENS 
Task Force that you will acknowledge, encourage, and support 
the building and exercising of enduring public-private 
collaborative partnerships that integrate the private sector 
into the National Response Plan and the National Response 
Infrastructure. In turn, the private sector must have a 
reliable government partner, and the emphasis there is on the 
word ``partner'' because viable regional and Federal actors in 
all phases of the operations must relate to each other in 
balanced proportions in order to come out with a successful 
ending.
    If this structural reform is indeed adopted, it will 
greatly facilitate all of the other recommendations in the 
report of the BENS Business Response Task Force. Thank you.
    Senator Pryor. Thank you. Senator Breaux.

TESTIMONY OF HON. JOHN BREAUX,\1\ FORMER U.S. SENATOR FROM THE 
  STATE OF LOUISIANA, CO-CHAIR, BUSINESS RESPONSE TASK FORCE, 
        BUSINESS EXECUTIVES FOR NATIONAL SECURITY (BENS)

    Mr. Breaux. Thank you very much, Chairman Pryor and Senator 
Akaka. Thank you for making time in your very busy schedules 
today for us to make this presentation, and also Senator 
Sununu, thank you for coming back. The place looks a lot better 
since the last time I was here. The chairs are much more 
comfortable, I want to tell everybody, but we will not overstay 
our welcome and make it as brief as we can.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Breaux appears in the Appendix on 
page 91.
---------------------------------------------------------------------------
    I would like to ask unanimous consent that my full 
statement be made part of the record. I will just try and 
summarize, if that is all right.
    Senator Pryor. Sure.
    Mr. Breaux. I accepted and volunteered after Duane 
Ackerman, our chairman, called me and asked me to volunteer, 
and you can't tell Duane Ackerman no, to serve as co-chair with 
Newt Gingrich of this effort, which I think has been very 
productive and hopefully very helpful to the Members of 
Congress who are looking for ways to try and find out what we 
can learn from natural disasters that occur.
    A natural disaster, as bad as it is, is terrible, but if we 
don't learn anything from it, it is a double disaster, and I 
think that now that we have had time to reflect on Hurricane 
Katrina as one of the largest natural disasters in the history 
of the United States, there are things that we can recommend 
that we know that can be done to make sure that the next time 
these things happen, that we can be in a better position to 
respond effectively and quickly and be helpful to the citizens 
of this country.
    We can work in Congress to prevent disasters like what 
happened on September 11 by having stronger national security, 
and by having a strong military. We can help prevent September 
11s. But we can't, no matter what we do, ever prevent another 
hurricane. We can't prevent another flood. We can't prevent 
another earthquake. But we can, through Congress, try to make 
sure that we are better prepared to respond to these type of 
natural disasters when they occur, and I know your 
Subcommittee, Mr. Chairman and Senator Sununu, are working hard 
to come up with recommendations, and hopefully what we are 
presenting to you can be helpful in that regard.
    One of the things that I think that we would like to 
recommend is that this involvement of the private sector needs 
to be better institutionalized. Director Marko Bourne and 
Secretary Al Martinez-Fonts, I am delighted to hear what you 
all have done to integrate the private sector. That is real 
progress that they have talked about here this morning.
    But I think that, in addition to that, the process has to 
be more formalized. It has to be institutionalized. It has to 
be in writing. It has to be out there so that the private 
sector can know exactly what the rules and what the regulations 
are when a natural disaster occurs, and I think that this 
Subcommittee could be particularly helpful in focusing on 
institutionalizing an effective and sustainable role for the 
private sector, and that is incredibly important.
    We made recommendations in three principal, substantive 
areas. Mr. Ackerman talked about the public-private 
collaboration, incredibly important. Government can't do this 
by ourselves. The private sector must be involved. After 
Hurricane Katrina, people talked about, well, what we ought to 
do is have government facilities, distribution centers by the 
government set up around the country. We don't need government 
distribution centers. We have got private sector distribution 
centers. Senator Pryor, Wal-Marts are in every State in the 
Union. Whether it is a Wal-Mart or a Home Depot or a Lowe's or 
any of the large distribution centers, they are already there. 
The challenge for government is to incorporate the government's 
work with the private sector to make full utilization of the 
supplies that are already around the country located in key 
areas that are very accessible and already there.
    We also are making recommendations on surge capacity for 
the private sector goods and services.
    How do you gear up quickly for a natural disaster? I think 
the two government witnesses have made good comments in that.
    I would like to focus quickly on the legal and regulatory 
environment. I think that is important. Businesses require some 
type of a predictable legal regime before they get involved in 
helping. We had people that came down from Arkansas and people 
that came down from all over the country. They didn't know what 
the rules were in Louisiana. They didn't know what the laws 
were in Mississippi or along the coast. They didn't know what 
they could do and how they could do it. There has to be some 
type of a system in place for these private sector groups, and 
when they want to come down and help, they know what the rules 
are going to be.
    We also have to, I think, reform to a large extent the 
legal allocation of risk to private companies when they are 
willing to help. We heard from a lot of companies, Mr. 
Ackerman, that said, look, we wanted to be involved, but we 
didn't know what our liability was. So if we come down there 
and we do something not quite right, what is our legal 
responsibility? As a result, some private sector companies 
said, well, we are not going to do it because we don't know 
what the risks are. It is not a reasonable risk for us to 
accept on behalf of our stockholders.
    I will give you a real example of that. When New Orleans 
was under water with about seven, eight, to ten feet of water 
throughout the city, contracts were issued by the government to 
do what we call de-watering of the city, and what they were 
ordered to do was to take the water in the city and pump it out 
into Lake Pontchartrain. Nobody got a permit. There wasn't an 
EPA permit or a Corps of Engineers permit to do that. And the 
companies were saying, well, what if we do it, we don't have a 
permit, and somebody is going to sue us after for polluting the 
lake? Well, there is a question of priorities. The city was 
under ten feet of water and people were drowning and you are 
going to say, well, we can't do it until we get a permit from 
the government and go through the permitting process? That 
can't be done.
    But companies, when they approach these emergency 
situations, have to have a very clear understanding of what the 
legal requirements are when they become involved, as a 
volunteer in many cases or as a private contractor in others, 
but they have to know what their legal exposure is and so they 
will have a clear ability to make the right decision. I think 
that is something that we could do very well with amendments to 
some of the laws that are in place.
    We would like to, in other words, enact a national disaster 
law. We have the Stafford Act, a great program, and all of you 
folks and the staff are very familiar with it. But we would 
like to suggest that the Stafford Act also has to include the 
private sector. It can't just be local governments and State 
governments. The private sector ought to be incorporated and 
brought into the Stafford Act so they will know under that Act 
of Congress exactly what their roles can be, what their 
exposure can be, and how they can be greater involved.
    I think it would be just absolutely terrific if this 
Subcommittee could focus on some hearings on the Stafford Act. 
You can't do it really quickly. You have to do it carefully. 
This is a law that has been around for a long time. I served 
with Senator Stafford when he was here and wrote this and I 
think that it served us greatly, but it ought to be changed in 
order to bring in the private sector and make it a part of the 
Stafford Act, as well. It covers State and local. It needs to 
cover private sector, as well.
    Finally, let me just suggest that a lot of the things that 
we are talking about to get the locals and the States involved, 
I mean, you could require that when you get a Federal grant 
under FEMA that a State have in place, without any cost to 
Congress right now, a mechanism to incorporate the private 
sector. Every State ought to have a clearly defined plan that 
when a natural disaster occurs, and we know it will, that they 
have a plan in place to bring in the private sector to help 
them solve the problem. That can be a requirement for getting 
any kind of a Federal grant. If they don't have the plan in 
place, they are not eligible for Federal grants, and you 
wouldn't be surprised how fast States would move in that 
direction if they knew their Federal assistance was dependent 
on having a well-established, clearly thought out local plan on 
the State and local level to involve the private sector.
    One thing that we found, Mr. Chairman and Members, in all 
of our meetings that we had is that you have in place a private 
sector community that is ready, willing, and very able to help 
our Federal Government address these natural disasters. We need 
to clean up some of the laws and some of the provisions in 
order to make it possible, but I think that this Subcommittee 
certainly has the great leadership and great capacity to make 
that happen.
    Senator Pryor. Thank you. Dr. Andrews.

  TESTIMONY OF RICHARD ANDREWS, PH.D.,\1\ SENIOR ADVISOR FOR 
 HOMELAND SECURITY, NATIONAL CENTER FOR CRISIS AND CONTINUITY 
                          COORDINATION

    Mr. Andrews. Thank you, Mr. Chairman, Members of the 
Subcommittee, and thank you for the opportunity to testify 
today. I served as a member of the BENS Task Force that 
developed the report that has been referenced in the previous 
testimony. I am also Chair of the Private Sector Committee of 
the National Emergency Management Association (NEMA), which is 
the association of all the State Emergency Services Directors, 
and served as former Director of the California Governor's 
Office of Emergency Services and Homeland Security Advisor to 
Governor Schwarzenegger.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Andrews appears in the Appendix 
on page 97.
---------------------------------------------------------------------------
    My testimony today focuses on my work as Chair of a public-
private sector task force that was formed following the release 
of the BENS report to start working on implementing what I 
think is one of the key recommendations from the BENS report 
which has been referenced by both Mr. Ackerman and Senator 
Breaux, and that is to try to develop a systematic process for 
incorporating private sector resources into the response to a 
major disaster.
    Hurricanes Katrina and Rita created the largest demand for 
emergency resources in our history, and each of the major 
after-action reports cited the Emergency Management Assistance 
Compact (EMAC), which is the compact formally adopted by all 
the State legislatures for which NEMA serves as the executive 
agent, they all cited EMAC for its success in mobilizing tens 
of thousands of National Guard, search and rescue, medical and 
emergency management personnel.
    The BENS report identified also an obvious shortfall of the 
2005 hurricane response, and again, it has been referenced in 
previous testimony, namely the absence of a systematic process 
to utilize private sector resources. A number of different 
efforts, especially the creation, as Mr. Martinez-Fonts 
mentioned, especially the creation of the National Resource 
Registry by DHS's Office of the Private Sector Coordinator 
laudably attempted to fill this gap, and while there were some 
successes, there was a great deal of frustration both within 
the public and the private sectors. Each recognized the need 
for greater collaboration, but the absence of a commonly 
understood process to match needs with available resources, 
whether those were donated resources or contracted resources, 
proved to be a major obstacle.
    Among the recommendations in the BENS report was the idea 
of building a Business Emergency Management Assistance Compact 
(BEMAC), modeled essentially on the EMAC system that proved so 
successful during the 2005 hurricane season. By expanding EMAC, 
it might be possible to weave together a fabric of State-based 
Business Operations Centers where private sector 
representatives trained in the State's operations system would 
work alongside emergency management leaders to coordinate 
government and private sector resources.
    Earlier this year, the NEMA Private Sector Committee began 
to explore whether this concept could be implemented. BENS 
supported this effort by assigning staff resources, and my own 
company, NC4, endorsed my chairing this effort. Representatives 
from eight national corporations, many of which have been 
mentioned in earlier testimony, along with the EMAC 
leadership--this is the Directors of State Emergency Management 
who oversee the EMAC process--served as members of the task 
force.
    One of the task force's basic premises was to build on 
existing State and local initiatives and to focus, like EMAC, 
on the interstate deployment of resources. In order to 
establish an understanding of existing State and local 
initiatives, NEMA conducted a survey of all the States. The 
survey identified a number of very promising initiatives at the 
State level to work with the public and private sectors, and a 
few examples stand out and are worthy of mention.
    The Florida Office of Emergency Management has formally 
established Emergency Support Function 18, Business, Industry, 
and Economic Stabilization. ESF 18 works with the Florida 
Retail Association to address strategic supply chain issues, 
projected impacts on businesses, and the timely restoration of 
commercial services.
    Texas, in the aftermath of Hurricane Rita, has developed an 
extensive Private Sector Operations group consisting of 28 
companies to support immediate mass care, special needs, power, 
aviation, and fuel challenges. This group will work alongside 
State emergency management to identify shortfalls in public 
sector capacity that could be most effectively met by private 
sector resources.
    Utah is organizing sector-specific coordinating councils 
and is working with local Chambers of Commerce and trade 
associations to enhance communications, resource management, 
and emergency operations assignments.
    The New York City Office of Emergency Management has fully 
integrated the private sector into their processes at their new 
Emergency Operations Centers. There are also important 
initiatives underway in the State of New Jersey, the State of 
Georgia to create a Business Operations Center that Mr. 
Ackerman referenced, in the State of Massachusetts, and also a 
beginning initiative in the State of California.
    Nevertheless, a number of significant challenges remain, 
especially related to using private sector resources in 
interstate responses. Only four States have statutory 
provisions that enable private sector resources to be used as 
agents of the State in out-of-State deployments. Those are 
Delaware, Michigan, Maine, and North Carolina. Other States 
have specific statutory or procurement regulations that appear 
to preclude such arrangements.
    A fundamental premise of EMAC is that personnel and 
equipment deployed out-of-State must act as agents of the 
providing State. Other States have stringent restrictions on 
what pre-event contracts and arrangements can be negotiated 
with the private sector, and in many cases, apparent 
prohibitions against applying those contracts to a response 
into another State.
    The BEMAC Task Force has identified several next steps that 
we believe will help create a more clearly understood process 
by which the private sector can be mobilized across State 
boundaries, and I would emphasize that these are really the 
initial steps, and much like the starting of EMAC in the 
aftermath of Hurricane Andrew in 1992, we believe it is 
important to take small but real steps as we move towards a 
more robust and systematic national process.
    BENS has agreed that in cooperation with the U.S. Chamber 
of Commerce and the Business Roundtable, they will work with 
the Department of Homeland Security to identify the point of 
contact for each of the critical sectors. NEMA, in turn, will 
brief the critical sector points of contacts on the EMAC 
process and will promote the use in each State of the points of 
contact to coordinate requests for private sector resources.
    NEMA will also develop a document detailing best practice 
procedures by State and local governments for working with the 
private sector and will distribute this report to State 
Emergency Services Directors as well as to the various sector 
coordinators.
    NEMA will work with our task force to define in detail 
mission critical packages of resources projected to be needed 
during an emergency response, and again, this is to try to 
create the anticipated need in advance so that we are not 
trying to put these packages together on the fly.
    And NEMA and the BEMAC Task Force will work with FEMA to 
address issues related to reimbursements for private sector 
resources and compensation for services used through an EMAC-
like process.
    These steps, we believe, will advance the use of private 
sector resources by State and local entities and help clarify 
for the private sector a process to be used in requesting 
resources. States will remain the primary coordinating point 
for inclusion of the private sector under this paradigm.
    Clearly, FEMA needs to be an active partner in this 
process. The scale and variety of risks facing this Nation from 
natural and manmade emergencies necessitate that we make full 
use of our public and private sector resources. Only through 
such cooperation partnerships can we accelerate individual and 
community economic restoration and recovery.
    Again, thank you very much for having me here today. I look 
forward to your questions.
    Senator Pryor. Thank you.
    We are going to go out of order today and we are going to 
let Senator Akaka go first. Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Ackerman, I believe strongly that we need an all-
hazards approach to preventing, responding to, and recovering 
from disasters. I am pleased with your written testimony and 
pleased with the BENS report emphasizing planning for both 
natural and manmade disasters. In your experience, has the 
Federal Government been as aware as the private sector of the 
need for all-hazards disaster planning, and if not, what should 
the government be doing?
    Mr. Ackerman. Thank you. When I think about the many years 
I have spent in disaster recovery because of the telecom 
industry, many of these disasters have been local or have been 
able to be handled at the State level, so there has been a 
great deal more practice at a State, private sector, local 
response. In the area which I am very accustomed to, which is 
the Southeast Coast, we have had a lot of practice. We have 
had, probably in my 40 years, over 50 hurricanes that have come 
on that coast and it seems to work very well because of the 
relationships that have been built over time.
    When a disaster overwhelms local capability, which we could 
expect in either natural or manmade at Hurricane Katrina-scale 
or larger, that is the point in which the Federal Government 
then comes to the location. And so it is as important to drill 
and practice with the private sector and plan as it is with the 
Federal Government because often, it is new relationships, it 
is different operating procedures, and it is day-to-day 
decisions that have to be worked out . . . how the Federal 
Government works as a full partner with the State, with the 
local, and with the private sector.
    FEMA is a big part of this, but it is not just FEMA. North 
Command is a part of this. DHS obviously is a part of this. So 
as you create the Business Operating Center and integrate that 
with the State and local, there also needs to be the ability to 
bring in and interface the Federal Government, both at North 
Command, FEMA, as well as DHS, whatever agencies are there. And 
that collaborative whole hand needs to be able to drill 
scenarios and practice scenarios to determine how one would 
work out issues as opposed to trying to work that out when the 
actual disaster occurs.
    Mr. Bourne talked about credentialing. Well, that was born 
out in the case of Hurricane Katrina when North Command came to 
town and set up a perimeter. We needed to cross that perimeter 
in order to work on facilities, but a new perimeter was there 
and then the question was, what credentials proved that you 
were a valid communications worker and what credentials would 
the Federal Government accept as opposed to what credentials 
the State and what credentials you would find at the local 
level?
    So there are numerous issues that will need to be worked 
out with all parties at the table before the next event. So I 
think that it is a disaster of scale, one where local 
capability is overwhelmed, where everyone has to come to the 
table and to try to work through how we accomplish our task, 
deliver our missions, and assist each other to enable the 
recovery of that local area as opposed to just having the 
Federal Government come in with a plan.
    As I stated in my testimony, I think everybody has a plan. 
The lacking plan is how we all work together when the Federal 
Government comes to town, short of martial law, which no one 
really wants to declare. So I think this issue is one of full 
integration, planning, practice, as well as execution, 
including the private sector, local, State, and the Federal 
agencies that will be involved in disaster response.
    Senator Akaka. We really appreciate the BENS report, 
``Getting Down to Business: An Action Plan for the Public-
Private Sector Disaster Response Coordination,'' and your 
experience really makes a difference in how we move that.
    Senator Breaux, you testified that DHS grant programs 
currently are geared to funding one-off exercises rather than 
long-term collaborations. Project Impact, which was established 
in 1997 but eliminated in 2001, focused on long-term continuity 
projects to identify risks and vulnerabilities and develop 
programs to lessen those risks. These projects involved both 
the public and private sectors in disaster planning. Although 
FEMA now provides pre-disaster mitigation grants, as you 
stated, these are focused competitive grants not directed 
toward ongoing collaboration.
    Senator, do you believe that Congress should restore 
funding for programs such as Project Impact that focus more on 
long-term collaborative planning?
    Mr. Breaux. I think that anything that gets the Federal 
Government four-square behind additional cooperation between 
local governments, State governments, with the private sector 
would be very helpful. I have thought of suggesting that grants 
to States under FEMA be conditioned on the States having in 
place a plan for involvement of the local business community so 
that the business community will know what to do, and that 
wouldn't cost anybody any additional money. The grants are 
already going to the States. I think the Federal Government 
could insist that the State have in place a workable private 
sector continuity program that would immediately kick in in the 
event of a natural disaster. I think that would be one way to 
accomplish this.
    I mean, this is something this Subcommittee and Congress 
could insist on, that Federal grants would be conditioned on 
the State and local government having a plan to involve the 
local private sector. It wouldn't cost you any additional 
Federal money, but I guarantee you the State and local 
government would follow that recommendation from Congress very 
quickly.
    Senator Akaka. Thank you. My time is expired, Mr. Chairman.
    Senator Pryor. Senator Sununu, thank you for being here 
today and being a great Co-Chair. I look forward to working 
with you on this.

               OPENIN STATEMENT OF SENATOR SUNUNU

    Senator Sununu. Thank you.
    Mr. Ackerman and Senator Breaux, a question for both of you 
relating to the BENS report. One of the things that was 
recommended were changes to the Stafford Act. I am curious to 
know, one, what specific changes need to be made and is 
changing the Stafford Act intended to address a specific 
recommendation or just a few recommendations or are all of the 
recommendations that you call for sort of encompassed by the 
Stafford Act? And are there potential unintended consequences 
to changing the Act, because you also emphasized the need to be 
deliberative about this. Is there any particular unintended 
consequence about which you are most concerned? Mr. Ackerman.
    Mr. Ackerman. Yes, Senator. I can give you an example of 
the kind of thing that sort of generated an early focus on the 
Stafford Act and it had to do with security. Security is 
offered to certain government entities, to the Red Cross, and 
to others. It is a little bit more questionable as to how that 
relates to the private sector.
    Again, if you have a disaster that takes out some piece of 
a large metropolitan area, there is a likelihood that you will 
have some civil disorder go along with that if it overwhelms 
local capability.
    In the case of Hurricane Katrina, we needed to move into 
the city to work in some areas that had a problem and there was 
a question about does the Stafford Act include or cover 
providing the private sector, especially emergency responders, 
not first responders, but power company, telephone company, 
computer company, does it provide us security going into an 
area where citizens are hostile or armed or just bands of 
people who are horribly upset? And so that caused some delay, 
caused some consternation, and indeed, there was a very real 
and a very significant issue. So that is the example of the 
kind of thing that needs to be addressed in the Stafford Act.
    I cannot assure you that there would not be unintended 
consequences, but it definitely needs to be examined because I 
think from a response point of view, it is clear that there are 
some issues that hamper response and that appear not to totally 
cover the issues that could crop up in a serious large 
disaster.
    Senator Sununu. Senator Breaux.
    Mr. Breaux. Yes. I can only add a little bit. Mr. Ackerman 
hit it right on the head. But, there were some classic examples 
of trucks being denied access to disaster sites because they 
weren't a government truck. You are bringing ice down there. 
Well, you can't cross the line because you are a private sector 
delivery system. You are not approved to go into that area. And 
a lot of the local officials and State officials don't 
understand what is to be allowed and what is not to be allowed.
    You all last year amended the Stafford Act to at least 
prevent under the SAFE Port Act, prevent any Federal agency 
from denying essential services from the private sector. That 
is a big improvement, that they can't deny essential services 
coming from the private sector.
    But I think the main thing we are advocating is just bring 
the private sector into the process. Make sure the States and 
local governments have a mechanism that the private community 
is involved in helping to solve the problem. And then that 
clears up--if they are at the table from the very beginning, 
helping to devise the plan as part of the team, then these type 
of problems can go away.
    Senator Sununu. Mr. Bourne, I think, as of April 1, there 
was a reorganization at DHS that created the National 
Preparedness Directorate within FEMA. How specifically is that 
directorate being used or going to be used to enhance outreach 
and coordination with the private sector?
    Mr. Bourne. The National Preparedness Directorate is 
specifically designed as both not only internal preparedness 
efforts at FEMA and our Federal partners, but really heavily 
focused on assisting preparedness at State and local levels and 
private sector. Doing that through--certainly they manage the 
grant programs that are available, but at the same time--the 
Citizen Corps Program and the Community Preparedness Division 
within National Preparedness, their job is to reach out to 
State and local governments, find ways to build collaborative 
partnerships between the private sector, State, and local 
governments.
    Our other role is to provide a planning framework. Part of 
the problem is that we all do planning. We do planning in our 
own circles. We do planning within our own expertise. What we 
don't have across the Nation is truly a planning community that 
involves all the folks that need to be involved. That is an 
evolving and growing thing.
    Part of what we are doing as we rewrite the National 
Response Plan is taking a look at preparedness and planning as 
an integral part of understanding how a planning community 
needs to be developed. There needs to be some basic framework 
so that we are planning to similar objectives, similar 
principles. We can't all plan exactly alike. We have different 
capabilities and different needs. But we need to be planning 
jointly and collaboratively at all levels.
    It is very critical, and the National Preparedness 
Directorate is focused on this, that the planning effort and 
the relationships that are first and primary are the ones 
between local business, the private sector, NGOs, and the State 
and local governments. That is where 90 percent of all 
disasters happen. It is also, however, critical that FEMA have 
a good understanding, working through the business associations 
and other private sector experts, in how we can involve them in 
our planning, training, and exercise activity. National 
Preparedness is directly responsible for that effort.
    Senator Sununu. Mr. Andrews, in your work for the National 
Emergency Management Association, you obviously come in pretty 
close contact with people at the State level and some of the 
State Directors. What do you see the States being most 
concerned about, and is it your opinion that the States are 
looking for more Federal mandates for integrating the private 
sector into their preparedness plans, or are they hopeful that 
we can do this with a little bit more flexibility and with an 
approach that recognizes that there are going to be some unique 
individual needs among the States?
    Mr. Andrews. In the survey that we did of all the States, 
and asked them a number of questions about their working 
relationships, where they were in the process of working with 
the private sector, 44 of the States indicated that they had 
some degree of working relationship with the private sector, 
and again, it ranged from very formal processes, like in the 
State of Florida, to those States that are essentially just 
beginning the effort. And I think this really represents a real 
sea change. I think 5 years ago, the numbers would have been 
dramatically different.
    I don't think that the States are looking for mandates in 
this area at all. I think that they recognize, for the most 
part, that there is an advantage to them, and Hurricane Katrina 
clearly brought home the fact that we can have a disaster that 
initially appears to be a regional disaster that, in fact, 
involves all of the States.
    And so there has been a lot of work to enhance the EMAC 
system, and again, EMAC is kind of a cornerstone of the 
Nation's emergency management capability. All of the National 
Guard troops that were mobilized to the Gulf Coast, over 60,000 
of them, were done under the authority of EMAC and the 
enactments of all 50 State legislatures of the EMAC proposal.
    I think the States would welcome some additional 
encouragement from DHS and FEMA to move ahead with this, but I 
don't think that specific mandates to the States to try to 
accomplish this are really necessary.
    Senator Sununu. I appreciate that very much. Thank you, Mr. 
Chairman.
    Senator Pryor. Thank you.
    Let me ask you, Mr. Ackerman, if I can, about some of the 
things that your company did during the Hurricane Katrina 
disaster. As I understand it, you opened your Operations Center 
to many of the major wire line, wireless, and cable providers 
in the impacted area. I don't know if that was exactly 
unprecedented, but it sounds like it may have been. I am 
curious about why you did that and how that worked out and why 
you felt like that was important.
    Mr. Ackerman. Thank you.
    The primary cause for taking that action was the 
seriousness of the outage. We knew that with the flood, we were 
going to have serious outages, landline outages inside the 
Bowl, or inside the city itself because of the flood. We knew 
that the wireless carriers were going to have serious problems 
because many of their links from one location to another were 
in facilities that were also in the Bowl. And we knew the 
interexchange carriers were going to have problems.
    So we knew that getting signal or communications capability 
back into the city was of the most--was just of the highest 
importance, and therefore, we decided the best thing to do, 
since we were managing and responding to the need to fix local 
facilities, was to get the carriers into the Operations Center 
to help us prioritize what was indeed the most important. So we 
worked hand-in-hand with the wireless carriers. We had 
representatives from each one of the wireless carriers. We did 
the same thing by phone with the interexchange carriers. They 
were a little bit more concerned about being together. But it 
enabled us to prioritize and get back those facilities that 
were most important to restoring the most communications back 
to the local community.
    And so seriousness drove it, and we felt the best way was 
to put everything on the table, get everybody in the room. 
Again, it is this collaborative effort at the point in time 
when you do have a disaster of this magnitude that enables 
success. The more knowledge you have together, the more ability 
you have to prioritize and make on-the-spot decisions about 
what goes next. I think that is just incredibly important to 
restoring service.
    Senator Pryor. And how did that work out? Were you pleased 
with the way it went?
    Mr. Ackerman. I think it optimized the process. The damage 
was significant enough that I think it took us a long time to 
get facilities back where we would like to have had them. But 
it did enable us to optimize the process and I think it did 
enable us to get those most important things back first.
    Senator Pryor. Before Hurricane Katrina occurred, was that 
part of your plan or did you make that decision on the spot, 
recognizing the seriousness of the situation?
    Mr. Ackerman. It was not part of our plan. We made that 
decision on the spot.
    Senator Pryor. And did the government help you at all on 
that, or was that private sector initiative?
    Mr. Ackerman. That was private sector.
    Senator Pryor. Let me ask about private sector logistics 
and planning. You mentioned the word ``practice,'' and you 
emphasized that and how important it is to practice, but let me 
also ask about logistics, delivering goods and services, 
planning. Your group recommends that the private sector be much 
more involved with the government in planning. I think that is 
a great concept and it is very logical to me and it seems like 
it is something that should be done, but how do we do that and 
not create a conflict of interest or an advantage for companies 
who are participating in that planning and that logistical 
effort?
    Mr. Ackerman. I don't have a pat answer for that question. 
It is a good question. What I do know is that we have got to 
find some way to deal with it because there is such a 
significant need to be able to run these drills or practice 
ahead of time. Invariably when we run a practice run on a 
disaster response scenario, we find something that we had not 
thought of before and we are able to clear that problem out 
before we get into the actual event.
    So I put an extremely high importance on finding a way to 
do that. I believe that there are always issues about whether 
or not that advantages one company versus the other, but at the 
same time, when the ox does get in the ditch and our citizens 
are in the situation that they are in, finding a way to be as 
expeditious as possible is a big help.
    It was mentioned earlier today that there is a great deal 
of work going on on pre-approving vendors and putting contracts 
into place. I think it was mentioned by Mr. Andrews, also. I 
think that is an important issue. I think that everyone cringes 
when the word ``price'' comes up, but at the end of the day, we 
need to deal with that ahead of time, not during the middle of 
the disaster. Again, it is something that begins to slow the 
progress down.
    So it is difficult and it is tough slugging, but I think it 
needs to be done, and again done in practice drills before we 
get into the disaster and not after.
    Mr. Breaux. Can I add just a real quick thought to what Mr. 
Ackerman said?
    Senator Pryor. Sure.
    Mr. Breaux. The ox in the ditch is a good analogy because 
when a city is underwater, you have to respond immediately, 
when people are drowning or a fire is going on or right after a 
hurricane. And there is a difference between getting people in 
immediately to help in an immediate situation as opposed to the 
long-term construction and rebuilding. Those things need to be 
bidded out in competitive bidding. But you have to have a 
system in place before the disaster to get people in in the 
immediate aftermath of a disaster and for the first week or so, 
get the work done that has to be done. Then you can look at the 
long-term work that needs to be done that has to be 
competitively bid out and have everybody at the table. But you 
can't do that when you are waiting to dewater a city that is 
underwater. Those people have to be ready to go as soon as the 
hurricane passes through.
    Senator Pryor. Mr. Bourne, you also were kind of nodding 
your head during the question and answer there. Did you have a 
comment on the process? I think I mentioned conflict of 
interest or advantage--
    Mr. Bourne. It is problematic, and it is problematic for 
all levels of government. The General Counsel's Office loves to 
accuse me of playing lawyer without a license. They are rightly 
concerned that there are regulations and laws that limit how 
much we can do.
    FEMA has taken a very proactive approach to some of this. 
We have looked at the preplanned contracts that we have done, 
that we have competed ahead of time to deal with those issues 
that we anticipate in the first 72 hours and the immediate days 
following rather than that longer term. There are longer-term 
recovery contracts that we already do. Readiness costs money, 
and a lot of times folks blanch at the idea of spending money 
in the event of something that may not happen. But it is like 
that insurance policy we all end up buying anyway for our home, 
which we hope we never have to use.
    So FEMA has put in place a lot of these readiness contracts 
so that we have access to the resources we need to support 
State and local. But it is also more important, and many State 
and local governments have begun to do this, that they begin to 
look at advance contracting and planning, as well, whether it 
be for debris removal, whether it be for evacuation purposes, 
for transportation and other items that they may need.
    They may never use them. We hope they don't. But the simple 
fact of the matter is that that work in advance saves a 
tremendous amount of time and headache in the end. Also, under 
the current level and regulatory restrictions that all levels 
of government are under, it is the most efficient way to move 
resources quickly without getting into an area that we don't 
want to go back to, and that is no-bid contracts or contracting 
over a barrel during a disaster.
    Senator Pryor. One last question before I turn it back over 
to Senator Akaka. My question is for you, Mr. Bourne, and that 
is what about small business's role? I mean, it is one thing to 
have these large Fortune 500 companies. They are all great and 
they can do a lot of things logistically, etc., but what about 
small business? How do you include small business in the 
planning phase?
    Mr. Bourne. We have done this in several ways. Certainly, 
we encourage State and local governments when they look at 
their planning to bring small businesses in. Most communities, 
the vast majority of the workforce works for small business. 
And those kind of critical jobs and critical businesses need to 
be brought back up to speed in part of the planning process. 
That has to be done through planning. Also, they are 
contracting at the State and local level, whether it is pre-
contracting or post-contracting. It is a small business. They 
need to look at small businesses as well as the larger ones.
    What we have done for FEMA, and specifically with the 
contracts we are putting in place ahead of disasters and the 
ones that we have for long-term recovery, we have actually put 
in significant small business requirements, localized small 
business requirements that will come into play should something 
happen and they are activated, where if it is a larger company 
that has the contract, they have to give a large percentage of 
the work, anywhere from 50 to 75 percent of the work, to local 
businesses in the affected area.
    Our goal is to get people working back in the area that are 
affected as opposed to a company coming in from halfway across 
the country to do the work. Simply put, for FEMA's needs, there 
are some things that FEMA needs to do that only large business 
has the capacity to achieve on a short notice. But what we have 
done is encourage them to utilize small businesses in that 
process.
    Senator Pryor. Right.
    Mr. Martinez-Fonts. Sir, if I can just add one comment on 
that. On the small business side, I agree with everything Mr. 
Bourne has said, but also the preparedness side of it is what 
really needs to be the key. I mean, there are so many 
businesses that are just so small that what they need to do is 
just have the right preparation, and through the Ready.gov, 
Ready Business type of outreach, we have been trying to get 
businesses to make sure that they have backed up their records, 
got a place to have follow-up plans. So really, the focus 
there, while I appreciate the question was really more on what 
happens in the aftermath--and by the way, our office held the 
first small business event in New Orleans after Hurricane 
Katrina--but really, it is an issue of preparedness that needs 
to be--more emphasis needs to be put on.
    Senator Pryor. Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Martinez-Fonts, the Nation faces a very real 
possibility of a pandemic influenza outbreak which would affect 
the operations of everyone, large and small businesses, as well 
as communities, schools, and government and people, especially. 
In the event of a pandemic flu, private sector partners could 
serve as a powerful tool for tracking and locating employees, 
disseminating incident information, and coordinating response 
efforts.
    Your written testimony discusses the Department's efforts 
to increase business owners' awareness of the importance of 
pandemic flu preparedness, business community planning and 
emergency response coordination. How is DHS incorporating 
private sector input and feedback into the Department's 
pandemic flu planning?
    Mr. Martinez-Fonts. Sir, if I could answer that question, I 
had the honor to go around the country last year with Secretary 
Leavitt and the Department of Health and Human Services 
representing Secretary Chertoff at their outreach on pandemic 
influenza. What that led to, the tour took in all 50 States as 
well as territories. I attended about 15 of them. There was a 
request for what I like to refer to as the two lanes in the 
pandemic issue. One is the medical side or the epidemiology of 
the disease. The other one is the critical infrastructure side 
of it.
    HHS is clearly in charge of the epidemiology of it, making 
sure eventually that there will be a vaccine, that there are 
antivirals, that the hospitals are operating, etc. But those 
hospitals and the community isn't going to be able to operate 
without critical infrastructure.
    So through a pilot program that we have done with the U.S. 
Chamber of Commerce and with a not-for-profit called Safe 
America, we have been going around the country, in addition to 
speaking to specific groups, and I happen to have a list, if 
you are interested, of all the outreach literally done. I 
didn't actually count them, but I would say it gets up to close 
to 100 between what we did with HHS and what we have done 
reaching out to both critical infrastructure and businesses of 
all sizes and making sure that they have made their plans, 
because unlike Hurricane Katrina, where as awful as that was, 
resources were able to be brought in from all around the 
country. In a pandemic influenza, if it looks something like 
the 1918 pandemic, it will hit the country equally all around 
and so there will not be very much shifting of resources 
around.
    So we have an awful lot of lessons learned that have been 
shared in that. There is an excellent website that was started 
by HHS, but now 17 agencies are putting information on it, 
called PandemicFlu.gov. There is an infrastructure protection 
out of DHS, a program called Critical Infrastructure and Key 
Resources, Continuity of Operation Essential, which is 
available on the web. It is available on PandemicFlu.gov, and 
it really helps businesses, whether they are actually part of 
critical infrastructure or even if they are not, the types of 
preparations they need to do, because although much of the 
preparation that could be done for a hurricane or a flood is 
useful, in a pandemic, we are looking at a very extended period 
of time and we are really looking at not the destruction of the 
actual infrastructure, but having people just not be available.
    Mr. Andrews. If I might add, one of the other initiatives 
that BENS has undertaken that relates to your question, 
Senator, is through their Business Force efforts, particularly 
in the State of New Jersey and in Georgia, they have run 
exercises utilizing the private sector for assistance in the 
distribution of the Nation's Strategic Pharmaceutical 
Stockpile. So using private sector resources both as facilities 
to help distribute it, using personnel within the private 
sector to help distribute the resources, which will probably 
overwhelm the capabilities of local government to do so.
    So I think it speaks to the point that Mr. Ackerman made 
about the importance of practicing these. We need to do this 
more extensively across the country, but I think the lessons 
that have been learned in those exercises could prove valuable 
in a number of different regions.
    Senator Akaka. Thank you.
    Senator Breaux, your written testimony states that the BENS 
Task Force recommended that Congress amend the Stafford Act and 
enact a nationwide body of disaster law to preempt the 
patchwork of State law in the narrow context of disaster 
response. The BENS Task Force report describes your 
recommendations in some detail. Has your task force developed a 
specific legislative proposal for a natural disaster law?
    Mr. Breaux. We don't have legislative language or a 
legislative proposal, Senator Akaka, but I think that what we 
have concluded is that the Stafford Act, which has served this 
country very well since Bob Stafford authored it a number of 
decades ago, was meant to help the Federal Government assist 
local and State governments, but the private sector really 
wasn't part of that mix at that time. I think what we are 
suggesting is that this Subcommittee and the appropriate 
committees take the time, don't run through it and do it 
overnight, but take the time to look at what you all could do 
to improve the operational dictates of the Stafford Act and get 
local and State governments to have a plan that incorporates 
the private sector from the very beginning.
    We have outlined some of the difficulties that private 
entities have had in responding to disasters, some of the legal 
and regulatory problems that they have had, some of the 
transportation problems that they have had, and if the Stafford 
Act could be amended to bring them into the planning process 
from the very beginning, require that FEMA grants go to States 
that have adopted a private sector plan into their emergency 
preparedness operations, I think those type of suggestions, I 
think that this Subcommittee could look at as potential 
amendments to the Stafford Act. Don't throw it out the window 
because it has worked very well. Just fix it up around the 
edges and it would be a real service.
    Senator Akaka. Thank you for that. I was interested in how 
far you have gone in that, because any kind of help we can get 
from you will certainly--
    Mr. Breaux. I do think that we have got a very talented 
staff over there and I think that they would be more than 
willing and able and very anxious to participate with your 
staff in the process of making those suggestions for you all to 
consider.
    Senator Akaka. Thank you very much. My time has expired.
    Senator Pryor. Thank you, Senator Akaka.
    Let me follow up there, if I may, with Senator Breaux. You 
mentioned the national disaster law, which is a good concept 
for us to think about and put on the table and see if we can 
come up with something that makes sense. But do you think that 
part of that should include a good samaritan provision?
    For example, when I was in the State legislature in 
Arkansas, we had a bill before us which I voted for that 
basically said doctors couldn't be sued--I can't remember 
exactly how it was structured--it was basically if they 
happened upon an accident scene or they were providing some 
free service. They couldn't be sued for malpractice for trying 
to help somebody.
    I know Arkansas has other good samaritan-type laws and 
there are many other States that have some variation of those 
laws. But do you think that the national disaster law that you 
talk about should include some sort of good samaritan 
provision?
    Mr. Breaux. Yes. I think the short answer would be yes, 
with the caveat that obviously you just can't waive all the 
laws that protect citizens from being damaged by the negligence 
of someone trying to provide assistance or doing it in an 
incompetent manner.
    But I think when you are dealing with a time of emergency, 
if providers of services know that they would be protected in 
those unique situations if they exercise their best judgment, 
that would be something that I think would be extremely 
helpful. It would encourage people to participate.
    I mean, how many times have we heard people who have 
hesitated to participate in an emergency, even a small one, 
somebody collapsing on an airplane, ``Well, I don't want to get 
involved.'' ``I am a doctor. If I treat him, I may do the wrong 
thing. I will probably get sued.''
    I think that type of emergency protection would be very 
worthwhile. People could respond in those difficult situations. 
I mean, people may die if they don't, and yet they may not 
because they fear being sued. So in those narrow situations, 
exercising your best judgment, I think, should be encouraged 
and that would certainly do that.
    Senator Pryor. Mr. Ackerman, in your experience with 
Hurricane Katrina and other disasters in corporate America, 
have you had those same liability concerns in various contexts?
    Mr. Ackerman. I think we do. Obviously, we worry about 
those exposures. What we have found, in general, is oftentimes 
business will go ahead and assume that risk, but it is never 
easy because one knows the exposure that is out there. So these 
situations do come up. Individuals, companies, managers, people 
have to make those decisions. I don't think that there is any 
given pattern to how it comes out, but I do think that people 
who are not risk averse generally follow that pattern, but then 
we have to worry about the litigation outcomes afterwards, so 
it is a constant issue.
    Senator Pryor. Yes.
    Mr. Martinez-Fonts. Mr. Chairman, if I could add, I was a 
banker for 30 years prior to joining the Administration, and 
since my last 5 years in government, I have been watching and I 
believe that liability issue will literally stop a private 
sector company in its tracks as they are concerned now. As Mr. 
Ackerman just said, many people will go out there and be very 
forward-leaning with it and will take the chance, but I have 
also seen a lot of cases where people have just sort of stopped 
and said, ``I am not sure what it is going to do to me and so I 
am not going to go forward with it.''
    Senator Pryor. It is a real concern.
    Mr. Martinez-Fonts, if I can stay with you just for a 
moment. Last February, Secretary Chertoff told the Senate 
Homeland Security Committee that DHS needed an integrated 
Incident Command Center. I think you maybe mentioned this in 
your opening statement, but could you again give us a status 
report on this Incident Command Center?
    Mr. Martinez-Fonts. Sir, I am not sure I mentioned it in my 
statement, but we have a National Operations Center (NOC), 
where we have a common plan, a common operating picture that 
comes together and has the ability to now, for the Department 
of Homeland Security, bring together all of those incidents and 
is able to bring up to the Secretary's level all the 
information and then have it filter down to the right 
operational people within the Department.
    Senator Pryor. So do you feel like that Incident Command 
Center he referred to is in place?
    Mr. Martinez-Fonts. I think it is, if I am thinking of the 
right thing, sir. I would say, yes, that it is, and it has 
really become a much more robust program than anything we have 
had before.
    Senator Pryor. Has it been tested?
    Mr. Martinez-Fonts. It is tested very regularly, and not 
only have--I would say have they tested their own performance, 
but they have now performed on behalf of the Department in 
other external exercises and, therefore, in effect, tested 
themselves in the ability to interact with the rest of the 
first responder community and the rest of the country.
    Senator Pryor. So it sounds like what Mr. Ackerman was 
talking about, you have done some practice with it, but have 
you also used it in disasters, yet, do you know?
    Mr. Bourne. I can answer that.
    Senator Pryor. Go ahead.
    Mr. Bourne. National Response Coordination Center, which 
FEMA manages, is actually a module, a node, a part of the 
National Operations Center. We routinely, with the National 
Operations Center, keep track of ongoing disasters and 
emergencies that happen across the country. There have been a 
number of incidents that have taken place, especially since 
Hurricane Katrina, on average, 50, 60 disasters a year of which 
we are in both FEMA's operations facility and the NOC are 
providing the Secretary with situational awareness on what is 
happening, helping to make resource allocation decisions, 
assisting us in obtaining additional information to help our 
operations on the ground. So there have been a number of 
declared events, Stafford Act events, in which the National 
Operations Center has been an integral part of our activities.
    Senator Pryor. Okay. And one last question for you, Mr. 
Martinez-Fonts, and that is, as I understand it, DHS has done 
some public-private initiatives and partnerships with the 
airlines, shipping, chemical industry. Are there lessons 
learned there that you can apply to other sectors and maybe 
expand on?
    Mr. Martinez-Fonts. Yes, sir. A very good example of what I 
had brought up earlier was the critical infrastructure. The 
industries that you just talked about are all critical 
infrastructures, and as you know, those are all under the 
direction of Assistant Secretary Bob Stephan. There are Sector 
Coordinating Councils, in effect, one Sector Coordinating 
Council for each one of the critical infrastructures, and that 
group is just constantly--it has two sides. It has a private 
sector side and a government side, Sector Coordinating Council, 
Government Coordinating Council. They are constantly testing 
and proving and providing information. Those lessons learned 
are then spread out between the Sector Coordinating Councils, 
between the Government Coordinating Councils, and among all of 
those.
    An example was the Critical Infrastructure Key Resources 
Guide that I mentioned earlier for pandemic. That has been 
distributed widely because it just really is something that is 
very useful. In other words, if the largest of companies could 
do this kind of thing, what lessons can be learned or could be 
utilized and applied for a smaller company? And so that 
distribution has been very widespread, and yes, in fact, those 
lessons learned are being shared all across.
    Senator Pryor. Great. That is what we want to hear.
    Dr. Andrews, let me ask you about--I believe Senator Sununu 
asked about EMAC and there has been some discussion about a 
Business Emergency Management Assistance Compact. Some people 
call it BEMAC. Is there such an entity now? Is there a BEMAC?
    Mr. Andrews. There is not a formal BEMAC system across the 
country.
    Senator Pryor. Should there be, and if so, how do we 
structure that? Does it make sense to do it State-by-State, 
region-by-region, industry-by-industry? Tell us your thoughts 
on what a BEMAC might look like and how it should function.
    Mr. Andrews. Well, the task force that I chair, we have 
looked very carefully at this, and again, trying to be as 
practical as we possibly can in terms of the recommendations 
that we make. Many of the ideas and, I think, elements of this 
have been outlined in the BENS report and it really starts with 
having in each of the States a Business Operations Center, that 
is, someone within the various critical--people within the 
various critical sectors who have been identified in advance, 
who understand the processes that are used by that State when 
an emergency occurs, and who will report either physically or 
will be in communications with the State's Emergency Operations 
Center when it is activated representing their sector.
    If this exists across the country in the various sectors 
and requests are made through the EMAC system for resources 
that cannot be filled within the impacted State, then they 
would have reach-back into the other States that might be able 
to provide that source where in turn you would also have 
representatives from the business community.
    It is an interesting situation, where there are some 
States, for example, North Carolina, where they do use private 
sector resources as agents of the State in out-of-state 
responses. And, in fact, legal opinion from, for example, the 
private medical community is that it is only under this 
structure that they can really respond out-of-state.
    I think as part of a review of the Stafford Act, this might 
be something that we need to take a look at, because some 
States do have specific provisions that prohibit the use of 
private sector resources as agents of the State, whereas other 
States allow it. If there was some national ability where 
States could, in fact, use private sector resources as agents 
of the State, understanding the liability and reimbursement 
issues, I think it would be possible to formally align the 
business community with the EMAC system.
    And again, given the fact that the EMAC legislation has 
been approved by all 50 State legislatures, I think this is 
something that continues to be a kind of linchpin that we need 
to build on. Right now, I see the system operating essentially 
in parallel with the EMAC structure, but NEMA and the State 
Emergency Directors are committed over the course of the next 
year to continuing to work with our task force to try to 
resolve any issues that remain.
    Senator Pryor. Thank you.
    Mr. Bourne, as you well know, in February 2006, the White 
House released its report called ``The Federal Response to 
Hurricane Katrina: Lessons Learned.'' One of those 
recommendations was to establish the system that allows for 
direct delivery of goods from private sector vendors to 
customers and, therefore, bypassing the need for storage sites, 
and other reports, think tanks, groups, etc., have made similar 
recommendations.
    However, and maybe I misunderstand this, but my 
understanding is that FEMA has decided to rely more on forward-
basing of products in government-run storage sites. Do I 
misunderstand that?
    Mr. Bourne. No. Actually, while we do have a number of 
logistics centers across the country for certain commodities 
that we move very quickly into areas, we are actually looking 
at long-term, over the next year or so, developing a third-
party logistics system where we are not the ones owning, 
storing commodities that would be used in various responses. We 
would have, essentially, a system where we would have access to 
those through contracts, pre-arranged third-party logistics 
management where the folks out there who do this all the time, 
whether it be the trucking companies, the Wal-Marts of the 
world, the Home Depots, etc., are the ones managing that for us 
with us having full visibility into where those commodities are 
and where they are going.
    Our Logistics Management Directorate is taking an active 
look at this right now. There has been an assessment done on 
it. We are moving away from purely maintaining our own stocks 
of things. We always run into the issues of, is it available 
when we need it? How far do we have to move it? We want to 
shorten supply lines and the best way to do that is to tap the 
industries that have them in the areas that are affected, and 
that is the direction we are headed in.
    Senator Pryor. And let me ask about the TOPOFF 4 exercise. 
Can you tell me a little bit about that?
    Mr. Martinez-Fonts. TOPOFF 4 is the fourth of a series of 
Top Officials exercises that take place every 2 years. I 
believe it has now been rescheduled--I forget the exact date 
for this year, but I think it is October or so in the fall, and 
it is an exercise wherein something will happen, whether it is 
a--it could have been--during TOPOFF 3, we had some chemical 
agents being dispersed. It took place on the East Coast. It was 
in New Jersey. It was up in Connecticut, Rhode Island, and the 
like, and we actually exercise in place the events and 
coordinate with both the private and the public sector, State 
and local and everyone that is involved. So the coming-up event 
will take place in Seattle, Arizona, and Guam.
    Senator Pryor. So the private sector is involved in that?
    Mr. Martinez-Fonts. Yes, sir, they will be.
    Senator Pryor. And when Administrator Paulison testified 
before the House Homeland Security Committee on May 14, I think 
he had 13 pages of testimony, but he did not mention one time 
the private sector, as I understand his testimony. You guys 
probably weren't there. That just raises a concern in my mind 
that here you have the FEMA Director explaining to the House, 
explaining to the Congress different things that they are 
doing. I think he talked about the playbook, pre-scripted 
mission assignments, etc. But apparently during that testimony, 
at least in his prepared remarks, he didn't mention the private 
sector.
    From your standpoint--I will just ask you, if I may, Mr. 
Bourne, do you think the private sector is sufficiently 
involved in, as they say, pre-scripted scenarios?
    Mr. Bourne. We are just beginning this relationship, quite 
frankly. We have done a lot of work. We have got a lot more to 
do. FEMA has been engaged in doing a reform top to bottom which 
involves a lot of moving parts. Never mind the fact that we 
have also brought in programs that had not been in FEMA prior. 
So we are beginning this relationship. That is why we are 
bringing BENS and BRT and the Chamber together next week to 
further this relationship and figure out what other avenues 
that we can take.
    We have spent a tremendous amount of time over the last 
several months in the rewrite process of the National Response 
Plan to take in private sector concepts and ideas as part of 
that writing process, and I think that the Subcommittee will 
see as we begin to roll that out in the next several weeks for 
comment that a lot of the--that there has been private sector 
involvement in that planning, in the document, but that much 
more needs to be done and we are embarked on that.
    Senator Pryor. Great.
    Mr. Bourne. One of the things I will just add to your prior 
question, if I could, our staff tells me that we are planning a 
logistics briefing next week and certainly will make that 
available to your staff.
    Senator Pryor. Great. Thank you.
    In the Post-Katrina Reform Act, we mandated Regional Strike 
Teams. Are you familiar with those? Is the private sector 
involved in the establishment of those Strike Teams?
    Mr. Bourne. Not directly, and I will tell you why. The way 
the legislation was crafted and the way that we have had to 
build the teams, they are Federal responders. FEMA 
traditionally in its response puts out folks that are, quite 
frankly, it is a pick-up team in many respects in the past. 
They are folks in our regional offices and from headquarters 
that have other responsibilities day-to-day. They are formed 
into what they call Emergency Response Teams and then they are 
sent to disasters.
    We are changing that model. We don't call them strike teams 
now. We are calling them Incident Management Assistance Teams. 
We are building them now, and they are going to be full-time 
Federal disaster experts working for FEMA. They are not going 
to be there to supplant local or State emergency responders or 
incident command. They are going to be that initial response. 
Their job is going to be to respond to disasters, and when they 
are not responding to disasters, to train, equip themselves, 
train and exercise with State and local governments.
    Now, is there a role for a relationship for them with the 
private sector? Quite possibly. We are going to have to look at 
what that means, and I think the most effective way to achieve 
that is after we have developed a relationship between these 
teams and the State and local government emergency management 
folks and see how they want to see that interaction take place.
    Senator Pryor. I want to thank my colleagues and thank the 
panel for coming here today and answering a long list of 
questions that we have and thank you for your actions to 
prepare America to meet the next set of challenges in the world 
of disasters and response.
    We are going to leave the record open for 2 weeks if 
colleagues want to submit written questions. If Senators do 
that, I would love for all of you to respond to those as 
quickly as possible. Additionally, several of you mentioned 
inserting your statements as part of the record. Those will be 
included in the record, or if any of you on the panel have any 
documents or other items to add to the record, we will be glad 
to include those, as well.
    So again, I want to thank you all for being here at our 
inaugural meeting of our Subcommittee and we look forward to 
working with you. Thank you.
    [Whereupon, at 3:55 p.m., the Subcommittee was adjourned.]


            PART II: PROTECTING OUR CRITICAL INFRASTRUCTURE

                              ----------                              


                        THURSDAY, JULY 12, 2007

                                 U.S. Senate,      
             Ad Hoc Subcommittee on State, Local, and      
           Private Sector Preparedness and Integration,    
                    of the Committee on Homeland Security  
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:03 p.m., in 
room 342, Dirksen Senate Office Building, Hon. David Pryor, 
Chairman of the Subcommittee, presiding.
    Present: Senator Pryor.

               OPENING STATEMENT OF SENATOR PRYOR

    Senator Pryor. Let me go ahead and call us to order. Thank 
you all for being here. I thank the members of the public who 
are in the back there, as well. We appreciate your interest.
    Welcome to the Ad Hoc Subcommittee on State, Local, and 
Private Sector Preparedness and Integration. I want to welcome 
everyone here today and thank you for taking time out of your 
busy schedules to be here.
    This hearing is a continuation of an ongoing dialogue we 
are having on the Subcommittee and here in the Senate with the 
private sector focusing on the importance of making sure that 
the government and the private sector are working together to 
protect our critical infrastructure.
    Simply put, critical infrastructure is defined as 
capabilities and services that secure our country and make it 
livable. We all know this, but it includes everything from 
highways to communications to financial services to electricity 
and we use it to accomplish everything we do throughout the 
day. For example, we wouldn't be here today if we didn't all 
rely on critical infrastructure to get here and to utilize what 
we have here in this hearing room even.
    Critical infrastructure assets are so interconnected that 
one accident or natural disaster could potentially cause a 
massive upheaval. The nuclear reactor accident in Chernobyl, 
Ukraine, for instance, exposed 6.6 million people to 
radioactive fallout and forced the evacuation of almost 400,000 
people. In this country, Hurricane Katrina damaged oil 
refineries and spiked gas prices across the country. The 
disaster also disrupted Internet access, clean water supplies, 
telecommunications, and on and on and on.
    Because disruption of our critical infrastructure would 
cause mass chaos and fear, these systems are prime targets for 
terrorists. In early May of this year, the FBI and an attentive 
store clerk stymied an attempt by six men to ``kill as many 
soldiers as possible,'' at Fort Dix Army Base in New Jersey. 
The men were in the process of making bombs and accumulating 
weapons. Once their plan was fully developed, they intended to 
storm the base, firing on and bombing our men and women in 
uniform.
    Just last month, authorities foiled a terrorist plot to 
blow up JFK International Airport, its fuel tanks, and a jet 
fuel artery. Terrorists are focused on critical infrastructure 
and they understand how critical it is in the United States 
that we keep those things operational, even under adverse 
circumstances.
    In this Ad Hoc Subcommittee, we are moving into a new era 
in terms of homeland security and national security. These 
terrorist plots that I have been talking about are living proof 
that extremist groups want to try to inflict pain on our 
citizens and on our economy and they are trying to do as much 
damage as they can to our country and they think they know how 
to do it.
    For all these reasons, it is crucial to have an effective, 
well thought-out plan for protecting our infrastructure. Now, 
last year, the Department of Homeland Security released a plan 
called the National Infrastructure Protection Plan (NIPP). The 
NIPP was to set out a standard for industries to identify and 
prioritize critical infrastructure assets. It required each of 
the 17 critical infrastructure sectors to submit a plan dealing 
with the unique protection challenges that industry faces, and 
we have a chart here with those sectors listed.\1\
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 227.
---------------------------------------------------------------------------
    So for our efforts to be effective, we must make sure that 
both government agencies and the private sector are involved in 
creating the protection plans. In our hearing today, we will 
review the process of creating the plans, discuss the 
challenges and successes in public-private partnerships, and 
look at how the overall effort contributes to preparedness.
    With that in mind, understand that today is a very busy day 
in the Senate. We have DOD authorization on the floor and there 
are lots of amendments and lots of Senators have committee 
hearings, so we don't know how many Members will be able to 
attend, but certainly when colleagues show up, we will try to 
accommodate them and get them in and let them ask questions and 
move on to their next stop.
    What I would like to do is go ahead and introduce our 
panel. We have your backgrounds already and we will submit 
those for the record. Each of you will have 8 minutes to give 
an opening statement. If you want to just submit that for the 
record and summarize, that is up to you.
    Let me just run through the panel very quickly and just say 
a few words about each person and then I will open it up and 
let you all give your opening statements.
    Our first witness will be Bob Stephan. He is the Assistant 
Secretary for the Office of Critical Infrastructure Protection 
at the U.S. Department of Homeland Security. He is responsible 
for DHS's efforts to catalog our critical infrastructure and 
resources and coordinate risk-based strategies to secure them 
from terrorist attack or natural disasters.
    Eileen Larence will be the second witness. She is the 
Director of the Homeland Security and Justice Issues Division 
at the U.S. Government Accountability Office. She manages 
investigations, issues reports, and makes recommendations, and 
handles Congressional requests for work on homeland security 
issues.
    And then Ken Watson will be third. He is Vice Chairman of 
the Partnership for Critical Infrastructure Security. He 
established the Critical Infrastructure Insurance Group with 
the goal of driving Cisco's contribution to the security of 
worldwide critical infrastructure.
    So Mr. Stephan, if you would lead off for us.

TESTIMONY OF COLONEL ROBERT B. STEPHAN,\1\ ASSISTANT SECRETARY 
  FOR INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Colonel Stephan. Mr. Chairman, thank you very much for the 
kind invitation to appear before you today. I sincerely 
appreciate the opportunity to address you on the role of the 
Department's Office of Infrastructure Protection and ensuring 
robust coordination with the private sector as we work actually 
together as a team to protect our Nation's critical 
infrastructures from terrorist attack and also enable their 
quick recovery in the wake of a terrorist attack or a natural 
disaster because we have another terrorist to deal with in our 
mission space and she is called Mother Nature.
---------------------------------------------------------------------------
    \1\ The prepared statement of Colonel Stephan appears in the 
Appendix on page 104.
---------------------------------------------------------------------------
    My staff and I are keenly aware of the importance of fully 
integrating and working with our private sector partners across 
our mission space as well as with our State and local 
government partners. As a point of departure for your team, it 
is important that we note that the vast majority of our 
Nation's critical infrastructures, about 85 percent or so, 
those are owned and operated by the private sector in some way, 
shape, or form. Hence, our comprehensive work with the private 
sector represents a very key component of our national 
protection network as well as our national information sharing 
network.
    Both the Congress and the President of the United States 
have recognized that full support, cooperation, and engagement 
of government and private sector partners at all levels is 
required to prevent terrorist attacks, mitigate natural 
disasters, restore essential services after an incident, and to 
generally maintain the American way of life.
    Our partnership with the private sector spans the diverse 
spectrum of the 17 sectors that are identified in Homeland 
Security Presidential Directive No. 7. You have those 
catalogued there in your chart. This partnership also extends 
very importantly in a boots-on-the-ground-type construct to 
high-risk communities across the country, where my staff and I 
have put a great deal of focus and effort to bring together 
Federal, State, and local government partners and the private 
sector to engage in vulnerability assessments, security 
planning, information sharing, best practices exchanges, risk 
reduction and incident management activities.
    Since the creation of my office in March 2003, our mission 
has been very clear. Our overall approach focuses on 
establishing and sustaining a risk-based unified program to 
protect and enhance the resiliency of our Nation's 
infrastructures. The key to this approach is a layered defense 
constructed of physical protection, cyber security, and 
resiliency within the sectors as tailored to the requirements 
of each of those sectors. This again, sir, is a long-term 
effort that involves a comprehensive government and private 
sector engagement inside and outside of regulatory space at 
various levels across our national risk landscape.
    The private sector has made significant investments to 
strengthen both physical and cyber security to boost 
resiliency, increase redundancy, and develop contingency plans 
since the September 11 attacks. Of equal importance, State and 
local agencies have stepped up to this mission plate and have 
strengthened infrastructure preparedness within their 
jurisdictions. Supporting these efforts, in one example, DHS 
has provided nearly $2 billion in infrastructure-targeted risk-
based grant funding over the past several years, to include 
$445 million this year.
    Our partnerships across various levels of government and 
with the private sector form the operational core of our 
National Infrastructure Protection Plan--sir, we do 
affectionately refer to that as the NIPP, and thank you for 
highlighting that--and, as well, the supporting 17 Sector-
Specific Plans (SSPs), in each of the sectors. Through the NIPP 
and these supporting plans, we now have a unified national game 
plan and an ever-expanding arsenal of tools to implement our 
mission.
    The NIPP base plan establishes the overall risk-based 
approach that defines the unified way we are going to protect 
the enhanced resiliency of our critical infrastructure sectors 
across the board. Organizationally, the heart of the NIPP is 
bringing people together in some kind of construct? It is akin 
to bringing good Super Bowl teams to the playing field at the 
end of football season. Establishing Sector Coordinating 
Councils on both the government side of the house and on the 
private sector side of the house, bringing the right people to 
the table in a legally protected framework to get the job done, 
whether it is policy recommendations, planning, looking at risk 
assessment methodologies, planning for incidents and actually 
conducting incident management operations.
    Within the NIPP, the NIPP partnership models encourages 
private sector owners and operators to establish Sector 
Coordinating Councils as a principal entity for coordinating 
with the government across a wide variety of issues. These 
entities are self-run and self-governed and their specific 
membership varies from sector to sector, including owners and 
operators, associations, and other entities, corporations, or 
individual companies, both large and small. The finalization 
and release of the NIPP Sector-Specific Plans used this 
framework in terms of its development and will be an essential 
piece of implementing and integrating those plans across the 17 
sectors.
    Developed under the umbrella of the NIPP partnership model, 
the Sector-Specific Plans represent adaptations of the NIPP 
baseline risk analysis and risk management framework, its 
governance structure and information sharing protocols, as 
tailored, once again, to the specific needs and requirements of 
each of the 17 sectors, which are very different in and amongst 
themselves.
    This undertaking represents the very first time that 
government and private sector entities have come together on 
such a large scale across every sector of the economy to 
develop joint plans to better protect and ensure the resiliency 
of our critical infrastructures against both terrorist 
incidents and natural disasters. Each plan contains concrete 
deliverable milestones and timelines that define the road ahead 
for each of these sectors.
    In a series of parallel undertakings, we are leveraging the 
NIPP sector partnership model and coordinating council 
structure to finalize a comprehensive annex to the National 
Response Plan that deals with infrastructure protection and 
restoration; to develop sector-specific guidelines for pandemic 
influenza preparedness; establish infrastructure protection 
research, development, modeling, simulation, and analysis 
requirements; and building a National Infrastructure Protection 
Awareness and Training Program, to include exercises such as 
the upcoming TOPOFF Officials 4 exercise, which will be 
conducted in October of this year.
    Our partnership framework enables more progress in another 
important area, information sharing, where we use the NIPP 
partnership framework to share information of a risk-based 
nature on a day-to-day basis that includes operational 
information, situational awareness of incidents that are 
occurring across our infrastructure sets around the country 
every day, and we use that same incident management information 
sharing network to collaborate and integrate with one another 
during crisis, incidents, or emerging threat scenarios.
    Another important advancement in our relationship with the 
private sector is the establishment of our Homeland 
Infrastructure Threat and Risk Analysis Center, or HITRAC. This 
is an infrastructure and intelligence fusion center that we 
operate in a joint partnership with Charlie Allen, the 
Assistant Secretary for Intelligence and Analysis at DHS. 
Through this center, we provide access to classified 
information. We enable members of the private sector leadership 
to obtain security clearances to the tune of about 900 so far 
across the sectors and using the tear-line concept are able to 
share very broadly important emerging threat products with the 
private sector at a tactical and strategic level.
    Through the HITRAC and our National Infrastructure 
Coordinating Center, which maintains an operational status or 
pulse of the Nation's infrastructure on a day-to-day basis, or 
private sector partners receive real-time threat situation and 
status information and analyses, which is in turn used to 
inform security and operational planning, resource investments, 
and key risk mitigation activities.
    Coordinating with other key stakeholders through our 
partnership model is fundamental to the success and it has also 
been a key enabler to allow us to push out the door very 
important boots-on-the-ground activities that are having a very 
noticeable impact in terms of improving our security posture 
across the private sector infrastructure landscape. Through our 
comprehensive review program, we provide a structured joint 
analysis, Federal, State, and local capabilities, private 
sector capabilities needed to enhance the security of our 
highest-risk national infrastructures. Today, we are virtually 
through, and we will be through in September, walking across 
the chemical sector and the nuclear energy sector in terms of a 
comprehensive review process, bringing lots of inside and 
outside defense equities to the table.
    Through our Buffer Zone Program, we have a DHS-administered 
grant approach that is designed to assist local law enforcement 
and private sector critical infrastructure owners and operators 
increase security within the buffer zone, or the area outside a 
facility that can be used by an adversary to conduct 
surveillance or launch an attack. Through this process, we have 
completed more than 2,200 individual site visits in locations 
across the United States, pushing approximately $190 million 
out the door to State and local law enforcement to provide 
connectivity to specifically identified critical infrastructure 
facilities and boost their reinforcing capability for 
prevention through protection to response and recovery.
    Our Protective Security Advisors represent a cadre of 78 
folks right now in place across the country in key urban areas, 
rural areas of the country, places where we have a nexus of 
population and critical infrastructures. These Protective 
Security Advisors (PSAs), foster partnerships, facilitate 
collaboration, conduct vulnerability assessments, facilitate 
training and exercise programs, provide general situational 
awareness back to me on a day-to-day basis. They have conducted 
about 15,000 liaison visits with private sector owners and 
operators over the past 2 years and they are my first boots on 
the ground in terms of the infrastructure protection Federal 
mission subset during any incident, and they have a very 
comprehensive and solid list of Rolodex contacts across the 
Federal, State, and local community and the private sector 
community in their geographic areas of responsibility.
    Through them and others, we have conducted soft target 
awareness courses and surveillance detection training programs 
across the country. The soft target piece is a week-long course 
that provides private sector owners and operators and security 
personnel with a venue to receive and share baseline terrorism 
awareness, prevention, and protection information and is 
intended to enhance individual and organizational security 
awareness. Our surveillance detection course provides a 
guideline for mitigating risk to infrastructures by developing, 
applying, and deploying protective measures in the creation of 
a surveillance detection plan within facilities such as 
shopping malls, arenas, stadiums, public access, and gathering 
sites. We have conducted 284 surveillance training awareness 
courses across the country as well as an additional increment 
of the same number of our soft target awareness training 
packages.
    Our TRIPwire program, bombing prevention, is highlighted by 
the recent events in London and Glasgow, a very important part 
of our day-to-day business. This is an online web-based tool 
that provides the latest and greatest information to bomb 
squad, private sector security folks, law enforcement officials 
across the country in terms of terrorist tactics, techniques, 
and procedures relative to IEDs, VBIEDs, and maritime-based 
improvised explosive devices. To this date, we have got about 
40 Federal departments and agencies, 28 military units, 365 
State and local law enforcement agencies, and 35 private sector 
companies hooked into this website, and in the last year since 
it has been operational, we have had nearly four million site 
hits.
    Finally, with respect to the demands of incidents caused by 
Mother Nature, we have put into place through our Protective 
Security Advisor Network out in the field and through 
infrastructure specialists here at the Department headquarters 
and in cooperation with our national ops center and FEMA 
headquarters a very robust set of experts that are manning 
watch 24/7 and are prepared to respond and organize a team of 
specialists around any type of incident that involves the 
downing of our infrastructures, that would involve follow-on 
security assessments, restoration and recovery operations, or 
any type of assistance or information sharing requirements that 
we need to bring to the table.
    In terms of my remaining time with you today, looking 
toward the future, we are finalizing our office's long-term 
strategy for continued program growth and evolution. We are 
finalizing our 2008 to 2013 strategic plan--I hope to have that 
done within the next couple of weeks--that identifies a very 
significant number of primary goals essential to implementing 
our national mission and continuing to build out this very 
important public-private sector partnership framework. This 
effort is being conducted in tandem with our sector annual 
reporting process under the National Infrastructure Protection 
Plan. Our goal is to continue our risk-based approach to 
infrastructure protection, tailored again to the needs and 
requirements of the individual 17 sectors. As we move into the 
future, the NIPP partnership framework and the tens of 
thousands of security partners across the public and private 
sector that it brings to the table will continue to drive our 
national approach.
    Certainly, no one can predict the future with 100 percent 
accuracy, but certain things are a given. Technology, the way 
in which owners and operators do business, and their supply 
chain dependencies and interdependencies will certainly evolve, 
and vulnerabilities and consequences will change accordingly. 
We can also count on our risk calculation changing over time.
    Another fact is very clear. We face a very clever, 
flexible, patient, determined terrorist adversary. The path 
forward provided by the NIPP, the Sector-Specific Plans, and 
the partnership framework allows us to act collaborative as 
together we adapt to a very dynamic risk environment, a very 
dedicated and very ingenious enemy through a national unity of 
effort that we have begun to build and will continue to build 
out over time.
    Success over time means making commitments and following 
through on them. We will approach our collaborative 
implementation of the NIPP and the SSPs with this in mind and 
continue to refine and enhance our solid partnership with the 
private sector, State and local governments.
    I will leave you with one more important observation. The 
more we utilize the sector partnership model, the stronger and 
more effective it gets. We will continue to incorporate lessons 
learned, strive to constantly improve and adapt our 
partnership, communications, and coordination with the changing 
times and risk landscapes at the national level. Continued 
support of our focused activities in concert with all of our 
partners will help ensure our Nation's preparedness in my 
mission area.
    Sir, thank you for this important opportunity to discuss 
the infrastructure protection mission area, and the public-
private sector partnership framework that truly lies at its 
core. I would also like to thank you for your continued support 
and the support of this Subcommittee and the larger Committee 
of which you are a part for your dedication to the success of 
this vital component of our overarching homeland security 
mission, and I would be happy to answer questions following my 
colleagues. And sir, thank you for your time today.
    Senator Pryor. Thank you.
    Our second witness, whom I introduced a few moments ago, is 
Eileen Larence. I suspect that I have mispronounced your name.
    Ms. Larence. That is right.
    Senator Pryor. Is that right?
    Ms. Larence. No ``W''.
    Senator Pryor. OK, thank you. Go ahead.

   TESTIMONY OF EILEEN REGAN LARENCE,\1\ DIRECTOR, HOMELAND 
  SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Ms. Larence. Mr. Chairman, I appreciate the opportunity to 
discuss the results of GAO reviews of the Department of 
Homeland Security's efforts to ensure the Nation's most 
critical infrastructure, from power plants and health care 
workers to the Internet, is protected from terrorist attacks 
and disasters, a daunting and complex challenge as Hurricane 
Katrina demonstrated and you pointed out in your opening 
statement. It is also an important mission, as DHS estimates 
infrastructure influences about 50 percent of our GDP, and as 
my colleague mentioned, about 85 percent is owned by the 
private sector, meaning DHS must depend on partnerships with 
this sector to voluntarily pay for added protection. DHS also 
recognizes the Nation cannot afford to protect everything, so 
it has devised a risk management model for infrastructure 
investments, an approach GAO generally endorses.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Larence appears in the Appendix 
on page 115.
---------------------------------------------------------------------------
    As you pointed out, sectors were to create Sector-Specific 
Protection Plans. These plans were due to DHS by the end of 
December and released on May 21 of this year, and sectors 
recently submitted status reports on where they are against 
these plans to DHS. In terms of these plans, it is important to 
realize that they are separate from emergency response plans. 
We also found that they tend to be what we would call plans to 
plan, meaning that they describe how or what processes the 
sectors are going to use to identify their critical assets and 
resources, assess their vulnerabilities and risks, prioritize 
their resources, and select protective measures for them. And 
while owners and operators may to date have implemented 
protective measures for some of their individual assets to 
maintain business continuity or to comply with existing 
regulations, sector plans are to go beyond individual assets 
and take a more comprehensive national look at vulnerabilities 
and gaps across the sectors.
    GAO has reviewed the stand-up of the Coordinating Councils, 
the NIPP, and nine of the sector plans, as well as interviewed 
the chairs of each council, and has drawn several findings from 
this work.
    First, while sector plans are very useful to DHS in 
providing a consistent baseline, sectors had mixed opinions 
about the value of the plans and some were not as detailed and 
complete as others, which could limit their usefulness.
    Second, sectors have faced several challenges moving 
forward as plans and implementation evolves.
    Third, it appears that relatively few sectors are close to 
completing all of the systemic steps called for in the NIPP and 
will continue to evolve, as well.
    To further elaborate on each of these points, the sector 
plans are useful to DHS by providing it a baseline and 
consistent approach to protection, and a number of private 
sector representatives said that developing the plans was 
helpful for providing collaboration, information sharing, and 
common strategies. But for several other sectors, ones that 
were more mature, more homogeneous, or regulated, the plans are 
not as useful because these sectors had prior plans they were 
already implementing, such as in response to the Y2K scare, or 
because they did not think the private sector had been 
sufficiently involved in the process.
    While all the plans met DHS guidance and NIPP requirements, 
the comprehensiveness and potential usefulness of the plans 
that we reviewed were also mixed. They all included protection 
goals and objectives and sector intentions for assessing, 
prioritizing, and protecting assets. But the plans varied in 
the extent to which they: First, discussed protective measures 
in detail, since some sectors were not ready to do so or chose 
not to; second, recognized how sectors depended on each other, 
such as for electricity, telecommunications, or water to 
continue operations, and laid out these dependencies in their 
plans and in implementation; third, comprehensively assessed 
not only their physical assets, such as buildings, but also 
their cyber and human assets, a gap that could deter sectors' 
readiness; and fourth, discussed possible incentives they could 
use to encourage private sector protection efforts, even though 
sectors depended on such efforts.
    And while plans acknowledged the need for metrics to 
determine how much protection we are achieving, some are going 
to rely on qualitative measures of progress, such as tests 
accomplished, instead of outcome measures of protection 
achieved. We recognize that assessing outcomes will be very 
difficult, but as you know, measures drive performance, so 
addressing this and other gaps in the plans will be important 
moving forward.
    As to our second finding, most private sector 
representatives spoke positively of their lead Federal 
agencies, including DHS, and the support provided, especially 
contractor support, but to varying degrees identified some 
challenges that they face: First, dealing with DHS 
reorganizations, staff turnover, and lack of expertise about 
some sectors; second, getting full council representation for 
some sectors that have a widely diverse membership, such as the 
health and agricultural sectors; third, having infrastructure 
that was primarily systems, networks, or people rather than 
buildings, and this complicated their planning, and according 
to the IT sector representatives, also complicated qualifying 
for some of the grant programs, as well.
    Another challenge was getting State and local players 
involved, in part because of the costs and time commitments, 
even though they are critical to protection efforts, and also, 
getting buy-in to the plans from all individual owners, 
operators, and private sector members. So marketing these plans 
will be important. This will also help to ensure that the plans 
don't simply sit on the shelf. And a final challenge was 
private sector reluctance to provide DHS with information on 
assets and vulnerabilities for fear that their proprietary 
information would not be protected, including from possible 
terrorists, or they would lose competitive advantage or face 
litigation.
    As a result, most sectors still rely on their own voluntary 
information sharing advisory councils to share information and 
we are optimistic about the Critical Infrastructure Protection 
Advisory Council DHS initiated because it provides for closed 
meetings with the private sector. But others were still 
cautious about using DHS's program to protect critical 
infrastructure information and we had identified such 
reluctance in a report last year and proposed recommendations 
for improvements, and also using DHS's Homeland Security 
Information System because it lacks certain security features 
that were important to the private sector.
    As for our last finding, according to the sector plans we 
reviewed and representatives we contacted, it appears that only 
a few sectors, especially more mature ones, are relatively far 
along in completing all steps in the sector-wide NIPP process, 
and several newer sectors, such as health care, were still in 
the early stages. The recent status reports that the sectors 
submitted to DHS may give us a more accurate picture of this 
progress.
    DHS has made a lot of progress and has opportunities to 
promote this progress going forward. For example, it could 
target its support to the sectors that have made less progress. 
It can ensure that the critical gaps in the plans and the 
challenges we discussed are addressed. It can help sectors 
market these plans to get by in an implementation. It can 
streamline its review process in the future and provide the 
private sector more time for input, a problem a number of the 
private sector representatives identified in speaking with us.
    Maintaining momentum and timelines for implementation will 
also be important. Continued Congressional oversight, such as 
assessing sector status reports to determine progress, 
assessing the threat information and risk assessments that 
sectors use, since they drive the investment decisions, and 
what sectors have achieved with grant funding can also provide 
momentum and GAO stands ready to support this oversight.
    Finally, longer-term policy questions can include, does DHS 
have enough leverage to ensure the private sector will meet 
protection goals? Can we rely on market incentives or do we 
need other incentives, such as more targeted funding, tax 
incentives, or innovative R&D investments? Who will pay for any 
gaps between protection the private sector is willing to fund 
and any added protection needed to meet national security 
goals? And are we focused on the right goal, protection versus 
resiliency? Some in the private sector argue the end game 
should be resiliency, which means how quickly can operations be 
restored after an incident, rather than protection, which they 
characterize as adding more guns, guards, and gates, because 
resiliency is measurable and perhaps more affordable. What is 
the right balance between these two goals?
    This concludes my statement and I would be happy to answer 
any questions. Thank you.
    Senator Pryor. Thank you. Ken Watson.

      TESTIMONY OF LIEUTENANT COLONEL KENNETH C. WATSON, 
     (RETIRED),\1\ VICE CHAIRMAN, PARTNERSHIP FOR CRITICAL 
     INFRASTRUCTURE SECURITY, AND SENIOR MANAGER, CRITICAL 
       INFRASTRUCTURE ASSURANCE GROUP, CISCO SYSTEMS, INC

    Mr. Watson. Mr. Chairman, thank you for inviting the 
Partnership for Critical Infrastructure Security (PCIS) to 
participate in today's hearing on America's private sector 
preparedness to protect our critical infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Watson appears in the Appendix on 
page 140.
---------------------------------------------------------------------------
    The NIPP designated PCIS as the private sector cross sector 
coordinating council for protecting critical infrastructure, 
but in fact, we have been fulfilling that role for the last 8 
years, since we formed in 1999. Our council consists of the 
Sector Coordinating Councils (SCCs), the private sector 
components of the designated critical infrastructure sectors. 
Most of the sectors have also established Information Sharing 
and Analysis Centers (ISACs), to manage the daily information 
sharing needs of the sectors.
    In October 1997, the President's Commission on Critical 
Infrastructure Protection published its seminal Critical 
Foundations report, which identified two irreversible trends: 
Increasing privatization of critical services; and increasing 
migration of core business and government operations to 
networks, including the Internet. The Federal Government called 
for a public-private partnership and we responded by founding 
the PCIS in 1999 in response to that call.
    We have made tremendous progress. I believe we are on a 
very solid path and the Nation's critical infrastructure is far 
more resilient to potential attacks or natural disasters than 
we were 8 years ago.
    The PCIS Business Plan identifies four broad goals, each 
with its own objectives and metrics: First, partnership 
leadership on critical infrastructure issues and policy that 
reflect the consolidated all-sector perspective; second, cross-
sector leadership in cross-sector interdependency issues; 
third, sector assistance to increase the value to the sectors 
and the SCCs; and fourth, PCIS effectiveness, improving the 
organizational effectiveness and value of the PCIS itself.
    Our members see value in understanding issues common to 
multiple sectors, unique challenges or solutions from a single 
sector, and the ability to jointly approach DHS and other 
government organizations. In addition, because of our sector-
specific subject matter expertise, the National Infrastructure 
Advisory Council, or NIAC, calls on us from time to time to 
help develop policy advice for the President. Two notable 
recent efforts studied pandemic vaccine prioritization for 
critical infrastructure protection workers and issues 
surrounding public-private sector intelligence coordination.
    Chief among our recent successes is the development of the 
NIPP and its 17 Sector-Specific Plans. This level of 
collaboration would have been impossible without the Critical 
Infrastructure Partnership Advisory Council framework provided 
by the Congress in the Homeland Security Act of 2002 and 
implemented by Secretary Chertoff more than a year ago. This 
CIPAC framework allowed us to work side-by-side with our 
government counterparts to write these plans. This 
collaboration improved the NIPP's approach to risk management. 
The initial DHS draft proposed a bottom-up approach for all the 
sectors which focused on physical assets. After considerable 
engagement between DHS and functionally-based sectors, such as 
electricity, IT, and communications, the NIPP Risk Management 
Section evolved to accommodate top-down risk management models, 
permitting multiple approaches.
    Developing the Sector-Specific Plans (SSPs), was not a 
perfect process. Most sectors were pleased with the 
collaboration of their sector-specific agencies, but for 
others, a learning curve still remains. I see these as growing 
pains as all partners embrace the new framework.
    The list of sector successes is long and growing. My 
written testimony highlights six sample success stories and I 
encourage you to review them at your earliest opportunity. For 
example, in the financial services sector, several Regional 
Partnership Councils have formed, allowing members to 
collaborate on disaster management matters with Federal, State, 
and local partners. Meanwhile, the rail and water sectors have 
begun meeting quarterly with key intelligence personnel to 
build trust, increase knowledge, and raise awareness. Using a 
competitive DHS grant, the commercial facilities sector created 
a training course to help managers of stadiums, arenas, 
performing arts centers, and convention centers to implement a 
DHS web-based security awareness and vulnerability assessment 
tool.
    Removing barriers to private sector participation is a key 
initiative of DHS and the PCIS. The Subcommittee asked me to 
comment today on three specific areas of concern: First, issues 
of competitive advantage; second, fear of sharing sensitive 
information; and third, worries the partnership might exclude 
smaller operators.
    I understand competition is cited frequently as a barrier 
to partnership, but I believe Greg Jones, the Chief 
Administrative Officer for Greenberg Traurig, LLP, summed it up 
best when he wrote recently, ``We are competitors, not 
enemies.'' The same holds true for the collaborative approach 
embraced by the SCCs and the ISACs.
    Regarding sharing sensitive information, we work closely 
with the Protected Critical Infrastructure Information Program 
Office (PCII), and the Information Sharing Environment (ISE), 
under the CIPAC framework to develop a simplified, rational 
approach to protecting information. As long as statutory 
protections for this information remain, the PCII Program 
should function within the newly-proposed Controlled 
Unclassified Information (CUI), environment.
    Despite these efforts, some sectors still have serious and 
legitimate concerns. First, sectors are unclear about what 
sensitive information DHS needs. Second, sectors worry this 
information might be disclosed publicly, making it available to 
competitors or used in litigation.
    SCCs include all relevant trade associations, a provision 
we insisted upon and DHS incorporated into the CIPAC framework 
to ensure inclusion of smaller operators. The food and 
agriculture SCCs, for example, has 119 separate entities 
representing the entire sector, from farm to table. The 
financial services SCCs has 34 associations and companies 
representing banks, brokerages, and insurers. In addition, 
Homeland Security Assistant Secretary Bob Stephan and others 
regularly travel around the country encouraging companies and 
associations to join their SCCs and ISACs, and we appreciate 
that.
    Finally, please allow the PCIS to make a few suggestions 
that we, its members, feel would enhance the partnership and 
improve the ability of the United States to manage exceptional 
events. First, let the partnership mature. We have accomplished 
a great deal with DHS since its inception and even more since 
Secretary Chertoff exercised the Section 871 exemption to 
create CIPAC a year ago. While we welcome Congressional 
involvement, we must continue building a trusted environment 
that allows us to work freely with our government partners on 
sensitive safety and security issues. Moving forward, we would 
be happy to work with you as you consider standards and risk 
assessments.
    Second, the PCIS asks you to help us educate all Federal 
partners about the nature and value of this partnership because 
it has not been executed uniformly across all sectors. Some in 
the Federal Government still fail to understand the model's 
merits. Many we work with in the DHS IT and Communications 
Operations Group and the Partnership and Outreach Division 
embrace the structure, but the farther you travel from those 
offices, the less understanding and appreciation of the sector 
partnership framework you will find.
    Third, it is time to review the National Response Plan to 
include more proactive private sector participation in response 
actions. This is crucial in the cyber dimension, as PCIS 
considers all cyber incidents international by default. The 
private sector has multiple collaborative mechanisms to deal 
with significant cyber incidents. Many Internet service 
providers, for example, collaborate through the informal ``nsp-
sec'' community. Multiple public and private sector incident 
response teams also belong to the more formal Forum of Incident 
Response and Security Teams (FIRST). These two organizations 
are really the global cyber first responders. In turn, the NRP 
should direct proper authorities to these and other like-minded 
organizations during a cyber incident of national significance.
    Finally, the government must do a better job of sharing 
timely and useful information with the private sector. It is 
often difficult to determine exactly who needs to know 
sensitive information, but this partnership framework includes 
enough trust to err on the need-to-share side of the equation. 
Complex interdependencies, a lack of sector familiarity, and 
complex collocation of assets argue for a proactive sharing of 
alerts and warnings with the PCIS and the relevant ISACs. Many 
ISACs can transmit and store classified material and many 
sectors have cleared individuals who can be trusted with 
sensitive information.
    That concludes my remarks. Thank you again for the 
opportunity to be with you today on behalf of PCIS. I would be 
happy to answer any questions you have.
    Senator Pryor. Thank you. Mr. Watson, let me start with 
you, if I may. Just by way of background, tell me a little bit 
about your organization, the Partnership for Critical 
Infrastructure Security. I think you said it started in 1999. 
Why did it start? How does it work?
    Mr. Watson. The way it started, as you remember, the 
President's Commission on Critical Infrastructure Protection 
(PCCIP), or the Marsh Commission, reported its Critical 
Foundations report on the vulnerability of critical 
infrastructures and a plan forward in October 1997. The 
government responded with PDD-63, Presidential Decision 
Directive 63, in May 1998, which created a lot of government 
organizations including the CIAO, the NIPC, and a few others 
that were scattered around the Federal departments.
    At the time, the Critical Infrastructure Assurance Office 
(CIAO), was in the Department of Commerce. The Department of 
Commerce put out a call for public-private partnership because 
that was the view of the Marsh Commission, that the only path 
forward because of these irreversible trends that I mentioned 
was public-private partnership. We responded by calling, I 
think over 200 companies to come to the table to form the PCIS, 
and our first meeting was actually in the Windows on the World 
restaurant at the top of the World Trade Center in December 
1999. Since then, we created committees to look at research and 
development, information sharing, public policy, and any other 
areas that might be important to all the sectors or multiple 
sectors and began to coordinate with the Federal Government.
    When DHS was formed, all of the offices that were dealing 
with critical infrastructure assurance moved into the 
Department, so we had a single face now to work with--to 
coordinate most efforts across the sectors. Now, we understand 
that many of the sector-specific agencies are not in DHS. DHS 
has the overall coordination role and we are comfortable with 
that. For example, the financial services sector had a long 
relationship with the Treasury Department and they want that to 
continue and we support that, and similar relationships exist 
for the other sectors.
    Senator Pryor. OK. And you have been asked to help 
coordinate the various sectors. What is your role there?
    Mr. Watson. Currently, I am the Vice Chairman of the PCIS. 
I am also on the Executive Committee for the IT Sector 
Coordinating Council.
    Senator Pryor. You obviously work very closely with DHS. Is 
there an arms-length relationship with DHS? Are you independent 
of them?
    Mr. Watson. We are very independent. At first, the funding 
model was donations from founding member companies. We got away 
from that because we believed that the business model that 
included payment of dues was exclusive and eliminated some of 
the smaller players, and so we eliminated the dues requirement. 
DHS stepped up to the plate after they were formed to help 
provide administrative support as long as--and we made sure 
that they couldn't have access to private sector-only 
information, but if they wanted to provide information, that is 
what we are still doing admirably now. They support us in terms 
of coordinating conference calls, printing, organization 
support, meeting support, those kinds of things, and that 
relieves us of the burden of a lot of expenses.
    We do have a Board of Directors and we pay for our own 
Directors and Officers insurance and our own budgeting, but it 
is so minimal that it is not a burden to anybody that would 
like to participate.
    Senator Pryor. Great. Now, let me ask, you mentioned in 
your testimony about the trust level with the private sector 
and the government, and I understand that sometimes the 
government is very reluctant to share classified information. 
Sometimes the private sector is very reluctant to share some of 
their proprietary information. I understand that. But what is 
the best way to balance national security and the need for the 
interested parties to be fully informed and have all the 
information they need? Do we have that balance yet? What do we 
need to do to improve that?
    Mr. Watson. We are making a lot of progress. We are not 
completely there yet. I think that the effort of the 
information sharing environment is a good one. It is not mature 
yet. We haven't really defined whether PCII will work within 
the framework. We think it will, but it hasn't been tested yet. 
Now, this is the ability to share sensitive information with 
the government. The private sector would like to share 
information with the government because the government has a 
role in helping us protect ourselves and the country from 
attacks and natural disasters.
    On the sharing of sensitive government information, 
including classified information, HITRAC is a step in the right 
direction. It is the Homeland Infrastructure Threat and Risk 
Analysis Center--the DHS fusion center that brings in all of 
the threat and law enforcement information, and they have 
opened up HITRAC to private sector participants, which we think 
is a very positive step.
    Now there is an opportunity to get private sector expertise 
in the door to help train government analysts on what is 
important and what is not important, so we are making progress, 
but there is more to do.
    Senator Pryor. Let me ask, I want to get to you in just a 
moment, but let me ask while I have you, Mr. Watson, there are 
15 national planning scenarios that cover a wide range of 
disasters--earthquakes, floods, cyber attack----
    Mr. Watson. Right.
    Senator Pryor [continuing]. Pandemic flu, etc. To the 
layperson, it seems that we are covering the waterfront there, 
but is there anything that you think we are missing? Are there 
any scenarios that we really haven't thought of or something 
that might fall in the gaps that we are really not preparing 
ourselves for?
    Mr. Watson. That list of scenarios is pretty thorough. They 
are also plugged into the National Exercise Program, either one 
at a time or in combination, and I think that is the right 
thing to do. It is going to take an awful long time to get 
through all 15 if you do them one at a time. I think the 
nightmare scenario would be a large physical attack in 
combination with a cyber attack that disables the emergency 
response. That is the one that keeps us up at night. So if we 
could exercise that and make sure that the first responders--
firefighters, police, emergency medical, and local government 
decision makers--work through the degraded communication that 
would happen in those kinds of things and had alternate means 
of communications planned in advance, we would be much more 
resilient to that kind of a combined attack.
    Senator Pryor. Let me ask about the cyber attack, because 
that is a relatively new phenomenon that a lot of people don't 
know a lot about. They may get a virus on their computer or 
something like that, but they really don't understand. In your 
estimation, how bad could a cyber attack be? I have heard some 
people talk about a digital Pearl Harbor. What is kind of the 
worst case scenario for a cyber attack, in your estimation?
    Mr. Watson. Well, first of all, it is not as good or as bad 
as you see in a lot of the press. You can see comments all over 
the spectrum. The Internet is probably the most resilient and 
redundant communications means that we have ever developed. It 
would be very unlikely that it would be disabled because--for 
many reasons. It is resilient. It is redundant, as I have said. 
But the bad guys use the Internet like we do, to share 
information or to spread information or to gather information. 
So they don't want to take down the infrastructure on which 
they depend any more than we would want it to come down.
    That said, if terrorists had the wherewithal to delay or 
confuse a 911 response system while they were conducting a 
physical attack, they could theoretically increase the number 
of casualties and delay the response to protect those citizens, 
and that is the one that would worry me.
    Senator Pryor. OK. Do you feel like we are taking steps to 
avoid that scenario?
    Mr. Watson. We are taking a lot of steps. The sectors are 
very engaged and we are improving the security responses in 
everything from control systems, all the way through 
communications and interdependencies.
    One area I think we could work better on is regional 
interdependency exercises so that every region and every city 
knew who the stakeholders were in all the sectors and they had 
exercised through all these options and knew the backup plans 
they need to put in place.
    Senator Pryor. In your view, is that something that could 
be coordinated by the Department of Homeland Security?
    Mr. Watson. I believe it is and I think it is in their plan 
to do that.
    Senator Pryor. OK. Thank you.
    Mr. Stephan, let me turn to you. I know it looked like a 
couple of times you wanted to chime in there and maybe add a 
little something. Did you want to add anything before I ask you 
questions?
    Colonel Stephan. No, sir. I am pretty much in agreement 
with Mr. Watson's response. He has been a great partner and his 
leadership has been personally very effective in building a lot 
of bridges and certainly they are not shy in bringing problems 
and issues to us through the PCIS and at the individual sector 
level. That is what the partnership is all about and we 
continue to solicit that feedback. Every suggestion that these 
folks pass up or issue they pass up, I take action on or 
explain to them why I am not able to do it so at least we have 
that very positive and direct feedback loop going back and 
forth.
    Senator Pryor. Good. Let me ask about these sectors that we 
have talked about here, these 17 sectors. One of the first 
questions I have is when you try to get information from them, 
who do you get information from? For example, the food sector 
is such a broad, wide-ranging sector. Who do you get 
information from and how do you manage that information?
    Colonel Stephan. Sir, there are two different levels of 
information and collection, if you will. One is sector-level 
information in terms of strategic risk concerns for the sector, 
general concerns, how each sector does incident management. We 
work through the Sector Coordinating Council framework, 
sometimes through the PCIS if it is an issue that crosses 
multiple sectors. Using that approach, again, that is more for 
strategic-type information needs.
    Then we have another level that is a little bit more 
challenging because we need individual vulnerability and 
consequence information that we need to draw in many cases from 
individual companies or corporations across the 17 sector 
landscapes. I get information from them, sometimes again using 
the Sector Coordinating Council framework, but more importantly 
and probably most importantly, my direct information venue now 
is my Protective Security Advisor cadre, those 17 folks 
representing my boots on the ground, my eyes and ears forward 
in very critical locations across the country that have 
developed trusted relationships with State and local partners 
as well as private sector partners down to the individual 
facility level.
    Cracking this nut is tough in terms of risk. We are using a 
tiered approach and we have identified through our partnership 
model approximately 2,500 things out of the tens and tens of 
thousands of things that represent infrastructure nodes across 
the country, things that we would classify as a tier one or 
tier two by sector, meaning certain consequence and threat and 
vulnerability criteria. We work through the Sector Partnership 
model, through the Coordinating Councils, and with individual 
facilities to gather information relative to their 
vulnerabilities and consequences and how a threat vector of a 
particular nature might affect them. That process was kick-
started a couple of years ago to drill down so we could focus 
on those things that we all considered to be mutually 
important.
    Senator Pryor. OK. Let me ask a similar question to what I 
asked Mr. Watson a few moments ago about information going back 
and forth between the government and the private sector. Again, 
I know sometimes the government is very reluctant to share 
classified information. That is understandable and I understand 
why the private sector is reluctant to share proprietary 
information or just very sensitive information, whatever it may 
be. But do you feel like that the government is doing an 
adequate job in sharing classified information under the right 
circumstances and do you feel like you are getting enough 
information from the private sector?
    Colonel Stephan. Sir, on the classified piece first, we 
have enabled about 900 private sector leaders across the 17 
sectors to get a secret-level security clearance, so they come 
into our classified world and actually give us advice and 
recommendations as we are building the intel products that 
affect their world and help us translate from intel speak into 
private sector speak, if you will. That is one important piece.
    But I think the most important piece is working with the 
intelligence and law enforcement community, the CIA, the FBI, 
and others, kind of ingraining within those organizations the 
need to declassify using the tear-line construct, tearing off 
sources and methods, normally the facts and figures associated 
with threat information or maybe at the ``for official use 
only'' or at the completely unclassified level.
    I have been with the Department since day one. It was a 
very difficult process 4 years ago to declassify information in 
real time to get it to the private sector. We can do that now, 
for example, in this emerging threat scenario with respect to 
the London and Glasgow events, the JFK events, the events 
associated with the group that was going to be focused on Fort 
Dix in New Jersey, very quickly, I mean, within a matter of 
hours, declassifying information, forming tear-line pieces of 
it, using our information network to blast it out through the 
PCIS and the individual Sector Coordinating Councils across the 
United States to our various private sector partners. That is 
dealing with government to private sector information exchange.
    On the flip side, information that we require of the 
private sector, the key is trust, trust that we will be able to 
protect the information that the private sector provides to us 
that is of a proprietary nature or that is of a very specific 
vulnerability or consequence nature so that they, in fact, 
don't actually focus terrorists on them through this process.
    Before we published the final Protective Critical 
Infrastructure Information Rule, I think we had a whopping 
total of 48 vulnerability submissions from the private sector, 
about a year and a half ago. Since the publication of the final 
rule, since now everybody knows what the real deal is and they 
can study it, they can have their lawyers focus on it, we now 
are over 5,400 individual vulnerability assessment submissions 
in the span of the last 18 months. So we continue to climb the 
chart now in a geometric fashion instead of trickling them in a 
few dozen or so maybe in a year's time frame. That is very 
important.
    Getting education and awareness through the Sector 
Coordinating Councils, through the PCIS, down to the companies 
that this is how your information will be protected is very 
important, but the true test of time of all of this will be 
when PCII hits the judicial process for the first time and we 
have a successful court case that will show the private sector 
that this will withstand judicial scrutiny and we will get a 
favorable ruling. Until that happens, there will be a shadow of 
doubt in the private sector's mind that the court system will 
allow this information regime that we have put in place to 
stand.
    So again, doing everything we can to work with the folks, 
help them understand why we need the information, how it will 
be protected, final rule out the door, building up that trust 
through my PSAs and others at the individual jurisdiction or 
company level, and finally, this will have to go through the 
court process to make a 100 percent determination.
    Senator Pryor. In the last few days, Secretary Chertoff has 
been in the news about perhaps increased threat level in the 
summer months, and the Department of Homeland Security, a 
couple years ago established this color-coded threat level. Do 
you incorporate that in what you are doing? In other words, do 
you look at various infrastructure and say, well, this may be a 
red, this may be a yellow, this may be a green? Do you make 
that independent assessment?
    Colonel Stephan. Sir, we make that assessment, but not 
independently, in concert with State and local government 
officials, principally the State Homeland Security Advisory 
Network, and again, through the Sector Coordinating Councils 
for each of the sectors. I have a general level of protective 
measures in place that people will go to depending on where we 
are in the color scale. That has been coordinated over time 
over the past 3 years.
    We used that set of protocols specifically with the 
transportation sector, the aviation subsector last August when 
we went from yellow to orange in the aviation subsector, 
putting in place mutually agreed-to protocols. Some of those 
responsibilities lie with the Federal Government through TSA. 
Lots of them, and most of them, in fact, lie with the airports 
and the airlines through that network.
    Senator Pryor. So in other words, you feel like you have 
the flexibility--just say, for example, Secretary Chertoff says 
we generally are in an orange----
    Colonel Stephan. Yes, sir.
    Senator Pryor [continuing]. But you look at your sectors 
and you say, well, these couple of sectors are probably more to 
red and these others may be more to yellow, but nonetheless, 
you have the flexibility to----
    Colonel Stephan. We have the flexibility to go up by color 
by individual sector or subsector, or if we want to not do 
that, we can, by virtue of our Executive Notification System, 
our Information Sharing Network, our Sector Partnership Council 
framework, bringing the folks together and say, based on Intel, 
we feel it is prudent that this sector, without raising 
necessarily to orange or red, take additional steps such as the 
following, and we push those recommendations out the door. But 
again, we do that in a collaborative fashion via phone 
conference or face-to-face meetings sector by sector.
    Senator Pryor. All right. Let me ask one last question for 
you, Mr. Stephan, if I can, and that is, I think it was both 
you and Ms. Larence testified that the private sector controls 
about 85 percent of the critical infrastructure in this 
country. Who controls the other 15 percent, and are we doing 
something similar with that 15 percent?
    Colonel Stephan. I would say probably the lion's share of 
the remaining 15 percent is under State and local government 
control. For example, a lot of the water sector, municipal 
governments own water systems throughout the United States. And 
then probably less than 1 percent is an asset that is owned and 
operated and protected by the Federal Government. So our 
Federal departments and agencies have the least amount of 
responsibility by ownership across the board, State and local 
governments next in line, and finally the big lion's share of 
all this is through the private sector.
    We have a similar arrangement. We have a State, Local, 
Tribal, Territorial Government Coordinating Council, about 30 
individuals that represent Homeland Security advisors, 
emergency managers, law enforcement, public health officials, 
food and agriculture officials, regulatory officials at the 
State and local government level. We use them as a sounding 
board and as an information sharing network much as we do the 
Private Sector Coordinating Councils.
    And, of course, all the grant programs directed at 
infrastructure essentially provide money that go to State and 
local communities in concert with infrastructures that happen 
to reside within their jurisdictions. For example, my buffer 
zone program that IP owns, $191 million over the past 4 years, 
2,200 to 2,400 individual plans that tie inside defense and 
outside defense considerations together that unite State and 
local government, law enforcement with private sector security 
people to have a web of security that extends beyond the fence 
line or perimeter of a facility. That is how we need to 
collaborate together.
    Senator Pryor. OK. Let me ask one other follow-up. When the 
Department of Homeland Security was founded, the Critical 
Infrastructure Assurance Office (CIAO), is that what you call 
it?
    Colonel Stephan. Yes, sir.
    Senator Pryor. It migrated from Commerce to DHS.
    Colonel Stephan. Yes, sir.
    Senator Pryor. CIAO has started to try to get an assurance 
program for each U.S. department, is that right?
    Colonel Stephan. Sir, the CIAO in its form 4 years ago no 
longer exists. Those individual entities, five or six of them 
that came forward into the Department of Homeland Security no 
longer exist as individual entities. They are now interspersed 
among the divisions of the Infrastructure Protection Office or 
the Cyber Security and Communications Office. That early work 
by the CIAO has been superceded by the 17 Sector-Specific 
Plans, and a principal component for the Federal departments 
and agencies is the Government Facilities Sector-Specific Plan, 
where a lot of that pioneer work by the CIAO has been embedded 
or integrated.
    Senator Pryor. OK, great. That sort of ties up a loose end 
for me, because I didn't know how that worked. Thank you.
    Ms. Larence, let me ask you a few questions here. I believe 
in either your testimony or report, you talk about the turnover 
rate at Homeland Security and its effect on trust, just human 
nature being what it is, when you have a lot of new people and 
you haven't had a chance to build those relationships. What do 
you think we can do or should do, or how can we help alleviate 
that problem and build that trust? What do we need to do there?
    Ms. Larence. I don't know if I can address the turnover 
rate, but in terms of trust, this is an issue that we continue 
to identify in our reports over probably about the last 4 
years. Some of the sectors did report to us that it has been 
improving, that they have been building effective relationships 
with their counterparts within DHS and that has helped the 
sectors progress. I think not only the turnover, but the lack 
of expertise about the sectors and how their businesses operate 
is also another gap that might be something that DHS could 
address, perhaps through additional arrangements with 
contractors or intergovernmental personnel arrangements where 
you could bring folks in to learn about the industries' 
business.
    Senator Pryor. Let me ask, in your testimony a little bit 
earlier, you talked about plans to plan, and as I understand, 
what you were saying is that sometimes these efforts really 
result in plans to make a plan, but they never really get to 
the plan. Is that what you mean by that?
    Ms. Larence. The NIPP process is really about describing 
the process that sectors will use to get to the end point of 
identifying their critical assets and making sure they are 
protected, and so the NIPP was really just requiring the 
sectors to identify how they would go through that process.
    Senator Pryor. And, by the way, do you think that has been 
successful so far?
    Ms. Larence. All of the sectors have met those baseline 
criteria.
    Senator Pryor. OK.
    Ms. Larence. But if you look at the plans, some of the 
sectors that are more mature, for example, banking and finance, 
if you read their plans, they will indicate that they have 
identified a lot of their critical assets. They have risk and 
vulnerability assessments in place. They have been regulated. 
Their examiners have been doing risk assessments on a wide part 
of the industry.
    And so you can tell some sectors have gone through more of 
those steps, whereas if you look at, for example, public health 
or food and agriculture, they are really just getting their 
sectors organized and they are still at the very front end of 
that process where they are trying to make sure they have the 
right people at the table, quite frankly, and then begin to 
determine what criteria they would use to figure out what their 
most critical assets are across a widely diverse base. I think 
food and agriculture points out that they have millions of 
farmers, two million farmers, and 150 meat packing processing 
plants that they have to bring to the table. Health care has 13 
million health care professionals, 6,000 hospitals and a number 
of other facilities and labs. So just trying to get their arms 
around what their sector looks like and how to manage that 
diversity is a real challenge for them.
    Senator Pryor. You apparently testified before the House 
Homeland Security Committee, 3 weeks ago, something like that?
    Ms. Larence. We did a member briefing yesterday, sir, and 
before Appropriations several months ago.
    Senator Pryor. OK. Let me ask about the plan-to-plan idea 
and how some sectors are further ahead than others. Overall, 
what is your overall assessment of how we are doing in this 
effort? I mean, are we halfway there? Are we a quarter of the 
way there? Are we almost there? What is your general assessment 
of how we are doing?
    Ms. Larence. Well, in terms of actually designing and 
implementing the plans, we asked the chairs of each of the 
Private Sector Councils for their opinions, their own opinions 
of where they were, and I would say that most of them 
characterize themselves pretty much at, on a scale of one to 
five, at about a three. I think they feel that their large, 
most critical facilities or assets, were at least doing risk 
assessments or had them under control. They still have a lot of 
work to do to really get that sector-wide perspective.
    A couple of sectors felt that they were at a one or a two, 
that they had pretty much moved through the process and really 
had identified their assets and had conducted risk assessments 
and had protection measures in place, and a couple of the other 
sectors, as I mentioned, the public health and food and 
agriculture, some of those that are newer, recognized that they 
were probably more at stages three, four, or five, where they 
had a ways to go.
    That doesn't mean that those sectors' assets, however, are 
not protected, because as we mentioned, individual owners and 
operators, because of simply business operations or continuity 
of operations, or maybe the regulatory requirements for 
security, have taken some steps to make sure their assets are 
protected. So we don't want to mislead that the assets in those 
sectors are, in fact, unprotected. It is just trying to figure 
out as a whole, across the sector, where are we.
    Senator Pryor. Given your analysis and your review of the 
situation as it currently stands, if most of the sectors right 
now would give themselves maybe a three on a scale of five, if 
we were to have this same hearing a year from now, would they 
come in at fours and fives or would they still be at about a 
three?
    Ms. Larence. I think we are trying to get them to ones or 
twos, but I think a lot of them, if you look at their sector 
plans and the milestones that they had set out for them, have a 
pretty ambitious plan, I think, over the next year or two to 
move through that model. So I think we would see a lot more 
progress.
    Senator Pryor. OK. Good. Did anybody want to follow up on 
anything the other witnesses have said?
    Colonel Stephan. Sir, just one. I hardly ever am in 
disagreement with my colleagues from GAO, because they do a 
wonderful job. They have a significant amount of challenges. I 
would just question the phrase, ``plan to plan.'' I think that 
where we are is that every sector now has a baseline plan, and 
as you see from that list, these sectors--the only thing they 
share in common is that they are all different, all very 
unique. Most of them are huge, with the exception probably of 
the nuclear energy sector. There is a fairly tight, very tight, 
closely knit circle of friends there with a very small number 
of facilities that is under a security-regulated environment.
    I would say that all of these plans represent plans that 
have deliverables, milestones, and timelines that are concrete 
that set a baseline. These plans will be reviewed and updated 
on an annual basis, as required. But all of them have tangible 
things that they have signed up to with metrics to measure 
their performance embedded inside the plans that they have 
agreed to as a public-private sector partnership, and I would 
characterize them in that context as opposed to plans to plan, 
because I feel pretty strongly, I am not in this business to 
plan anymore. I am in this business to implement. We have a 
year and a half left in this Administration, and for my mission 
responsibility, no more planning except for, for example, in 
the case of avian flu, where we do have a few more steps to 
make at the sector level to put the final loops into that and 
close them.
    These things are a baseline. Some sectors are higher than 
others in terms of where they are in progress. That is by 
virtue of the fact of who they are, what their risk landscape 
looks like, how many actors are in there, how dispersed are 
they, so on and so forth. So I would just add that to my 
testimony.
    Senator Pryor. Ms. Larence, did you have any comment on 
that?
    Ms. Larence. Two, if I may, sir. Just one following up on 
cyber. I promised my colleague in our IT team to plug, as a 
separate effort, that they went through all the sector plans 
specifically looking to what extent they identified cyber 
issues, as Mr. Watson was referring to, and they will be 
releasing that report probably later next week.
    Similarly to our findings, they determined that to some 
extent it varied, the extent to which sectors considered their 
cyber assets in their sector plans. For example, as he 
mentioned, control systems. It is important that sectors think 
about where their critical cyber assets are and integrate those 
into their plans. So I think we still have some work to do with 
some of the sectors on that.
    The other thing I would just mention under information 
sharing, something to watch that is developing at the State 
level are State information or intelligence fusion centers, and 
each State has been creating those now to fulfill, I think, a 
gap that they found within their State jurisdictions to have 
information that their governors and that their State and local 
folks could use. We have been doing some work looking at those 
fusion centers and they are now beginning to look, some of 
them, at how they can bring the private sector into those 
fusion centers, as well, which would give them some more direct 
access to intelligence and information.
    Senator Pryor. Right. We have been talking about that on 
the Subcommittee, as well, so that is good.
    Does anybody else want to comment?
    Mr. Watson. I might have one more point, just to 
reemphasize the need to look at the regional interdependency 
issue. Terrorists and Mother Nature don't attack sectors, they 
attack individual areas, and this has been a very valuable 
exercise to develop sector-wide principles and guidelines for 
security measures. It has been valuable for us. In the IT 
sector, the first thing we had to do was define the sector. Who 
are the members and what are the key functions? How do we look 
at the dependencies of those functions, and what are the cross-
sector interdependencies? So that has been very valuable for 
us.
    But we need to always keep in the forefront of our minds 
that it is a regional emphasis. We need to build from there and 
look at the multiple sectors that are uniquely connected in 
each region of the country.
    Senator Pryor. Good. Well, listen, I want to thank the 
witnesses again. We will keep the record open for 15 days. All 
of our colleagues on the Ad Hoc Subcommittee may submit 
questions in writing. If they do submit any questions, I would 
like you all to respond to those as quickly as you could.
    I want to thank you all and let you know that your written 
statement will be made part of the record, and if you have 
other documents or studies that you want to be part of the 
record, we will be glad to include those, as well.
    So thank you again for being here and thank you for your 
testimony.
    [Whereupon, at 3:17 p.m., the Subcommittee was adjourned.]








































                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
