When protecting critical infrastructure the risks are limitless but resources are not. There is not always enough funding available to guard against all possible threats. One huge component of protecting critical infrastructure is managing the identities of those going in and out of secured zones.
The Secure Worker Access Consortium (SWAC) program provides the tools necessary to build a trusted community of workers with the proper skill sets who can enter and re-enter a critical infrastructure zone during a crisis. The program is in place at some of our highest value targets, including the Port Authority of New York and New Jersey, its bridges, airports and tunnels, as well as in other sensitive facilities throughout the region. The lessons learned are important, as is the mission of building trusted communities.
Securing Personal Information
To build trusted communities, emergency management, law enforcement and other public safety organizations throughout the country need to enable the secure collection of participating individuals’ personal information. Standards need to be established that not only support the integrity of that community by assuring compliance, but also protect emergency management and public safety officials in developing and implementing this type of program.
This can be done by securely and privately enrolling people, protecting their personal information and recognizing the broad range of identities that need to be considered. This population extends well beyond the law enforcement, fire and EMS communities. The much bigger community, the expanded first responder community, involves contractors, support workers, social workers, food service people, truck drivers, fuel tank drivers, water delivery trucks, the Red Cross — all people who respond in support of emergency operations to help minimize the impact of an incident and expedite the response and cleanup.
In today's world, we can no longer trust that an ID is authentic. Even a trained professional with the ID Checking Guidebook in hand may not be able to distinguish between a valid government-issued ID and a fake one. It's too easy for people to illegally order any kind of government-issued ID they'd like, with whatever information they wish to put on it. This poses a very serious risk to personnel assurance programs. Here are some keys to the program:
1. Validating Information
It's critical to validate personal information as it’s collected. We have a responsibility in running these types of programs to collect information securely and maintain the integrity of that data so that it can be trusted for authentication. Step one is simple: Stop the faxes. Faxing documents that include sensitive information like a Social Security number, date of birth, address and employment history, can easily compromise highly personal information.
To establish trusted and reliable communities, we have a duty to collect personal information securely, protect it and most importantly, validate claims to identity and background as being truly authentic. For example, simple document authentication equipment analyzes the security features embedded within any government-issued ID to ensure that an identity document is legitimate. It enables you to then positively identify that person for entry to your schools, hospitals, critical infrastructure, oil refineries, utility plants, bridges, tunnels, airports and more.
2. Organizing by Skill Set
The second critical success factor in implementing this type of program is to organize resources by whom they’re affiliated with, and what skill sets they possess to perform a particular job or specialized task. Simply because someone is who they say they are doesn't mean that he/she belongs at an incident scene. Responders often listen to the scanners and go to sites they aren't necessarily supposed to go to; unauthorized responses can extend the duration and cost of the incident. In addition, there are various affiliations with organizations and private companies that support our daily operations.
Everyone has specialized skill sets that keep us safe and enable us to do the tasks that we do, minimizing risk and liability. Those are important things to track. Sometimes this involves integrating third parties, such as the training academies, to assure the proper assignment of certifications to individuals. This comprehensive view of an individual creates a profile that is much more than just a name on a list, but rather an intelligent selection of individuals to expedite a response and minimize the event’s impact.
3. Standards and Controls
Don't be intimidated by the fact that you're going to collect personal information, know who’s affiliated with whom, who does what, and when someone's CPR certification expires. Yes, you're collecting and managing a lot of personal data. So protect yourself with standards that are already established and audit controls that prove compliance with those standards. There are many standards that are already established. There are Homeland Security Presidential Directives and data standards to national infrastructure protection that define clearly at the federal level what an individual should be, and what that individual's profile should look like in order to comply with federal recommendations and mandates.
4. Empower Officers
To establish a trusted community, we need to empower our officers and emergency responders with accurate, real-time information that’s above question, not on a card anyone could forge. Many of the government-issued IDs responders carry can be easily replicated. They may not have the security features that are invisible to the eye that a bona-fide Real ID has, but in a flash and pass program, someone would likely get through.
SWAC’s trusted community empowers security personnel with real-time information that does not disclose personal information, but rather, privately says that an individual accessing critical infrastructure meets the criteria to access the location at a specific moment in time. When we consider identities, affiliations and skill sets as part of the access decision equation, it drastically cuts the chaos at entry points, enabling our public safety officers to more efficiently and effectively control entry to critical incident scenes.
Implementing this type of program will absolutely improve operational efficiency. As responders, we act and don't want to stand in line waiting. So there must be throughput. This has to be an operational tool that, with a click of a scanner, gives you relevant information. It reduces the risk involved for responders at those scenes, as well as for the community. We reduce the risk by implementing technology that ensures that people have a need to be there. Another key consideration is that, in this economy, many police, fire, EMS and other municipal organizations and government agencies are under tremendous pressure to make cuts, resulting in smaller budgets and fewer staff members.
We now have trained police officers managing these records in Excel, trying to enter them and keep track of when people need to recertify their trainings. It’s not manageable without a lot of administrative effort. Formal personnel assurance programs like SWAC relieve trained officers of desk duties, putting them back out in the community where they can do their jobs.
Use of trusted responder communities also clearly reduces the cost of incident response, improves cooperation with the expanded community, and allows solution providers to maintain and manage audit records for compliance, for reimbursement from emergency funds and more. All of this record keeping is essential for following the administrative procedures required in the bureaucratic world in which we live.
Daniel W. Krantz is managing director and CEO of Real-Time Technology Group.