– Executive Summary –
This thesis explores the topic of access management and its relationship to U.S. incident management policies and practices. Specifically, it examines how the implementation of statewide access programs might better integrate private sector response capabilities into state and local disaster management efforts. The United States has a well-defined incident management doctrine that mentions access management, but such references appear infrequently and are not adequately addressed. Before, during, and after an emergency, private sector assets may need to enter or transit through designated restricted areas or emergency zones in support of disaster preparation, emergency response, or restoration efforts. A state or local jurisdiction’s ability to control and manage access of key response and recovery resources can be a critical success factor in enabling community recovery—particularly during emergencies that affect multiple jurisdictions or involve significant population evacuations. However, managing access to more fully integrate private sector response and recovery capabilities into both national and local incident management operations continues to challenge federal, state, and local government agencies.
Neither the idea nor the need for effective access management is new. For many within the emergency management community and the private sector, the idea can be traced back to a lack of public-private coordination following Hurricane Katrina. The lessons learned from subsequent events and other large-scale emergencies have accentuated the need for government at all levels to partner more closely with the private sector—particularly concerning the restoration of critical infrastructure and stabilization of community lifelines following disasters. In terms of U.S. incident management, the application of public-private partnerships has historically defined the role of the private sector during national emergency response efforts. As a result, the role of the private sector has continued to evolve in recognition of the critical role its resources and capabilities can play in support of incident management operations. Consequently, U.S. incident management guidance—like the National Response Framework—has been updated to facilitate “closer partnerships with the private sector” to support communities affected by disasters. However, a lack of access management policy and preparedness planning has often hampered disaster management efforts.
This discussion primarily focuses on private sector critical infrastructure owners and operators’ access needs because of their essential role in disaster response and recovery efforts. This study outlines the problems associated with the concept of access management by examining the historical context of its importance during past emergencies and includes a literature review of the academic debates concerning the value of public-private partnerships in assisting U.S. disaster management efforts. This concept seeks to facilitate increased public-private coordination before, during, and after emergencies through the implementation of an access program. However, the literature review found that the majority of states do not incorporate access management as part of their overarching emergency preparedness planning. The topic of access management is further defined by exploring the purpose of an access program, the importance of access management during large-scale emergencies, and who requires and grants access. This examination highlighted the importance of public-private partnerships as an integral component of U.S. incident management. It also revealed the potential for access programs to function as an essential component to enhance government’s ability to successfully integrate private sector response capabilities into national and local disaster response and recovery operations.
Although some government officials and segments of the emergency management community understand the concept of access management, many may not fully understand the vital role private sector organizations, as critical infrastructure owners and operators, can fulfill during disaster management operations or what historical post-disaster access challenges they face. This study examines some common post-disaster access challenges experienced by the private sector—for example, a lack of interoperable access plans and use of a common approach for access management. Private sector access needs are critical when supporting the restoration of critical infrastructure, reestablishment of essential services, and other community recovery activities. This study analyzes methods used by states to facilitate access management. Additionally, comparative analysis is used to examine the federal policies and structural frameworks that encompass the fundamental tenets of U.S. incident management doctrine to analyze how they directly or indirectly support the concept of access management. The analysis first examines principal documents, such as the National Infrastructure Protection Plan, National Response Framework (NRF), and the National Disaster Recovery Framework to uncover specific reference or guidance related to access management. Next, the access management-related guidance contained in the National Incident Management System Guideline for Credentialing Personnel is compared to the guidance in the Crisis Event Response and Recovery Access (CERRA) Framework. Then, it reviews recent changes to the NRF that directly align with the concept of access management. Lastly, it examines the development of the Guidance on the Essential Critical Infrastructure Workforce, which was reviewed for its potential impacts on access management. The overall analysis finds a recognized need to implement a common access management approach and a gap in U.S. incident management doctrine.
Some government officials and critical infrastructure coordinating councils support the implementation of statewide access programs as a key component for enabling the effective integration of private sector response capabilities into state and local disaster response and recovery operations. This study explores this idea by examining the use and benefits associated with access programs as well as some of the challenges with implementing statewide programs. For example, access programs can improve coordination with a broad set of private sector stakeholders by enabling coordination of response and recovery assets through a phased re-entry process. However, implementing statewide access programs can be challenging due to the level of autonomy granted to local governments—where the use of Home Rule is applied—or where no formal public-private partnership program exists. Additionally, it analyzes the evolving role of the private sector during emergencies and assesses how access programs can assist in reducing current gaps in U.S. incident management doctrine by adding to the value proposition specified in the National Infrastructure Protection Plan, namely, the preservation of public safety and national security through the protection and strengthening of critical infrastructure. This study concludes with a discussion of its key findings and a list of recommendations that can build off one another to enhance each state’s ability to integrate private sector capabilities into disaster management efforts, improve community resilience, and effectively execute the concept of community lifeline stabilization.
Effective use of access management can assist communities in responding to and recovering from emergencies. The research suggests access programs are a practical and efficient method of integrating private sector capabilities into state and local disaster management operations. However, the research also suggests that access programs in and of themselves are not a complete answer to the overall challenge of access management. This study finds that greater implementation of statewide access programs coupled with effective use of the NRF, the CERRA Framework, and the Essential Critical Infrastructure Workforce guidance may provide the necessary components to mitigate the majority of existing access management challenges. Another key finding reveals that access management is both a response and recovery issue, yet no standard or interoperable access management process is being used consistently throughout the United States. This lack of a common process approach has often created barriers to effective integration of private sector capabilities into disaster response and recovery operations. To address the access management challenge, this thesis recommends states enact statutes to empower their emergency management agencies, increase the number of state-level Business Emergency Operations Centers, and develop interoperable access programs. An additional recommendation proposes incentivizing states to develop their access management and public-private partnership capabilities through federal grant programs. In this way, states could be encouraged to incorporate access management as part of their all-hazards preparedness planning, improve their public-private partnership capabilities, and develop innovative methods to support communities before, during, and after disasters.
 Department of Homeland Security (DHS), Crisis Event Response and Recovery Access (CERRA) Framework, (Washington, DC: Government Printing Office, 2018), ii, https://www.dhs.gov/publication/crisis-event-response-and-recovery-access.
 Jim Byrne, personal communication, December 6, 2016.
 Federal Emergency Management Agency (FEMA), 2017 Hurricane Season FEMA After-Action Report (Washington, DC: Government Printing Office, 2018), iii, https://www.fema.gov/media-library-data/1531743865541-d16794d43d3082544435e1471da07880/2017FEMAHurricaneAAR.pdf.
 FEMA, 2017 Hurricane Season, iii.
 Healthcare Ready, Access Denied—Delivery of Critical Healthcare Products and Personnel to Disaster Sites (Washington, DC: Healthcare Ready, 2016), 10–19, https://www.healthcareready.org/system/cms/files/1466/files/original/HCR_Access_Denied_Report.pdf.
 DHS, Crisis Event Response and Recovery Access, Executive Summary.
 DHS, Crisis Event Response and Recovery Access, 5–7.
 Healthcare Ready, Access Denied, 12.
 Department of Homeland Security (DHS), National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience, (Washington, DC: Government Printing Office, 2013), 1, https://www.cisa.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience; Department of Homeland Security (DHS), National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency, (Washington, DC: Government Printing Office, 2009), 10, https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf#:~:text=The%202009%20NIPP%20captures%20the%20evolution%20and%20maturation,the%20government%20and%20the%20private%20sector%20with%20the.
 Healthcare Ready, Access Denied, 10–12.