Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

113   Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) Emergency response staff in your agency are often the first to face the challenges of dealing with system disruptions. Whether this response is to a serious traffic crash that has closed a major highway or a larger disruption stemming from a widespread, extreme weather event, your emergency response units are on the front line. Not only are your agency’s emergency response capabilities important for returning the system or facility to normal operations as soon as possible, but the effectiveness of this response is often one of the critical dimensions of how key stakeholders and the general public perceive the performance of your agency. Some of the most challenging public relations efforts have involved responding to critiques and criticisms from the media and public on perceived incompetence in agency response to major system disruptions. On the other hand, when a major disruption occurs and the agency is perceived as having responded quickly and efficiently and has expeditiously disseminated information to the travel- ing public, the agency’s reputation can be enhanced. For example, the Georgia DOT’s response to a 2017 bridge deck fire that closed a major interstate in Atlanta for just more than 2 months was widely applauded by the media, government officials, and transportation professionals. One of the other important characteristics of emergency response (from the perspective of agency maturity) is the collaborative, multi-agency nature of such response. The number of agencies involved in an incident will depend on the nature of the incident. For example, a major crash that closes an interstate will likely involve many units within your agency (e.g., emergency response, maintenance, traffic operations, communications/public information, and, possibly, environmental and design units, depending on the scale of the impact and damage). Such an incident will also likely involve law enforcement, the fire department, emergency medical services, towing companies, coroners and medical examiners, and hazardous materials and environ- mental inspectors (depending on the crash), along with news media (Myer and Elrahman 2019). Participation in incident response becomes even more complex if there is suspicion of terrorist involvement. DHS, a range of enforcement agencies, and other federal regulatory agencies can be added to the agencies listed above. In addition to collaboration, several factors in this step examine your agency’s preparedness for responding to cyberattacks. Some mission-critical factors in other steps are similar to those presented below. For example, Step 8B includes a factor relating to backing up key systems’ operations data, whereas a factor in this step includes backing up all agency-critical data. These are related (the first could be subsumed in the second); however, backing up system operations’ data was considered so important for the systems operations function of a transportation agency that it was still included in Step 8B. It is recognized that many agencies do not have direct responsibility for cybersecurity strategies and efforts; such responsibilities rest in other agen- cies having this mandate. In such a case, the cybersecurity-related factors might be amended to address how well these departments are providing your agency protection against cyberattacks. C H A P T E R   1 1

114 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide Capability Factors and Levels of Maturity Factor 8A.1: Does your agency have effective internal and external processes for communicating and sharing emergency response information? Major events, especially those causing severe and prolonged disruption and those that are repetitive and routine require pre-established internal and external means of communication to ensure an effective exchange of information. Such interfaces should occur at all levels within your agency as well as with other relevant agencies, with the public, and with community officials. The levels of maturity for this factor reflect the degree to which your agency has such communication capabilities and the level to which they are tested for reliable operation during an emergency. • Level 1: We have established a communication process and protocol for internal DOT functions and with other relevant agencies in the event of a major system disruption. These include primarily email and telephone communications. • Level 2: We have established multiple communication processes and protocols for internal DOT functions and with other relevant agencies in the event of a major system disruption. These include back-up processes in the event our primary communication system does not function. The process includes email and telephone communications as well as separate emergency communications systems used internally and between agencies. Detailed conti- nuity of operations and security notification contact lists have been developed to account for loss of command and control capabilities. • Level 3: We have achieved Maturity Level 2. In addition, we field test and conduct tabletop exercises of all communications systems and processes at a minimum of every other year. This includes verification and testing of back-up communication tools such as satellite phones. Factor 8A.2: Does your agency have an “All-Hazards Plan” for responding to emergencies? Your agency can anticipate the types of hazards that it will likely have to respond to, based on the systems-level vulnerability analysis from Step 7. Responding to a wildfire along a roadside is very different than responding to motorists stranded from major flooding. Your agency’s emergency response capability should therefore be designed to handle a range of major types of incidents and disruptive events. This is called an “all-hazards” approach to emergency response. In essence, an all-hazards capability means that an agency is prepared for the full spectrum of incidents, disasters, or other major disruptions it could face. This factor focuses on the extent to which you have planned for, periodically reviewed, and examined collaboratively with partner agencies the need to respond to a variety of different hazards. The major distinction among the maturity levels reflects the levels of effort for doing so. • Level 1: We have a written All-Hazards Plan that includes a detailed checklist(s) that allows a self-assessment of the effectiveness of our agency’s plan. The plan contains information about the agency’s policies, procedures, and countermeasures for all the hazards and threats likely to face the agency. • Level 2: We have achieved a Level 1 maturity. In addition, the All Hazards Plan and checklist(s) are reviewed periodically by agency staff at a minimum of every 3 years. Revisions to the plan are communicated throughout the agency. • Level 3: We have achieved Maturity Level 2. However, reviews of the agency’s All Hazards Plan and checklists occur in coordination with partner agencies. This review also occurs with operating and capital budget cycles to allow identified needs to be considered in budget decisions.

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 115   Factor 8A.3: Does your agency factor the information obtained from prior emergency incidents or events into its all-hazards response plans? This factor reflects the good business practice of monitoring events and incidents your agency has faced so as to learn from that experience. With respect to emergency response for all possible hazards, this feedback is critical because no single incident will be exactly the same as prior events. In addition, given the number of different agencies involved in response to major disruptions, it is often true that new personnel are involved in the efforts and thus can create new challenges or provide new perspectives on how to improve collaboration. The distinctions in the maturity levels for this factor represent the level to which your agency captures the experience of emergency response efforts and how this information is used. • Level 1: We have mechanisms in place to capture and analyze important information about the effectiveness of joint emergency response efforts. We only examine those disruptions that relate to what we consider to be the most disruptive hazards and threats and those that have occurred very frequently in the past. • Level 2: We have mechanisms in place to capture and analyze important information about the effectiveness of joint emergency response efforts. We have a formal template that is used by our agency emergency response staff to examine those aspects of the response that were effective and those where improvements could occur. We undertake this after-event assess- ment for all incidents and system disruptions. We use the information in updates of our All-Hazards Plan to inform estimates of the likelihood of different hazards occurring in the future and to modify plan strategies to minimize impacts. • Level 3: We have achieved Maturity Level 2 maturity. In addition, the after-event information is tabulated and organized in such a way that it can inform the planning and design of new or reconstructed projects, including the consideration of the information in the project’s life cycle analysis. We meet periodically with partner agencies to review our after-event summaries and solicit their input on efforts that can be made to improve the effectiveness of joint efforts. Factor 8A.4: Does your agency periodically field-test critical emergency management technologies, equipment, and systems to ensure performance? Making sure mission-critical equipment and coordination systems (such as communi- cations equipment) are working efficiently and effectively in multiple types of hazard and threat scenarios is an important action for ensuring rapid response to disruptions. For example, one of the lessons learned from past disruptions (e.g., the 9/11 terrorist attacks and the 2017 multi-agency response to a major ice storm in Atlanta) was that incompatible communication systems amongst responders were one of the major constraints hindering a coordinated response. Such an issue could have been discovered beforehand by using simulated emergencies to deter- mine where improvements could be made. This factor examines both the use of field tests as well as in-house testing of the performance of mission-critical equipment. The major distinction among the levels of maturity for this factor reflects the degree to which mission-critical equipment and technologies are tested periodically. Note that Factor 8A.1 has testing communication systems as part of Level 3 maturity, which could also be part of this factor. The difference between the two is that Factor 8A.1 focuses solely on communications systems, while this factor examines whether all mission-critical equipment and systems are tested as a matter of agency standard operating procedure. • Level 1: We maintain a list of mission-critical emergency management technologies, equip- ment, and systems. We monitor and test in place to detect proactively faults or performance deviations.

116 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide • Level 2: We have achieved Maturity Level 1. In addition, we conduct periodic readiness and deployment drills and assessments of mission-critical systems. Drill participants are those units in our agency that will participate in a response to an incident or major disruption. • Level 3: We have achieved Maturity Level 2. However, drill participants also include other partner agencies that will participate in a response to an incident or major disruption. The performance of the equipment and systems should be a particular focus of the after-drill evaluation. Internally, the results and information obtained through the monitoring and testing of mission-critical equipment and systems are considered in advance of procuring similar goods and services. Test results are used in support of establishing equipment or technology standards and specifications. Factor 8A.5: Do your agency’s emergency response/management and security staff interact with other units in your agency (e.g., planning, design, construction, and operations) to provide input on resilience-related aspects of their efforts? Transportation agency staff often approach a particular problem from the lens of their discipline or their business unit’s mandate. Thus, construction staff will look at a project from the perspective of the schedule, phasing, equipment and materials needs, and the level of oversight that might be necessary. Traffic operations staff might look at the same project from the perspective of traffic flow and safety. This factor relates to the participation of your agency’s emergency response/management and security staff in agency discussions on preferred char- acteristics of resilience-oriented projects and strategies. For example, emergency response staff could suggest ways of providing emergency vehicle access to incident sites, how information is provided to the public, the traffic operations strategy for diverting traffic, the types and amount of materials to be stockpiled at remote sites, and the like. Security staff could advise on how to best protect structures against explosives, how visitor screening should occur in publicly accessible buildings, or how to include enforcement and investigation staff in incidents where pre-meditated intent is suspected. • Level 1: We include our emergency response/management and security staff in resilience discussions for only the most important projects that clearly relate to their responsibilities. This interaction usually occurs on an ad hoc basis at the discretion of the unit manager leading the development of a project or strategy. • Level 2: We include our emergency response/management and security staff in resilience discussions for all projects that clearly relate to their responsibilities. This interaction has been formalized in our standard operating procedures. Recommendations from this staff have been included in project designs and strategy formulations. For example, we have mitigated security threats to our most critical and vulnerable infrastructure by hardening, providing setbacks, or adopting other mitigation techniques. • Level 3: We have achieved Maturity Level 2. In addition, we have developed guidebooks and other guidance on the types of strategies that can be considered in project designs that enhance emergency response/management and security performance. Our staff participates in TRB, AASHTO, TSA, and/or DHS webinars or participate in quarterly calls to be up to date on the latest approaches for providing a secure, resilient infrastructure. Factor 8A.6: Does your agency have a training and exercise program for the emergency response and management program? Developing and maintaining a resilient emergency management capability requires expertise, due diligence, and a high level of staff training. Effective training is available in many forms

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 117   and at varying levels of intensity and duration. It starts at the “awareness or introductory” level and extends to both on-line and classroom presentations of educational materials. However, the “gold star” standard for transportation organization training includes the conduct of both “discussion-based” and “operations-based” exercises. The DHS’s FEMA provides a compre- hensive “Drills and Exercise Program” [Homeland Security Exercise and Evaluation Program (HSEEP)] that is widely used by industry and government agencies, including many trans- portation agencies. This factor examines the extent and level of training your agency staff participates in. The distinction among maturity levels reflects the frequency of such training. • Level 1: We have emergency management plans, procedures, and processes. This includes evacuation plans, a continuity of operation plan, a business continuity plan, and a security plan. We take steps to ensure agency staff are familiar with the contents of these plans. • Level 2: We have achieved Maturity Level 1. In addition, we hold infrequent training drills, tabletop exercises, and full-scale exercises on these plans. • Level 3: We have achieved Maturity Level 2 except that we hold frequent training drills (e.g., yearly), tabletop exercises (every other year), and full-scale exercises (every 5 years) on these plans. We also monitor peer agencies, industry journals, and other sources for the latest emergency response technologies that could enhance our efforts. Factor 8A.7: Do your agency’s budget and management support systems consider the staffing surge, equipment, and communications system needs of your emergency response and management strategy? An important, but often overlooked, aspect of emergency response and management, especially for large-scale disruptions is how your agency manages emergency response efforts relating to the mobilization and utilization of resources. How do you handle surges in resource needs, which typically exceed their existing capabilities? Have you analyzed past experiences to understand such needs? What standardized protocols are in place for ER incident manage- ment covering single minor events, multiple minor events, or single major events cascading upward in intensity or duration? The types of staff, equipment, and maybe even communica- tions equipment could vary depending on the type of emergency. A flood requires construction staff/contractors, engineers, environmental staff, and construction materials and equipment. A cyber emergency may require traditional and computer network security personnel, computer programmers and technicians, and related equipment. Communications (internal and external) during some types of security/hacking events may be quite different than during a natural disaster, impacting parts or all of the communications system. In most cases, the resources needed by the emergency response and management efforts are funded by the agency’s budget. To what extent are such needs considered in budget requests? Another constraint faced by some agencies is the limitations placed on staff participation by job descriptions and other personnel requirements. This factor reflects the degree to which emergency response and management capacity needs are considered and supported by the budget and management support systems that provide information to the resource allocation decision. The distinction among the maturity levels is the degree to which such needs are considered. • Level 1: The upgrade and purchase of updated equipment and communications systems for our emergency response unit occur when the budget is available to do so. There is a good working relationship between the Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy (e.g., stockpiling replace- ment materials likely needed for system recovery). This working relationship primarily occurs on an ad hoc basis.

118 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide • Level 2: We have included periodic funding (e.g., every 3 years) for needed upgrades and purchase of emergency response equipment and communications systems. The Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy meet formally on a set schedule to coordinate budget requests. The focus of budget requests is only on those hazards and threats considered most important based on historical occurrences. • Level 3: Our agency’s budget includes annual funding for needed upgrades and purchase of emergency response equipment and communications systems. The Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy meet formally on a set schedule to coordinate budget requests. We include partner agencies in our deliberations to better understand how our budget investment reinforces their own budget allocations. We have made sure all agency staff are aware of what role, if any, they will have in a major disaster or system disruption. Factor 8A.8: Does your agency have a Continuity of Operations Plan (COOP)/Disaster Recovery Plan (DRP) in the event of major disruptions to the agency and/or in the chain of command? System resiliency not only reflects the physical design and operational/maintenance strate- gies for protecting and minimizing disruption to assets but also for making sure that the agency decision-making processes and employee availability survive major disruptions. A COOP outlines the hierarchy of decision-making if agency key leadership is not available to make decisions. It also establishes protocols for how these decisions are to be made, who should be involved, and the records/paper trail that is necessary to describe the decision rationale post-disruption. Employee safety is also a primary concern during an emergency that affects locations where employees are located. Agencies are required to establish emergency procedures and directions for such events. Maintaining the operational capability of the organization along with ensuring the safety of personnel are primary goals during an emergency. The COOP should include contingency procedures for short-term emergency events, common events occurring periodically, and for more serious disruptions that happen infrequently. In addition, the COOP should examine the scenario of a large number of mission-critical staff being unavailable due to epidemics/pandemics. Many transit agency pandemic plans, for example, discuss the challenge of providing lifeline transit service if drivers are not available due to illness or taking care of family members. Similar challenges could occur for state DOTs, for example, in the staff available to run traffic management centers (TMCs). This factor focuses on the existence of a COOP and DRP. A DRP outlines a structured approach for how an organization can recover from a serious disruption, a term often used to describe recovery from a cyberattack. In this context, a DRP informs agency staff how to recover data loss and system functionality. The major distinctions among the different levels of maturity reflect the degree to which the plans cover all units in the agency and the extent to which they are periodically tested. • Level 1: We have a Continuity of Operations Plan (COOP) that includes the agency’s essen- tial functions, order of succession, delegation of authority, continuity facilities, continuity communications, vital records management, devolution of control and direction, and a reconstitution plan. This includes a Disaster Recovery Plan (DRP) with a documented pro- cess or set of procedures to recover and protect business IT infrastructure in the event of a disaster. There is limited capability in execution of essential operations and functions at alternate operating facilities. The COOP has not been updated in several years. • Level 2: We have achieved Maturity Level 1. However, the COOP is periodically updated. The plan is regularly tested with in-field simulations of different types of emergencies.

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 119   Partial execution of essential operations and functions capability is planned to occur at alternate operating facilities, with expected performance to include all critical business functions and some noncritical business functions being operational. • Level 3: We have achieved Maturity Level 2. However, the plan adopts an agency-wide perspective that includes decision-making and communication protocols for all units in the event of a major system disruption and/or loss of contact with agency senior management. The COOP is expected to be fully executed post-disruption. The execution of essential oper- ations and functions is capable at alternate operating facilities. All critical and noncritical business functions are operational. Any necessary emotional and medical support will be provided to employees. Factor 8A.9: Does your agency conduct training, drills, and exercises on its COOP/DRP (including response procedures and decision-making processes)? Similar to the above factor on testing the effectiveness of emergency response and manage- ment capability, this factor tests the effectiveness of the COOP and DRP. In particular, the focus of such tests examines the ability of your agency to function and provide disaster response in the event of loss of command and control capability. This can occur by not allowing communica- tions with top agency leadership and conducting exercises on how your agency responds to a simulated disaster. To what extent has decision-making authority been granted to lower-level managers to respond to the disaster without the approval of top management? What backup information is needed when such decisions are made? How long does it take for frontline staff to realize they are cut off from top agency management, and how do they respond? How does your agency respond to requests from other agencies for help or support when top leadership is not available to approve such requests? The major distinction among the levels of maturity for this factor reflects the degree to which you test and evaluate your agency’s COOP and DRP. • Level 1: We provide limited training to agency emergency response and management staff on the COOP/DRP, procedures, and processes. These are primarily tabletop exercises using pre-determined hazard and threat scenarios. No field drills or operations-based exercises are conducted. • Level 2: We provide periodic training to all agency staff on the COOP/DRP. This includes discussion-based exercises on continuity of operations/disaster recovery, including work- shops and tabletop exercises. We sometimes include COOP/DRP contingencies in field exercises undertaken for emergency response and management training. • Level 3: We have achieved Maturity Level 2. We conduct training and field drills specifi- cally on the requirements of the COOP/DRP. If the capability exists to take over agency command and control responsibilities from alternate sites, such a scenario is tested by allow- ing alternate sites to “run” the agency for one day. We include a third party who introduces “new” disruptions that were not anticipated during the test of the COOP. Factor 8A.10: Does the agency have a plan to address emergencies associated with industrial control systems (ICS) and information technology (IT) system cyber threats? State transportation agencies, like other complex public and private organizations, increas- ingly rely on information technology (IT) systems and operational technology assets to fulfill their public mission. In addition to the use of IT for administrative functions, the real-time use of technology to operate and manage transportation facilities and services presents particularly

120 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide acute challenges. There have been several well-noted examples of cyberattacks against trans- portation agencies that have caused significant disruption to agency operations. • Level 1: We have written information and an information systems plan in place to assure the confidentiality, integrity, and availability of all critical information. The plan complies with applicable information security and data privacy laws and regulations. • Level 2: We conduct continuous and ongoing assessments of our agency’s information and information systems protection plans. There is a communications strategy in place to main- tain situational awareness of threats and vulnerabilities. • Level 3: We have achieved Maturity Level 2. In addition, we review our agency’s information and information systems protection plan routinely in coordination with the agency’s operat- ing and capital budget cycles. Factor 8A.11: Has your agency identified cybersecurity user categories for employees and contractors and developed and implemented policies and guidelines for these categories (e.g., policies regarding mobile devices) to ensure the protection of the agency against information system external and internal threats? One of the lessons from cyberattacks against all types of agencies is that hackers often gain access through individual computers or other connected devices. A major defense against such attacks is to create firewalls so that entry cannot occur. However, another important strategy is to make sure that employee IT and internet access is clearly delineated and understood. This is also applicable for contractors working on DOT premises. This factor focuses on how your agency has identified the extent to which employees and contractors will have access to your agency’s internet and digital capabilities. This can be done by establishing different levels of access, use of protected passwords, and other means of controlling use to protect against cyber- attacks. The distinctions among the different maturity levels for this factor reflect the degree to which cybersecurity roles and use characteristics have been defined for employees and screening procedures have been established for vendors. • Level 1: We have identified a few cybersecurity roles and user categories for employees and contractors. We have begun to develop employee and contractor policies and guidelines (e.g., policies regarding mobile devices) but have not fully implemented them. • Level 2: We have identified some cybersecurity roles and user categories for employees and contractors. We have developed a full range of employee and contractor cybersecurity policies and guidelines (e.g., policies regarding mobile devices). We screen vendors on an ad hoc basis. • Level 3: We have identified all cybersecurity roles and user categories for employees and contractors. We have developed and implemented a full range of employee and contractor policies and guidelines (e.g., policies regarding mobile devices). We have developed and implemented a screening procedure for vendors. Factor 8A.12: Does your agency use basic cybersecurity techniques and cyber hygiene practices? Best practice in cybersecurity relies on some basic approaches and strategies for protecting IT systems against cyberattacks (e.g., the use of firewalls). This factor focuses on the extent to which such techniques and practices have been integrated into your agency’s day-to-day actions. The distinction among the maturity levels for this factor reflects the degree to which your agency uses such basic techniques and practices.

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 121   • Level 1: We use a few basic cybersecurity techniques and cyber hygiene practices on an ad hoc basis. • Level 2: We have achieved Maturity Level 1. However, we use more advanced techniques and practices for the most important command and control functions in our agency. • Level 3: We use the full range of cybersecurity techniques and cyber hygiene practices across our agency. Factor 8A.13: Has your agency developed and tested a cyber-incident response and recovery plan with the participation of key stakeholders? Transportation agency officials whose agencies have experienced cyberattacks often express surprise that such an attack against their agency was successful. Often these same officials are surprised at how involved and fast the response to such attacks must be. The text box, for example, lists the different organizations that became part of the response to a cyberattack against the CDOT. CDOT was one of the agencies whose responsibility for cybersecurity rested in another agency. This attack seriously affected CDOT’s internal administrative operations, including the ability to issue paychecks to its employees. The attack entered through a CDOT website that had been left on the web even though it was no longer used. This factor focuses on the extent to which your agency (or in partnership with the agency responsible for cybersecurity) has developed and tested a cyber-incident response and recovery plan. The major distinction among the maturity levels for this factor reflects the degree to which a plan has been developed, who has been involved in plan development, and the level to which the plan is tested, especially as new cyber threats occur. • Level 1: We have developed a cyber-incident response and recovery plan in collaboration with a few key stakeholders. The plan is only partially implemented. • Level 2: We have developed and implemented a cyber-incident response and recovery plan in collaboration with all key internal and external stakeholders. • Level 3: We achieved Maturity Level 2. In addition, we test the plan by hiring hackers to attack our systems (so-called white-hat hackers). The results of such attacks are used in updates of our plan. In addition, our IT unit participates in workshops on the latest protection and recovery strategies for cyberattacks. Factor 8A.14: Does your agency regularly back up agency critical data in an accessible, secondary digital location? Transportation agencies produce and use a lot of data on transportation system performance, user data (where their responsibilities include issuing driver licenses or road use permits), historical data on project designs and program results, financial data, and employee infor- mation. Loss or the corruption of such data could create serious problems for day-to-day operations of a transportation agency. One of the ways of protecting against such loss is to back up the data considered most important to your agency. This backup could occur within your own IT network (e.g., in a dedicated cloud zone) or through a remote site not connected to your IT systems. The backup could occur automatically, within some time period, or at the discretion of an agency manager. The distinction among the maturity levels for this factor reflects the frequency of data backups and the degree to which the backed-up data are protected against attacks. • Level 1: We back up some mission-critical data as part of our existing IT standard operating procedures. This backup is located in our existing database storage. The backup occurs at the discretion of agency managers. Organizations Participating in Response to Colorado DOT Cyberattack • Colorado Department of Transportation • Colorado Governor’s Office of Information Technology • Colorado Division of Homeland Security and Emergency Management • Colorado Army National Guard • Colorado Bureau of Investigation • Federal Bureau of Investigation • Department of Homeland Security-Cyber • Department of Homeland Security-Infrastructure Protection • Department of Homeland Security-Hunt and Incident Response Team • Federal Emergency Management Agency • Federal Emergency Management Agency-MERS • Private cybersecurity contractors

122 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide • Level 2: We back up all data considered important to the day-to-day operations of our agency. The backup procedure is automatic, and the data are stored in a temporary storage site in our existing IT system. Archived data are deleted after some period of time once they are no longer useful to the agency. As-built project plans have been digitized and protected for only a subset of our assets. • Level 3: We have achieved Maturity Level 2. In addition, we store backed-up data digitally in the cloud or at remote sites with firewalls and other cyber defenses in place that will not allow attacks on our agency’s primary IT systems to reach the remote sites. As-built project plans have been digitized and protected for all our assets. Factor 8A.15: Has your agency established a cybersecurity awareness training program? Providing information on the basics of cybersecurity to employees and contractors is an important part of an agency’s cyber-protection strategy. This factor reflects the level to which your agency has provided such training. The major distinction among the maturity levels relates to the degree to which this training is provided. • Level 1: We have developed a cybersecurity awareness training program. All new employees must take the training. A contractor cybersecurity awareness program has also been devel- oped, but only a subset of our contractors has completed the training. Materials to reinforce awareness are distributed on an ad hoc basis. • Level 2: We have achieved Maturity Level 1. In addition, training is required for all employees, not just new employees. Refresher training providing updated content is provided on at least an annual basis. • Level 3: We have achieved Maturity Level 3. In addition, all contractors have taken the training. Materials to reinforce awareness are distributed periodically. An emphasis on cybersecurity is incorporated into our internal and external communications strategy. Table 20 shows the factors that are included in the self-assessment tool. The maturity levels for each factor are presented in the descriptions of each factor Recommended Actions to Maintain the Highest Level of Agency Resilience Capability The highest level of capability for enhancing emergency response and agency preparedness capabilities focuses on organizational cognizance and performance across five mission areas of emergency management—prevention, protection, mitigation, response, and recovery—as well as on your agency’s positioning to recover against a disruption to its command and control structure, including an attack against your IT systems. If your agency has reached Maturity Level 3 of agency capability, the steps that can be taken to maintain this level include: • Make sure your All-Hazards Plan is updated regularly with the most up-to-date hazard pro- jections and threat assessments. Engage outside experts on individual hazards and threats to assess the likely effectiveness of your response. • Regularly update redundant emergency contact information for all key personnel and points of contact. • Regularly assess for quality the data and information collected from prior incidents and disruptions that are archived for use in updating the All-Hazards Plan (and used also in other functions in the agency). • Using the established coordination mechanism for your agency’s resilience strategy and efforts, assess the level and quality of interaction between your emergency response/management and security staff and the staff of other units. Make improvements where necessary.

(continued on next page) Maturity Factor Level 1 (1 point) Level 2 (2 points) Level 3 (3 points) 8A.1 Does the agency have effective internal and external processes for communicating and sharing emergency response information? We have established a communication process and protocol for internal DOT functions and with other relevant agencies in the event of a major system disruption. These include primarily email and telephone communications. We have established multiple communication processes and protocols for internal DOT functions and with other relevant agencies in the event of a major system disruption. These include back-up processes in the event our primary communication system does not function. The process includes email and telephone communications as well as separate emergency communications systems used internally and between agencies. Detailed continuity of operations and security notification contact lists have been developed to account for loss of command and control capabilities. We have achieved Maturity Level 2. In addition, we field test and conduct tabletop exercises of all communications systems and processes at a minimum of every other year. This includes verification and testing of back-up communication tools such as satellite phones. 8A.2 Does your agency have an “All-Hazards Plan” for responding to emergencies? We have a written All-Hazards Plan that includes a detailed checklist(s) that allows a self- assessment of the effectiveness of our agency’s plan. The plan contains information about the agency’s policies, procedures, and countermeasures for all the hazards and threats likely to face the agency. We have achieved a Level 1 maturity. In addition, the All Hazards Plan and checklist(s) are reviewed periodically by agency staff at a minimum of every 3 years. Revisions to the plan are communicated throughout the agency. We have achieved Maturity Level 2. However, reviews of the agency’s All Hazards Plan and checklists occur in coordination with partner agencies. This review also occurs with operating and capital budget cycles to allow identified needs to be considered in budget decisions. 8A.3 Does your agency factor the information obtained from prior emergency incidents or events into its all- hazards response plans? We have mechanisms in place to capture and analyze important information about the effectiveness of joint emergency response efforts. We only examine those disruptions that relate to what we consider to be the most disruptive hazards and threats and those that have occurred very frequently in the past. We have mechanisms in place to capture and analyze important information about the effectiveness of joint emergency response efforts. We have a formal template that is used by our agency emergency response staff to examine those aspects of the response that were effective and those where improvements could occur. We undertake this after-event assessment for all incidents and system disruptions. We use the information in updates of our All-Hazards Plan to inform estimates of the likelihood of different hazards occurring in the future and to modify plan strategies to minimize impacts. We have achieved Maturity Level 2. In addition, the after-event information is tabulated and organized in such a way that it can inform the planning and design of new or reconstructed projects, including the consideration of the information in the project’s life cycle analysis. We meet periodically with partner agencies to review our after-event summaries and solicit their input on efforts that can be made to improve the effectiveness of joint efforts. Table 20. Assessment table for Step 8A: Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness.

Maturity Factor Level 1 (1 point) Level 2 (2 points) Level 3 (3 points) 8A.4 Does your agency periodically field-test critical emergency management technologies, equipment, and systems to ensure performance? We maintain a list of mission- critical emergency management technologies, equipment, and systems. We monitor and test in place to detect proactively faults or performance deviations. We have achieved Maturity Level 1. In addition, we conduct periodic readiness and deployment drills and assessments of mission-critical systems. Drill participants are those units in our agency that will participate in a response to an incident or major disruption. We have achieved Maturity Level 2. However, drill participants also include other partner agencies that will participate in a response to an incident or major disruption. The performance of the equipment and systems should be a particular focus of the after-drill evaluation. Internally, the results and information obtained through the monitoring and testing of mission-critical equipment and systems are considered in advance of procuring similar goods and services. Test results are used in support of establishing equipment or technology standards and specifications. 8A.5 Do your agency’s emergency response/management and security staffs interact with other units in your agency (e.g., planning, design, construction, and operations) to provide input on resilience- related aspects of their efforts? lities. We include our emergency response/management and security staff in resilience discussions for only the most important projects that clearly relate to their responsibi This interaction usually occurs on an ad hoc basis at the discretion of the unit manager leading the development of a project or strategy. We include our emergency response/management and security staff in resilience discussions for all projects that clearly relate to their responsibilities. This interaction has been formalized in our standard operating procedures. Recommendations from this staff have been included in project designs and strategy formulations. For example, we have mitigated security threats to our most critical and vulnerable infrastructure by hardening, providing setbacks, or adopting other mitigation techniques. We have achieved a Maturity Level 2. In addition, we have developed guidebooks and other guidance on the types of strategies that can be considered in project designs that enhance emergency response/management and security performance. Our staff participates in TRB, AASHTO, TSA, and/or DHS webinars or participate in quarterly calls to be up to date on the latest approaches for providing a secure, resilient infrastructure. 8A.6 Does your agency have a training and exercise program for the emergency response and management program? We have emergency management plans, procedures, and processes. This includes evacuation plans, a continuity of operation plan, a business continuity plan, and a security plan. We take steps to ensure agency staff are familiar with the contents of these plans. We have achieved Maturity Level 1. In addition, we hold infrequent training drills, tabletop exercises, and full-scale exercises on these plans. We have achieved Maturity Level 2 except that we hold frequent training drills (e.g., yearly), tabletop exercises (every other year), and full-scale exercises (every 5 years) on these plans. We also monitor peer agencies, industry journals, and other sources for the latest emergency response technologies that could enhance our efforts. Table 20. (Continued).

8A.7 Do your agency’s budget and management support systems consider the staffing surge, equipment, and communications system needs of your emergency response and management strategy? The upgrade and purchase of updated equipment and communications systems for our emergency response unit occur when the budget is available to do so. There is a good working relationship between the Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy (e.g., stockpiling replacement materials likely needed for system recovery). This working relationship primarily occurs on an ad hoc basis. We have included periodic funding (e.g., every 3 years) for needed upgrades and purchase of emergency response equipment and communications systems. The Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy meet formally on a set schedule to coordinate budget requests. The focus of budget requests is only on those hazards and threats considered most important based on historical occurrences. Our agency budget includes annual funding for needed upgrades and purchase of emergency response equipment and communications systems. The Emergency Response unit and other units that need to collaborate in order to implement an emergency response strategy meet formally on a set schedule to coordinate budget requests. We include partner agencies in our deliberations to better understand how our budget investment reinforces their own budget allocations. We have made sure all agency staff are aware of what role, if any, they will have in a major disaster or system disruption. 8A.8 Does your agency have a Continuity of Operations Plan (COOP)/ Disaster Recovery Plan (DRP) in the event of major disruptions to the agency and/or in the chain of command? We have a Continuity of Operations Plan (COOP) that includes the agency’s essential functions, order of succession, delegation of authority, continuity facilities, continuity communications, vital records management, devolution of control and direction, and a reconstitution plan. This includes a Disaster Recovery Plan (DRP) with a documented process or set of procedures to recover and protect business IT infrastructure in the event of a disaster. There is limited capability in execution of essential operations and functions at alternate operating facilities. The COOP has not been updated in several years. We have achieved Maturity Level 1. However, the COOP is periodically updated. The plan is regularly tested with in-field simulations of different types of emergencies. Partial execution of essential operations and functions capability is planned to occur at alternate operating facilities, with expected performance to include all critical business functions and some noncritical business functions being operational. We have achieved Maturity Level 2. However, the plan adopts an agency-wide perspective that includes decision-making and communication protocols for all units in the event of a major system disruption and/or loss of contact with agency senior management. The COOP is expected to be fully executed post-disruption. The execution of essential operations and functions is capable at alternate operating facilities. All critical and noncritical business functions are operational. Any necessary emotional and medical support will be provided to employees. (continued on next page)

Maturity Factor Level 1 (1 point) Level 2 (2 points) Level 3 (3 points) 8A.9 Does your agency conduct training, drills, and exercises on its COOP/DRP (including response procedures and decision-making processes)? We provide limited training to agency emergency response and management staff on the COOP/DRP, procedures, and processes. These are primarily tabletop exercises using pre- determined hazard and threat scenarios. No field drills or operations-based exercises are conducted. We provide periodic training to all agency staff on the COOP/DRP. This includes discussion-based exercises on continuity of operations/disaster recovery, including workshops and tabletop exercises. We sometimes include COOP/DRP contingencies in field exercises undertaken for emergency response and management training. We have achieved Maturity Level 2. We conduct training and field drills specifically on the requirements of the COOP/DRP. If the capability exists to take over agency command and control responsibilities from alternate sites, such a scenario is tested by allowing alternate sites to “run” the agency for one day. We include a third party who introduces “new” disruptions that were not anticipated during the test of the COOP. 8A.10 Does the agency have a plan to address emergencies associated with industrial control systems (ICS) and information technology (IT) system cyber threats? We have written information and an information systems plan in place to assure the confidentiality, integrity, and availability of all critical information. The plan complies with applicable information security and data privacy laws and regulations. We conduct continuous and ongoing assessments of our agency’s information and information systems protection plans. There is a communications strategy in place to maintain situational awareness of threats and vulnerabilities. We have achieved Maturity Level 2. In addition, we review our agency’s information and information systems protection plan routinely in coordination with the agency’s operating and capital budget cycles. 8A.11 Has your agency identified cybersecurity user categories for employees and contractors and developed and implemented policies and guidelines for these categories (e.g., policies regarding mobile devices) to ensure the protection of the agency against information system external and internal threats? We have identified a few cybersecurity roles and user categories for employees and contractors. We have begun to develop employee and contractor policies and guidelines (e.g., policies regarding mobile devices) but have not fully implemented them. We have identified some cybersecurity roles and user categories for employees and contractors. We have developed a full range of employee and contractor cybersecurity policies and guidelines (e.g., policies regarding mobile devices). We screen vendors on an ad hoc basis. We have identified all cybersecurity roles and user categories for employees and contractors. We have developed and implemented a full range of employee and contractor policies and guidelines (e.g., policies regarding mobile devices). We have developed and implemented a screening procedure for vendors. 8A.12 Does your agency use basic cybersecurity techniques and cyber hygiene practices? We use a few basic cybersecurity techniques and cyber hygiene practices on an ad hoc basis. We have achieved Maturity Level 1. However, we use more advanced techniques and practices for the most important command and control functions in our agency. We use the full range of cybersecurity techniques and cyber hygiene practices across our agency. Table 20. (Continued).

8A.14 Does your agency regularly back up agency critical data in an accessible, secondary digital location? We back up some mission- critical data as part of our existing IT standard operating procedures. This backup is located in our existing database storage. The backup occurs at the discretion of agency managers. We back up all data considered important to the day-to-day operations of our agency. The backup procedure is automatic, and the data are stored in a temporary storage site in our existing IT system. Archived data are deleted after some period of time once they are no longer useful to the agency. As-built project plans have been digitized and protected for only a subset of our assets. We have achieved Maturity Level 2. In addition, we store backed-up data digitally in the cloud or at remote sites with firewalls and other cyber defenses in place that will not allow attacks on our agency’s primary IT systems to reach the remote sites. As-built project plans have been digitized and protected for all our assets. 8A.15 Has your agency established a cybersecurity awareness training program? We have developed a cybersecurity awareness training program. All new employees must take the training. A contractor cybersecurity awareness program has also been developed, but only a subset of our contractors has completed the training. Materials to reinforce awareness are distributed on an ad hoc basis. We have achieved Maturity Level 1. In addition, training is required for all employees, not just new employees. Refresher training providing updated content is provided on at least an annual basis. We have achieved Maturity Level 3. In addition, all contractors have taken the training. Materials to reinforce awareness are distributed periodically. An emphasis on cybersecurity is incorporated into our internal and external communications strategy. Score Range Description of Agency Maturity for Assessing Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness 0 to 20 Your agency is emerging into this area and has taken initial steps to grow awareness and understanding of enhancing emergency response and agency preparedness capabilities. 21 to 39 Your agency has implemented several emergency response and agency preparedness strategies, not so much as part of an agency-wide strategy but rather at the initiative of agency staff. 40 to 45 Your agency has reached significant maturity in identifying and implementing an emergency response and agency preparedness strategy. The major focus should be on maintaining and enhancing existing efforts when appropriate and taking advantage of new opportunities as they become available. 8A.13 Has your agency developed and tested a cyber-incident response and recovery plan with the participation of key stakeholders? We have developed a cyber- incident response and recovery plan in collaboration with a few key stakeholders. The plan is only partially implemented. We have developed and implemented a cyber- incident response and recovery plan in collaboration with all key internal and external stakeholders. We achieved Maturity Level 2. In addition, we test the plan by hiring hackers to attack our systems (so-called white-hat hackers). The results of such attacks are used in updates of our plan. In addition, our IT unit participates in workshops on the latest protection and recovery strategies for cyberattacks.

128 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide • Continue to assess the effectiveness of the communications systems with partner agencies as they support emergency response efforts. Test these systems against all types of hazards and threats that your agency might face. • Conduct annual assessments of interagency emergency response drills and exercises in collaboration with federal, state, and regional partners. • Conduct and review drills and exercises of your agency’s COOP and DRP. • Establish (if not already) a redundant secondary COOP site that can be activated in the event of a disruption in agency command and control structures. • Update (or develop if not available) real-time monitoring systems, sensors, mobile devices, video, and IoT devices that can be used during emergencies to send automated notifications to response teams. • Conduct white-hat hacker attacks against your agency’s IT systems to identify access points. • Continue to update employee and contractor training on cybersecurity as new threats occur. • Continue to include information on your agency’s emergency response/management and disaster recovery efforts in the resilience communications strategy. If you did not score a 45 in the assessment (a perfect score in Level 3 efforts), identify those factors that were rated lower and identify a strategy or action steps to improve these particular components of Step 8A. Recommended Actions to Achieve Higher Levels of Resilience Capability If you scored at the lowest level, you are just starting your evolution toward a more resilience- oriented agency. In such a case, the top managers of the agency should identify which of the factors in Table 20 were most lacking and determine priorities for enhancing emergency response and agency preparedness capabilities. Table 21 is offered as a template to determine which steps your agency can take to improve its resilience capabilities, who should be responsible, the timeframe for the implementation, and expected outcomes. Let’s do this. (check) Action Re sp on si bi lit y? Ti m ef ra m e? Ex pe ct ed ou tc om es ? Develop a 24/7 threat and hazard warning system. Create or modernize your agency’s emergency notification system. Implement a multi-year exercise program that includes the conduct of emergency management drills and functional and full-scale exercises. Assess the effectiveness of the multi-agency communications systems and protocols used during emergency response/management actions. Include in this assessment the effectiveness of the technologies and equipment used in the response. If not already done, develop an all-hazards response plan and establish an update schedule. Table 21. Actions to achieve higher maturity for Step 8A: Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness.

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 129   Let’s do this. (check) Action Re sp on si bi lit y? Ti m ef ra m e? Ex pe ct ed ou tc om es ? Develop and periodically update a strategy and mechanism for emergency management and security staff to provide input into the decisions of other agency units. Develop and periodically update a strategy and mechanism for data and information obtained from prior disruptions to be incorporated into agency decisions. Monitor the allocation over time of agency budget resources to the emergency response/management and disaster recovery capacity. Determine if such allocations are adequate to prepare your agency for dealing with major disruptions. Publish an agency-wide COOP that identifies types of critical incidents or events, emergency activation criteria, and procedural guidelines to ensure safe internal and external operations. Test the COOP periodically. Include in this test unexpected variations of likely hazards and threats (e.g., two major disruptions occurring at the same time). If not already done, locate a COOP secondary site at a TMC, fusion center, or statewide emergency management operations center. Establish a common set of cross-disciplinary criteria for prevention, preparedness, mitigation, disaster management, emergency management, environmental management, and business continuity of operations. Publish a training calendar and schedule for emergency management introductory level training for all agency personnel. Develop, update, and test physical and cybersecurity plans. The plans should be coordinated with the other agencies who have primary responsibility for the provision of security services. Publish a training calendar and schedule for cybersecurity awareness for agency personnel and contractors. Create and support opportunities for agency staff involved in emergency response/management, disaster recovery, and cybersecurity efforts to interact with peers in other agencies and professional organizations’ meetings. Possible steps for Step 4: Implement Early Wins Table 21. (Continued).

130 Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide Chapter 11 Reference Meyer, M. and O. Elrahman, eds. 2019. Transportation and Public Health: An Integrated Approach to Policy, Planning, and Implementation. Chapter 7: Transportation System Safety and Public Health. Elsevier Publishing. Useful Resources AASHTO. 2015. Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience, and Emergency Management for State Departments of Transportation. Washington, DC. Retrieved June 30, 2020, from https://ctssr.transportation.org/wp-content/uploads/sites/54/2017/10/Fundamental-Capabilities-of- Effective.pdf AASHTO. 2017. Understanding Transportation Resilience: A 2016–2018 Roadmap for Security, Emergency Management, and Infrastructure Protection in Transportation Resilience. Washington, DC. Retrieved June 30, 2020, from https://environment.transportation.org/pdf/infrastructure_resilience/understandingtransresil_ jan2017.pdf Contestable, J. and L. Radow. 2017. Resilience Thinking and Future Research: Beyond Quick Fixes. TR News, No. 311. September–October 2017, pp. 33–39. Countermeasures Assessment and Security Experts, LLC and Western Management Consulting, LLC. 2015. NCHRP Web-Only Document 221 and TCRP Web-Only Document 67: Protection of Transportation Infra- structure for Cyber Attacks: A Primer. Transportation Research Board, Washington, DC. Retrieved June 30, 2020, from http://trbcybersecurity.erau.edu/resources/nchrp_wod_221_tcrp_wod_067.pdf Countermeasures Assessment and Security Experts, LLC and Western Management and Consulting, LLC. 2020. NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Transportation Research Board, Washington, DC. DHS. 2018. Threat and Hazard Identification and Risk Assessment (THIRA) and Stakeholder Preparedness Review (SPR) Guide: Comprehensive Preparedness Guide (CPG) 201, 3rd ed. Retrieved March 28, 2021, from https://www.fema.gov/sites/default/files/2020-04/CPG201Final20180525.pdf FHWA. 2013. Risk-Based Transportation Asset Management: Building Resilience into Transportation Assets: Report 5: Managing External Threats Through Risk-Based Asset Management. U.S. Department of Trans- portation, Washington, DC, March. Retrieved June 30, 2020, from http://www.fhwa.dot.gov/asset/pubs/ hif13018.pdf Flannery, A., M. Pena, and J. Manns. 2018. NCHRP Synthesis 527: Resilience in Transportation Planning, Engineer- ing, Management, Policy, and Administration. Transportation Research Board, Washington, DC. Retrieved June 30, 2020, from https://www.nap.edu/download/25166 Fletcher, D. R. and D. S. Ekern. Forthcoming. NCHRP Research Report 975: Transportation System Resilience: Research Roadmap and White Papers. Transportation Research Board. Washington, DC. Frazier, E., D. S. Ekern, M. C. Smith, J. Western, P. Bye, and M. Krentz. 2015. NCHRP Web-Only Document 206: Managing Catastrophic Transportation Emergencies: A Guide for Transportation Executives. Transpor- tation Research Board, Washington, DC. Retrieved February 23, 2020, from http://www.trb.org/Main/ Blurbs/171299.aspx Frazier, E., J. Western, P. Bye, G. Owen, and M. Smith. 2016. NCHRP Web-Only Document 233: Mainstreaming Transportation Hazards and Security Risk Management: CAPTA Update and Implementation. Transportation Research Board, Washington, DC. Retrieved June 30, 2020, from https://www.nap.edu/download/24812 Frazier, E., Y. Nakanishi, and M. A. Lorimer. 2009. NCHRP Report 525: Surface Transportation Security Volume 14, Security 101: Physical Security Primer for Transportation Agencies. Transportation Research Board of the National Academies, Washington, DC. Retrieved February 23, 2020, from https://www.nap.edu/ download/22998 Frazier, E., Y. Nakanishi, P. Auza, J. Western, P. Bye, and D. Matherly. 2020. NCHRP Research Report 931: A Guide to Emergency Management at State Transportation Agencies. Transportation Research Board, Washington, DC. http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_931.pdf Frazier, E. R., Sr., D. Ekern, M. Smith, J. Western, and P. Bye. 2014. NCHRP Report 793: Incorporating Transpor- tation Security Awareness into Routine State DOT Operations and Training. Transportation Research Board of the National Academies, Washington, DC. Retrieved February 23, 2020, from https://www.nap.edu/ download/22263 National Infrastructure Advisory Council (NIAC). 2015. National Infrastructure Advisory Council Transporta- tion Sector Resilience: Final Report and Recommendations. July. Washington, DC. Retrieved June 30, 2020, from https://www.cisa.gov/publication/niac-transportation-resilience-final-report

Assess Strategies for Enhancing Emergency Response Capabilities and Agency Preparedness (Step 8A) 131   NIST. 2012. NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Joint Task Force Transformation Initiative. Information Security. Gaithersburg, MD. Retrieved June 30, 2020, from https:// nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf TSA. n.d. Intermodal Security Training and Exercise Program. Website. Retrieved June 30, 2020, from https:// www.tsa.gov/for-industry/intermodal-security-training-and-exercise-program Yuki, J., Auza, N., and Auza, P. 2015. NCHRP Synthesis 468: Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance and Operations Field Personnel. Transportation Research Board of the National Academies, Washington, DC. Retrieved February 23, 2020, from https:// www.nap.edu/download/22197