Formalizing the Role of Intelligence & Investigation

by Michael Prasad

Emergency managers need actionable intelligence before, during, and after disasters. More than just situational awareness, the collection, analysis, and sharing of intelligence can provide an incident’s response and recovery command and general staff with much needed decision-making information.

Michael Prasad headshotEmergency managers need intelligence throughout the disaster phase cycle – the five mission areas of the National Preparedness Goal (prevention, protection, response, recovery, mitigation) – which is more than just situational awareness during the response phase. The construct for this under both day-to-day planning, organization, equipping, training, and exercising as well as response and recovery operations should be formalized for each organization that utilizes the National Incident Management System (NIMS) and the Incident Command Structure (ICS). Under the unified command concept, all of the branches, sections, task forces, strike teams, etc. benefit from a common, coordinated, and collaborative series of intelligence tools and communications.

Although the investigation role has a primary law enforcement lead, other governmental and nongovernmental organizations need to cooperate/coordinate with and potentially support the investigations activities. For example, fire departments need to assist in preserving evidence of a potential arson-caused fire. When emergency medical services personnel – as part of the triage, transport, and treatment processes – identify and process victims (including the uninjured ones), that information can be a valuable set of data for investigations.

Options for Incorporating Intelligence & Investigations

NIMS combines intelligence and investigations (I/I). Although advocating for a split of these activities within ICS might benefit emergency management, this article focuses on the benefits of aligning intelligence activities across all of the branches and throughout the disaster phase cycle. The Federal Emergency Management Agency, under the U.S. Department of Homeland Security, has a formal structure designed for I/I that includes samples of nontraditional forms of I/I. The broad scope across the entire disaster phase cycle is highlighted in the 2013 NIMS: Intelligence/Investigations Function Guidance and Field Operations Guide:

The activities and information that are at the core of the I/I Function have historically been viewed as the primary responsibilities of “traditional” law enforcement departments and agencies at all levels of government. Although, in many cases, law enforcement departments/agencies fulfill intelligence/investigations duties, the I/I Function has aspects that cross disciplines and levels of government. “Nontraditional” forms of intelligence/investigations activities (i.e., non-law enforcement) might include:

·      Epidemiology

·      Mass fatality management

·      Fire, explosion, or arson cause and origin (regardless of likelihood of criminal activity)

·      Transportation accidents

·      Real-time research and analysis intended to protect against, respond, and/or recover from a specific incident (e.g., critical infrastructure vulnerability and consequence analysis; hurricane forecast regarding strength and estimated point of landfall; post-earthquake technical clearinghouse; or post-alert volcanic monitoring).

This broad definition expands situational awareness to the benefit of the emergency management and unified command. Many organizations have an emergency management group for their own internal continuity of operations/continuity of government. However, the communications of critical infrastructure vulnerability and consequence management intelligence is critical for all disaster phases – not just the specific mission essential functions and core capabilities that organizations have to support for emergency support functions and community lifelines during response and recovery (Fig. 1).

Fig. 1. NIMS Learning Materials slides (Source: FEMA Emergency Management Institute, 2017).

Fig. 1. NIMS Learning Materials slides (Source: FEMA Emergency Management Institute, 2017).

NIMS leaves the exact construct and placement of I/I up to the organization itself – and can be different day-to-day and during incidents (and even then, could be organized differently depending on the specific incident itself). In its lessons for the ICS 300 course, the U.S. Department of Agriculture (USDA) notes that I/I can be part of the command staff, a unit within the planning section, a branch within the operations section, or as its own section.

The analysis and sharing of information and intelligence are important elements of ICS. In this context, intelligence includes not only national security or other types of classified information but also other operational information, such as risk assessments, medical intelligence (i.e., surveillance), weather information, geospatial data, structural designs, toxic contaminant levels, utilities and public works data, etc., that may come from a variety of different sources. Traditionally, information and intelligence functions are located in the Planning Section. However, in exceptional situations, the IC may need to assign the information and intelligence functions to other parts of the ICS organization. In any case, information and intelligence must be appropriately analyzed and shared with personnel, designated by the Incident Commander, who have proper clearance and a “need-to-know” to ensure they support decision-making.

The USDA also states, “Regardless of how it is organized, the information and intelligence function is also responsible for developing, conducting, and managing information-related security plans and operations as directed by the Incident Commander.” This should place I/I more in line with the functionality of the safety officer as well, during response phase activities. This also reinforces the commander’s intent in any incident objectives of the L.I.P. (Life safety of responders and the public; Incident stabilization; and Property/asset protection). Intelligence plays a key role in maintaining the safety and security of all responders on scene.

Regardless of where an organization places I/I, it should be designed and formalized ahead of an incident. The various constructs for intelligence gathering and dissemination (e.g., day-to-day, during an assumed noncriminal incident, during a suspected criminal-incident) should be planned, organized, equipped, trained, and exercised in the same way as all of the other branches and command. Everyone in the ICS should know how I/I will be placed and support their branches, at the start of the Planning P. Although I/I might change or adapt as the incident shifts, I/I should be a checklist item to establish, not an afterthought.

Emergency management should formalize the role of intelligence within their organizations – on an all-hazards basis, not just for potential criminal incidents.

Three Case Studies

Intelligence plays a key role in protecting emergency responders and supporting the day-to-day (and response/recovery phase) operations of various organizations. Potential consequence management incidents impact continuity of operations and any mission essential functions those organizations may be supporting. Intelligence can be the trigger for activating response activities and crisis management plans. It can also assist in providing continuous protection and prevention against additional adverse impacts that may occur during any incident – especially those of a suspected criminal origination.

Case Study 1: White Powder Incidents. The attacks on the United States during 9/11 also included a white powder incident, which was identified as Anthrax. This was initially thought of as connected to the airline hijackings and part of a complex coordinated attack. Today, a major chemical, biological, radioactive, nuclear, and explosive incident threat is from Fentanyl – and it is a threat to all on-scene emergency responders (not just law enforcement) and the public who may come in contact with this extremely deadly and potent chemical compound. Examples of intelligence information sharing on this threat, include first responder guidance from the National Institute for Occupational Safety and Health, a unit of the Centers for Disease Control and Prevention.

Case Study 2: Pandemics. The 2014 Ebola outbreak extended from West Africa into the United States – and the protocols and procedures for mandatory quarantines, first responder notifications, etc. were critical to emergency management, as was intelligence about where this virus had spread. Although determining causality is certainly important to investigations, the adverse impacts (both now and in the future) of the threat/hazard is more impactful to emergency management. As for Ebola and any other pandemic, today’s coronavirus pandemic has the potential for predictive intelligence on where the next wave will impact; and how to target resources to the most vulnerable and underserved populations, while protecting their individual health information privacy.

Case Study 3: Domestic Violent Extremists. Challenges for domestic violent extremists (as compared to foreign terrorist organizations) include the balancing of public safety and security against individual constitutional and legal rights provided to citizens (e.g., free speech, freedom of assembly). Emergency managers are more concerned with the “what” than the “who” of adverse impacts from threats/hazards. Still, there are times when individuals pose a threat to multiple organizations, not just law enforcement. In such cases, coordinating threat intelligence communications and reviewing infrastructure vulnerabilities and consequence management impacts to staff and continuity of operations – before an incident occurs – are critical. When these U.S. citizen individuals commit violence (or become associated with groups that commit violence), they generally do not forfeit their constitutional rights. Regardless of who commits the act, emergency management still needs to protect, prevent, and prepare to respond to all incidents, as well as supporting protected activities (e.g., protests, even if they result in civil unrest). Also, these individuals do not operate within vacuums. They have interactions in their communities that may generate cascading events, which may escalate to the level of triggering violence or illegal acts themselves. Intelligence sharing from local law enforcement up through national intelligence agencies to other organizations, as applicable to the potential for threats and hazards, is critical to continued mission success.

(Source: Barton Dunant, Emergency Management Training and Consulting)
(Source: Barton Dunant, Emergency Management Training and Consulting)

Future Opportunities

Resources and systems at the national level – originated by law enforcement, national security, and other entities – should be utilized by emergency management at the state, territorial, tribal, and local government levels. The Homeland Security Information Network, which is utilized by fusion centers is a system that emergency managers should subscribe to and be provided information access (even to items marked as law enforcement sensitive). There is also an opportunity for academia to research and advocate for further integration of intelligence within emergency management. Historical analysis, cross-referencing against social science modalities, and experiential learning are a few of the benefits of incorporating undergraduate and graduate programs in emergency/disaster management (as well as national security studies) for the purposes of advocating for intelligence integration. Coordinated and collaborative intelligence is needed by emergency managers on an all-hazards basis, and across the entire disaster phase cycle.

Michael Prasad is a Certified Emergency Manager and is the senior research analyst for Barton Dunant Emergency Management Consulting ( He was formerly the assistant director for the Office of Emergency Management at the New Jersey State Department of Children and Families and the director of disaster support functions at the American Red Cross – New Jersey Region. He holds a Bachelor of Business Administration degree from Ohio University and is a Master of Arts candidate in Emergency and Disaster Management from American Public University. Views expressed do not necessarily represent the official position of any of these organizations.