ASTM E2842-14(2021)

This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the
Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: E2842 − 14 (Reapproved 2021)
Standard Guide for
Credentialing for Access to an Incident or Event Site
This standard is issued under the fixed designation E2842; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
INTRODUCTION
The purpose of the Standard Guide for Credentialing for Access to an Incident or Event Site
(hereafter the guide) is to assist in the credentialing of personnel and the associated activities, which
allows for access to an incident or event site by State, Tribal, local, private sector, and
nongovernmental organizations (NGOs). The credentials allowing scene access should be a verifica-
tion of identity and (by the authority having jurisdiction [AHJ]) that the appropriate training,
experience, and qualifications are in place. This guide does not provide any specifications regarding
qualifications or training required for said credentials. However, it is recognized that credentialing is
a part of resource management and that a credentialed individual is a specified resource.
1. Scope privateinformationaspublicrecordmaydifferfromarespond-
er’s home jurisdiction.
1.1 The focus of this guide is on the development of
1.6 This guide utilizes the principles of the Data Manage-
guidelines for credentialing for access.The guide addresses the
ment Association Guide to the Data Management Body of
fundamentalterms,criteria,references,definitions,andprocess
Knowledge (DAMA-DMBOK) in order to effectively control
model for implementation of credentialing or a credentialing
data and information assets and does not prescribe the use of
program.
technology-based solutions.
1.2 This guide explains and identifies actions and processes
1.7 This standard does not purport to address all of the
that can provide the foundation for consistent use and interop-
safety concerns, if any, associated with its use. It is the
erability of credentialing for all entities.
responsibility of the user of this standard to establish appro-
1.3 This guide describes the activities involved in creating a
priate safety, health, and environmental practices and deter-
credentialing framework, which may include a physical badge;
mine the applicability of regulatory limitations prior to use.
however, it does not define the knowledge, skills, or abilities
1.8 This international standard was developed in accor-
required to gain access to a site or event. This guide does not
dance with internationally recognized principles on standard-
address a requirement for a physical badge as a prerequisite for
ization established in the Decision on Principles for the
a credential. A badge may be an accepted credential across
Development of International Standards, Guides and Recom-
jurisdictional lines and other credentials may be issues by the
mendations issued by the World Trade Organization Technical
AHJ at the scene.
Barriers to Trade (TBT) Committee.
1.4 This guide reinforces the importance of controlling
2. Referenced Documents
access to a site by individuals with the proper identification,
2.1 DAMA International:
qualification, and authorization, which supports effective man-
The DAMA Guide to the Data Management Body of
agement of deployed resources.
Knowledge 2009
1.5 This guide relies on the existing rules, regulations, laws,
2.2 Federal Emergency Management Agency:
and policies of the AHJ. Regulations identifying personal and
Guideline for the Credentialing of Personnel July 2011
National Response Framework January 2008
NIMS Guide 0002 National Credentialing Definition and
This guide is under the jurisdiction of ASTM Committee E54 on Homeland Criteria, March 27, 2007
Security Applications and is the direct responsibility of Subcommittee E54.02 on
Emergency Preparedness, Training, and Procedures.
Current edition approved June 15, 2021. Published July 2021. Originally Available from DAMA international, http://www.dama.org/i4a/pages/
approved in 2014. Last previous edition approved in 2014 as E2842 – 14. DOI: Index.cfm?pageid=3364.
10.1520/E2842-14R21. Available from http://www.fema.gov/pdf/emergency/nrf/nrf-core.pdf.
2 5
As defined in National Incident Management System (NIMS) 2008. Available from http://www.fema.gov/pdf/emergency/nims/ng_0002.pdf.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
E2842 − 14 (2021)
NIMS Guideline for the Credentialing of Personnel July 3.2.9 incident—an occurrence, natural or man-made, that
2011 requires a response to protect life or property. (NIMS 2008)
2.3 Department of Homeland Security:
3.2.10 issuer—theorganizationthatisissuingacredentialto
NIMS December, 2008
an applicant. Typically, this is an organization for which the
Homeland Security Presidential Directive (HSPD)
applicant is working. (FIPS 201)
12 Policy for a Common Identification Standard for
3.2.11 National Incident Management System (NIMS)—a
Federal Employees and Contractors, August 27, 2004
set of principles that provides a systematic, proactive approach
2.4 NIST Standard:
guiding government agencies at all levels, the private sector,
FIPS 201 Personal Identification Verification (PIV) of Fed-
and NGOs to work seamlessly to prepare for, prevent, respond
eral Employees and Contractors and Associated Special
to, recover from, and mitigate the effects of incidents, regard-
Publications (SPs), March 2011
less of cause, size, location, or complexity, in order to reduce
2.5 NFPA Standard:
the loss of life or property and harm to the environment.
NFPA 1600 Standard on Disaster/Emergency Management
(NIMS 2008)
and Business Continuity Programs, NFPA 2007
3.2.12 Non-Governmental Organization (NGO)—an entity
NOTE 1—Further information on these subjects can be found in
with an association that is based on the interests of its
Appendix X1.
members, individuals, or institutions. It is not created by
government, but it may work cooperatively with government.
3. Terminology
Such organizations serve a public purpose, not a private
3.1 The following definitions are intended for use in this
benefit. Examples of NGOs include faith-based charity orga-
guide.
nizations or organizations such as the American Red Cross.
3.2 Definitions: (NIMS 2008, NFR)
3.2.1 affıliation—the association of a non-credentialed indi-
3.2.13 scene—the geographical area(s) of an incident with
vidual or group of individuals under the supervision of an
boundaries and access points. There may be multiple levels of
AHJ-compliant credentialed responder for the purpose of
a scene that may require multiple access points based upon
gaining access to accomplish a specific incident or event
security, risk, or other factors as defined by the AHJ where
mission.
different levels of credentialing may be assigned.
3.2.2 applicant—an individual applying for a credential.
3.2.14 sponsor—individual or entity endorsing the applicant
3.2.3 attribute—a qualification, certification, authorization, to receive the credentials.
or privilege of the credential holder.
4. Significance and Use
3.2.4 Authority Having Jurisdiction (AHJ)—the
organization, office, or individual responsible for enforcing the
4.1 There is currently no way to ensure consistency among
requirements of a code or standard or approving equipment,
all entities across the nation for access to an incident or event
materials, an installation, or a procedure. (NFPA 1600)
scene. This guide is intended to enable consistency in creden-
3.2.5 credential—a credential is an attestation of the tials with respect to verification of identity, qualifications, and
deployment authorization (NIMS 0002).
identity, qualification, and authorization of an individual to
allow access to an incident or event site.
4.2 This guide is intended to be used by any entity that
3.2.6 credentialing—the administrative process for validat-
manages and controls access to an incident scene to facilitate
ing the qualifications of personnel and assessing their
interoperability and ensure consistency.
background, for authorization and permitting/granting access
to an incident (site or event). (NIMS Guide 0002)
5. A Framework for the Credentialing of Personnel
3.2.7 event—a planned occurrence or large-scale gathering
5.1 The framework is built upon credentialing principles
that requires planning, coordination, and support from the
andelementswithanapproachthatshouldbeestablishedasthe
emergency management community, such as a National Spe-
initialstepsofcredentialingactivities.Thefollowingprinciples
cial Security Event (NSSE) or the Superbowl.
are recommended for consideration:
3.2.8 entity—a governmental agency or jurisdiction, private 5.1.1 Standards Based—Consistent with applicable national
or public company, partnership, nonprofit organization, or standards or industry-accepted best practices.
other organization that has disaster/emergency management 5.1.2 Interoperability—Ability of systems, personnel, (stan-
and continuity of operations responsibilities. (NFPA 1600)
dards) and equipment to provide and receive functionality,
data, information, or services, or combinations thereof, to and
from other systems, personnel, and equipment among both
Available from http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf.
public and private agencies, departments, and other organiza-
AvailablefromU.S.GovernmentPrintingOfficeSuperintendentofDocuments,
tions in a manner enabling them to operate effectively together
732 N. Capitol St., NW, Mail Stop: SDE, Washington, DC 20401, http://
www.access.gpo.gov.
(NIMS 2008).
Available from National Institute of Standards and Technology (NIST), 100
5.1.3 Trust—Confidence in the identity and qualifications of
Bureau Dr., Stop 1070, Gaithersburg, MD 20899-1070, http://www.nist.gov.
the individual, and confidence in the manner in which the
Available from National Fire Protection Association (NFPA), 1 Batterymarch
Park, Quincy, MA 02169-7471, http://www.nfpa.org/assets/files/dpf/nfpa1600.pdf. credentials are validated at the scene.
E2842 − 14 (2021)
5.1.4 Physical and Cyber Security—Use of best practices to (14) Qualification Information,
protect the physical credential and associated data. Refer to the (15) Authorization Information (to deploy),
Data Security Management section of Appendix X3 for more (16) Signature,
information. (17) Agency-specific Text Area,
(18) Rank,
5.1.5 Privacy—To protect an individual’s private informa-
(19) PDF Bar Code,
tion in accordance with applicable laws; for example, name,
(20) Color Coding for Employee Affiliation,
social security number, biometric records, medical records, or
tribal enrollment. (21) Photo Border for Employee Affiliation,
(22) Agency-specific Data,
5.1.6 Transparency—Policies are implemented in an open
(23) Magnetic Strip,
and understandable manner.
(24) Return to “If Lost” Language,
5.1.7 Sustainability and Portability—Capacity to maintain
(25) Physical Characteristics of Cardholder,
credentialing activities and to remain effective when the AHJ
(26) Additional Language for Emergency Responder
or the overall authority, or both, changes.
Officials,
5.2 Credentialing Program Elements—The following cre-
(27) Standard Section 499, Title 18 Language,
dentialing program elements are recommended building blocks
(28) Linear 3 of 9 Bar Code, and
for a credentialing framework: planning, funding,
(29) Agency-specific Text.
implementation, agreements, information management, train-
Depending upon the credentialing solution based on the
ing and exercises, and audit process. For more information,
entity’s credentialing plan, there may be specific requirements
refer to Appendix X4 – Sample Credentialing Plan Template.
for data or placement. Refer to Appendix X2 for example
5.2.1 Planning—Planning should consider the jurisdiction’s
credentials.
strategy for credentialing as well as development of plans to
5.2.4 Distribution—This should include ways of maintain-
address goals, objectives, and business rules. Planning should
ing control of credentials while distributing to the appropriate
also establish roles and responsibilities and address the imple-
parties or responders. This process shall also account for lost,
mentation process and supporting procedures.
stolen, or revoked credentials, or combinations thereof.
5.2.2 Business Rules—The AHJ should detail how creden-
5.2.5 Timelines/Schedules—These elements should detail
tials will be granted, including to whom and through what
any phased approach for implementation or maintenance of the
authorization process. Rules must include a provision and plan
credentialing program.
to ensure private information is protected through the adher-
5.2.6 Needs Assessment—The needs assessment identifies
ence to privacy laws and policies, information management,
and validates the target audience and requirements for the
and protection processes. Business rules should include a
credentialingplanandprocess,includingidentificationofthose
process for verification of a person’s identification, verification
with a potential need for access, numbers and types of
of attributes, and deployment authorization. Business rules
individuals in a given skill area, and the status of extant
should also be in place for access permissions (from least
credentials in that area.
secure to most secure) at incident scenes requiring varying
security perimeters. Additionally, rules should include a pro- 5.2.7 Plans and Procedures—The credentialing plan should
cessforappealandreciprocityacrossjurisdictionalboundaries. include:
5.2.3 Credential Elements—Credentials can be anything
5.2.7.1 Purpose—Describe the reasoning for the develop-
used to identify that a person’s identity, qualifications, and ment of a credentialing plan.
authorization have been validated, for example badges, arm
5.2.7.2 Scope—Applicability of the plan, the items for
bands, vest, clothing, index cards, or any combination of
inclusion, and the intended audience.
mechanisms. The following is a list of elements that may be
5.2.7.3 Definitions—Specific definitions for key words used
consideredtodeveloptoverifyidentification,qualification,and
in the plan.
authorization information:
5.2.7.4 Authorities—Applicable legislation, regulations,
(1) Photograph,
directives, or policies, or combinations thereof, to create and
(2) Name (Last, First, Middle Initial),
implement the credentialing plan. For more detailed informa-
(3) Organization Represented,
tion about data protection, see Appendix X3.
(4) Employee Affiliation,
5.2.7.5 Governance—Planning, supervision, and control of
(5) Organizational Affiliation,
the credentialing process.
(6) Expiration Date,
5.2.7.6 Credentialing Principles—State the over-arching
(7) Area for Circuit Chip/Contact Chip/Smart Chip,
guidance for the approach of the AHJ (see above).
(8) Date Issued,
(9) Header (such as State, local, Tribal, private sector, or 5.2.7.7 Approach—A high-level description of how the
NGO), entity structures its plan to credential different types and
(10) Footer (such as Federal Emergency Response Official numbers of individuals, for example, emergency responders,
(FERO) Designation), other government agencies, elected officials, tribal leaders,
(11) Agency Seal Watermark, media, and volunteers. This approach should be scalable to
(12) Agency Card Serial Number, rapidly expand or contract to meet incident or event require-
(13) Issuer Identification, ments.
E2842 − 14 (2021)
5.2.7.8 Implementation Process—The activities included in and logistical and information support requirements for the
the credentialing implementation process. issuance of credentials should be detailed for all issuers. The
5.2.7.9 Documentation—Recordskeptbyanentitytoensure issuance process should delineate the required personnel and
the validity of an individual’s credential. their separate and distinct roles, which may include:
5.4.3.1 Applicant—Individual applying for the credential.
5.2.8 Pilot Program—Prior to the implementation of cre-
dentialing activities, a pilot project should be conducted in 5.4.3.2 Sponsor—Individual or entity endorsing the appli-
order to test and evaluate an entity’s activities. A pilot project cant to receive credential.
has the added complexity of a requirements assessment, 5.4.3.3 Enrollment Offıcial—Individual enrolling the appli-
strategy development, technology evaluation selection, and cant’s information into the issuance system. This position
initial implementation cycle that subsequent incremental proj- should not be held by the same person as the Issuance
ects may not have. Officer/Entity.
5.4.3.4 ID Validator/Adjudicator—Individual or board veri-
5.3 Funding—Funding for initiation and sustaining of a
fying all information and resolving any issues/conflicts related
viable credentialing program should be identified prior to
to the applicant’s information.
initiating a program. A line item in the jurisdiction’s budget
5.4.3.5 Issuance Offıcer/Entity—Individual or body physi-
should be created and approved that supports the strategy,
cally issuing the credential to the sponsored and approved
goals, objectives, and implementation of the program. Funding
applicant. This position should not be held by the same person
for current and future maintenance and sustainment activities
as the Enrollment Officer.
should be included. The budget should address pilot or
5.4.4 Usage—During this activity, the credential is used to
demonstration project costs if these initiatives would promote
authenticate the credential holder for access to an incident
program support and sustainment.
scene or other resource. Access authorization decisions are
5.3.1 Initial Funding—Funding should be identified to in-
made after successful credential holder identification and
clude startup costs associated with implementing a new cre-
authentication.
dentialing program. Costs covering complete assessment of the
5.4.4.1 Different levels of access permissions/perimeters
credentialing activities and specifics pertaining to roll-out
may be assigned or identified within an incident scene as
should be considered. The credentialing solution does not have
determined by the incident command.
to be capital intensive and does not have to be based on
5.4.4.2 In the event of a lost, compromised, or falsified
technology; it can be as simple as providing wristbands to
credential, termination or revocation of the credential may be
those arriving on the scene.
required.
5.3.2 SustainedFundingSource—Ascredentialingactivities
5.4.5 Maintenance—This activity delineates the currency
may be capital intensive, a sustained funding source should be
process to include renewal, reissuance, or update of the
locked in as part of the planning process to ensure that the
credential. Refer to Data Security Management in Appendix
activitiescanbesustained.Thefundingshouldbeidentifiedfor
X3 for more information.
any pilot, phases, or iterations, and through at least two
5.4.6 Termination/Revocation—The termination/revocation
additional cycles following the initial introduction of the
process is used to permanently destroy or invalidate the
credentials. The program should also include a cost accounting
credentialandthedataandkeysneededforauthenticationsoas
and tracking mechanism for all funding.
to prevent any future use of the information for authentication.
5.4 Implementation—Should provide targeted instructions
Ensure terminations/revocations are implemented on a timely
for ensuring that the plan and program are successfully
basis to minimize any negative impacts to the scene and the
integrated into operations. The implementation plan may be
AHJ. Policies and procedures for credentialing activities can
divided into phases, sections, or subsets to allow for an
include detailed steps on how to terminate or revoke a
incremental implementation of parts of the plan. The plan
credential in the event of lost, compromised, or falsified
should include the process for:
credentials. Refer to Data Security Management in Appendix
5.4.1 Request—This activity applies to the initiation of a
X4 for more information.
request by an applicant or sponsor for the issuance of a
5.5 Agreements—Agreements should be established in ad-
credential to the applicant and the validation of this request by
vance of implementation of credentialing activities for access
the sponsor.
to an incident or event. Consider all partners that may require
5.4.2 Enrollment and Registration—Thegoalofthisactivity
access to the incident or event site. Begin with a list of those
is to verify that the claimed identity of the applicant and the
partners typically involved in joint training and exercising
entire set of identity source documents presented at the time of
events and then identify those that may be required for specific
registration are valid. Background verification according to the
situations, hazards, or events. In developing agreements, share
entity’s laws, policies, or processes should be conducted as a
information regarding the credentialing program and processes
part of this process.
with potential partners or stakeholders, or both.
5.4.3 Issuance—This activity deals with the personalization
of the credential and the issuance of the credential to the 5.6 Information Management—Information as it relates to
intende
...