AMET — Agile Municipal Emergency Technology
Emergency response plans assume external responders will arrive. They rarely account for what happens when those responders need access to your systems — in the first hour, across organizational lines, under conditions that don’t allow for normal IT provisioning timelines.
The integration of external resources into emergency response is not a matter of if, but when. The question your organization has almost certainly never been asked is whether your systems were ready to receive them.
— Beyond City Limits: The AMET Framework
About This Framework
The author of this framework has spent more than two decades working at the intersection of information technology and emergency management — deploying as a responder to major incidents including wildfires, floods, and interface fires, while also designing and managing IT infrastructure for large organizations.
The problem this framework describes was not found in a literature review. It was encountered in the middle of an active response, in the early hours of a multi-agency operation, when external personnel needed system access that the host organization's IT architecture could not provide on the timeline the situation required.
The framework is authored by a practitioner with professional credentials in both domains — formal training in Incident Command System (ICS), emergency management program advisory roles at the post-secondary level, and hands-on experience designing identity and access management systems for large-scale, multi-jurisdictional organizations.
AMET is an independent research publication. It has no vendor affiliation, no procurement relationship, and no institutional sponsor. It exists because the problem is real, the evidence is substantial, and no published framework had addressed it at the operational level.
The Structural Problem
Municipal emergency plans address what to do when your organization's resources are overwhelmed. They rarely address what happens in the first hour after external responders arrive — and need access to your systems.
This isn't a technology failure. It's a structural incompatibility that has existed since the first mutual aid agreement was signed. Municipal IT systems are built to grant access to employees, tie that access to specific individuals, and block everyone else. Emergency operations run on functional identity: role-based, temporary, crossing organizational boundaries. These two models are not compatible by default.
The gap does not resolve itself under pressure. It compounds. Two decades of government audits, legislative investigations, and peer-reviewed research document the same outcome: information-sharing failures caused by incompatible systems are not edge cases — they are a predictable, recurring feature of large-scale emergency response.
The cost of the current state is not hypothetical. If your municipality activated mutual aid tomorrow, external personnel would need system access. The way that access is currently granted — improvised, undocumented, ad hoc — is a live FIPPA compliance gap, a potential insurance exclusion, and a liability that crystallizes only after the emergency is already underway.
IT Security Model
Emergency Response Model
The structural gap
Neither model is wrong. Both do exactly what they were designed to do. The gap exists because they were designed in isolation — without awareness that the other would eventually need to interface with it. That’s not a technology failure. It’s an architectural oversight that has never been formally addressed.
Why It Matters Now
Each obligation is active today — not contingent on an emergency occurring. The gap between them is a live compliance exposure, not a future planning risk.
Obligation 1 — Legislative
Statutory mandate to prepare for and facilitate emergency response. That mandate does not pause at the IT perimeter. When mutual aid activates, your legal obligation to enable effective response extends to the systems external responders need to do their job.
Emergency Management and Civil Protection Act • Emergency Program Act (BC) • BC EDMA — compliance target Jan 2027 • Federal emergency frameworks
Obligation 2 — Legislative
Legal obligation to maintain documented, controlled, auditable access to resident data — including during emergencies when external personnel are brought in. The emergency does not create an exemption. It creates heightened scrutiny and an audit trail someone will eventually examine.
FIPPA s.30 • TBS Directive on Security Management • US Privacy Act • GDPR Art. 32(4)
Obligation 3 — Contractual
Cyber policies uniformly require documented access controls and audit trails. Undocumented, ad-hoc external access is precisely the scenario underwriters price when setting premiums — and exclude when processing claims. This is not a hypothetical policy interpretation.
Standard cyber liability policy conditions • Underwriter access management requirements • Incident response documentation clauses
Most municipalities meet obligations 1 and 2 in isolation. Almost none have built the IT access architecture that allows all three to be met simultaneously — during an active emergency, with external responders already in the room. That is the gap AMET closes.
The AMET Framework
AMET is the first published, operational architecture for emergency IT access management designed specifically for municipal government.
Existing frameworks — NIMS, CISA SAFECOM, NIST SP 1800-13 — acknowledge interoperability as a requirement. None provide the operational architecture to achieve it for external personnel arriving under mutual aid. AMET does.
The framework specifies how to provision function-based guest identities, assign role-scoped access, maintain audit trails, and expire access automatically — in a way that satisfies privacy legislation, insurance requirements, and emergency response timelines at the same time.
✓ Zero new procurement required — built on Microsoft 365 & Entra IDAMET is a technology-agnostic framework. Microsoft 365 and Entra ID are referenced as the majority-deployed platform for Canadian municipal government — the framework’s principles apply to any identity management platform with equivalent capability.
Pillar 1
Function-based guest accounts with defined provisioning authority, scoped access, and automatic expiry tied to the operational period.
Pillar 2
Access assigned to the function, not the individual. Responders receive exactly what their operational role requires — nothing broader.
Pillar 3
Built and validated before an emergency occurs. When mutual aid activates, provisioning executes against a tested runbook — not improvised judgment under pressure.
Pillar 4
Every access grant recorded, time-stamped, and attributable. Satisfies FIPPA documentation requirements and cyber insurance policy conditions simultaneously.
Readiness Assessment Tool
The AMET Assessment evaluates your municipality's readiness across eight architectural dimensions. The output is a written readiness profile you can bring to your IT leadership counterpart to schedule a joint exercise.
15 minutes • No login required • Radar chart output
Take the Assessment →Produces a radar chart across all 8 dimensions
Framework Paper
The paper documents two decades of evidence that the access gap is not hypothetical — legislative investigations, government audits, and peer-reviewed research confirm that information-sharing failures are a recurring, predictable feature of large-scale emergency response.
It establishes the legal and operational basis for the AMET Framework, maps the three-obligation intersection, and provides the implementation architecture specification. It is written for emergency managers and IT leadership together — not for technical specialists alone.
The action it recommends is not a procurement decision. It is one conversation: bring the assessment results to your IT leadership counterpart, schedule a two-hour joint exercise, and produce a written record that your municipality has actively addressed this gap. It costs nothing to procure. It takes one afternoon to test. It takes one conversation to start.
Read the Framework Paper →Get In Touch
The AMET Framework is an independent research initiative. Reach out with questions about the framework, the assessment, or implementation in your municipality.
Or email directly: [email protected]