BY ORDER OF THE SECRETARY OF THE AIR FORCE

AIR FORCE MANUAL 31-XXX
XX XXXXX 2019
Security
INTEGRATED DEFENSE RISK MANAGEMENT PROCESS

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

ACCESSIBILITY: Publications and forms are available on the e-Publishing website at for downloading or ordering.
RELEASABILITY: There are no restrictions on the release of this publication.
OPR: HQ XXXXX
CERTIFIED BY: HQ XXXX (XXXXXX)
Pages: XX

This manual explains the Integrated Defense Risk Management Process (IDRMP) as directed in AFI 31-101. It provides procedures for conducting the IDRMP precursors to include: development of mission statement; development of commander’s intent and guidance; conducting of mission analysis; and intelligence preparation of the battlespace. Additionally, it provides procedures for conducting the risk management process to include: developing the criticality assessment; developing the threat assessment; developing the vulnerability assessment; developing the risk assessment; developing the risk tolerance decision; developing risk mitigation courses of action; and decision and implementation.

Table of Contents

Chapter 1 — Introduction
  Background
  Objective
  Methodology
  Phases
  IDRMP Output
Chapter 2 – Preparatory Activity – Mission Analysis, Integrated Defense (ID) Mission Statement and Commander’s Intent
  Overview
  Goal
  Process
  Output
Chapter 3 – Preparatory Activity – Intelligence Preparation of the Battlespace
  Overview
  Goal
  Process
Chapter 4 – IDRMP Step 1 – Criticality Assessment
  Policy
  Goal
  Process
  Tools
  Output
Chapter 5 – IDRMP Step 2 – Threat Assessment
  Policy
  Goal
  Process
  Tools
  Output
Chapter 6 – IDRMP Step 3 – Vulnerability Assessment
  Policy
  Overview
  Goal
  Process
  Process Output
Chapter 7 – IDRMP Step 4 – Risk Assessment
  Overview
  Process Goal
  Process
  Process Output
Chapter 8 – IDRMP Step 5 – Risk Tolerance Decision
  Overview
  Process Goal
  Process
  Process Output
Chapter 9 – Step 6 – Course of Action Development
  Overview
  Process Goal
  Process
  Process Output
Chapter 10 – Step 7 – Decision and Implementation
  Overview
  Process Goal
  Process
  Process Output
Attachment 1 – Glossary of Terms and Acronyms
Attachment 2 – Threat Analysis Factors
Attachment 3 – IDRMP Threat Tactics
Attachment 4 – Commander’s Critical Information Requirements
Attachment 5 – Asset Criticality Worksheet Template
Attachment 6 – Pre-scored Asset List
Attachment 7 – Asset Subcategories
Attachment 8 – Default Preferred Targets
Attachment 9 – Default Target Preference
Attachment 10 – Default Consequence Factors
Attachment 11 – Vulnerability Worksheet
Attachment 12 – Risk Summary Worksheet
Attachment 13 Integrated Defense Tool Kit

Chapter 1 — Introduction

Overview: This manual explains how to conduct the Integrated Defense Risk Management Process (IDRMP) consistent with DoD standards, including Joint Publication 3-07.2
Antiterrorism and DoDI O-2000.16-V1, Change 1, May 5, 2017. When executed, IDRMP satisfies annual requirements for threat assessments (TA), criticality assessments (CA), vulnerability assessments (VA), risk assessments (RA) and antiterrorism (AT) program reviews. The IDRMP provides Installation Commanders, Integrated Defense Working Groups (IDWGs), Defense Force Commanders (DFCs) and defense planners the ability to produce effects-based Integrated Defense Plans (IDPs) by using a standardized model to identify risks and develop risk management strategies. These strategies leverage finite resources against adaptive threats to protect AF assets. This manual also provides guidance regarding the use of the Enterprise Protection Risk Management Program, which is the HAF/A4S-approved automated IDRMP application to facilitate the Integrated Defense (ID) risk management process and is the Joint Staff J364-required system for antiterrorism assessments. (Attachment X)

Background: The IDRMP combines the relevant processes of the Military Decision Making Process (MDMP), Intelligence Preparation of the Battlespace (IPB) and the Risk Assessment (RA) process described in DoDI O-2000.16-V1, Change 1. The combination of these processes supports the transition of installation security from compliance-based standards to effects-based strategies designed to defeat threats and mitigate risks to an installation’s mission assets.

Objective: The IDRMP should provide the commander with objective data to determine “what” to defend and “how” to defend it when considering threat, criticality, vulnerabilities and operating environment unique to each installation. This will result in ID plans that achieve specific desired effects and effectively manage risks to an installation’s mission assets.
Additionally, the process serves as the basis for determining the most effective method for employing ID forces and aids in determining the need for physical security construction, equipment and technology upgrades.

Methodology: The process is based upon the AT risk management procedures and methodology that are required by AT Standard 3 in DoDI O-2000.16-V1, Change 1, outlined in DoDI 3020.45 and modeled in JP 3-07.2. It executes the TA, CA, and VA, and aggregates them into an RA.

Phases: There are two phases to completing the IDRMP.
- Preparatory activities: 1) mission statement; 2) Installation Commander’s intent; 3) mission analysis; and 4) IPB process.
- Risk assessment (RA) execution: 1) developing the criticality analysis; 2) developing the threat assessment; 3) developing the vulnerability assessment; 4) developing the risk assessment; 5) developing the risk tolerance decision; 6) developing risk mitigation courses of action; and 7) decision and implementation.

IDRMP Output: The result of the IDRMP will be:
- A prioritized list of threat-asset-vulnerability risk scenarios
- A prioritized list of remediation actions to reduce vulnerability to threats
- A revised list of risk scenarios that accounts for how much the remediation actions reduce risk by reducing assets’ vulnerability to threats

Chapter 2 – Preparatory Activity – Mission Analysis, Integrated Defense (ID) Mission Statement and Commander’s Intent

Overview: Based upon the mission statement, the mission analysis is conducted by the IDWG to identify explicit and implicit tasks required to successfully execute the mission and meet the AF Installation Commander’s intent.
To accomplish this, the Commander’s staff conducts mission analysis to identify what the command must accomplish, when and where it must be done, and most importantly why – the purpose of the mission – while identifying supported Combatant Commands (CCMDs), OPLANs, Mission Essential Functions (MEFs), Mission Essential Tasks (METs), critical assets, etc. This analysis supports the development of a comprehensive installation Mission Statement which is the basis for the Installation CC’s ID mission statement.

Process Goal: The goal is to conduct a comprehensive mission analysis in order to break down the ID mission, and analyze the key and essential tasks required to accomplish the mission and meet the Commander’s intent. Mission Analysis is not a tangible product; rather, it is the process by which decision makers attain tactical intuition into various aspects of friendly and enemy situations within the operating environment. Mission Analysis should include all missions supported by an installation, as well as identify all assets that are critical to the accomplishment of those missions. At a minimum, the analysis should include a review of the OPLANs that installation units/agencies are tasked in, and any assets identified as Defense Critical Assets/Infrastructure or Task Critical Assets in various defense critical asset management systems. The process can support evolving missions for a site and should be revisited frequently.

Process: Mission analysis helps the Installation CC understand the operational environment and identify limiting factors (LIMFACs) and constraints that they must consider when developing guidance to drive the rest of the planning process.
The Installation CC’s staff conducts mission analysis to fully understand all aspects related to the execution of the installation’s mission, and to fulfill the Commander’s intent, using the following steps:

EXAMPLE ABW MISSION STATEMENTS
Operational Mission: 1776 ABW conducts continuous operations of General Colonial AFB in order to support sustainment, training, and deployment and employment of Air Force assets to deliver combat power globally in support of designated Combatant Commands worldwide.
Integrated Defense Mission: 1776 ABW executes sustained operations for the integrated defense of General AFB and its Base Security Zone in order to achieve the objective of a fully protected installation, and assets, in support of the AFB operational mission.

A) Analyze the Air Base Wing (ABW) or Installation Mission Statement: Mission Analysis begins with the collection of validated documents. The key document for the integrated defense (ID) mission statement is the base, or air base wing, mission statement. This identifies the mission(s) which must be protected by the ID. In other words, the base has an operational mission, and the ID mission is designed to protect the assets on which that mission depends. If no ABW mission statement exists, then a new process of mission development must be followed (see Attachment Z), but in the preponderance of cases there should be existing guidance.
Detailed analysis of the ABW mission. On behalf of the Installation CC, the Integrated Defense Working Group (IDWG) conducts a more detailed analysis to identify the assets that must be protected by ID. It may extend beyond the ABW mission to include assets of tenant organizations that support missions other than those of the ABW. Below are activities that the IDC should consider:
- Identifying specified and implied tasks for the installation
- Examining the Commander’s intent two echelons above
- Analyzing higher headquarters planning activities and strategic guidance
- Reviewing commander's initial planning guidance, including his initial understanding of the operational environment, of the problem, and description of the operational approach
- Reviewing higher headquarters intelligence and knowledge products
- Reviewing installation OPLANs and other type guidance/directives
- Considering the mission of adjacent installations/units to understand how they contribute to the decisive operation of their higher headquarters
- Determining known facts and developing planning assumptions
- Determining and analyzing operational limitations
- Determining specified, implied, and essential tasks
- Identifying MEFs/METs
- Developing assumptions
- Identifying LIMFACs
- Identifying constraints
- Identifying critical assets

EXAMPLE ID MISSION STATEMENTS
(Who) Operational Mission: 1776 ABW conducts continuous operations of General AFB in order to support sustainment, training, and deployment of Air Force assets in support of designated Combatant Commands worldwide.
Integrated Defense Mission: 1776 ABW Security Forces executes (When) sustained operations for (What) the integrated defense of (Where) General Colonial AFB and its Base Security Zone (Why) in order to achieve the objective of a fully protected installation, and assets, in support of the AFB operational mission.

B) Develop the Integrated Defense Mission Statement: The IDWG, as the ID planning staff, prepares a proposed mission statement for the Installation based on the mission analysis accomplished by the group. The mission statement is a short sentence or paragraph that describes the ID unit’s essential task(s) and purpose. It should be a clear statement of the actions to be taken and reason for doing so, and it should contain the elements of who, what, when, where, and why.

Attachment Y has a select list of possible ID METs, which are key in the development of the ID mission statement. They are from the Air Force Tactical-level Mission Essential Tasks (AFTA) found in the Air Force Universal Task List and include:
- AFTA 3.6.1, Provide Installation and Asset Protection
- AFTA 6.6.1, Integrated Defense Assessment
- AFTA 6.6.2, Command and Control of Integrated Defense Operations

Note: All units with a readiness reporting requirement are also required to have a Mission Essential Task List (METL), IAW AFI 10-201, Force Readiness Reporting, and consistent with DoDI 7730.66, Guidance for the Defense Readiness Reporting System.
If there is a question, consult the readiness reporting official for the unit. These tasks describe the things that must be accomplished in order to complete the mission.

Identify essential installation tasks. The Integrated Defense Working Group (IDWG) identifies essential tasks that clearly specify required actions to support installation operations, such as AFTA 3.6.1: Provide Installation and Asset Protection. Additionally, determine enabling and supporting tasks for the mission essential tasks identified.

Detailed analysis of the ID Mission Statement: In support of the ID mission statement, the IDC should:
- Conduct initial force allocation review
- Develop mission success criteria
- Develop commander's critical information requirements
- Prepare staff estimates
- Identify constraints and limiting factors (LIMFACs)
- Publish commander's updated planning guidance, intent statement, and refined operational approach

- Who will execute the operation (unit/organization)?
- What is the Installation’s essential task or tasks?
- When will the operation begin (by time or event) or what is the duration of the operation?
- Where will the operation occur (Area of Operation, objective, grid coordinates, base boundary, base security zone)?
- Why will the force conduct the operation (for what purpose)?

C) Present ID mission analysis and mission statement to the Installation Commander and obtain Commander’s intent.
The IDWG presents the mission analysis, any proposed changes to the Installation mission statement, and the ID mission statement to the Installation CC for approval during a mission analysis briefing. The CC either approves or adjusts the mission statement and provides specific guidance to the group as his Commander’s intent to establish his or her priorities in the execution of the Integrated Defense Plan (IDP). The Commander’s intent should include, beyond mission-essential assets, non-mission-essential assets such as high-occupancy buildings; mass gathering activities; and any other facility, equipment, service, or resource (including non-DoD assets) deemed important by the commander as warranting protective measures to ensure continued, efficient operation; protection from disruption, degradation, or destruction; and timely restoration (AT Std 5).

Process Output: This analysis confirms the unit’s mission statement—a clear statement of the action to be taken and the Commander’s Intent—the reason for taking it. The mission statement contains the elements of who, what, when, where, and why, but seldom specifies how. The IDWG uses the approved Mission Statement to continue the planning process for the development of the Installation Commander’s Intent and Initial Guidance for Integrated Defense, and eventually the Integrated Defense Plan (IDP).
The Mission Analysis is typically presented to senior leadership (Installation CC) in a briefing or staff package format, and includes other outputs such as:

Primary outputs:
- Approved ID mission statement
- Updated Commander’s Intent statement, if previously completed
- Updated planning guidance

Secondary outputs:
- Identification of installation MEFs/METs and critical assets, which supports IDRMP Step 1 – critical assets
- Updated Commander’s Critical Information Requirements (CCIRs)
- Updated Intelligence Preparation of the Battlespace (IPB), if previously provided
- Assumptions, LIMFACs, constraints, which aid in the development and execution of the IDP

Chapter 3 – Preparatory Activity – Intelligence Preparation of the Battlespace

Overview: The IDRMP requires a comprehensive understanding of the threat sources and tactics that can reasonably be expected to impact the Installation’s assets. The information for this analysis is generated in the preparatory activity called Intelligence Preparation of the Battlespace (IPB). IPB is defined in the DoD Dictionary as the analytical methodology employed by the commander to reduce uncertainty with regard to enemy, environment, time, and terrain. Because the battlefield/battlespace is a dynamic operating environment, the IPB process is continuous and does not reach a formal end state. As new information is received and analyzed, the tactical situation evolves, and intelligence products are updated, as appropriate. A systematic, four-step process, IPB’s bottom line intent is to support operational decisions by providing analyzed information regarding the threat and environment in a given set of circumstances. IPB is the primary mechanism used to achieve the ID Desired Effect of “Anticipate”.
It is a continuous process, enabling the Commander to visualize the spectrum of friendly and adversarial capabilities and weaknesses; how they are affected by a variety of environmental factors (e.g., weather, light, terrain, political and social conditions); and the logical predictions of the most likely and most dangerous enemy COAs. In turn, these predictions are provided to the DFC’s staff to shape and support ID plans designed to mitigate the threat. Once the initial IPB process matures, products are developed and friendly COAs are selected to mitigate the predicted enemy COAs; the resultant IPB estimate of the adversary's intentions and capabilities serves as the norm to which all subsequent adversarial activities in the operating environment are compared. Finally, IPB is a continuous process in that it does not reach an end state. The initial friendly and enemy situation and how they are affected by the changing environment and the predicted enemy COAs are continually assessed and evaluated against events occurring within the operating environment. As new information is received and analyzed, the tactical situation evolves, and intelligence products are updated, as appropriate.

Process Goal: The goal of this activity is to leverage the IPB process as it pertains to IDRMP to: a) provide information on adversaries and tactics and data to execute IDRMP Step 2 – Threat Analysis; and b) collect information on adversary courses of action (COA) to help inform IDRMP Step 6 - development of friendly mitigation COAs. The overall aim is to aid the Installation CC in decision making for security operations, vulnerability mitigation, risk tolerance, and risk reduction. Data derived during IPB facilitates the creation of intelligence products that are used during IDRMP to aid in developing friendly courses of action (COAs) and decision points for the Installation CC. The conclusions reached, and products created, during IPB are critical to integrated defense planning and operations.
The conclusions also fill Commander’s Critical Information Requirements (CCIRs) in support of ID. Because the battlefield/battlespace is a dynamic operating environment, and the commander’s ID decisions must be refined accordingly, the IPB process is continuous and does not reach a formal end state.

Process: IPB is a continuous process that cycles through four analytical steps, to provide information regarding the threat and environment in a given set of circumstances.
- Step 1: Define the battlespace environment
- Step 2: Describe the battlespace’s effects
- Step 3: Evaluate the adversary (this provides information needed for IDRMP Step 2)
- Step 4: Determine adversary COAs (this helps inform IDRMP Step 6)

The requirement initiating IPB is the commander’s need for specific information to enable informed decisions with respect to integrated defense. Specifically, the commander needs to: 1) understand the operating environment; 2) comprehend the effects of the operating environment on their operations, equipment, and personnel; 3) acknowledge the capabilities of adversaries in the operating environment; and 4) forecast probable enemy COAs within the operating environment.
The IPB information is derived from the following input sources (this is not an all-inclusive list; any relevant and credible threat source document could be used to glean information):
- Local Threat Assessment (LTA) – Air Force Office of Special Investigations (AFOSI)
- World Wide Threat Assessment – Defense Intelligence Agency (DIA)
- Defense Critical Infrastructure Threat Assessment (DCITA)
- State, Federal products; Joint Terrorism Task Force (JTTF), FBI, DHS, State Fusion Cell, National Guard
- Open Source/Internet search focusing on activities/events in Area of Interest (AOI)/Area of Responsibility (AOR)
- Combatant or Component Command – e.g. CENTCOM-AFCENT, NORTHCOM-AFNORTH, etc.
- Criminal Threat Assessment (CTA) – AFOSI
- Intelligence/Information Fusion Cell developed products

A) IPB Step 1 - Define the battlespace environment: IPB begins with the approval and publication of the Installation CC’s initial intent and guidance. The following steps describe the process flow for conducting IPB with respect to IDRMP. The IPB collection and analysis effort to support ID must be constrained to a scope that is reasonable and achievable. To do so, the ID lead and IDC can use the steps below to define the commander’s area of interest and bound IPB activities.

Goal: To define the AO and bound IPB activities.

Step 1.a. Installation Commander’s intent and guidance for ID. The IPB OPR must receive, accurately understand, and precisely convey the Installation CC’s intent and guidance for integrated defense. This knowledge allows the information fusion cell and collection specialists to apply that purpose and intent to their intelligence collection and analysis efforts.

Step 1.b. Define the operating environment.
During the preparatory activity of mission analysis, the ID staff identified the ‘where’ related to the ID mission. Now, the ID staff elaborates on that to identify the physical areas and issues that are relevant to the ID mission. This is analogous to “scoping” a problem. The Intelligence leader must accurately define the specific limits of the commander’s area of interest in order to focus collection and analysis on those physical areas, assets, and aspects of the mission variables (enemy, terrain, weather, and civil considerations) that will have significant effect on friendly operations, threat/adversary operations, and population in a unit’s area of operations or area of interest (AO/AOI). For example, there may be large unpopulated areas of the installation that have no impact on friendly missions; IPB should not spend much time addressing threats in those areas. Similarly, there may be off-base assets or civil infrastructure that does affect the mission; IPB should spend research and analytical effort on those.

Minimum requirements to complete defining the operating environment include:
- Identify limits of AO (e.g., boundaries), and AOI (regional area, etc.)
- Collect background data on the operating environment to include: history, demographics, socioeconomic data, religious groups, political attitude, etc.
- Develop lists, dispositions, and capabilities (offensive and defensive) of tasked Friendly Forces and other forces that contribute to the security of the installation and which are available to contribute during enemy surges [e.g., increased Force Protection Conditions (FPCON)].
  Friendly forces include but are not limited to:
  - Host Nation (HN) military and police forces, local, state, national agencies
  - Associate tenant units and other DoD Components
  - Emergency response entities
- Evaluate terrain and weather (including light data)
- Collect and review incident and emergency response plans.

Step 1.c. Describe the operating environment. The operating environment has effects on operations, equipment, and personnel. Analyze existing/gathered data to build a foundation of intelligence knowledge for performing IPB and mission analysis/problem framing. This information helps inform both the next IPB step, in which adversaries and tactics will be identified, and IDRMP Step 6, in which friendly courses of action will be determined. Minimum requirements include:
- Analyze the data collected above (Step 1.b Define the operating environment) and describe how the factors affect operations, equipment, and personnel.
- Analyze the human dimension, poverty, crime, sentiment of surrounding areas.
- Depict the effects of the operating environment
- Develop graphics of Go, Slow, No Go Areas and environmental overlays
- Mission essential assets for ID (entry control points (ECP), fences, etc.)
- Analyze the physical environment, location of friendly forces, terrain features, any obstacles affecting the defense of the installation
- Analyze the effects of weather
- Analyze the effects of lines of communication, roadways and waterways
- Depict the effects of the operating environment
- Develop graphics of Go, Slow, No Go Areas and environmental overlays
- Mission essential assets for ID (entry control points (ECP), fences, etc.)

Leveraging the acquired knowledge related to the operating environment, describe how each of the four mission variables (enemy, terrain, weather, and civil considerations) will affect friendly operations and, similarly, how terrain, weather, and civil considerations will affect enemy operations. One example of using the mission variables to determine the effect on both friendly and enemy operations is considering the simultaneous interaction of friendly forces, enemy forces, and indigenous populations.

Output: Result of IPB Step 1
- Determination of the AO and area of interest.
- Determination of the area of intelligence responsibility.
- Identification of general characteristics of the AO that could influence the unit’s mission and threat actors.
- Identification of gaps in current intelligence holdings, translating them into requirements for collection (requests for information, requests for collection) in order to complete IPB.

B) IPB Step 2: Describe the battlespace effect on operations: This IPB step determines how significant characteristics of the operational environment can affect friendly and threat/adversary operations. The battlespace has many such characteristics (e.g.
weather, terrain), but for IDRMP, the focus is mainly on identifying what types of threat/adversary forces normally execute operations in the area affecting the installation and what tactics should be anticipated based on the environment, installation mission, and mission assets.

Goal: To identify the adversaries and their preferred tactics within the AO.

Process:
- Collect intelligence reports
- Identify adversaries and tactics in the AO
- Identify any information gaps and submit requests for additional information

Step 2.a.: Collect intelligence reports: The IPB lead should collect historical data and existing intelligence analyses of the operating environment, or other reports about adversaries capable of operating in the geographic area of concern. Relevant reports and sources should include:
- Local Threat Assessment (LTA) – Air Force Office of Special Investigations (AFOSI)
- Criminal Threat Assessment (CTA) – AFOSI
- World Wide Threat Assessment – Defense Intelligence Agency (DIA)
- Defense Critical Infrastructure Threat Assessments (DCITA)
- State, Federal products; Joint Terrorism Task Force (JTTF), FBI, DHS, State Fusion Cell, National Guard
- Open Source/Internet search focusing on activities/events in Area of Interest (AOI)/Area of Responsibility (AOR)
- Combatant or Component Command (e.g., CENTCOM-AFCENT, NORTHCOM-AFNORTH) threat estimates
- Intelligence/Information Fusion Cell products that:
  - Collect historical data and existing Intel products
  - ID adversaries capable of operating in area
  - Determine capability, intent, activity, and freedom of movement
  - Determine preferences for tactics and targets
  - Analyze effects of environment on adversary (terrain, weather, etc.)

Step 2.b.: Identify adversaries and tactics in the AO: The IPB lead should review the collected documents and identify the threat actors that have historically been or are anticipated to be active in the AO.
DoDI 6055.17 directs installations to use the Defense Threat Reduction Agency’s All Hazard Threat Assessment (AHTA) methodology to standardize hazard and threat baseline scoring across the joint environment. The AHTA provides a standardized list of threat actor and tactic categories to be considered. For the purposes of IDRMP, only the ‘threats’ need to be considered; ‘hazards’ are beyond the scope.

Step 2.c.: Identify any information gaps and submit requests for additional information: When well-known threat actors are identified, the Information Fusion Cell (IFC) can rely on historical data and well-developed threat models to capture information required in this process flow. When new or less well-known threat actors are identified, the IFC will need to generate information requests to fill gaps.

Output: The primary output associated with step 2 of the IPB process is a compilation of adversaries that are relevant in the AO and the tactics that can reasonably be expected to be used against the installation’s mission assets.

C) IPB Step 3: Evaluate the adversary: Step 3 of the IPB process determines threat/adversary force capabilities and the tactics that each threat/adversary force prefers to employ.
The IPB lead will consider and analyze the effects of the operating environment on each individual adversary in order to determine the threat’s capabilities, their most likely targets and their most likely tactics.

Goal: To have all information necessary to complete the ‘threats’ portion of the DTRA AHTA, including identification of and scoring of all relevant threat adversary-tactic combinations.

Process: The IPB lead reviews the information collected in IPB Step 2 and fills out the ‘threats’ section of the DTRA AHTA guide, which includes:
- Identify all threat source and tactic combinations that are relevant in the AO.
- Analyze each threat source and tactic combination and estimate likelihood
- Prepare descriptions and justifications for each source and tactic combination

Evaluate the Threat. Collect historical data and existing intelligence analyses [e.g., Defense Country Threat Assessments, Dynamic Threat Assessments and Country Profiles, DIA Foreign Intelligence Threat Country Snapshots, Local Threat Assessments (LTA) and Criminal Threat Assessments (CTA)] of the operating environment, or other reports about adversaries capable of operating in the geographic area of concern. Consider the capabilities and weaknesses of each specific group without assuming enemy forces collaborate. Consider and analyze the effects of the operating environment on each individual adversary. Determine the threat’s capabilities, what they target, their most likely targets, their most dangerous tactics, and whether they have a nexus to any crime/activities impacting the installation or its personnel.
Minimum requirements should include:
- Collect historical data and existing Intel products
- ID adversaries capable of operating in area
- Determine capability, intent, activity, and freedom of movement
- Determine preferences for tactics and targets
- DHS, JTTFs/FBI, DIA, NORTHCOM/AFNORTH, DTA, etc.
- Analyze effects of environment on adversary (terrain, weather, etc.)

When well-known threat actors are identified, the Information Fusion Cell (IFC) can rely on historical data and well-developed threat models to capture information required in this process flow. When new or less well-known threat actors are identified, the IFC will need to generate information requests to fill gaps. Attachment 2 presents factors to consider when evaluating a threat actor.

Output: Completed ‘threats’ section of DTRA AHTA, including identification of and scoring of all relevant threat adversary-tactic combinations.

D) IPB Step 4: Determine enemy courses of action. Consider all data collected in the previous steps of IPB and make logical predictions of enemy courses of action (ECOAs). For each adversary assessed to be present and capable, establish a prediction of the “most likely” and “most dangerous” ECOAs. Then, through a process of war gaming, establish friendly COAs that would effectively meet the commander’s intent in defeating the predicted ECOAs. Attachment 3 provides a listing of threat tactics considered as part of the IDRMP process.

Lastly, this step should include the development of additional CCIRs as well as Essential Elements of Friendly Information (EEFI).
Commander’s Critical Information Requirements are elements of information required by the CC that directly affect timely decision making. Key elements include Priority Intelligence Requirements (PIRs) and Friendly Force Information Requirements (FFIRs). Essential Elements of Friendly Information (EEFI) is critical friendly information that, if known by an adversary, could be used against the installation. It is part of the Commander’s Critical Information List managed by the Operational Security program manager. Attachment 43 provides a review of Commander’s critical information requirements.

Present results. Analysts present the results of the IPB to the Information Fusion Cell (IFC) for initial review. The IFC makes necessary adjustments based on intelligence. At this time, the analyst may need to repeat steps within the IPB Process Flow to adjudicate any changes. The IFC presents the IPB to the Threat Working Group (TWG), IDWG, IDC, and Installation CC.

Process Output: IPB yields data from which the IFC creates intelligence products that are used during IDRMP to aid in developing friendly courses of action and decision points for the Installation CC. Some of these intelligence products are listed below.
- Commander’s threat estimate
- Data to complete the Threat Assessment in the risk assessment portion of IDRMP
- Data for Local Threat Assessment (LTA)
- Installation advisory/warning briefs
- Recommendations for FPCON adjustments
- Briefing for IDWG, DFC
- Commander’s Critical Information Requirements (CCIRs), Priority Information Requirements (PIRs), Specific Information Requirements (SIRs), Essential Elements of Friendly Information (EEFI)
- Supportive data to the Risk Assessment out brief - threat assessment
- Graphic and Environmental Overlays

Chapter 4 – IDRMP Step 1 – Criticality Assessment

Policy: The Criticality Assessment (CA) is an annual requirement from DoDI O-2000.16-V1, Change 1 in AT Standard #5. It classifies the relative criticality of both mission-essential and non-mission-essential assets utilizing the mission decomposition process outlined in Volume 1 of DoDM 3020.45, and is based upon each asset’s mission criticality, impact on national defense, replaceability and monetary value. This step of IDRMP satisfies annual requirements for a criticality assessment.

Overview: The CA is one of the three core elements of the risk assessment process and provides a required factor in the final risk calculation. An asset is defined in DoDI 3020.40 as a distinguishable entity that provides a service or capability. Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations. Criticality is defined in DoDI 6055.17 as the consequence of loss of an asset based on the effect the incapacitation or destruction of the asset would have on operations and the ability of the organization/command to fulfill its mission. Therefore, the CA must determine which assets a commander has that impact mission execution, and what level of impact would result from the loss of a particular asset.
Additionally, all assets included in the Criticality Assessment must be under the Installation CC’s control and/or influence; assets beyond the commander’s ability to influence are outside the scope of this step and are not included in the Criticality Assessment. The Criticality Assessment developed in this Step meets the intent of the Department of Defense (DoD) Antiterrorism (AT) Guide Standard 5 (Criticality Assessment):

| CA Factor | AT Standard 5 Factor |
|---|---|
| Mission Impact | Importance, Effect of Loss |
| National Security Impact | Importance, Effect of Loss |
| Replicability | Recovery, Substitutability, Reparability |
| Relative Value | Importance, Effect, Mission Functionality |

Goal: As detailed in JP 3-07.2, the goals of an effective asset CA are to identify key assets and the critical functions that assets contribute to mission accomplishment, and to determine the extent to which a function can be replicated if lost, the time to restore the function, and the priority of effort to restore or replace the function and/or asset. The CA helps the IDWG identify key assets or infrastructure whose loss would affect an installation’s or unit’s (to include tenant’s) ability to perform its mission. (Note: the CA is an intermediate step in the Risk Management process. JP 3-07.2 states that Risk Management, “requires an RA. An RA is determined by combining a TA, VA, and criticality assessment (CA) in order to provide a commander with a more complete picture of the risks facing an asset or group of assets.” It SHOULD NOT be considered an end product.)

Process: The execution of the CA will identify installation assets, categorize those assets and characterize the criticality of each asset on a 0 to 1 scale.

Step 1.a. Identify Assets: To identify the installation assets, the IDRMP lead should consult various documents, systems and organizational sources in order to build a consolidated list.
A good starting point is to include assets already identified in the previous criticality assessment (if available); the IDRMP lead can then identify any additional assets that should be included. The asset list should also include tenant organizations’ assets, and any Defense Critical Infrastructure and/or Task Critical Assets. Much of the information needed for this step comes from the preparatory phase in which the mission analysis was conducted. The sources needed to develop an installation asset list are very much site-dependent, but the following list contains typical sources.

Documents and systems:
- Current Installation Criticality Assessment(s)
- Installation asset list(s)
- Tenant asset list(s)
- Defense Critical Infrastructure Program (DCIP) list(s)
- Task Critical Assets List (TCAs)
- Strategic Mission Assurance Data System (SMADS)
- Air Force Critical Asset Management System (AF-CAMS)
- Mission Assurance Risk Management System (MARMS)

Organizational sources:
- Integrated Defense Working Group
- Tenant, group, unit commander(s)
- Asset owner’s subject matter experts
- Critical Asset Risk Management (CARM) program manager
- Critical Asset Identification Process (CAIP) documents
- Integrated Defense Council (IDC) input
- Commander’s intent (from preparatory phase)
- Higher headquarters

Step 1.b. Categorize installation assets: Each asset is placed into one of eleven asset categories. The use of asset categories and subcategories is important to the overall RA methodology because it allows adversary tactics to be related to individual assets. Some adversary tactics are only appropriate for certain types of assets. For example, active shooter tactics may be used against assets in the “General Population” category, but would have little impact on those in the “Facilities and Buildings” category. Also, adversary preferences may differ.
Terrorists target people and mass casualties to advance their political objectives, whereas vandals and unsophisticated criminals target equipment and pilferable assets with the objectives of sabotage or theft. The asset categories include:
- Aircraft
- Arms, Ammunition, and Explosives
- C2 Equipment
- Classified Information
- Facilities and Buildings
- General Population
- Individuals
- Industrial and Utility Equipment
- Infrastructure
- Sensitive Information
- Vehicles

Subcategories (relative to each category) are identified in Attachment 7 and included in the approved automated tool. Subcategories are important because they help standardize the criticality scoring that is conducted in the next step.

Step 1.c. Score assets: The criticality of each asset is scored 0-1 based on its relative importance to the mission. Table X below shows the asset rating scale that links numerical, color and linguistic ratings. (Note: The scale is derived from DoDI 6055.17, and the same scale is used for threat and overall risk scores when they are calculated; threat and vulnerability use the same ranking/scoring.)
Table X – Asset Criticality Scoring

| RANKING | SCORING | DEFINITION |
|---|---|---|
| High | 0.81 - 1.0 | Risk to Mission: Total loss will create a level of Combatant Commander (CCDR) Risk where the ability to achieve Current or Contingency Operations mission objectives is UNLIKELY. Risk to Force: Total Asset Loss will result in Extreme Resource Delays (Unacceptable Costs). |
| Significant | 0.51 - 0.80 | Risk to Mission: Total loss will create a level of CCDR Risk where the ability to achieve Current or Contingency Operations mission objectives is QUESTIONABLE. Risk to Force: Total Asset Loss will result in Extended Resource Delays (Substantial Costs). |
| Moderate | 0.21 - 0.50 | Risk to Mission: Total loss will create a level of CCDR Risk where the ability to achieve Current or Contingency Operations mission objectives is LIKELY. Risk to Force: Total Asset Loss will result in Limited Resource Delays (Acceptable Costs). |
| Low | 0.01 - 0.20 | Risk to Mission: Total loss will create a level of CCDR Risk where the ability to achieve Current or Contingency Operations mission objectives is VERY LIKELY. Risk to Force: Total Asset Loss will result in Planned Resource Availability (Minimal Costs). |

To assist assessors in scoring and to help standardize scores across installations, IDRMP incorporates an evaluation methodology from the Unified Facility Criteria (UFC) 4-020-01 DoD Security Engineering Facilities Planning Manual. Using that methodology, assets are valued using four factors: Mission, National Defense, Replaceability, and Relative Value. Each factor is scored on a graduated point scale and summed to generate the asset criticality score (up to 100 points). In other words: Asset Criticality = Mission + National Defense + Replaceability + Relative Value. When asset scoring is completed, scores are divided by 100 and displayed as a numerical rating between 0 and 1.

Mission. This factor addresses the criticality of the asset in its support of the installation’s missions.
Descriptive terms and brief definitions ranging from low (little or no impact) to high (mission failure) are used. The higher numerical scores should reflect that an asset is critical to accomplishing a specific DoD or Air Force mission essential task (MET). If an asset’s loss would not directly impact an assigned MET, then the lower numbers should be selected.

National Defense. This factor addresses the criticality of the asset in its support of missions that are not directly related to the installation’s METs but are critical to other Services or combatant commanders. For example, tenant units on an installation may have little impact on the primary base mission but are critical to national defense. An example might be a CCDR HQ located on the installation. High scores should only be used for assets that have been identified as supporting specific DoD missions or capabilities.

Replaceability. This factor addresses the ease with which the asset’s functions (not necessarily the asset itself) can be replaced. There are separate entries for the General Population and for Information, which are not considered replaceable once killed (people) or lost to the adversary (information). For other assets, the factor is based upon the amount of time required to replace the function of the asset or the difficulty of finding mission critical personnel replacements with the requisite skills and training. The emphasis on asset function is important. For example, if the dining facility were destroyed, replacement of the building might take a year or longer, but the people would be fed immediately through the use of alternate dining facilities, MREs, downtown restaurants, etc.

Relative Value. This factor applies measures of value appropriate for particular asset categories.
The relative value is measured in different ways for different asset categories. For example, aircraft relative values are based upon the type and number of aircraft, ranging from Trainer Aircraft to Strategic Aircraft, whereas industrial and utility equipment values vary based on the value of the equipment, either individually or in inventory. Buildings such as barracks are typically valued based upon their current maximum occupancy at a given time, not how many they could theoretically hold. (Buildings such as water treatment plants should be scored as infrastructure.)

Tools: A ‘Pre-scored’ asset list (Attachment 6) has been developed to establish a common starting point for scoring of typical assets on an Air Force installation. The IDRMP lead can then interview SMEs, asset owners, mission owners, etc., if needed, to understand the mission(s) supported by the asset(s) and the importance of the asset to the mission in order to adjust the score. The automated software approved for IDRMP includes both the methodology and the pre-scored asset list. Attachment X details the scoring criteria from the UFC for assessors that do not have access to the automated tool.

Process Output: The end state is an Installation Commander-approved Criticality Assessment. The Criticality Assessment lists assets in priority order of their mission contribution and is used in developing the Risk Assessment and obtaining risk scores.

Chapter 5 – IDRMP Step 2 – Threat Assessment

Policy: The threat assessment (TA) is one of three key components to determining risk. It is an annual requirement per DoDI O-2000.16 Standard #4.
The TA process must be fully integrated with the all-hazards emergency management planning process, pursuant to DoDI 6055.17, DoD Emergency Management (EM) Program, February 13, 2017 (para 2011.j), which directs installations to use the Defense Threat Reduction Agency’s All Hazard Threat Assessment (AHTA) methodology to standardize hazard and threat baseline scoring across the joint environment. The AHTA provides a standardized list of threat actors and tactics and uses a 0 to 1 ranking scale for each threat actor/tactic combination. (Note: Although the AHTA includes natural hazards, they are beyond the scope of IDRMP and are not used in this step.) Conducting this step of IDRMP satisfies annual requirements for AT TA.

Overview: The TA is one of the three critical components of an RA. It evaluates existing or known threats and identifies previously unidentified threats and threat actors’ tactics, techniques and procedures (TTPs). It leverages the data developed in Step 3 of the IPB process. The TA process guides the IDWG to refine the threat data to focus attention specifically on each adversary’s target and tactic preferences that could cause loss of, or damage to, previously identified assets. Knowing whether an adversary poses a threat requires information about its local activity, intentions and history, operational capabilities (tactics), and the operational environment. Data developed during IPB and AFOSI’s Local Threat Assessment (LTA) are the starting point for general information on the security threats facing an installation. Updated specific local threat information may be required, and can be obtained from multiple sources through SF interaction with local/state law enforcement and AFOSI’s liaison with federal, state, local and foreign national law enforcement, CI and security agencies IAW AFPD 71-1 and AFI 14-119.
It is important to note that threat is assessed through the presence of information, not the absence of information. If gaps in information exist, units should leverage the Installation Commander’s CCIR and PIR methods to seek out the information from the appropriate sources.

Goal: The goal of the TA is to generate a 0 to 1 threat score for each combination of threat source and tactic facing an installation, which will later be used in calculations during the risk assessment.

Process: The execution of the TA will identify threats to the installation’s assets, categorize the threat sources and tactics that are relevant to the installation using the DTRA AHTA categories, and score each source-tactic combination on a 0 to 1 scale.

Step 2.a. Identifying Threats: Collect the list of local threats using the data generated during IPB Step 2 as the source of information concerning the local threats and their preferred tactics/targets, capabilities, weaknesses, and probable COAs. More here…

Step 2.b. Categorize Threats: Each threat is characterized by the combination of the adversary type that is the source of the threat and the tactic used by that adversary. The use of categories is important to the overall RA methodology because it allows more standardized relationships to be made between asset categories and threats. Threat source category is important because different types of adversaries tend to be interested in different types of assets as their target. Also, not all tactics are used by every adversary, and not all tactics are pertinent to every asset type.
For example, active shooter tactics may be used against assets in the “General Population” category, but would have little impact on those in the “Facilities and Buildings” category. Also, adversary preferences may differ. Terrorists target people and mass casualties to advance their political objectives, whereas vandals and unsophisticated criminals target equipment and pilferable assets with the objectives of sabotage or theft. The threat sources and tactics from the DTRA AHTA include:

Threat source categories:
- Non-state actor
- State actor
- Civil actor
- Criminal actor
- Foreign intelligence entity
- Foreign nation state actor
- Homegrown violent extremist
- Domestic terrorist
- International terrorist

Threat tactics:
- Arson
- Coercion
- Crime
- Extortion
- Riots, Marches, or Civil Disturbances
- Strike or Work Stoppages
- Vandalism
- Active Shooter/Assailant
- Theft
- Fraud
- Unauthorized Entry
- Industrial
- Structural
- General Collection Activity
- Targeted (focused) Collection Activity
- Economic Espionage
- Armed Assault
- CBRN Attack
- Improvised Explosive Device (IED)
- Vehicle Inertia Attack
- Unintentional Maintenance Mishap (UMM) (Cyber)
- Sabotage
- Workplace Violence

The definitions for each threat source and tactic, along with the standardized list of which tactics apply to which sources, are found in Attachment XX.

Step 2.c. Score threats: Each source-tactic combination is scored 0-1 based on its relative likelihood/severity. Table X below shows the asset rating scale that links numerical, color and linguistic ratings. (Note: The scale is derived from DoDI 6055.17 and is the same scale used by the DTRA AHTA.)

Table X – Threat Severity Scoring

To assist assessors in developing the DoD-required 0 to 1 score and to help standardize threat scores across Air Force installations, IDRMP incorporates an evaluation methodology with a five-part process that includes:
- Adversary rate: Quantifies how active each adversary type is against military assets in the area of the installation.
  It does so by looking at:
  - Local adversary activity
  - Indications and history
  - Local operational capability
  - Local operating environment
- Adversary-tactic preference: Establishes a metric addressing which tactics each adversary prefers
- Adversary-target preference: Establishes a metric addressing what categories of assets each adversary prefers to target
- Tactic-target effectiveness: Quantifies how effective individual tactics are against a particular target.

Tools: The required automated tool approved for IDRMP includes the AHTA scoring methodology and the pre-scored default threat scores. Attachment X details the scoring criteria for assessors that do not have access to the automated tool. A set of ‘Default scores’ (Attachment 6) has been developed to establish a common starting point for scoring of typical threats on an Air Force installation. The IDRMP lead can then engage the stakeholders identified in the IPB preparatory step to adjust the score based on local intelligence (Attachment Y).

Process Output: The threat assessment process results in a threat rating score which will be used to calculate the risk value during the risk assessment. There may be intelligence information gaps remaining after the IPB process that were not discovered until execution of the TA process. If such is the case, an additional output of the TA process may be any combination of CCIRs, PIRs, FFIRs, and IRs.
The end state is an Installation Commander-approved Threat Assessment. The TA lists the threat source-tactic combinations in priority order of their likelihood of occurrence and is used in developing the Risk Assessment and obtaining risk scores.

Chapter 6 – IDRMP Step 3 – Vulnerability Assessment

Policy: The Vulnerability Assessment is an annual requirement from DoDI O-2000.16-V1, Change 1 in AT Standard #6. It must include an evaluation of the relevant portions of the DoD Mission Assurance Benchmarks and must be based upon JP 3-07.2, which defines a VA as the process the commander uses to determine the susceptibility of assets to attack from threats identified in the AT TA. Conducting IDRMP satisfies annual requirements for a VA and an AT program review. Entry of an IDRMP assessment into the HAF/A4S approved tool satisfies the requirement to enter the results of a VA into the DoD system-of-record.

Overview: The VA is one of the three critical components of an RA, and it answers the question “to what kind of attack are the installation’s assets most/least vulnerable?” A vulnerability is defined in DoDI O-2000.16-V1, Change 1 as a situation or circumstance, which if left unchanged, may result in injury, loss of life or damage to an installation’s assets. The level of vulnerability is determined by assessing the protections (or countermeasures) that mitigate threat tactics. In this step, the IDWG is looking for exploitable situations created by lack of adequate security, lax or improper personnel behavior, vulnerable software or hardware, inoperable equipment or inadequate training on the equipment, and insufficient security policies or procedures.
Goal: The goal of the VA process is to determine the vulnerability of assets to previously identified threat tactics, answer what kind of threat the asset is most vulnerable to, and generate a 0 to 1 vulnerability score for each threat tactic facing an installation. This will later be used in calculations during the risk assessment.

Process: The VA process includes a holistic examination of an installation’s integrated defense security posture effectiveness from “outside the fence” to, and including, any specific critical asset. It incorporates physical security, supporting infrastructure security, information security, and other security and response disciplines. In so doing, the process considers the effectiveness of tangible forms of security measures (e.g., gates and alarms), as well as non-tangible (e.g., policy, procedures, and training) forms of security.

The VA evaluates those countermeasures that are in place and identifies those that are not. Countermeasures that are in place tend to mitigate threat tactics. Those that are not in place (e.g., lack of adequate security, lax or improper personnel behavior, vulnerable software or hardware, inoperable equipment or inadequate training on the equipment, and insufficient security policies or procedures) create weaknesses and thereby increase assets’ vulnerability to threat tactics. To ensure that the VA addresses the security areas from the most current guidance, units should conduct VAs using the relevant sections of the DoD Mission Assurance Assessment Benchmarks as their guidance source for countermeasures to be assessed. The vulnerability assessment (VA) provides the third variable needed to calculate risk.

Step 3.a. Collect protection information: The VA uses information obtained during the IPB as well as vulnerability information from various sources, including any previous assessments. Consequences of a successful attack need to be considered. For example, a vehicle-borne IED may be very effective against a building target, whereas a letter bomb would be less so. Good sources of reference data include HHQ and local VAs, food and water VAs, security and emergency response plans and observations by security professionals. To ensure the data is the most current, units should conduct VAs IAW published Mission Assurance and Antiterrorism guidance, to include approved DoD Benchmarks.

The following are data point sources that can be used in conducting a VA:
HHQ Vulnerability Assessment(s)
Installation’s Local VA
Mission Assurance (MA) Assessment(s), if applicable
Inspection Reports
Installation Plans and Procedures
  Emergency Management Plan
  IDP
  AT Plan
  Medical Readiness Plan
  Other plans as needed
Other Risk Assessments
The EPRM checklist downloaded to Excel, or used in the EPRM tool based on assessment location and other factors

Because the IDRMP VA is a holistic evaluation of security programs supporting integrated defense, the assessors will likely have subject matter expertise across a variety of functional areas [e.g., AT, AFOSI, Security Forces, Intel, Emergency Management (EM), Communications, Civil Engineer (CE), etc.] and provide functional-specific input into the VA process.

Step 3.b. Conduct assessment: Assessors should review the list of relevant countermeasures that are drawn from the DoD MAA Benchmarks (see Attachment X), and assess each to determine if it is or is not being met at the installation. When evaluating each countermeasure, it is important to have an effects-based perspective in which the assessor is not just looking at the presence or absence of a countermeasure, but is also evaluating whether or not the countermeasure (as implemented) will have the desired effect. For example, although a fence may be present, if its condition or arrangement does not effectively delay intruders (as a fence should), then it is not achieving its effects-based objective of ‘delay’.
As another example, if an alarm is installed and does operate, but does not annunciate in a location where it is continuously monitored, then it does not achieve its effects-based objective of ‘detect’.

Though much of the information regarding the presence and absence of countermeasures can be determined from the information sources consulted in step 3.a., it is important for the assessor to confirm the presence and effect of countermeasures not just through a documentation review or SME interview. The IDRMP cannot be well-executed from behind a desk, and the assessor should seek to validate the VA through eyes-on/hands-on confirmation and review of actual artifacts, wherever possible.

Step 3.c. Record VA results: Once each of the countermeasures has been assessed, the assessor can enter the results into the approved IDRMP tool. Each countermeasure has been related to the appropriate DoD benchmark, and the assessor should indicate ‘yes’ if the effect of the countermeasure has been met, ‘no’ if it has not and ‘NA’ if it is, for some reason, not applicable to the security environment. Attachment X contains the full list of countermeasures from the DoD Mission Assurance Benchmarks that are addressed in IDRMP. They are from the following families:

All benchmarks from:
  AT
  Physical security
  Emergency management
Selected benchmarks from:
  Petroleum oil and lubricants (POL)
  Chemical Biological Radiological Nuclear Electromagnetic
  Communication & Network Infrastructure
  Continuity of operations
  Electrical Power
  Fire Protection
  Force Health Protection
  Munitions Operations
  Operations security
  Utilities
  Transportation
  Water & wastewater systems

Tools: The checklist of countermeasures (mapped to DoD benchmarks) can be downloaded from the approved tool. Assessors can complete their data entry in off-line Excel exports and upload to the tool.
For locations that do not have access to SIPRNET, an unclassified copy of the list of countermeasures can be downloaded from the EPRM help site.

Attachment X describes the process used in the automated tool to calculate the level of vulnerability to each tactic.

The following steps will lead an assessor through the VA process. The installation is divided into four layers (Outside the Perimeter, Perimeter, Inside the Perimeter and at the Asset), and the existing countermeasures and vulnerabilities within each layer are evaluated. For each tactic under consideration, the vulnerability in each layer is scored by the SMEs against a four-point scale (High - 3; Significant - 2; Moderate - 1; and Low - 0). Each layer is weighted by tactic, reflecting the importance of the particular layer’s defensive features to defeating the given tactic. For example, the Perimeter layer is very important against the vehicle-borne IED tactic and carries a large weight. This layer is less important against the standoff weapon tactic. Once the SMEs have scored the individual layer vulnerabilities, the vulnerability rating (0.00 to 1.00) for each tactic can be calculated using the formula:

Vulnerability Rating = (∑ over layers of Score x Weight) ÷ 300

Use the worksheet at Attachment 11 to calculate the VA rating.

Vulnerability Rating Scale. The figure below shows a vulnerability rating scale drawn from DoDI 6055.17 that links numerical, color, and linguistic ratings.
The objective of the VA step is to understand the weaknesses in an installation’s security that are exploitable by adversaries, especially as they are tied to specific tactics and targets.

Table X. Vulnerability
RANKING | SCORING | DEFINITION
High | 0.81 - 1.0 | The vulnerability is exposed and exploitable and its exploitation would be capable of causing greater than 75% disruption of asset functionality. No effective mitigation measures are in place or planned but not implemented; no compensatory measures are in place or those that are in place are not effective.
Significant | 0.51 - 0.80 | The vulnerability is of significant concern, based on the exposure of the vulnerability and ease of exploitation causing greater than 75% disruption of asset functionality. Some effective mitigation measures are in place or planned but not implemented; compensatory measures are in place and at least minimally effective.
Moderate | 0.21 - 0.50 | The vulnerability is of moderate concern based on the exposure of the vulnerability and ease of exploitation. Multiple effective mitigation measures are in place.
Low | 0.01 - 0.20 | The vulnerability is of minor concern. Mitigation is fully implemented, assessed, and effective.

Risk to Force: Total Asset Loss will result in Planned Resource Availability (Minimal Costs).

Process Output: The VA process provides a vulnerability score for use in the IDRMP and in so doing, the VA process gives the Commander a holistic evaluation of vulnerabilities facing the installation. Once risk values are calculated and the commander’s risk tolerance is determined, then the subordinate commanders and staff can use this vulnerability information to inform their COA development and eventual implementation to reduce risk.
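
The layer-weighted rating described in this chapter, carried through to the Risk = Asset Criticality x Threat x Vulnerability product and the revised-risk comparison used in later IDRMP steps, is shown below as an added Python example (not code from the manual or the approved tool). Layer weights summing to 100, criticality and threat expressed as 0 to 1 values, a 0.00 rating counted as Low, and all sample assets, weights and scores are assumptions constructed for illustration.

```python
"""Added illustration of the IDRMP scoring arithmetic; not the manual's or the tool's code."""

LAYERS = ("Outside the Perimeter", "Perimeter", "Inside the Perimeter", "At the Asset")
SCORE = {"High": 3, "Significant": 2, "Moderate": 1, "Low": 0}  # SME four-point scale
# Table X bands as (inclusive upper bound, ranking). The table starts at 0.01;
# counting a 0.00 rating as "Low" is an assumption of this example.
BANDS = ((0.20, "Low"), (0.50, "Moderate"), (0.80, "Significant"), (1.00, "High"))


def vulnerability_rating(scores, weights):
    """Return (sum over layers of score x weight) / 300, rounded to two decimals.

    Assumption: the weights for one tactic sum to 100, so the maximum total is
    3 x 100 = 300 and the rating falls between 0.00 and 1.00.
    """
    if set(scores) != set(LAYERS) or set(weights) != set(LAYERS):
        raise ValueError("each of the four layers needs one score and one weight")
    if sum(weights.values()) != 100:
        raise ValueError("layer weights for a tactic must sum to 100")
    total = sum(SCORE[scores[layer]] * weights[layer] for layer in LAYERS)
    return round(total / 300, 2)


def rating_band(rating):
    """Map a 0.00-1.00 rating to its Table X ranking."""
    if not 0.0 <= rating <= 1.0:
        raise ValueError("rating must lie between 0.00 and 1.00")
    return next(name for upper, name in BANDS if rating <= upper)


def risk(criticality, threat, vulnerability):
    """Risk = Asset Criticality x Threat x Vulnerability."""
    return criticality * threat * vulnerability


def risk_summary(assets, threats, vulnerabilities, illogical_pairs=frozenset()):
    """Score every asset/tactic pair, omit illogical pairs, sort highest risk first."""
    rows = [
        (asset, tactic, risk(crit, threats[tactic], vulnerabilities[tactic]))
        for asset, crit in assets.items()
        for tactic in threats
        if (asset, tactic) not in illogical_pairs
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data (not from the manual). The weights follow the text's
# remark that the Perimeter layer matters most against a vehicle-borne IED and
# less against a standoff weapon.
WEIGHTS = {
    "Vehicle-borne IED": dict(zip(LAYERS, (20, 50, 20, 10))),
    "Standoff weapon": dict(zip(LAYERS, (50, 10, 20, 20))),
    "Mail bomb": dict(zip(LAYERS, (10, 20, 30, 40))),
}
SME_SCORES = {
    "Vehicle-borne IED": dict(zip(LAYERS, ("Moderate", "Significant", "Moderate", "High"))),
    "Standoff weapon": dict(zip(LAYERS, ("Significant", "Low", "Low", "Moderate"))),
    "Mail bomb": dict(zip(LAYERS, ("Low", "Moderate", "Moderate", "Significant"))),
}
ASSETS = {"Flightline aircraft": 0.9, "Headquarters building": 0.6}  # assumed 0-1 criticality
THREATS = {"Vehicle-borne IED": 0.5, "Standoff weapon": 0.4, "Mail bomb": 0.2}  # assumed 0-1
ILLOGICAL = {("Flightline aircraft", "Mail bomb")}  # the pair the text cites as illogical


def assess(sme_scores=SME_SCORES):
    """Return (vulnerability rating per tactic, ranked risk rows)."""
    vulns = {t: vulnerability_rating(sme_scores[t], WEIGHTS[t]) for t in WEIGHTS}
    return vulns, risk_summary(ASSETS, THREATS, vulns, ILLOGICAL)


def revised_after_perimeter_coa():
    """Re-score after a hypothetical COA that lowers the Perimeter score for VBIED."""
    revised = {tactic: dict(layers) for tactic, layers in SME_SCORES.items()}
    revised["Vehicle-borne IED"]["Perimeter"] = "Low"
    return assess(revised)


if __name__ == "__main__":
    for label, (vulns, rows) in (("Original", assess()),
                                 ("Revised", revised_after_perimeter_coa())):
        print(label)
        for tactic, v in vulns.items():
            print(f"  {tactic:18} V={v:.2f} ({rating_band(v)})")
        for asset, tactic, value in rows:
            print(f"  {value:.4f}  {asset} / {tactic}")
```

In the sample data the perimeter COA drops the vehicle-borne IED rating from Significant to Moderate and moves the standoff weapon pair to the top of the ranked list, which is the kind of shift the revised-risk comparison is meant to expose.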

Chapter 7 – IDRMP Step 4 – Risk Assessment

Policy: The AT Risk Assessment is an annual requirement from DoDI O-2000.16-V1, Change 1 in AT Standard #3. The process is outlined in DoDI 3020.45 and modeled in JP 3-07.2. It executes the TA, CA, and VA, and aggregates them into an RA. Entry of an IDRMP assessment into the HAF/A4S approved tool satisfies the requirement to enter the results of a RA into the DoD system-of-record.

The DoDI 3020.40 defines a risk assessment as a systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks.

Overview: The purpose of the Risk Assessment (RA) is to develop a quantitative measurement of risk by comparing the relative impact of any loss or damage to an asset (Criticality) with the relative probability of the occurrence of an unwanted event (Threat) and with the level of vulnerability to that event (Vulnerability). To do so, the RA combines data and information developed in IDRMP Steps 1-3 (Criticality, Threat, and Vulnerability assessments) to develop a comprehensive picture of risk(s) to an asset or group of assets. With this information, the decision maker (Commander) can make prudent and cost-effective decisions to manage (though not eliminate) risk. Before the Commander can make a Risk Tolerance Decision, the Risk Assessment must be developed and reviewed by SMEs, then presented to the IDWG and IDC.

Process Goal: The goal of the Risk Assessment is to provide decision makers the necessary information to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks. Asset, Threat, and Vulnerability Assessments must be complete, and the assessor must have followed the process for each IDRMP step to have calculated numerical values for each. The risk assessment results will provide the IDWG and senior leaders a prioritized list of security risks to begin the development of risk mitigating strategies against threats and vulnerabilities to the installation.

Process: The process for developing the risk assessment begins when all previous steps (IDRMP precursors, criticality assessment, threat assessment and vulnerability assessment) are complete. The following steps should be used for conducting the risk assessment:

Develop Risk Results. Risk is calculated using the equation: Risk = Asset Criticality x Threat x Vulnerability. Developing a worksheet as in the example at Attachment 12 will assist in collating all the data required to calculate risk.

NOTE: At this stage I’m a little confused on how this attachment actually works. Not sure how we’re matching threat tactic to a given asset.

Review Risk Results. The IDWG can review the important factors associated with individual assets, referring back to the earlier worksheets and supporting data when necessary to understand how each factor increases or decreases the overall risk. By reviewing these ratings, the IDWG can finally begin to make an informed judgment about how “at risk” each asset is from its corresponding unwanted event. When comparing “threat tactics” against “assets” to generate the “calculated risk” value in the Risk Summary Worksheet, it becomes evident that not all threat tactics reasonably apply to each asset.
These unlikely situations are referred to as an “illogical target-tactic pair.” For example, a poisoned food/water or mail-bomb threat tactic would not be a logical or realistic threat against a PL-3 aircraft on the flightline. In circumstances where the target-tactic pair is not logical, use sound judgment and rationale to omit the “calculated risk” value derived from these situations.

Provide Decision Briefing to Installation Commander. The IDWG, through the IDC, presents a decision briefing or staff package to the Installation CC for a risk tolerance decision. This briefing/package contains the results of the CA, TA, VA, and overall RA. It may also include a brief overview of available ID forces and capabilities to provide the Installation CC with a good overview of available assets to address RA concerns and risks outside of the Installation CC’s tolerance level.

Risk Rating Scale. The scale below shows a risk rating scale that links numerical, color and linguistic ratings. The scale is intentionally non-linear, with half the scale reserved for very high or critical assets in order to keep the most important assets visible throughout the IDRMP. (Note: The same scale is used for overall asset scores when they are calculated.)

[Figure: risk rating scale]

Process Output: The output of this step is a finalized risk assessment with assigned risk scores listed in order from highest risk to lowest risk. The risk assessment results provide the IDWG and senior leaders a prioritized list of security risks that will be used in developing the risk tolerance decision as well as developing risk mitigation courses of action.

Chapter 8 – IDRMP Step 5 – Risk Tolerance Decision

Overview: This process is traditionally initiated with either an IDWG or IDC briefing to the Installation CC upon completion and review of the IDRMP results.
The results of the risk assessment can be presented in either a briefing format or staff package. After reviewing the information presented in the briefing, the Installation CC will further define intent, guidance, and risk tolerance for ID planning.

Process Goal: The goal of this step is to allow the Installation CC to develop risk tolerance decisions by analyzing information from the RA and determining if identified risks are within acceptable tolerance levels. Because uncertainty exists in all military operations, every military decision contains risk and Installation CCs must exercise the art of command when deciding how much risk to accept. This philosophy of command fosters an environment of mutual trust and shared understanding among commanders, staffs, and subordinates. By developing and communicating their risk tolerance, the Installation CC ensures that actions are taken to maintain an acceptable level of risk, and that risk management decisions are made consistently throughout the installation.

Process: The Installation Commander is the installation risk taker and determines his/her risk tolerance. The Installation Commander makes such decisions with input from the IDWG. By following a structured risk analysis approach, the commander can readily understand the threat towards an asset, how the asset is vulnerable to that threat, and the impact of loss (or damage) of the asset. The Installation Commander may then make an educated and accountable decision on what to do next. The results of the IDRMP can be presented in either briefing format or staff package, providing an opportunity for the Installation Commander to further define intent, guidance, and risk tolerance for ID planning. The following steps should be used when making the risk tolerance decision:

Decide on Risk Tolerance.
In today’s resource-constrained environment, some risks must be accepted; however, there are risk(s) that cannot be tolerated due to their frequency and/or severity of consequence. Prudent risk is a deliberate exposure to potential injury or loss when the commander judges the outcome in terms of mission accomplishment as worth the cost. As the installation risk taker, the Installation CC determines their risk tolerance considering the following after being provided the RA decision briefing or staff package:
Receive RA information from the IDWG through the IDC.
Analyze information and determine risk tolerance level(s).
Take necessary action to address each identified risk.
  Accept the risk (i.e., the risk lies within the Installation CC’s level of tolerance).
  Direct the IDWG to develop COAs to reduce risk.
  Implement a combination of the two.
Elevate unacceptable risk(s) to a higher authority. The Installation CC may not have the resources or authority to mitigate/reduce an identified risk, but may also not be willing to accept the risk. In these instances, the Installation CC should elevate/transfer the risk decision to HHQ for adjudication/action.

Communicate Decisions to IDC. Upon risk tolerance decision, traditionally the decision is captured in the meeting agenda minutes of the IDC as an official record of the decision. Then with the assistance of the IDWG, the IDC will assist in capturing the risk tolerance decision in the written Commander’s Intent. Upon completion of the risk tolerance decision made by the Installation CC, the IDC will ensure the Installation CC’s Intent and Initial Guidance for ID is re-accomplished to capture their risk tolerance.

Process Output: The output for this process is traditionally the Installation CC’s guidance or direction, which is provided to the IDC and used to draft an update to the Commander’s Intent for Integrated Defense (ID). The Installation CC’s ID intent will define the level of tolerance.
For risks exceeding the Installation CC’s tolerance level, COAs will be developed to render these risks more acceptable.

Chapter 9 – Step 6 – Course of Action Development

Overview: The purpose of this step is to develop, present, and evaluate options to reduce risk. While risks can be alleviated by reducing an asset’s criticality rating or mitigating the threat, eliminating vulnerabilities is the area which can have the greatest influence on adjusting the Installation Commander’s risk tolerance decision. To support this, the IDWG can develop various COAs to mitigate vulnerabilities and reduce unacceptable risks, while providing an estimated reduction of risk (i.e., “benefit” of risk reduction) along with the anticipated cost associated with COA implementation.

Process Goal: This step will focus on a relatively small number of risks that fall above the commander’s risk tolerance level and will require the development of COAs to mitigate the risk to an acceptable level.

Process: COAs should seek to mitigate weaknesses identified in the VA using a balanced, integrated, defense-in-depth approach. The approach should synergize ID forces, construction standards, Tactics, Techniques, and Procedures (TTPs), and technology into an effective and focused risk reduction strategy. COA development consists of the following:

Develop Courses of Action to Reduce Risk. Upon direction from the IDC, the IDWG develops multiple risk reduction strategies focused on mitigating vulnerabilities that are under the control or influence of the Installation CC. In doing so, the IDWG uses numerous sources to develop potential COAs, ranging from guidance in existing instructions or local plans (EM, AT, ID, etc.), guides and handbooks, to soliciting recommendations from subject matter experts to support specific defensive strategies.
COA development includes procedures to:
Identify and quantify countermeasures that can be used/implemented to reduce risks that exceed the Installation CC’s tolerance level.
Identify capabilities that can be applied in synergistic sets to ensure defense-in-depth, and to help mitigate multiple risks simultaneously. The proposals may include the following capability sets:
  TTPs developed to delay, deny, deter, defeat, etc. enemy COAs.
  Construction projects in compliance with Unified Facility Criteria (UFC).
  Technology insertion to provide early detection, assessment, warning, and access control.
  Physical security safeguards (e.g., barriers, fencing, and lighting) for the installation perimeter and high-risk facilities.
  Additional ID forces to sustain extended operations.
Ensure that each proposed COA is evaluated for validity (reference JP 5-0). NOTE: COAs that do not meet all five of the following validity criteria should be rejected.
  Feasible: Can the proposed COA accomplish the mission within the established time, space, and resource limitations?
  Acceptable: Does the proposed COA balance cost and risk with the advantage gained?
  Adequate: Does the proposed COA accomplish the mission within the Commander’s guidance?
  Distinguishable: Is the proposed COA sufficiently different from other COAs?
  Complete: Does the proposed COA answer the questions who, what, when, where, why and how?
Conduct a cost benefit analysis to determine best risk reduction value to the installation.
  Provide an estimate of risk reduction (i.e., “benefit” of risk reduction). Using the Vulnerability module within ForcePRO, the assessor will select appropriate Topics and Questions in the FVAT Revised Topics Tab. The elements of the COA will improve the original rating given to vulnerability questions and topics during the initial assessment.
  Once complete, the assessor will use the software to calculate revised risk and compare the original risk score to the revised risk score to determine the risk reduction benefit of the COA. The assessor should repeat this step for all proposed COAs.
  Provide the estimated cost associated with COA implementation.

Compare COAs. Compare the proposed COAs which were developed using the process above against one another to determine their individual strengths and weaknesses in a cost/benefit analysis. This includes consideration of factors such as additional personnel requirements, capital investment, life-cycle costs, inconvenience, etc. When evaluating/comparing COAs, the effectiveness of competing alternatives can be evaluated by SME opinion, Red Teaming, exercises, sand table exercises, war gaming, or the use of modeling and simulation software. For countermeasures mitigating or removing vulnerabilities, the IDWG can calculate a revised vulnerability rating and a revised risk score using the equation:

Revised Risk = Asset Criticality x (Threat x Revised Vulnerability)

The General Rules of War Gaming (reference JP 5-0):
  Remain objective, not allowing personality or their sensing of “what the commander wants” to influence them. They must avoid defending a COA just because they personally developed it.
  Accurately record advantages and disadvantages of each COA as they become evident.
  Continually assess feasibility, acceptability, and suitability of the COA. If a COA fails any of these tests during the war game, they must reject it.
  Avoid drawing premature conclusions and gathering facts to support such conclusions.
  Avoid comparing one COA with another during the war game.

Countermeasure COA Selection and Recommendation. Using the information generated during COA analysis, recommendations are developed for the Commander’s decision.
In developing final recommendations, consider COAs capable of immediate implementation utilizing resources on hand, as well as COAs requiring programming action through the installation’s unfunded requirements (e.g., technology insertion, construction, physical security equipment and safeguards and additional personnel).

COA Worksheet. The risk reduction, along with the costs to implement the COAs (i.e., additional personnel, capital investment, life-cycle costs, inconvenience), provides data for a simple cost-benefit analysis. The table below shows an example of a COA worksheet. A reasonable strategy is to focus on those measures with the highest cost-benefit ratings first and addressing the highest risks, while paying attention to having effective countermeasures among all defensive layers.

[Table: example COA worksheet]

Develop Briefing and Staff Package. Once COAs have been developed meeting the requirements from actions above, the IDWG develops a detailed staff package containing the specifics of each COA. This package is used to provide the commander and IDC membership all of the necessary detail to make an informed COA decision including:
A detailed implementation strategy to support each COA
Identify needed resources to adequately accomplish implementation of proposed COA(s)
  If COA affects TTPs, prepare change to plan or operating instruction
  If COA inserts technology, begin requirements and acquisition process
  If COA requires construction, prepare AF Form 332 or DD Form 1391 (MILCON) to initiate process
Specifics regarding cost benefit analysis. Assessor must be prepared to address specifics such as cost, impacts of COA, results of testing, etc.
Additional documentation, as needed, to complete the COA such as Plan or instruction updates, budgeting actions, or work orders for CE or MILCON request, etc.

Process Output: The output of this process is a Commander’s COA briefing or fully coordinated staff package that is presented to the Installation CC for decision. The briefing/package should address each individual vulnerability and describe recommended course(s) of action, the impact of the COA by depicting the anticipated reduction of the vulnerability to the threat tactic of concern (revised vulnerability), and the COA’s impact on the identified risk (revised risk). Focus should be on measures with the highest cost-benefit ratings while addressing the highest risks. Attention should also be given to COAs that provide effective countermeasures among all defensive layers.

Chapter 10 – Step 7 – Decision and Implementation

Overview: The Installation Commander selects the COA s/he believes will best accomplish the ID mission. If the Commander rejects all COAs, the IDWG re-accomplishes COA development. Along with the COA decision, the Commander may issue final planning guidance that requires a revision to the Commander’s intent and new CCIR to support execution. The IDWG acts on orders to fulfill the Commander’s intent, executes the COA and revises the IDP accordingly.

Process Goal: The Installation Commander selects COAs that bring risks within the Commander’s tolerance level, and directs resources to implement the decision.

Process: COA(s) presented to the Installation Commander for an implementation decision must effectively mitigate vulnerability(ies) and the resultant revised risk rating must be within the Commander’s risk tolerance level. This allows the commander to make decisions on which COA(s) the installation should implement. Decision and implementation consists of the following:

Present COA decision brief and staff package. The IDWG presents the Commander’s briefing or fully coordinated staff package to the Installation Commander for COA selection.
The briefing/package should address each individual vulnerability and describe proposed course(s) of action, the impact of the COA by depicting the anticipated reduction of the vulnerability to the threat tactics of concern (revised vulnerability), and the COA’s impact on the identified risk (revised risk). Focus should be on measures with the highest cost-benefit ratings first and addressing the highest risks, while paying attention to having effective countermeasures among all defensive layers. Courses of action must be effective in mitigating vulnerability(ies). Therefore, COA(s) presented to the Installation Commander for an implementation decision should effectively mitigate vulnerability and reduce risk to a level within the Commander’s risk tolerance. This allows the commander to make decisions on which COA(s) to move forward with implementation.

COA decision. The Installation Commander selects the COA they believe will best mitigate unwanted risk(s) while accomplishing the ID mission. If the Commander rejects all COAs, the IDWG re-accomplishes COA development. Along with the COA decision, the Commander may issue final planning guidance that requires a revision to the Commander’s intent and new CCIRs to support COA implementation and execution. The IDWG acts on the commander’s direction to fulfill the Commander’s intent, executes the COA, and revises the IDP accordingly.

COA implementation. Upon the Installation CC’s selection of which COAs will be implemented, the IDC will direct the IDWG to begin implementation. Ownership falls with either the asset owner or the owner of the COA (logistics, infrastructure, security, etc.). Status tracking of the COA(s) to be implemented is the responsibility of the owner; however, status reports should be provided to the IDC through the IDWG, as required.

Continuous assessment. The IDRMP is a living process in that it does not reach a defined end-state.
Changes in mission and assets, evolving threats, implementation of mitigation measures and even change in leadership can precipitate the need to reassess the security environment. Without continuous assessment, security becomes reactive, responding to the latest crisis or security failure. By replacing a crisis response mentality with a proactive and structured management approach to security, changes can be better anticipated and long-term fixes implemented. Crises will still occur, but they should not be the driver that determines the direction of the ID program. The implementation of countermeasure COAs should change the installation’s risk posture, sometimes in unexpected or unintended ways. By measuring the effectiveness of implemented COAs, decision-makers can continually refine the installation’s risk posture.

Process Output: Once COAs have been implemented, a new installation risk posture will be in place. The assessor will need to ensure: vulnerabilities are revised or updated; risks are revised or updated; and the IDP is updated to capture changes and COAs.

Attachment 1 – Risk Assessment Model

Glossary of Terms and Acronyms

Attachment 2 – Threat Analysis Factors

Operational Capabilities

Operational capabilities are acquired, assessed, or demonstrated levels of the capability to conduct terrorist attacks.

Group tactics. What type of attack has the group conducted in the past? Has the group conducted large- or small-scale bombings, kidnappings, assassinations, drive-by shootings, or other assaults? Has there been an indication that the group has new capabilities? Has the group been notably unsuccessful in an attack?

Mass-casualty capabilities. Does the group have the capability and willingness to conduct a mass-casualty attack? Has the group conducted mass-casualty attacks in the past? Has the group shown an interest in CBRNE material?

Targeting techniques. Does the group conduct attacks that are intended to maximize casualties?
Does the group attempt to damage only property by placing IEDs after business hours or in remote locations?

State sponsorships. Does the group have state sponsorship? Who is the state sponsor? What type of intelligence, logistics, training, or funding is provided? Is support issued from one or more governments? If so, which ones?

Group operating areas. Is the group indigenous, regional, or transnational? Can indigenous groups operate regionally or internationally?

High-technology accesses. Does the group have access to high technology? Does the group use computers? If so, to what extent? Can the group conduct sophisticated, technical surveillance or employ advanced IEDs? What type of equipment is used? Where did the group get the equipment? Who trained the group?

Operational methods. What is the group’s method of operation? (A group usually continues to use TTPs that have been successful in the past.)

Professional representations. What is the group’s overall professionalism? Has the group consistently carried out successful, sophisticated attacks? Has the group demonstrated a high or low degree of tradecraft?

Intentions

Intentions. Intentions are stated purposes and/or actual attacks on U.S. interests.

Recent attacks. Has the group conducted a recent terrorist attack? If so, what type of attack? Which weapons were used? Were preincident indicators noted? Was outside support used? Did the group take credit for the attack?

Anti-U.S. ideologies. Does the group have an anti-U.S. ideology? Is the ideology stated publicly? What are the group’s grievances against the United States? What trigger events could entice the group to act?

Anti-HN ideologies. Does the group have an anti-HN ideology? Does the group consider U.S. aid or support to be a hindrance to its goals? At what point would the group consider attacking U.S. interests because of this support?

Attacks in other countries. Has the group conducted a terrorist attack in another country? If so, where? What type of attack?
Which type of support network was in place?

Responses to current, international events. Has the group responded to an international event with a terrorist attack? If so, what was the event? What type of response did it carry out? Has the group ever publicly denounced an international event involving the United States? Did it threaten U.S. interests?

Activity

Activities. A terrorist group’s activities may not always be related to operational planning or present a threat to U.S. or HN interests. Many groups use countries as support bases and may not want to jeopardize their status by conducting terrorist acts in those countries. Analysts determine the group’s activity by examining influential elements and by remembering that the situation is always fluid and subject to change.

Presence. Is a group present, but inactive?

Fundraisers and safe havens. Does the group use the country for fundraising? If so, what type of fundraising? How much money is generated? What is its intended use? Is any of the money funneled to other locations or groups? Does the group use a country as a safe haven?

Suspected surveillance, threats, and suspicious incidents. Has the group conducted surveillance? Is the group proficient at surveillance? What does the group do with surveillance information? Has the group threatened DOD or U.S. interests? How does the group conduct surveillance? Have suspicious events been linked to the group?

Philosophy changes. Has the group shown signs of changing philosophies? Does the philosophical change include targets? Is DOD affected?

External cells. How does local leadership interact with external leadership? How much contact is normal? Does the group have connections with other cells? Do the cells train together? Do they share intelligence?

Key operative movements. Has there been noted movement of key operatives? If so, from where to where? Was the movement covert? Was there a reaction from other cells? What was the purpose of the movement?
Were code words used?

Contingency planning. Has contingency planning been noted? Who or what were the targets? How were past plans executed? Who conducted the planning? Was outside help used or requested? Did any of the attacks occur after planning was noted? How much time elapsed?

U.S. or HN security element disruptions. Have U.S. or HN security forces disrupted group activities? Does the group perceive U.S. involvement? What caused the disruption? What was uncovered by security? How does it affect the group’s operational capability in the country?

Weapons caches. Have weapons caches been uncovered? If so, what weapons were found? Are the weapons consistent with the group’s past weapons usage? Who supplied the weapons?

Cell activities. What type of activity does the group primarily conduct in country? Operational? Support? Size of cells? Number of cells?

U.S.-targeted asset indicators. Is there an indication that the group is targeting U.S. assets? If so, at which stage of the targeting process was the plan uncovered? What is the timing, specific target, and location of the plan?

Terrorist activity intelligence report assessments. What type of intelligence is being reported? What is the source, reliability, and access of the reports?

Operating Environment

Operating Environment. This factor rates how the overall environment influences the ability, opportunity and motivation to attack DoD interests in a given location.

Capability of Host Nation Security. An important element of this factor is the capability of the host nation security apparatus to combat terrorism, its degree of cooperation with the US and the quality of the reporting on terrorist groups in the country.

DoD Presence.
A key element is whether there is a DoD presence and, if so, the type, size, location, political sensitivity and, if temporary, its duration.

Overall political, economic and military stability of the country. Consider the overall political, economic and military stability of the country and its effect on the ability of a group to attack.

DIA determinations of the operating environment for Terrorist activity. DIA establishes the operating environment for Terrorist activity. The analyst will need to make the determination for other threat actors of concern to an installation.

Attachment 3 – IDRMP Threat Tactics

The following threat tactics are considered when conducting the IDRMP.

Ballistic Tactics
Anti-Personnel – muggings, hostage, kidnapping, assassination
Direct Fire – active shooter, guns, light antitank weapons, MANPADS

Contamination Tactics
Airborne CBRN – TIC/TIM release, chem/bio materials, military chemical weapons, dirty bombs
Food Supply – contaminated at food prep/serving, in distribution system, at processing center
Waterborne CBRN – agents with short lives and/or mitigated with chlorine, up to stable, chlorine-resistant agents

Eavesdropping Tactics
Acoustic and Electronic – use of listening devices (bugs) and electronic emanations interception equipment
Visual – observation and note-taking, use of binoculars and cameras, active solicitation

Explosives Tactics
Indirect Fire – incendiary devices, mortars, rockets
Man-Portable Bombs – improvised incendiary devices, improvised explosive devices up to 55 lbs TNT, hand grenades
Package/Mail Bombs – mail or packages with 2.2 to 55 lbs TNT, chem/bio agents
Vehicle-borne IED – vehicles carrying 55 to 4400 lbs TNT, aircraft bomb
Waterfront Attack – jet skis and boats with up to 1100 lb TNT, anti-tank and 0.50 cal weapons

Property Tactics
Anti-Aircraft – vandalism, sabotage, hijacking
Anti-Property – vandalism, theft, civil disturbance, riots, protests, arson, sabotage

Attachment 4 – Commander’s Critical Information Requirements

Commander’s
Critical Information Requirements (CCIRs). CCIRs are elements of information required by the Installation Commander that directly affect timely decision making. CCIRs are a key information management tool for the Installation Commander and help assess the operational environment and identify decision points throughout the conduct of operations. Examples of CCIRs include the availability of forces, munitions, communications equipment and expected points of attack. CCIRs belong exclusively to the Installation Commander. The Installation Commander designates CCIRs to ensure planning staffs know which information is necessary for decision-making. In all cases, fewer CCIRs are better so the staff can focus efforts and allocate finite resources. CCIRs are not static. The Installation Commander can add, delete, adjust and update them based upon the information needed for decision-making.

Key Elements. CCIRs include priority intelligence requirements (PIRs) and friendly force information requirements (FFIRs). CCIRs generate PIRs and FFIRs; the staff focuses on answering the CCIRs to support the Commander’s decision-making ability.

Intelligence Requirement (IR). Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence. A requirement for intelligence to fill a gap in the command’s knowledge or understanding of the operational environment or threat forces.

Priority Intelligence Requirement (PIR). PIRs are the basic building blocks that define the information requirements the DFC has deemed most vital for successful mission accomplishment. PIRs are generated to obtain intelligence to make decisions. Good PIRs have three things in common: they ask only one question (e.g., about an enemy status or action); they focus on a specific fact, event or activity; and they provide the information required to support a single decision (e.g., if the enemy does this, then I have to decide what to do).
The DFC ensures ID PIRs and CCIRs are coordinated with the Installation Commander and incorporated into the installation’s FP PIRs. ID PIRs and CCIRs should be included in the Intelligence Annex of the IDP.

Friendly Force Intelligence Requirement (FFIR). FFIRs are items the DFC needs to know about ID forces that affect his or her ability to execute the ID mission, such as changes in forces available or changes in the disposition of adjacent friendly units.

Specific Intelligence Requirement (SIR). An identified gap in intelligence holdings that may be satisfied only by collection action, and that has been validated by the appropriate requirements control authority.

Specific Orders and Requests (SOR). Allows the commander to direct forces in mission tasks or submission tasks to gather information to “answer” SIRs.

Essential Elements of Friendly Information (EEFI). EEFI are critical aspects of friendly operations that, if known by the adversary, would likely compromise, lead to failure or limit success of the operation; therefore, they should be protected from enemy detection. By definition, EEFIs are not part of CCIR; however, they become part of a Commander’s priorities when stated so. EEFIs are articulated in the Installation Commander’s Critical Information List (CIL) which is developed and managed by the installation operations security (OPSEC) program manager.

IR/PIR Examples.
IR (PIR) #1 – What local and regional groups pose a threat to (base name) or the surrounding area?

SIR #1-1: What means do these groups have to conduct attacks against (name of base), within the base security zone or surrounding community?

Indicators:
Information on purchase or theft of materials used in making IEDs
Information on purchase or theft of large quantities of weapons or ammunition
Information regarding suspicious cars, trucks, vans in the area

IR (PIR) #2 – Are there any patterns of activity or threats that indicate an increased probability of attack against (name of base), the base security zone or surrounding community?

SIR #2-1: Have there been any reported or noted suspicious surveillance activities of (name of base) operations/personnel?

Indicators:
Information on unusual or excessive inquiries regarding the security measures for the installation
Information on or reports of individuals photographing, videotaping or sketching in the area of the installation
Reported incidents of individuals attempting unauthorized installation entry

FFIR Examples
What are the critical assets on the installation—any single point failure assets?
Do I have enough forces to meet all FPCONS?
If augmentation is required, what is needed and when?
How long can I maintain FPCONs with existing forces?
Are ID comm assets safe from tampering/monitoring?
Can we sustain the Selective Arming program?
Is the IDP synchronized with other installation plans, as well as local, state, and federal agencies?
What products or equipment does the installation have that could be used against us?
Is our back up/alternate ID C2 capability fully functioning? What do we lose if we lose the primary?
EEFI Examples
Location, schedule and security of command group
Security and configuration of the information network
Installation incident response capability and consequence management plans
Designation of critical facilities and High Risk Targets
Measures to reduce/mitigate vulnerabilities (COAs)
Integrated Defense Plan
List of Critical Facilities/installation maps / drawings
TDY schedules for employees
MOAs/MOUs for support from civilian or DOD agencies
Locations of active and passive surveillance capabilities used on the installation

Attachment 5 – Asset Criticality Worksheet Template

The worksheet is self-explanatory. The more information is gathered, the more it will assist the CA and provide historical documentation and contact information for asset owners. This sheet is not used for asset scoring. Asset scoring should be conducted in conjunction with the IDRMP facilitator and asset owner/SME.

Asset Criticality Worksheet
POC:
Unit:
Date:
Asset Name:
Bldg#:
Category:
Description:
Population: 75
# Msn Critical or 1st Responder Personnel:
Assets in Assets (armory, SCIF, unique equipment, etc):
Anything unique/unusual about asset:

The following is an example of a completed asset worksheet.

Asset Criticality Worksheet
POC: MSgt Gene Smith x1212
Unit: 700 Comm Sqdn
Date: 5 Jan 2019
Asset Name: Network Control Center
Bldg#: 501
Category:
Description: Building contains installation network control equipment and Sqdn personnel
Population: 75
# Msn Critical or 1st Responder Personnel: 5
Assets in Assets (armory, SCIF, unique equipment, etc): N/A
Anything unique/unusual about asset: Building also houses Sqdn admin spaces. Network control center is manned by 5 personnel 24/7

Attachment 6 – Pre-scored Asset List

This list was developed by HAF/A4S and provides for the standardization of scoring for certain assets. Notwithstanding these standard scores, installations can override and rescore the asset should the standard score not be suitable. NOTE: This is a place holder.
Not sure how we want to capture this.

Linguistic Rating | Score | Item
Critical | 100 | CIP Tier 1
Critical | 92 | PL 1 Nuclear
Critical | 90 | CIP Tier 2
Critical | 84 | PL 1 Non-nuclear
Critical | 80 | Top Secret Info
Very High | 64 | Installation Wide Infrastructure
Very High | 60 | PL 2 Assets
Very High | 52 | PL 3 Assets, High Risk Personnel (HRP)
High | 48 | AA&E Category 1, Power Projection Assets
High | 44 | Command Post
Medium High | 36 | Comm Facility, Medical Facilities
Medium High | 32 | Mission Support Facilities
Medium Low | 28 | Dorms, Retail, HQ Facilities, Admin Facilities
Low | 20 | Military Family Housing over 13 units
Very Low | 12 | Single/Duplex Military Family Housing

Attachment 7 – Asset Subcategories

Place holder. Not sure this is needed.

Attachment 8 – Default Preferred Targets

[Table image]

Attachment 9 – Default Target Preference

[Table image]

Attachment 10 – Default Consequence Factors

[Table image]

Attachment 11 – Vulnerability Worksheet

[Worksheet image]

Instructions for use:
Score each layer of security individually
Score each layer against each tactic if applicable
Use the following scores when scoring tactics: Critical - 3; High - 2; Medium - 1; and Low - 0
For each layer, multiply each layer score by the weight of the tactic (layer % contribution to defeating tactic number).
Add each of the layer numbers within a given tactic together and divide the total by 300
Resulting number is the vulnerability score to a given tactic.
See example below (NOTE: the example only shows a calculation for two tactics.
Each tactic should be calculated in the final product)

[Example worksheet image]

Attachment 12 – Risk Summary Worksheet

[Worksheet image]

Instructions for use:
List each asset identified in the criticality assessment

Attachment 13 – Integrated Defense Tool Kit

TOOL | Anticipate | Deter | Detect | Assess | Warn | Defeat | Delay | Defend | Recover
100 Percent Identification Check | XXXX
1-Person Security Patrol | XXXX
Active / Passive Barriers | XXX
Adversary Timeline Analysis System | XX
All-Terrain Vehicle (ATV) | XXX
Alternate Critical Facilities | X
Armed Entry Control (various configurations) | XXXXXX
Asset Camouflage | XXX
Asset Concealment | XXX
Asset Dispersal | XXX
Additional ID Forces | XXXXXXX
Backscatter | XXX
Ballistic Protection | XXXXX
Ballistic Windows (including Mylar retrofit) | XX
Bar Code Cards | XXX
Biometric Systems | XXX
Bollard (special purpose) | XXX
Bollard Line | X
Card Readers | XXX
CBRNE Detection and Decontamination | XXXX
CCTV (includes Birds-Eye and others) | XXX
Chain Link Fence, 3 feet | XX
Chain Link Fence, 7+ feet, w/barbed wire outriggers | XXX
Close-Boundary Sentry (CBS) | XXXXXXX
Close-In Sentry (CIS) | XXXXXXX
Community Policing (e.g., Operation Home-watch and Eagle Eyes Programs) | XXXXX
Concealment Screening | XXX
Concertina Wire | XXX
Curbing | X
Ditch | XX
Drop-Arm Barrier | XXX
Earth Berm, 4+ feet | XXX
ECSI Active Infrared Sensor | XXX
Electric Turnstile | XX
Electronic Facility Entry Control (proximity card, cipher lock, etc) | XXX
Eltec 864M1E Long Range Passive Infrared Sensor | XXX
Engineer Support (heavy equipment) | XX
Facility and Room Spalling Protection (including retrofit) | XX
Facility Hardening (various) | XXX
Fence Protection System (FPS-2-2 TASS) Sensor | XXXXX
Fingerprint | XX
Fire Team | XXXXXX
Free Standing / Walk-through Metal Detectors | XXX
Geoshield | XX
Geospatial Analysis and Planning Support | XX
Hand Geometry | XX
Hand-Held Metal Detector | XXX
Hand-Held Thermal Imager (HHTI) | XX
Hazard Prediction Assessment Capability | XXXX
Hollerith Cards | XXX
Hydraulic Road Wedge | XXXX
Imaging Systems | XXX
Immediate Visual Assessment (IVA) Sentry | XXXXXXX
Increased Stand-off | XX
Infrared Perimeter Intrusion Detection System-Lightweight (IpidLw) | XXXXXX
Information / Intelligence Gathering (local, federal, etc) | XXX
Ionscan | XXX
Jersey Barrier | XXX
Joint Conflict and Tactical Simulation | X
Knee Wall | XX
Large Vehicle Search | XXX
Lighting, Area | XXXXX
Lighting, Boundary | XXXXX
Lighting, Entry Point | XXXXX
Lighting, IR/VNIR | XXXXX
Lighting, Special Purpose | XXXXX
Line of Demarcation | X
Locks / Hasps | XXX
M-2 Machine Gun | XXX
M-24 Rifle | XXX
M-240B Automatic Rifle | XXX
M-249 Automatic Rifle | XXX
Magnetic Cards | XX
Manual Turnstile | XX
Meta VR 3D Visualization | XX
Metal Detector / X-Ray | XXX
Miscellaneous Ad-hoc Barriers (55-gallon drums, large tires, large rocks, etc) | XX
MK-19 Machine Gun | XXX
Mock Devices (sensors, cameras, etc) | XXXXX
MWD Patrol | XXXXXXX
Night Vision Capability for Guard Force | XX
MSTAR | XXXX
Optex Short Range Passive Infrared Sensor | XXX
Owner / User Personnel | XXXXXXX
Perimeter Surveillance Radar System (PSRS) | XXXX
Photo Identification | XXX
Pyramid X1 Sensor | XX
Police Bicycle Patrol | XXX
Power Production Backup | XX
Quick Reaction Force (QRF) (various configurations, contingency) | XXXX
Random Antiterrorism Measures (RAMs) | XX
Radiological Dosimeter / Pager (passive) | XXX
Retina Scan | XXX
RF Communication, encrypted | X
RF Communication, unencrypted | X
SATCOM, encrypted | X
SATCOM, unencrypted | X
Secure Room / Vault | XXX
Security Containers | X
Security Response Team, External (ESRT) | XXXXXXX
Security Response Team, Internal (ISRT) | XXXXXXX
Security Turnstiles | XX
Security Forces Unit Type Codes (UTCs) (various, contingency) | XX
Security Forces Vehicle, Special Purpose (various) | XXX
Short Range Thermal Imager (SRTI) | XX
Signature Systems | XX
Speed Humps / Tables | XX
Steel Cabling (arrestor) | XX
Steel Cabling (linking and / or chains) | XX
Stop / Check / Pass | XXX
Surveillance System, Other | XXX
SW 310B Dual Stack Biostatic Microwave Sensor | XX
SW 385 Monostatic Microwave Sensor | XX
Tech Logistics AIR Sensor | XXX
Telescoping Camera | XXX
TMS Active Infrared Sensor (Air) | XXX
TMS Break Wire Sensor | XXX
TMS Magnetic Sensor | XXX
TMS Passive Infrared Sensor | XXX
TMS Seismic Sensor | XXXXXX
Trace Detection Systems | XXX
Traffic Control / Circulation Plan | XX
Transfrisker Wand | XXX
PL-1 Restricted Area | XXXXXX
PL-2 Restricted Area | XXXXXX
PL-3 Restricted Area | XXXXXX
PL-4 Restricted Area | XXXXXX
Unmanned Aerial Vehicles (various) | XX
Under Vehicle Inspection System | XXX
Unmanned Aerial Observation Platforms (various) | XXX
Vapor Detection Systems | XXX
Vault / Safe | XXX
Visitor Control | XXXX
Voice Patterns | XX
Vulnerability Assessment and Protection Option | XX
Wall, Misc, < 7 feet, Ballistic | XXX
Wall, Misc, < 7 feet, Non-ballistic | XXX
Wall, Misc, 7+ feet, Ballistic | XXX
Wall, Misc, 7+ feet, Non-ballistic | XXX
Waterborne Patrol Craft | XXXXXXX
Wide Area Surveillance Thermal Imager-Uncooled (WSTI-U) | XX
Wide Area Surveillance Thermal Imager-Cooled (WSTI-C) | XX
Window Catcher Bars | XXXX
X-Ray Systems | XXX

Asset Criticality Scoring

The following provides a breakdown of the methodology of asset scoring:

Mission. This factor addresses the criticality of the asset in its support of the installation’s missions. Descriptive terms and brief definitions ranging from low (little or no impact) to high (mission failure) are used. The higher selections should reflect that they are critical assets to accomplish a DoD or Air Force mission essential task (MET).
If an asset’s loss would not directly impact an assigned MET, then the lower numbers should be selected. The following table should be used in scoring the Mission factor.

Mission Impact

Assets Other Than Infrastructure
Description | Value
CRITICAL, loss results in mission failure | 5
SIGNIFICANT, loss results in significant mission impact | 4
MODERATE, loss results in moderate mission impact | 3
LOW, loss degrades mission | 2
MINIMAL, loss results in little/no mission impact | 1

Infrastructure Category Assets
Description | Value
Loss causes installation or DoD MISSION FAILURE | 5
Loss SIGNIFICANTLY DEGRADES installation/DoD mission | 4
Loss DEGRADES MOST of installation | 3
Loss DEGRADES PORTION of installation | 2
Loss has MINIMAL IMPACT on installation/DoD mission | 1

If previous two tables are the same, then consolidate.

National Defense. This factor addresses the criticality of the asset in its support of the missions that are not directly related to the installation’s METs. It accounts for the fact that some assets on the installation may be critical to the mission of other Services or combatant commanders. For example, tenant units on an installation may have little impact on the primary base mission but are critical to national defense. An example might be a CCDR HQ located on the installation. The following table should be used in scoring the National Defense factor, and the high scores should only be used for assets that have been identified as supporting specific DoD missions or capabilities.

National Defense
Description | Value
Great harm to US strategic capability | 5
Great harm to US military capability | 4
Damage to US strategic/military capability | 3
Damage to defense infrastructure | 2
Damage to element of US military capability (e.g., installation) | 1
Insignificant impact on military capability | 0

Replaceability. This factor addresses the ease with which asset functions can be replaced.
There are separate entries for the General Population and for Information, which are not considered replaceable once killed (people) or lost to the adversary (information). For other assets, the factor is based upon the amount of time required to replace the function of the asset or the difficulty of finding mission critical personnel replacements with the requisite skills and training. The emphasis on asset function is important. For example, if the dining facility were destroyed, replacement of the building might take a year or longer, but the people would be fed immediately through the use of alternate dining facilities, MREs, downtown restaurants, etc. The following table should be used in scoring the Replacement factor.

Replaceability of Function
Description | Value
General population – (incl dependents) not considered “replaceable” | 5
Sensitive Information – not replaceable once lost to adversary | 5

Assets Other Than General Population or Information
Description | Value
Long time (>6 months) / very difficult to replace | 5
Significant time (1-6 months) or difficulty; extensive training required | 4
Moderate time (1 month) or difficulty; transfer from other bases | 3
Short time (1 week) / not difficult; transfer from other units | 2
Replacement available in area (3 days); people available in unit | 1
Nearly immediate replacement (1 day) | 0

Relative Value. This factor provides a measure of the relative value of an asset based on measures of value appropriate for particular asset categories. The relative values of the different asset categories are measured in different ways. For example, aircraft relative values are based upon the type and number of aircraft, ranging from Trainer Aircraft to Strategic Aircraft; whereas industrial and utility equipment values vary based on the value of the equipment, either individually or in inventory. Buildings such as barracks are typically valued based upon their current maximum occupancy at a given time, not how many they could theoretically hold.
(Buildings such as water treatment plants should be scored as infrastructure.) The following table should be used in scoring the Relative Value factor.

Relative Value

Facilities and Buildings and General Population
Description | Value
>1000, or >100 mission critical people | 5
501-1000, or 50-100 mission critical people | 4
101-500, or 11-49 mission critical people | 3
50-100, or 6-10 mission critical people | 2
11-49, or 1-5 mission critical people | 1
<11 people | 0

Individuals
Cabinet-Level High Risk Person | 5
SECDEF-Authorized High Risk Person | 4
3- and 4-star or equivalent | 3
1- and 2-star or equivalent | 2
Installation Commander | 2
Other Senior Staff | 1

Aircraft
Strategic aircraft | 5
Tactical or attack aircraft, >squadron | 4
Tactical or attack aircraft, <squadron | 3
Cargo, refueling or utility aircraft, >squadron | 3
Cargo, refueling or utility aircraft, <squadron | 2
Trainer aircraft | 1

Arms, Ammunition & Explosives
Strategic Weapons | 5
Category I | 3
Category II | 2
Category III | 1
Category IV | 1
Uncategorized | 1

Industrial & Utility Equipment
Value > $100K, or Inventory > $2M | 5
Value $50K - $100K, or Inventory $1M - $2M | 4
Value $25K - $50K, or Inventory $500K - $1M | 3
Value $10K - $25K, or Inventory $250K - $500K | 2
Value $2500 - $10K, or Inventory $100K - $250K | 1
Value <$2500, or Inventory < $100K | 0

Vehicles
20+ weapons systems | 5
20+ tactical or critical maintenance/support | 4
20+ general purpose vehicles | 3
<20 weapons systems | 3
<20 tactical or critical maintenance/support | 2
<20 general purpose vehicles | 1

Command & Control Equipment
Strategic/COCOM C2 Equipment, SCI Communications | 5
Tactical/Installation C2 Equipment, Top Secret Communications | 4
Air Traffic Control Systems, Secret Communications | 3
Individual ATC/C2 Equipment, General Communication Towers | 2
Individual ATC/C2 Equipment, General Communication Towers | 1

Classified Information and Sensitive Information
Sensitive Compartmented Information | 5
Top Secret | 4
Secret | 3
Confidential | 2
Unclassified but Sensitive | 1

Infrastructure
Regional support, or item value > $2M | 5
Installation-wide support, or item value $1-2M | 4
Area-wide support, or item value $500K-1M | 3
Localized support, or item value $100-500K | 2
Non-critical infrastructure, or item value < $100K | 1

Asset Scoring Calculation. The following table is an example of asset scoring.

Asset | Category | Bldg # | Mission Importance | National Defense | Replaceability | Relative Value | Asset Score
Runway | Infrastructure | | 4 | 1 | 3 | 4 | 64
PL 3 Aircraft | Aircraft | | 4 | 1 | 5 | 3 | 64
Network Control Center | C2 Equipment | 501 | 4 | 1 | 4 | 1 | 44
WG HQ | Facilities and Bldgs | 1 | 2 | 1 | 0 | 3 | 36
TLF | Facilities and Bldgs | 700 | 1 | 0 | 0 | 2 | 20

Asset Criticality = Mission + National Defense + Replaceability + Relative Value 4.

When asset scoring is completed, scores are divided by 100 and displayed as a numerical rating between 0 and 1.

Threat Scoring Methodology

Calculating Adversary Factor: The baseline Adversary Threat Factor for International Terrorists is based upon the Department of Homeland Security National Terrorism Advisory System (NTAS). The baseline threat does not require calculation; the following table provides adversary rates based on the current threat level:

National Terrorism Threat Level | Baseline Adversary Threat Factor for International Terrorists
High | .40
Significant | .30
Moderate | .20
Low | .10

The baseline value establishes a minimum threat level addressing the general terrorist threat; however, it does not take into account the locally developed threat picture. For adversaries known or suspected to be in the local AOI, the known localized intelligence information is summarized and valued using four factors derived from the DoD ATO Guide: Activity, Intentions, Operational Capability and Operating Environment. Each factor is scored on a ten-point scale (0 to 10) using the tables below.
Local Activity of Adversary

Organized Criminals, Sophisticated & Unsophisticated Criminals, Vandals
Description | Value
Indications of targeting US assets | 10
Identified operational activity or solicitation to commit | 8
Suspected threats or incidents | 6
Unknown | 5
Petty criminal activity (theft, drugs) | 3
Minor mischief (vandalism) | 1

All Others
Description | Value
Indications of targeting US assets | 10
Identified operational or support activity | 8
Suspected surveillance, threats, or incidents | 6
Unknown | 5
Fundraising/Recruiting/Safe Haven or petty criminal activity | 3
Present locally but inactive or Present in Area of Interest (AOI) | 1

Adversary Intentions and History

Organized Criminals, Sophisticated & Unsophisticated Criminals, Vandals
Description | Value
High crime – direct US military attacks | 10
Medium crime – direct US military attacks | 8
Low crime – direct US military attacks | 6
High crime – no direct US military attacks | 5
Unknown | 5
Medium crime – no direct US military attacks | 4
Low crime – no direct US military attacks | 2
No history of attacks | 0

All Others
Description | Value
Recent attacks (past 3 years) against US assets locally | 10
Recent attacks (past 3 years) in region, or locally in past 10 years | 8
Anti-US ideology, with history of attacks outside region | 6
Unknown | 5
History of attacks in region, or compromising assets locally | 4
Anti-US ideology, but no direct attacks against US assets | 3
Pro-US ideology, but with history of attacks outside region | 2
No history of attacks | 0

Adversary Local Operational Capability
Description | Value
Capable and willing to use Mass Casualty Tactics | 10
Capable and willing to use Anti-Personnel and Ballistic Tactics | 8
Somewhat capable in Mass Casualty, Anti-Personnel, or Ballistic Tactics | 6
Unknown | 5
Very capable in Property Tactics | 4
Somewhat capable in Property Tactics | 3
Non-destructive Tactics (e.g., propaganda, protest, intelligence gathering) | 2

Local Operating Environment
Description | Value
Favors Adversary | 10
Neutral | 6
Favors US/Host Nation | 0

The following algorithm calculates the adversary factor and yields a score between 0 and 1.0:

Adversary Factor = (Activity + Intentions + Capability + Environment) ÷ 40

In the table below, the adversary factor for Domestic Terrorist would be calculated as follows: (8 + 8 + 10 + 0) ÷ 40 = .65.

Adversary | Local Activity | Intentions & History | Capability | Operating Environment | Adversary Factor
Domestic Terrorist | 8 | 8 | 10 | 0 | .65
Foreign Intelligence | 6 | 8 | 2 | 0 | .4
Unsophisticated Criminals | 3 | 2 | 3 | 6 | .35

Evaluate Preferred Tactics. In order to fully understand the risk potentially posed by adversaries, it is important to refine the TA data down to the tactic preference level. Different types of adversary groups tend to prefer certain tactics or are more adept at executing certain tactics. For instance, vandals tend to prefer anti-property tactics, whereas international terrorists tend towards mass casualty tactics. If the intelligence information is sufficient, the threat ratings can reflect these preferences, strengths and weaknesses for the identified adversary groups. The table at Attachment 8, Default Preferred Tactics, shows the default tactics for each adversary group. Shaded cells reflect tactics normally not associated with the particular adversary group. For each specific adversary operating in the local area, the risk analyst can further refine the preferred tactics based upon available intelligence using the scale embedded in the table as a guideline. For example, if international terrorists are judged to be very adept at explosive tactics while only interested in developing a contamination tactic capability, the analyst may assign a rating of 100% for explosive tactics, and a lower rating (i.e., 50%) for contamination tactics. The following value adjustments to target preference can be made based on local intelligence:

Threat Actor Activity | Value
Would likely not attack this type of target | 0.00
Rarely attacks this type of target | 0.25
Attacks this type of target occasionally | 0.50
Routinely attacks this type of target | 0.75
Has an absolute preference for this type of target | 1.00

Evaluate Preferred Targets.
Similar to the preferred tactic analysis, preferred targets should also be evaluated during the TA. Since capability is less directly related to preferred targets than for tactics, this analysis is more binary – either an asset category is (value = 100%), or is not (value = 0%) a preferred target. If an asset category is suspected of being of interest to an adversary, an intermediate value (i.e., 50%) can be selected to reflect these nuances if desired. Attachment 9, Default Preferred Targets, shows the default target preferences for each adversary group.

Threat Rating. At this point in the TA, the analyst has enough information to develop threat ratings for each target-tactic pair. The challenge is to select the worst case for each pair. For example, you may determine both international and domestic terrorists working in your AOI employ explosive tactics, but at different capabilities and against different targets. While all permutations can be accomplished by hand calculation without difficulty, this step lends itself to the matrix algebra and database capabilities of computers. This step is also convenient for applying a measure of consequence to the target-tactic pairs. For example, a building may be completely destroyed by a vehicle-borne IED, but only slightly damaged by a letter bomb. The same two tactics, however, are completely effective against a person. Attachment 10, Default Consequence Factors, shows the default consequence factor used for each target-tactic pair. Inappropriate tactics are also handled with this table, such as food contamination tactics against vehicle assets. The table below illustrates an example Adversary Threat Rating Worksheet.
(NOTE: This is only an example and does not represent what a complete worksheet would look like.)

For each target-tactic pair (T-T Pair), select the worst case and populate the Threat Rating matrix, using the following algorithm: Threat Rating = Adversary Threat Level x Preferred Target x Preferred Tactic x Consequence Factor. In the table below, the threat rating for Domestic Terrorist would be calculated as follows: .65 X 1.0 X .50 X 100 = .33 (32.5).

| Adversary | Rate | Preferred Tactics | Score | Preferred Targets | Score | Consequence Factor | Rating |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Domestic Terrorist | .65 | Ballistic Tactics | 1.0 | Individuals | .50 | 100 | .33 |
| Foreign Intelligence | .40 | Eavesdropping | 1.0 | Classified Information | 1.0 | 100 | .4 |
| Unsophisticated Criminals | .35 | Anti Property Tactics | 1 | Industrial and Utility Equipment | .5 | 100 | .18 |

Threat Rating Scale. The figure below shows a threat rating scale that links numerical, color, and linguistic ratings. The objective of the TA step is to understand the threats facing an installation, and more specifically, the tactics ID forces must defeat.

[Figure: threat rating scale]

Manual VA calculation

The following steps will lead an assessor through the VA process. The installation is divided into four layers (Outside the Perimeter, Perimeter, Inside the Perimeter and at the Asset), and the existing countermeasures and vulnerabilities within each layer are evaluated. For each tactic under consideration, the vulnerability in each layer is scored by the SMEs against a four-point scale (High - 3; Significant - 2; Moderate - 1; and Low - 0). Each layer is weighted by tactic, reflecting the importance of the particular layer’s defensive features to defeating the given tactic. For example, the Perimeter layer is very important against the vehicle-borne IED tactic and carries a large weight. This layer is less important against the standoff weapon tactic.
Once the SMEs have scored the individual layer vulnerabilities, the vulnerability rating (0.00 to 1.00) for each tactic can be calculated using the formula: Vulnerability Rating = (∑ over layers of (Score x Weight)) ÷ 300. Use the worksheet at Attachment 11 to calculate the VA rating.
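The adversary factor, worst-case threat rating and vulnerability rating calculations described above, as an added Python example that is not part of the manual. The fourth worksheet row, the layer weights and the layer scores are constructed; the code assumes the consequence factor is a percentage and that a tactic's layer weights total 100 (the manual's own weights are not reproduced on this page).

```python
# Added example (not from the manual): the section's three formulas in code.
LAYERS = ("Outside the Perimeter", "Perimeter", "Inside the Perimeter", "At the Asset")

def adversary_factor(activity, intentions, capability, environment):
    """(Activity + Intentions + Capability + Environment) / 40, each scored 0-10."""
    scores = (activity, intentions, capability, environment)
    if any(not 0 <= s <= 10 for s in scores):
        raise ValueError("each adversary score must be between 0 and 10")
    return sum(scores) / 40

def threat_rating(factor, tactic_pref, target_pref, consequence_pct):
    """Threat rating as a 0-1 fraction; consequence is read as a percentage
    (assumption), matching the page's '.65 X 1.0 X .50 X 100 = .33 (32.5)'."""
    return factor * tactic_pref * target_pref * consequence_pct / 100

def worst_case_matrix(rows):
    """Keep the highest-rated adversary for each (target, tactic) pair."""
    matrix = {}
    for adversary, scores, tactic, tactic_pref, target, target_pref, cons in rows:
        rating = threat_rating(adversary_factor(*scores), tactic_pref, target_pref, cons)
        if (target, tactic) not in matrix or rating > matrix[(target, tactic)][0]:
            matrix[(target, tactic)] = (rating, adversary)
    return matrix

def vulnerability_rating(scores, weights):
    """Sum of layer score (0-3) x layer weight, divided by 300.
    Assumes the weights for one tactic total 100, which the divisor implies."""
    if set(scores) != set(LAYERS) or set(weights) != set(LAYERS):
        raise ValueError("scores and weights must cover all four layers")
    if sum(weights.values()) != 100 or any(s not in (0, 1, 2, 3) for s in scores.values()):
        raise ValueError("weights must total 100 and scores must be 0-3")
    return sum(scores[layer] * weights[layer] for layer in LAYERS) / 300

# First three rows are the page's worksheet; the last row is constructed to
# show worst-case selection when two adversaries share a target-tactic pair.
WORKSHEET = [
    ("Domestic Terrorist", (8, 8, 10, 0), "Ballistic Tactics", 1.0, "Individuals", 0.50, 100),
    ("Foreign Intelligence", (6, 8, 2, 0), "Eavesdropping", 1.0, "Classified Information", 1.0, 100),
    ("Unsophisticated Criminals", (3, 2, 3, 6), "Anti Property Tactics", 1.0, "Industrial and Utility Equipment", 0.5, 100),
    ("International Terrorist (constructed)", (6, 8, 8, 6), "Ballistic Tactics", 0.75, "Individuals", 1.0, 100),
]
# Constructed layer weights and SME scores for a vehicle-borne IED tactic.
VBIED_WEIGHTS = dict(zip(LAYERS, (20, 50, 20, 10)))
VBIED_SCORES = dict(zip(LAYERS, (2, 3, 1, 0)))

if __name__ == "__main__":
    for pair, (rating, who) in worst_case_matrix(WORKSHEET).items():
        print(f"{pair}: {rating:.2f} ({who})")
    print(f"VBIED vulnerability: {vulnerability_rating(VBIED_SCORES, VBIED_WEIGHTS):.2f}")
```

For the Individuals / Ballistic Tactics pair the constructed adversary replaces the Domestic Terrorist row, because only the worst case per pair is carried into the Threat Rating matrix.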