Vulnerability Assessments VA#2

PLAN OF INSTRUCTION/LESSON PLAN PART I

NAME OF INSTRUCTOR COURSE TITLE VA#1
VA#2
BLOCK OR UNIT TITLE ANTITERRORISM FORCE PROTECTION
LEVEL II COURSE
Vulnerability Assessments

COURSE CONTENT TIME (Hours)

Class Title: Vulnerability Assessments 1.5

Learning Objectives: The objective of this lesson is to familiarize you with the purpose of the
vulnerability assessment, the functions of the assessment, and the process one must go through in
order to conduct an assessment. The vulnerability elements associated with an assessment, the
application of physical security and assessments, and the procedures for actually conducting an
assessment. The student will have a general understanding of the Defense Special Weapons Agency
and the Joint Rear Area Coordinator assessment teams and their functions.

SUPPORT MATERIALS AND GUIDANCE

AUDIO/VISUAL AIDS: PowerPoint presentation “VUL.PPT.

Training Equipment: In-focus projector, Joint Pub 3-07.2, Appendix A.

Teaching Method: Informal Lecture/Discussion.

References: DoD O-2000.12-H VA#3

Joint Publication 3-07.2, March 1998

AFI 31-210

FC 100-37

JSIVA Assessment Program Guidelines, 3/11/98

USCINCENT OPORD 97-01 Force Protection

GAO Report to Congressional Requesters "Status of DoD efforts to protect its forces

overseas). July 1997

Instructor Guidance: This class will be conducted utilizing the informal lecture/discussion format.
The instructor will analyze the knowledge level of the class student body and tailor the class
accordingly.

SUPERVISOR APPROVAL OF LESSON PLAN DATE UNIT SIGNATURE DATE
SIGNATURE BLOCK PAGE NO.
DATE
POI NUMBER (Same as on cover page)
1 MAY 98

1

INTRODUCTION (05min)

Attention: US deployed forces are better protected today from terrorist attacks than
before the bombing at Khobar Towers. Security improvements are most evident where
the risk of terrorism is the greatest, such as Turkey and the Middle East, however, DOD
has placed less emphasis on addressing vulnerabilities in countries that are currently
considered to have a lower threat. Senior military commanders and defense officials have
emphasized that they can reduce, but not eliminate, vulnerabilities and that further terrorist
attacks against US forces should be expected. They also observed that efforts to defend
against terrorism is complicated by a number of factors, such as it is impractical to obtain
sufficient stand-off distance either due to shortages of suitable land or the high cost of
obtaining it around base facilities located in populated areas, abutting public roads and
privately owned land, offices, or residences. The problem is further compounded by the
ability of terrorists to decide where and when to attack and to choose from a wide
selection of targets. Nevertheless, the officials said, some risk must be accepted as the
United States pursues its national security strategy abroad.

Motivation: The question is not whether additional terrorist attacks will occur , but when,
where, and how. In this light, while vulnerabilities to attacks can be reduced, a "zero
defects" approach to fighting terrorism is not possible. DOD faces a number of obstacles
in defending against future attacks. First, DOD has a large presence in many countries
around the world, offering a plethora of potential targets, and DOD does not have the
resources to fully protect all of them all the time. Second, predictive intelligence on
terrorist attacks is difficult to obtain. Commanders, therefore, may not be in a position to
prevent an attack from occurring; they can only prepare to minimize the consequences
from an attack. Third, DOD installations are often located on host nation installations
and, as a result, there are limitations on the security measures DOD can undertake.
Political and cultural considerations outside the control of local commanders may
influence decisions that effect security. Vulnerability assessments are a self-assessment
tool that address the consequences of a terrorist attack in terms of the ability of units,
installations, commands, or activities to accomplish their mission even if the terrorists have
inflicted causalities, or destroyed or damaged DOD assets. In other words, what is the
probability of being hit and whether or not assigned responsibilities can be fulfilled as
required if attacked.

VA#4

Overview: VA#5

1. The function of a vulnerability assessment.

2. Concept

3. Team members

4. Elements of vulnerability.

5. Conducting the assessment.

6. Assessment teams

7. Crisis management planning.

8. GAO report findings pertaining to vulnerability assessments.

Transition: IAW DoD O-2000.12-H it is the responsibility of management and command
at every echelon to assess the risk of becoming the victim if a terrorist attack so lets start
off by looking at the functions of a vulnerability assessment.

3

VA#6

1. The Function of a Vulnerability Assessment: The minimum
purpose of vulnerability assessments is to provide commanders
with a tool to assess the potential vulnerabilities of an installation,
activity, port, unit, or base. The utility of the vulnerability
assessment is to aid commanders in identifying:

NOTE: Typically a small group of knowledgeable
individuals,( at the minimum, operations, LE, Security,
Intelligence, counterintelligence, Communications,
Engineering staff, medical services, housing, fire protection,
emergency planning, and NBC defense and response.)

a. Weaknesses in physical security plans, programs, and
structures.

b. Inefficiencies and diminished effectiveness of personnel
practices and procedures relating to security, incident control,
incident response, and incident resolution including but not limited to
law enforcement and security, intelligence, command,
communications, medical, and public affairs..

c. Enhancements in operational procedures during times of
peace, mobilization, crisis (MOOTW), and war.

d. Resource requirements necessary to meet DoD, Service, VA#7
combatant command, and local security requirements.

2. Concept: The concept for a force protection VA, is to focus on
two broad areas;

a. Emergency preparedness and crisis response

b. Preventing and substantially mitigating the effects of a
terrorist act.

(1) The proactive and reactive aspects of force protection
are divided into four significant elements;

a. Physical Security
b. Weapons Effect Mitigation
c. Threat, Vulnerability, and Risk Analysis
d. Application of DoD Standards

4

3. Team Members:

a. Assessment Team Chief
b. Physical Security Specialist
c. Structural Engineer
d. Operations Readiness Specialist
e. Intelligence and/or Counterintelligence
f. Infrastructure Engineer

(1) Assessment Team Chief: Key responsibility Overall
Management, training, and performance of the VA team
members; finalizing the VA out-brief

a Ensures team is properly trained and equipped

b Team members have appropriate security clearances.

c Oversees the pre-deployment collection and analysis of
available information to support the deployment.

d Oversees operational and procedural security training for
team members.

e On-site, assesses critical population centers and mass
population areas including travel routes in threat and
vulnerability analysis.

(2) Physical Security Specialist: Key responsibilities
Installation, facility, and personnel security/ safety

a. Assess overall physical security, operations, and
information security.

b. Assess access control, to include sensors and intrusion
devices.

c. Assess perimeter defensive positions and vehicular
and/or personnel barriers.

d. Assess lighting, police security, and security response
planning and force capability.

e. Assess overall security planning and responsiveness to
threat assessments and prepared intelligence estimates.

5

f. Assess relationship and support from local law
enforcement and other security agencies, both local
and national.

g. To the extent that vulnerabilities are found, formulate
and suggest mitigating measures and assist in their
implementation.

(3) Structural Engineer: Key responsibilities Threat and
damage assessment from terrorist weapons; suggestions
for the threat protection or damage mitigation measures.

a Assess damage mechanisms including blast, shock, and
fragmentation. Calculate hazardous radii bases on
structural dynamics and calculated structural loads.

b Assess building and barrier resistance or mitigation of
threat weapons effects. Determine appropriate
standoff distance, potential hardening or other
mitigating measures.

c Assess systems related to physical security and
personnel protection (warning devices, alarms).

d Assess and/or identify safe havens.

e Assess mechanical, electrical, and other service
systems for vulnerability to weapons effects and
suggest mitigating measures.

f To the extent that structural vulnerabilities are found,
formulate and suggest mitigating measures and assist
in their implementation.

(4) Infrastructure Engineer: This function examines three
distinct elements of force protection.

1. Protection against the effects of WMD
2. Protection against terrorist incident induced fires
3. Utility systems that can be employed to minimize terrorist

incident casualties, including elements of power,
environmental control, and life support systems. Key
responsibilities Infrastructure security, fire, safety, and
damage control.

6

a Assess facility and operational utility systems for
susceptibility to damage from terrorist acts.

b Assess fire protection planning and capabilities,
including emergency response planning and exercises.

c Assess vulnerability of installation utilities and plans
for back-up services.

d Assess availability of support, to include use of local
national capabilities.

e Assess mechanical, electrical, and other infrastructure
systems for vulnerability to weapons effects and
suggest mitigating measures.

f To the extent that structural vulnerabilities are found,
formulate and suggest mitigating measures and assist
in their implementation.

(5) Operations Readiness Specialist: Examines plans,
procedures and capabilities for crisis response,
consequence management, and recovery operations
should a terrorist incident occur.
*Objectives: provide IPM and emergency response
capabilities that minimize mass casualties and reduce the
number of severe injuries and fatalities.
*Operational readiness includes training of all personnel in
response actions to tactical warning, alarms of imminent
attack, planning and exercise of rescue operations,
emergency medical triage, and treatment in mass casualty
situations. Key responsibilities Emergency Medical and
Individual readiness assessments

a Assess individual, personnel, facility, and installation
protection capabilities.

b Assess emergency medical capabilities and planning
including and identification of key assets and
infrastructure.

c Assess recovery procedures and planning to
understand the ability to recover from loss of key
assets, infrastructure, or facilities.

7

d Assess planning and/or consideration of evacuation as
a risk mitigating measure.

e Assess application of the DOD force protection
standards and determine their value in vulnerability
reduction.

f To the extent that structural vulnerabilities are found,
formulate and suggest mitigating measures and assist
in their implementation.

(6) Intelligence and/or Counterintelligence Specialist: Key
responsibilities Local analysis and prepares possible
conclusions regarding terrorist targets and target
vulnerabilities based on processed intelligence, knowledge
of terrorist capabilities/methods.

a Develop possible threat scenarios.

b Assess installation, facility, and personnel vulnerability
in view of scenarios, and in consideration of ongoing
counterintelligence activity, demonstrated capabilities
in exercises, capabilities of local authorities, and
terrorist intelligence activities.

c Propose additional security, counteraction, and threat
reduction efforts.

NOTE: Communications, housing, fire, protection, NBC
defense, and response are functional areas which can be
executed by any team member if appropriate for the
mission and threat of the installation, base, ship, unit, or
port activity.

4. Elements of Vulnerability: Vulnerability elements include steps
that might be taken to gain access to protected DoD assets and the
resulting consequences to DoD in terms of diminished capability to
carry out assigned missions. Once approaches are identified one
should examine the facility from a physical, personnel, and operations
security perspective. Vulnerability elements include actions taken by
DoD personnel during the execution of their mission which may
increase the risk of terrorist attack or increase the severity of
consequences should an attack occur. Such as:

8

a. Terrorist can cut perimeter fences, gain access to a facility,
inflict casualties, and degrade DoD capabilities. Undetected
intrusions or detected intrusions that generate no alarm or response
suggest a potential vulnerability to terrorist attack.

b. Removal of vehicles and equipment from storage facilities for
mobility processing exercises increases the exposure of these
resources to potential terrorist attack.

c. Marshaling equipment/weapons on flight-line in preparation
for aircraft generation. The risk is further increased when crews are
scrambled and aircraft are removed from a restricted area and taxied
to the end of a runway where less security is maintained.

d. Removal of weapons from an installation to conduct weapons
qualification at distant ranges.

e. Commanders have the responsibility for balancing exposure of
DOD assets to terrorist attack risk and vulnerability with continued
preparation, training, and mission execution. Assessments of
vulnerability are continuous, based on the operational tempo of each
DOD component's specific activities.

f. DoD O-2000.12-H, Appendix C contains an instrument that can
be used to develop or conduct security surveys for DoD installations,
offices, and residences of High Risk DoD personnel.

5. Conducting the assessment: Visible, fixed, land-based DoD
facilities should have vulnerability assessments performed on a
regular basis. However, not all assets are fixed, land-based DOD
facilities. Some DoD assets that require protection are senior
military and DoD civilian officials. The specific assignments of these
individuals can put them at risk of becoming a victim of a terrorist
attack. In some cases, loss of this individual is equivalent to the
termination or failure of a DoD mission.

a. IAW DoD instruction 2000-16 VA will be conducted at least
once every three years.

9

b. Vulnerability assessments should consider the possibility of indirect
attacks or attacks from unusual approaches. Terrorists have
attempted to use hot air balloons, ultra-light aircraft, hang gliders,
and remote control model cars, aircraft, or boats in an effort to
breech perimeter security devices.

c. Three-dimensional vulnerability assessments are a must when VA#11
assessing the vulnerability of DoD personnel, facilities, or materials
not located within areas not owned or completely controlled by the
DoD.

d. Vulnerability assessments are an on going process. Vulnerability
of DoD assets change daily, if not hourly, depending upon the nature
of the threat and the nature of the tasks being performed.

e. AFI 31-210 directs that the vulnerability assessment will occur
at the installation commander level and higher. These assessments
should consider a wide range of identified and projected terrorist
threats against a specific location, installation personnel, facilities,
and other assets. This detailed, static vulnerability analysis then
provides a baseline assessment from which to develop the
installation plan.

f. What kind of questions should you be asking when conducting a
vulnerability assessment?

(1) What assets would the terrorist target? Why? (softness vs.
hardness and ease vs. value).

(2) What capabilities do the terrorist groups have? Which
capabilities would be effective against potential targets? Why?

(3) How might those capabilities be employed?

(4) What might early signs of an attack be? How might
authorities detect such attack?

(5) What are the avenues of approach terrorists would take to
reach targeted assets?

(6) How well protected are the assets likely to be targeted by
the terrorists?

10

(7) If the threat condition is raised can the installation
maintain the increased threat posture?

(8) Do we have redundant capabilities if attacked?

5. Assessment Teams.

a. DSWA, Defense Special Weapons Agency, has been selected by
the Chairman, Joint Chiefs of Staff to provide an in depth
independent assessments for all of the DOD.

(1) The Vulnerability Assessments performed by the DSWA
team members are conducted on behalf of the Joint Staff
with support from JCS/J-34 and other technical experts as
needed. The name Joint Staff Integrated Vulnerability
Assessments has been adopted, JSIVA.

(2) Methodology, The JSIVA assessments are intended to
assist the installation commander in meeting his/her AT/FP
goals. The team will identify vulnerabilities and options to
the commander in an effort to reduce the potential impact of
terrorist attacks.

(a) Checklist – JSIVA Assessment Program Guidelines
and all applicable appendixes, dated 3/11/98 will be
used.

(b) Threat assessments will be consistent with the
requirements of DoD directive 5420.1, 25 April 1988.
DoD “intelligence activities concerning collection,
retention, and dissemination of Information on US
persons.

(3) What a JSIVA is not.

(a) An inspection, effort to grade or rate force protection
efforts.

(b) An evaluation or report that scores a site or
installation.
(c) A substitute for other inspections or survey.

11

(4) JSIVA team members specialty knowledge and
responsibilities.

(a) Assessment Team

(b) Physical Security Specialist:

(c) Structural Engineer:

(d) Infrastructure Engineer

(e) Operations Readiness Specialist:

(f) Terrorist Operations Assessments Specialist:
Knowledge of terrorist goals, intentions, capabilities,
likely targets etc.

(5) Conducting the Assessment:

(a) In-brief to commander and staff
(b) Familiarization briefing and tour

(c) Team will request technical POC’S

(d) Duration site dependent

(e) Commanders out-brief

(f) Summary report/slides, observations and suggestions
provided for the installation commander( within 30 days ), J-
34, Combatant command (OCONUS) or military Service
(CONUS)

**NOTE: A final Report can be attained from service or CINC
HQ upon request.

(6) Lesson-Learned, both positive and negative will be extracted
without attribution and entered into the Joint Uniform Lessons
Learned, an Access driven data base or (JULLS). Generic lessons
learned and technology issues will be available on J-34 home-page.

12

VA#17

b. JRAC, Joint Rear Area Coordinator, the JRAC is the CINC’S
representative in the AOR for coordination of force protection efforts.

(1) Methodology, conduct a comprehensive VA in order to
provide the site commander with viable suggestions for force
protection improvements and to document site vulnerabilities.

(2) Checklist, USCINCCENT OPORD 97-1, Annex M, Appendix
7, part II CINC Force.

(3) JRAC Specialty Knowledge

(a) Tactical Defense

(b) Combat Engineering

(c) Air Base Defense

(d) Aircraft Security

(e) NBC Security

(f) EOD

(g) Coastal Defense/Port Security

(h) Counterintelligence Support

(i) Communications/Sensors

(j) Arabic Language Support

(4) Conducting of the Assessment

(a) In-brief

(b) Orientation Tour then on their own

(c) Unrestricted access (24 hours)

(d) Duration 5-7 days, site dependent

(e) Questions, Verification, pictures, plans, observations

13

(f) Out-brief (slides with commander) VA#18
VA#19
6. Crisis Management Planning. A key aspect of any vulnerability
assessment includes the existence of an effective and viable crisis
management plan.

a. The DoD Combating Terrorism Program concept builds on a
foundation of terrorist threat analysis and the preparation of an
integrated threat estimate. The integrated threat estimate examines
the interactions among the following elements:

(1) Terrorist threat (from intelligence)

(2) Risk of terrorist attack (from DoD Component military and
civilian staff at each echelon).

(3) Vulnerability of DoD Components to terrorist attack, and

(4) Assessment of asset criticality to DoD mission and
functions.

b. On the basis of the Integrated Terrorist Threat Estimate,
commanders must develop and implement a plan to reduce the
likelihood of terrorist attack (terrorism prevention) and mitigate its
effects should it occur. Preventive measures include terrorism
awareness, education, and training, physical security enhancements
at the installation, facility, DoD personnel residence, and personal
protective measures education for DoD affiliated personnel and their
dependents.

c. Notwithstanding efforts to prevent terrorist incidents
commanders are responsible for the development of a terrorism crisis
management plan to cover such contingencies when preventive
efforts fail.

d. One must realize that one of the basic tenants of terrorist
operations is to make a government appear weak and incapable of
protecting its citizens. As such this very tenant makes any DoD
activity that lacks an adequate crisis management plan relative to
antiterrorism/force protection, a valuable terrorist target.

e. DoD O-2000.12-H Appendix X contains a Crisis Management
Plan Checklist which includes elements one should consider when
developing or reviewing a crisis management plan. Appendix Y

14

contains a sample terrorist incident crisis management plan format
that may be used as an aid in the development of detailed plans.

f. There are two different sets of special concerns related to crisis
management planning as the result of terrorist acts.

(1) The first is the security problems posed by bomb threats. VA#20
The ideal terrorist weapon since they are relatively low cost;
components are easy to obtain and difficult to trace, can be designed
to fit into anything making detection difficult. They enhance the
quality of violence and destruction and can be designed to allow the
terrorist the opportunity to escape from the scene of the crime.

(2) The second concern is the challenge of maintaining an
installation’s day-to-day operations and routines while in an advanced
level of preparedness directed by the DoD Terrorist Threat Condition
System.

(a) Implementation of Terrorist THREATCONs does not
come without costs that can be measured and described quantitatively
and qualitatively.

1. Quantitative Costs such as overtime payment to VA#21
guard forces, shuttle bus lease for remote parking, acquisition of
metal detectors, x-ray machines, barriers, security lighting or other
physical inspection devices

2. Qualitative costs can be measured by delays in
response time of security personnel, loss of staff productivity because
of changes in their routines, delays in access to installation, decreased
productivity, stress induced illnesses, demoralization of staff after
prolonged periods of inconvenience, failure to receive deliveries of
shipments not marked properly, delays in emergency services
response.

(b) It is a difficult challenge for anyone to balance the costs VA#22
of maintaining normal operations with the need to enhance security
by implementation of THREATCONs.

7. US General Accounting Office Report to Congressional
Requesters referring to the Status of DoD Efforts to Protect Its
Forces Overseas.

15

a. This report reviewed the DoD’s efforts to protect U.S. forces
from terrorist attacks. It further addresses the measures taken at
overseas U.S. bases to enhance the security of deployed personnel
and recent DoD initiatives to improve its antiterrorism program

b. The following issues of concern were addressed in this report:

(1) The DoD has not provided common standards to assess
vulnerabilities. Currently there is not a common understanding within
the DoD of how to conduct a vulnerability assessment or what
constitutes a high-quality assessment.

(2) Upon reviewing vulnerability assessments completed after
the bombing of Khobar Towers, numerous inconsistencies in
frequency, approach, and quality were found.

(3) Some locations had numerous assessments, while others VA#23
had none. Officials at these sites expressed concern about the high
frequency of, and lack of cohesion among assessments.

(4) Some vulnerability assessments had limited value since
they did not identify specific vulnerabilities. By not identifying
specific vulnerabilities, it is impossible to determine what,
improvements are needed to decrease their vulnerability to terrorist
attack.

(5) Threat information in some assessments was not well
defined. IAW DoD guidance, a threat analysis provides a basis for
assessing terrorist risk, to include likelihood of attack and mode of
attack. It is a precursor to any assessment. Some assessments didn’t
mention the type of threat they needed to defend against, while others
vaguely referred to the terrorist threat, but lacked specifics on the
anticipated mode of attack. Others postulated a threat that appeared
incongruent with threat assumptions made elsewhere. One
assessment conducted at a headquarters building in the US postulated
a truck bomb threat that was twice the size of the estimated bomb
used at Khobar Towers.

(6) Some commanders believed they must implement all
recommendations contained in the vulnerability assessments, whether
they agree with them or not. They are taking this approach out of
fear that if a terrorist attack occurred, they could be criticized for
failing to implement a recommended corrective action that, in
hindsight, would have mitigated the damage from the attack.

VA#24

16

(7) Vulnerability assessments still lacked consistency. The
Downing task force criticized the approach to conducting
vulnerability assessments, noting that DoD lacked standards
governing their frequency, format, and content. DoD has
acknowledged that vulnerability assessments vary widely in scope and
comprehensiveness, further DoD has acknowledged that common
approaches and standards are needed, but it does not plan to impose
standards that would apply to all assessments. JCS/J-34 officials
reported that this was not their role. The DoD’s proposed the
following program standards:

(8) DoD components will schedule a higher headquarters
level assessment of their installations and programs at least once
every three years.

(9) Commanders will prepare a terrorist physical security
vulnerability assessment for facilities, installations, and operating
areas within their area of responsibility. The assessment will address
the broad range of physical threats to the security of personnel and
assets.

(10) The GAO report recommended that the Secretary of
Defense direct the Chairmen, Joint Chiefs of Staff to standardize
vulnerability assessments to ensure a consistent level of quality and to
provide a capability to compare the results from different sites.

(11) DoD response: The DoD concurred with the
recommendation and is developing the capability to standardize
vulnerability assessments. The Joint Staff is providing the program of
instruction that the DSWA is using to conduct their assessment to the
services and combatant commands. Additionally, the services and
combatant commands have access to the Joint Universal Lessons
Learned database that is used by the Joint Staff to distribute Force
Protection lessons learned from the JSIVA visits. The Joint Staff is
coordinating with the services and combatant commands to
consolidate all lessons learned regarding Force Protection into one
database.

VA#25

17

(12) The DoD has since issued DoD Instruction 2000-16 in an effort
to address some of the problems previously discussed. After review
of this new Instruction the GAO states the new standards will not
resolve the vulnerability assessment problems. The new standards are
performance standards, not physical security standards. Because
these performance standards focus on policies, procedures, and plans
rather than physical security vulnerabilities, it is not clear how they
can be used to identify physical security vulnerabilities. The inability
to identify specific vulnerabilities was a problem noted with
assessment reviewed. Also because the standards are not detailed
and descriptive, they are subject to interpretation by all. In the
absence of more specific, measurable standards, the fundamental
issues of methodology, scope , and completeness will remain.

(13) The steps DoD is taking should promote greater
consistency in how vulnerabilities assessments are conducted.
However, in the absence of formal DoD standards, the combatant
commanders and services may still deviate from the program of
instruction used by the Joint Staff Integrated Vulnerability
Assessment Teams. Therefore, common standards and procedures
for conducting vulnerability assessments are needed to ensure a
consistent level of quality and to provide a capability to compare
results from different sites.

VA#26

(14) How to order the GAO report:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015
(202) 512-6000
Fax: (310) 258-4066
Internet: [email protected]
Home page: http://www.gao.gov

18

CONCLUSION (:05)

Summary: VA#27

1. The function of a vulnerability assessment.
2. Concept
3. Team members
4. Elements of vulnerability.
5. Conducting the assessment.
6. Assessment teams
7. Crisis management planning.
8. GAO report findings pertaining to vulnerability assessments.

Remotivation: As the Level II Antiterrorism/Force Protection POC, it is incumbent upon you
to ensure your commander has this valuable tool to assist in making decisions which will
protect DoD assets, the mission, and ultimately save lives.

Conclusion: Are there any questions concerning this last block of instruction?

19