PLAN OF INSTRUCTION/LESSON PLAN PART I

NAME OF INSTRUCTOR COURSE TITLE

ANTITERRORISM FORCE PROTECTION LEVEL II COURSE

BLOCK OR UNIT TITLE

VA#1 VA#2

Vulnerability Assessments
COURSE CONTENT

TIME (Hours)

Class Title: Vulnerability Assessments Learning Objectives: The objective of this lesson is to familiarize you with the purpose of the vulnerability assessment, the functions of the assessment, and the process one must go through in order to conduct an assessment. The vulnerability elements associated with an assessment, the application of physical security and assessments, and the procedures for actually conducting an assessment. The student will have a general understanding of the Defense Special Weapons Agency and the Joint Rear Area Coordinator assessment teams and their functions.

1.5

SUPPORT MATERIALS AND GUIDANCE AUDIO/VISUAL AIDS: PowerPoint presentation VUL.PPT. Training Equipment: In-focus projector, Joint Pub 3-07.2, Appendix A. Teaching Method: Informal Lecture/Discussion. References: DoD O-2000.12-H VA#3 Joint Publication 3-07.2, March 1998 AFI 31-210 FC 100-37 JSIVA Assessment Program Guidelines, 3/11/98 USCINCENT OPORD 97-01 Force Protection GAO Report to Congressional Requesters "Status of DoD efforts to protect its forces overseas). July 1997 Instructor Guidance: This class will be conducted utilizing the informal lecture/discussion format. The instructor will analyze the knowledge level of the class student body and tailor the class accordingly.

SUPERVISOR APPROVAL OF LESSON PLAN SIGNATURE

DATE

SIGNATURE

DATE

POI NUMBER (Same as on cover page)

BLOCK

UNIT

DATE

PAGE NO.

1 MAY 98
1

INTRODUCTION (05min) Attention: US deployed forces are better protected today from terrorist attacks than before the bombing at Khobar Towers. Security improvements are most evident where the risk of terrorism is the greatest, such as Turkey and the Middle East, however, DOD has placed less emphasis on addressing vulnerabilities in countries that are currently considered to have a lower threat. Senior military commanders and defense officials have emphasized that they can reduce, but not eliminate, vulnerabilities and that further terrorist attacks against US forces should be expected. They also observed that efforts to defend against terrorism is complicated by a number of factors, such as it is impractical to obtain sufficient stand-off distance either due to shortages of suitable land or the high cost of obtaining it around base facilities located in populated areas, abutting public roads and privately owned land, offices, or residences. The problem is further compounded by the ability of terrorists to decide where and when to attack and to choose from a wide selection of targets. Nevertheless, the officials said, some risk must be accepted as the United States pursues its national security strategy abroad. Motivation: The question is not whether additional terrorist attacks will occur , but when, where, and how. In this light, while vulnerabilities to attacks can be reduced, a "zero defects" approach to fighting terrorism is not possible. DOD faces a number of obstacles in defending against future attacks. First, DOD has a large presence in many countries around the world, offering a plethora of potential targets, and DOD does not have the resources to fully protect all of them all the time. Second, predictive intelligence on terrorist attacks is difficult to obtain. Commanders, therefore, may not be in a position to prevent an attack from occurring; they can only prepare to minimize the consequences from an attack. Third, DOD installations are often located on host nation installations and, as a result, there are limitations on the security measures DOD can undertake. Political and cultural considerations outside the control of local commanders may influence decisions that effect security. Vulnerability assessments are a self-assessment tool that address the consequences of a terrorist attack in terms of the ability of units, installations, commands, or activities to accomplish their mission even if the terrorists have inflicted causalities, or destroyed or damaged DOD assets. In other words, what is the probability of being hit and whether or not assigned responsibilities can be fulfilled as required if attacked.

VA#4

Overview: 1. The function of a vulnerability assessment. 2. Concept 3. Team members 4. Elements of vulnerability. 5. Conducting the assessment. 6. Assessment teams 7. Crisis management planning.

VA#5

8. GAO report findings pertaining to vulnerability assessments.

Transition: IAW DoD O-2000.12-H it is the responsibility of management and command at every echelon to assess the risk of becoming the victim if a terrorist attack so lets start off by looking at the functions of a vulnerability assessment.

VA#6 1. The Function of a Vulnerability Assessment: The minimum purpose of vulnerability assessments is to provide commanders with a tool to assess the potential vulnerabilities of an installation, activity, port, unit, or base. The utility of the vulnerability assessment is to aid commanders in identifying: NOTE: Typically a small group of knowledgeable individuals,( at the minimum, operations, LE, Security, Intelligence, counterintelligence, Communications, Engineering staff, medical services, housing, fire protection, emergency planning, and NBC defense and response.) a. Weaknesses in physical security plans, programs, and structures. b. Inefficiencies and diminished effectiveness of personnel practices and procedures relating to security, incident control, incident response, and incident resolution including but not limited to law enforcement and security, intelligence, command, communications, medical, and public affairs.. c. Enhancements in operational procedures during times of peace, mobilization, crisis (MOOTW), and war. d. Resource requirements necessary to meet DoD, Service, combatant command, and local security requirements. VA#7 2. Concept: The concept for a force protection VA, is to focus on two broad areas; a. Emergency preparedness and crisis response b. Preventing and substantially mitigating the effects of a terrorist act. (1) The proactive and reactive aspects of force protection are divided into four significant elements; a. b. c. d. Physical Security Weapons Effect Mitigation Threat, Vulnerability, and Risk Analysis Application of DoD Standards

3. Team Members: a. b. c. d. e. f. Assessment Team Chief Physical Security Specialist Structural Engineer Operations Readiness Specialist Intelligence and/or Counterintelligence Infrastructure Engineer

(1) Assessment Team Chief: Key responsibility Overall Management, training, and performance of the VA team members; finalizing the VA out-brief a Ensures team is properly trained and equipped b Team members have appropriate security clearances. c Oversees the pre-deployment collection and analysis of available information to support the deployment. d Oversees operational and procedural security training for team members. e On-site, assesses critical population centers and mass population areas including travel routes in threat and vulnerability analysis. (2) Physical Security Specialist: Key responsibilities Installation, facility, and personnel security/ safety a. Assess overall physical security, operations, and information security. b. Assess access control, to include sensors and intrusion devices. c. Assess perimeter defensive positions and vehicular and/or personnel barriers. d. Assess lighting, police security, and security response planning and force capability. e. Assess overall security planning and responsiveness to threat assessments and prepared intelligence estimates.

f. Assess relationship and support from local law enforcement and other security agencies, both local and national. g. To the extent that vulnerabilities are found, formulate and suggest mitigating measures and assist in their implementation. (3) Structural Engineer: Key responsibilities Threat and damage assessment from terrorist weapons; suggestions for the threat protection or damage mitigation measures. a Assess damage mechanisms including blast, shock, and fragmentation. Calculate hazardous radii bases on structural dynamics and calculated structural loads. Assess building and barrier resistance or mitigation of threat weapons effects. Determine appropriate standoff distance, potential hardening or other mitigating measures. Assess systems related to physical security and personnel protection (warning devices, alarms). Assess and/or identify safe havens. Assess mechanical, electrical, and other service systems for vulnerability to weapons effects and suggest mitigating measures. To the extent that structural vulnerabilities are found, formulate and suggest mitigating measures and assist in their implementation.

d e

(4) Infrastructure Engineer: This function examines three distinct elements of force protection. 1. Protection against the effects of WMD 2. Protection against terrorist incident induced fires 3. Utility systems that can be employed to minimize terrorist incident casualties, including elements of power, environmental control, and life support systems. Key responsibilities Infrastructure security, fire, safety, and damage control.

Assess facility and operational utility systems for susceptibility to damage from terrorist acts. Assess fire protection planning and capabilities, including emergency response planning and exercises. Assess vulnerability of installation utilities and plans for back-up services. Assess availability of support, to include use of local national capabilities. Assess mechanical, electrical, and other infrastructure systems for vulnerability to weapons effects and suggest mitigating measures. To the extent that structural vulnerabilities are found, formulate and suggest mitigating measures and assist in their implementation.

(5) Operations Readiness Specialist: Examines plans, procedures and capabilities for crisis response, consequence management, and recovery operations should a terrorist incident occur. *Objectives: provide IPM and emergency response capabilities that minimize mass casualties and reduce the number of severe injuries and fatalities. *Operational readiness includes training of all personnel in response actions to tactical warning, alarms of imminent attack, planning and exercise of rescue operations, emergency medical triage, and treatment in mass casualty situations. Key responsibilities Emergency Medical and Individual readiness assessments a Assess individual, personnel, facility, and installation protection capabilities. Assess emergency medical capabilities and planning including and identification of key assets and infrastructure. Assess recovery procedures and planning to understand the ability to recover from loss of key assets, infrastructure, or facilities.

Assess planning and/or consideration of evacuation as a risk mitigating measure. Assess application of the DOD force protection standards and determine their value in vulnerability reduction. To the extent that structural vulnerabilities are found, formulate and suggest mitigating measures and assist in their implementation.

(6) Intelligence and/or Counterintelligence Specialist: Key responsibilities Local analysis and prepares possible conclusions regarding terrorist targets and target vulnerabilities based on processed intelligence, knowledge of terrorist capabilities/methods. a b Develop possible threat scenarios. Assess installation, facility, and personnel vulnerability in view of scenarios, and in consideration of ongoing counterintelligence activity, demonstrated capabilities in exercises, capabilities of local authorities, and terrorist intelligence activities. Propose additional security, counteraction, and threat reduction efforts.

NOTE: Communications, housing, fire, protection, NBC defense, and response are functional areas which can be executed by any team member if appropriate for the mission and threat of the installation, base, ship, unit, or port activity.

4. Elements of Vulnerability: Vulnerability elements include steps that might be taken to gain access to protected DoD assets and the resulting consequences to DoD in terms of diminished capability to carry out assigned missions. Once approaches are identified one should examine the facility from a physical, personnel, and operations security perspective. Vulnerability elements include actions taken by DoD personnel during the execution of their mission which may increase the risk of terrorist attack or increase the severity of consequences should an attack occur. Such as:

a. Terrorist can cut perimeter fences, gain access to a facility, inflict casualties, and degrade DoD capabilities. Undetected intrusions or detected intrusions that generate no alarm or response suggest a potential vulnerability to terrorist attack. b. Removal of vehicles and equipment from storage facilities for mobility processing exercises increases the exposure of these resources to potential terrorist attack. c. Marshaling equipment/weapons on flight-line in preparation for aircraft generation. The risk is further increased when crews are scrambled and aircraft are removed from a restricted area and taxied to the end of a runway where less security is maintained. d. Removal of weapons from an installation to conduct weapons qualification at distant ranges. e. Commanders have the responsibility for balancing exposure of DOD assets to terrorist attack risk and vulnerability with continued preparation, training, and mission execution. Assessments of vulnerability are continuous, based on the operational tempo of each DOD component's specific activities. f. DoD O-2000.12-H, Appendix C contains an instrument that can be used to develop or conduct security surveys for DoD installations, offices, and residences of High Risk DoD personnel.

5. Conducting the assessment: Visible, fixed, land-based DoD facilities should have vulnerability assessments performed on a regular basis. However, not all assets are fixed, land-based DOD facilities. Some DoD assets that require protection are senior military and DoD civilian officials. The specific assignments of these individuals can put them at risk of becoming a victim of a terrorist attack. In some cases, loss of this individual is equivalent to the termination or failure of a DoD mission. a. IAW DoD instruction 2000-16 VA will be conducted at least once every three years.

b. Vulnerability assessments should consider the possibility of indirect attacks or attacks from unusual approaches. Terrorists have attempted to use hot air balloons, ultra-light aircraft, hang gliders, and remote control model cars, aircraft, or boats in an effort to breech perimeter security devices. c. Three-dimensional vulnerability assessments are a must when assessing the vulnerability of DoD personnel, facilities, or materials not located within areas not owned or completely controlled by the DoD. VA#11 d. Vulnerability assessments are an on going process. Vulnerability of DoD assets change daily, if not hourly, depending upon the nature of the threat and the nature of the tasks being performed. e. AFI 31-210 directs that the vulnerability assessment will occur at the installation commander level and higher. These assessments should consider a wide range of identified and projected terrorist threats against a specific location, installation personnel, facilities, and other assets. This detailed, static vulnerability analysis then provides a baseline assessment from which to develop the installation plan.

f. What kind of questions should you be asking when conducting a vulnerability assessment? (1) What assets would the terrorist target? Why? (softness vs. hardness and ease vs. value). (2) What capabilities do the terrorist groups have? Which capabilities would be effective against potential targets? Why? (3) How might those capabilities be employed? (4) What might early signs of an attack be? How might authorities detect such attack? (5) What are the avenues of approach terrorists would take to reach targeted assets? (6) How well protected are the assets likely to be targeted by the terrorists?

10

(7) If the threat condition is raised can the installation maintain the increased threat posture? (8) Do we have redundant capabilities if attacked?

5. Assessment Teams. a. DSWA, Defense Special Weapons Agency, has been selected by the Chairman, Joint Chiefs of Staff to provide an in depth independent assessments for all of the DOD. (1) The Vulnerability Assessments performed by the DSWA team members are conducted on behalf of the Joint Staff with support from JCS/J-34 and other technical experts as needed. The name Joint Staff Integrated Vulnerability Assessments has been adopted, JSIVA. (2) Methodology, The JSIVA assessments are intended to assist the installation commander in meeting his/her AT/FP goals. The team will identify vulnerabilities and options to the commander in an effort to reduce the potential impact of terrorist attacks. (a) Checklist JSIVA Assessment Program Guidelines and all applicable appendixes, dated 3/11/98 will be used. (b) Threat assessments will be consistent with the requirements of DoD directive 5420.1, 25 April 1988. DoD intelligence activities concerning collection, retention, and dissemination of Information on US persons.

(3) What a JSIVA is not. (a) An inspection, effort to grade or rate force protection efforts. (b) An evaluation or report that scores a site or installation. (c) A substitute for other inspections or survey.

11

(4) JSIVA team members specialty knowledge and responsibilities. (a) Assessment Team (b) Physical Security Specialist: (c) Structural Engineer: (d) Infrastructure Engineer (e) Operations Readiness Specialist: (f) Terrorist Operations Assessments Specialist: Knowledge of terrorist goals, intentions, capabilities, likely targets etc.

(5) Conducting the Assessment: (a) In-brief to commander and staff (b) Familiarization briefing and tour (c) Team will request technical POCS (d) Duration site dependent (e) Commanders out-brief (f) Summary report/slides, observations and suggestions provided for the installation commander( within 30 days ), J34, Combatant command (OCONUS) or military Service (CONUS) **NOTE: A final Report can be attained from service or CINC HQ upon request. (6) Lesson-Learned, both positive and negative will be extracted without attribution and entered into the Joint Uniform Lessons Learned, an Access driven data base or (JULLS). Generic lessons learned and technology issues will be available on J-34 home-page.

12

VA#17 b. JRAC, Joint Rear Area Coordinator, the JRAC is the CINCS representative in the AOR for coordination of force protection efforts. (1) Methodology, conduct a comprehensive VA in order to provide the site commander with viable suggestions for force protection improvements and to document site vulnerabilities. (2) Checklist, USCINCCENT OPORD 97-1, Annex M, Appendix 7, part II CINC Force. (3) JRAC Specialty Knowledge (a) Tactical Defense (b) Combat Engineering (c) Air Base Defense (d) Aircraft Security (e) NBC Security (f) EOD (g) Coastal Defense/Port Security (h) Counterintelligence Support (i) Communications/Sensors (j) Arabic Language Support (4) Conducting of the Assessment (a) In-brief (b) Orientation Tour then on their own (c) Unrestricted access (24 hours) (d) Duration 5-7 days, site dependent (e) Questions, Verification, pictures, plans, observations

13

(f) Out-brief (slides with commander) 6. Crisis Management Planning. A key aspect of any vulnerability assessment includes the existence of an effective and viable crisis management plan. a. The DoD Combating Terrorism Program concept builds on a foundation of terrorist threat analysis and the preparation of an integrated threat estimate. The integrated threat estimate examines the interactions among the following elements: (1) Terrorist threat (from intelligence) (2) Risk of terrorist attack (from DoD Component military and civilian staff at each echelon). (3) Vulnerability of DoD Components to terrorist attack, and (4) Assessment of asset criticality to DoD mission and functions. VA#18 b. On the basis of the Integrated Terrorist Threat Estimate, commanders must develop and implement a plan to reduce the likelihood of terrorist attack (terrorism prevention) and mitigate its effects should it occur. Preventive measures include terrorism awareness, education, and training, physical security enhancements at the installation, facility, DoD personnel residence, and personal protective measures education for DoD affiliated personnel and their dependents. c. Notwithstanding efforts to prevent terrorist incidents commanders are responsible for the development of a terrorism crisis management plan to cover such contingencies when preventive efforts fail. d. One must realize that one of the basic tenants of terrorist operations is to make a government appear weak and incapable of protecting its citizens. As such this very tenant makes any DoD activity that lacks an adequate crisis management plan relative to antiterrorism/force protection, a valuable terrorist target. VA#19 e. DoD O-2000.12-H Appendix X contains a Crisis Management Plan Checklist which includes elements one should consider when developing or reviewing a crisis management plan. Appendix Y

14

contains a sample terrorist incident crisis management plan format that may be used as an aid in the development of detailed plans. f. There are two different sets of special concerns related to crisis management planning as the result of terrorist acts. (1) The first is the security problems posed by bomb threats. The ideal terrorist weapon since they are relatively low cost; components are easy to obtain and difficult to trace, can be designed to fit into anything making detection difficult. They enhance the quality of violence and destruction and can be designed to allow the terrorist the opportunity to escape from the scene of the crime. VA#20 (2) The second concern is the challenge of maintaining an installations day-to-day operations and routines while in an advanced level of preparedness directed by the DoD Terrorist Threat Condition System. (a) Implementation of Terrorist THREATCONs does not come without costs that can be measured and described quantitatively and qualitatively. 1. Quantitative Costs such as overtime payment to guard forces, shuttle bus lease for remote parking, acquisition of metal detectors, x-ray machines, barriers, security lighting or other physical inspection devices VA#21 2. Qualitative costs can be measured by delays in response time of security personnel, loss of staff productivity because of changes in their routines, delays in access to installation, decreased productivity, stress induced illnesses, demoralization of staff after prolonged periods of inconvenience, failure to receive deliveries of shipments not marked properly, delays in emergency services response. (b) It is a difficult challenge for anyone to balance the costs of maintaining normal operations with the need to enhance security by implementation of THREATCONs. VA#22 7. US General Accounting Office Report to Congressional Requesters referring to the Status of DoD Efforts to Protect Its Forces Overseas.

15

a. This report reviewed the DoDs efforts to protect U.S. forces from terrorist attacks. It further addresses the measures taken at overseas U.S. bases to enhance the security of deployed personnel and recent DoD initiatives to improve its antiterrorism program b. The following issues of concern were addressed in this report: (1) The DoD has not provided common standards to assess vulnerabilities. Currently there is not a common understanding within the DoD of how to conduct a vulnerability assessment or what constitutes a high-quality assessment. (2) Upon reviewing vulnerability assessments completed after the bombing of Khobar Towers, numerous inconsistencies in frequency, approach, and quality were found. (3) Some locations had numerous assessments, while others had none. Officials at these sites expressed concern about the high frequency of, and lack of cohesion among assessments. VA#23 (4) Some vulnerability assessments had limited value since they did not identify specific vulnerabilities. By not identifying specific vulnerabilities, it is impossible to determine what, improvements are needed to decrease their vulnerability to terrorist attack. (5) Threat information in some assessments was not well defined. IAW DoD guidance, a threat analysis provides a basis for assessing terrorist risk, to include likelihood of attack and mode of attack. It is a precursor to any assessment. Some assessments didnt mention the type of threat they needed to defend against, while others vaguely referred to the terrorist threat, but lacked specifics on the anticipated mode of attack. Others postulated a threat that appeared incongruent with threat assumptions made elsewhere. One assessment conducted at a headquarters building in the US postulated a truck bomb threat that was twice the size of the estimated bomb used at Khobar Towers. (6) Some commanders believed they must implement all recommendations contained in the vulnerability assessments, whether they agree with them or not. They are taking this approach out of fear that if a terrorist attack occurred, they could be criticized for failing to implement a recommended corrective action that, in hindsight, would have mitigated the damage from the attack. VA#24

16

(7) Vulnerability assessments still lacked consistency. The Downing task force criticized the approach to conducting vulnerability assessments, noting that DoD lacked standards governing their frequency, format, and content. DoD has acknowledged that vulnerability assessments vary widely in scope and comprehensiveness, further DoD has acknowledged that common approaches and standards are needed, but it does not plan to impose standards that would apply to all assessments. JCS/J-34 officials reported that this was not their role. The DoDs proposed the following program standards: (8) DoD components will schedule a higher headquarters level assessment of their installations and programs at least once every three years. (9) Commanders will prepare a terrorist physical security vulnerability assessment for facilities, installations, and operating areas within their area of responsibility. The assessment will address the broad range of physical threats to the security of personnel and assets. (10) The GAO report recommended that the Secretary of Defense direct the Chairmen, Joint Chiefs of Staff to standardize vulnerability assessments to ensure a consistent level of quality and to provide a capability to compare the results from different sites. (11) DoD response: The DoD concurred with the recommendation and is developing the capability to standardize vulnerability assessments. The Joint Staff is providing the program of instruction that the DSWA is using to conduct their assessment to the services and combatant commands. Additionally, the services and combatant commands have access to the Joint Universal Lessons Learned database that is used by the Joint Staff to distribute Force Protection lessons learned from the JSIVA visits. The Joint Staff is coordinating with the services and combatant commands to consolidate all lessons learned regarding Force Protection into one database. VA#25

17

(12) The DoD has since issued DoD Instruction 2000-16 in an effort to address some of the problems previously discussed. After review of this new Instruction the GAO states the new standards will not resolve the vulnerability assessment problems. The new standards are performance standards, not physical security standards. Because these performance standards focus on policies, procedures, and plans rather than physical security vulnerabilities, it is not clear how they can be used to identify physical security vulnerabilities. The inability to identify specific vulnerabilities was a problem noted with assessment reviewed. Also because the standards are not detailed and descriptive, they are subject to interpretation by all. In the absence of more specific, measurable standards, the fundamental issues of methodology, scope , and completeness will remain. (13) The steps DoD is taking should promote greater consistency in how vulnerabilities assessments are conducted. However, in the absence of formal DoD standards, the combatant commanders and services may still deviate from the program of instruction used by the Joint Staff Integrated Vulnerability Assessment Teams. Therefore, common standards and procedures for conducting vulnerability assessments are needed to ensure a consistent level of quality and to provide a capability to compare results from different sites.

VA#26 (14) How to order the GAO report: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 (202) 512-6000 Fax: (310) 258-4066 Internet: info@www.gao.gov Home page: http://www.gao.gov

18

CONCLUSION (:05) Summary: VA#27

1. The function of a vulnerability assessment. 2. Concept 3. Team members 4. Elements of vulnerability. 5. Conducting the assessment. 6. Assessment teams 7. Crisis management planning. 8. GAO report findings pertaining to vulnerability assessments.

Remotivation: As the Level II Antiterrorism/Force Protection POC, it is incumbent upon you to ensure your commander has this valuable tool to assist in making decisions which will protect DoD assets, the mission, and ultimately save lives.

Conclusion: Are there any questions concerning this last block of instruction?

19