Antiterrorism / Force Protection (AT/FP) Assessment Tool Training. Module 1: Policy Drivers for MARMS & AT/FP Assessments

Transcription

1 Antiterrorism / Force Protection (AT/FP) Assessment Tool Training Module 1: Policy Drivers for MARMS & AT/FP Assessments Supporting Joint Staff J33 via US Army Armament, Research, Development and Engineering Center 1

2 Admin Notes Restrooms Parking Validation Don t park in Alion reserved spots Schedule Lunch Surveys & Training Certificates Introductions 2

3 Course Overview Scope Decomposing the policy drivers for AT/FP assessments and MARMS Secondary: Future implications to Mission Assurance (MA) assessments Delivery method: Lecture 3

4 Terminal Learning Objectives (TLO) 1. Understand the policy and operational drivers for the move to AT/FP risk assessments 2. Understand the operational and policy drivers for MARMS Presentation References DoDI Vol DoD Antiterrorism Program Implementation - Change 1: Joint Publication Antiterrorism Unified Facility Criteria DoD Security Engineering Facilities Planning Manual DoDD Mission Assurance DoDI Defense Critical Infrastructure Program (DCIP) Management - Change 1:

5 Policy driver for AT risk assessments DoDI Ch 3, 2017 DoD Antiterrorism (AT) Program COCOMS & Services are required to: Review AT programs and validate the thoroughness of the AT risk management methodology used to assess DoD elements and personnel criticality, terrorist threat, and vulnerabilities to make risk-based decisions for the application of appropriate countermeasures. Requires use of DoD benchmarks to assess vulnerability (3.5.a (1)) Requires CJCS designates system of record (2.11) Requires commanders use the system of record (3.8.b (4)) DoDI O Ch 1, 2017 DoD AT Program Implementation: AT Standards DoD elements must base their AT risk management procedures on the risk management methodology introduced in the MA Defense Critical Infrastructure Program (DCIP) risk management process outlined in DoDI and modeled in JP

6 Policy Drivers for Risk Process (TLO #1 & 2) DoDI and JP Describe the Risk=Threat*Criticality*Vulnerability process References UFC for threat and criticality ranking 2012 Mission Assurance Strategy and 2016 Mission Assurance Assessments Concept of Operations Defines risk as a process integrating threat, vulnerability, consequence (criticality) Specifically includes installation-level AT/FP assessment as a required component of the MA construct DOD ATO Guide, Ch 3 ATOs establish a process that links the terrorist threat capabilities with vulnerabilities to assets, infrastructure, or personnel required for mission execution that the terrorist threat can exploit to produce countermeasures capable of reducing the terrorist threat risk. 6

7 Risk management process Risk management process as outlined in and modeled in JP

8 Relationship with MA & MARMS (TLO #1 & 2) 2016 DoDD Mission Assurance Requires Components to develop and implement a comprehensive and integrated MA risk-management construct and align associated security, protection, and risk management efforts under an MA construct. March 16, 2018 J33 Mission Assurance System of Record Designation Establishes MARMS as the replacement for the Core Vulnerability Assessment Management Program (CVAMP) 8

9 Why not vulnerability assessments? Risk management has long been AT Standard #3 in DoDI , however the process & tool really focused on vulnerability Previous CVAMP assessments, while good for an installation to document vulnerability assessment results, made it very difficult to aggregate or roll-up enterprise or regional views to expose trends: Had little quantification of threats Had little standardization in asset categories Had no standardized relationships between benchmarks and threats Had minimal functionality to facilitate the Risk Management process, so results were difficult for leadership to assess where the greatest risks are, and make investment decisions 9

10 Why new risk assessments? The new method, better supports AT Standard #3 through: Benchmark focus: Walks assessors through benchmarks to provide leadership a more complete picture of security posture not just identified observations Drives requirement for thoroughness from DoD Standardization in threats & assets: Facilitates roll-ups and cross-unit reporting Standardized risk framework: Has common relationships that help users prioritize activities for their mitigation strategies Aggregated risk results: Inherently supports trend and risk analysis at the installation, regional, and enterprise level This will provide leadership with the data they need to make smart decisions on where best to reduce risk using limited dollars 10

11 Why use the new tool? New tool has efficiencies to assist users in executing a quality risk analysis Pushes baseline threat levels by region or allows HHQ to develop localized threat baselines to push to ATOs Helps commanders achieve AT Standard #2: Intel Support Allows copy from to leverage previous assessments. HHQ can create Templates for common sites Users can export benchmark questionnaires to an Excel spreadsheet for the other installation MA partners to complete their section, and import it back into the tool Tool performs the approved math and presents results graphically and textually in Word, Excel, and PowerPoint 11

12 Background on MARMS The Mission Assurance Risk Management System (MARMS) is a Joint Staff initiative, funded by DoD CIO and managed by the US Army Armament, Research, Development and Engineering Center (ARDEC) MARMS is a multi-year program that encompasses a family of systems that will be integrated as a part of MARMS Requirement Definition Package 1 The second of MARMS capability drops (CD2) provides assessment tools that: 1. Provide ability to hold and update observations from vulnerability assessments currently in CVAMP 2. Provide replacement risk-based capability to conduct AT/FP risk assessments 3. Provide follow-on capability to do risk-based MA assessments 12

13 Timeline for Transition (TLO #2) CD2- Phase 1 Phase 1 Replace CVAMP & Provide AT/FP Risk Assessment Tool (Feb-Jun 2018) Cut-off of CVAMP data entry was 15 APR 2018, released observations to migrate Account requests by 15 MAY 2018 (for accounts on turn-on date) Initial version must be operational in place by 1 JUN 2018 Provide management of migrated observations from CVAMP Provide installation personnel a mechanism to facilitate risk-based AT/FP assessments CD2- Phase 2 Phase 2 Mission Assurance Assessment Enhancements (Jun-Dec 2018) Frame Mission Assurance Assessments approach into assessment tool using guidance/input from DTRA JMAA teams Develop and incorporate full MA assessment capabilities for fielding, targeting 31 DEC 2018 CD2- Phase 3 Phase 3 MARMS Enhancements (Jan-Sep 2019) Integration planning and execution with the MARMS Registry Push asset criticality from authoritative sources to MA & AT/FP assessors Improved mission-risk analytics and dashboard capabilities Improved Geospatial Risk Visualization All development work on assessment tool complete by October

14 Current Mission Assurance Assessment Strategy Industrial Security (INDSEC) 14

15 Future Mission Assurance Assessment Strategy Industrial Security (INDSEC) 15