Mission Assurance Risk Management System - Alion Science

Transcription

Mission Assurance Risk Management System
Antiterrorism / Force Protection Assessment Tool Training
Trainer: Caleb Jones
Contact: EPRMhelp@alionscience.com
Supporting Joint Staff J33 via US Army Armament, Research, Development and Engineering Center

Agenda
- Module 1 – Foundational Points (30 min). Slides: background on MARMS, policy drivers, terms, role of automation; intro to EPRM
- Module 2 – Legacy Vulnerability Data (30 min). Slides and live demo: accessing legacy data; managing corrective actions
- Module 3 – AT/FP Risk Assessments (45 min). Slides and live demo: conducting AT/FP risk assessments, analyzing and managing risk

Course Overview
- Scope
  – Primary: Focus on entering and managing Antiterrorism/Force Protection (AT/FP) assessment data
  – Secondary: Future implications for Mission Assurance (MA) assessments
- Delivery method:
  – Lecture and demonstration

Terminal Learning Objectives (TLO)
1. Understand the operational and policy drivers for MARMS and risk assessments (Why and who)
2. Understand the timeline for transition to EPRM MARMS modules (When)
3. Describe a "risk scenario" and its components (What)
4. Describe the benefits of risk-based assessments (Why)
5. Understand how to access and update legacy vulnerability data in EPRM (How)
6. Understand the process of entering an AT/FP risk assessment in EPRM (How)
7. Understand how to obtain an EPRM account, training and help (How)

Module 1 – Foundational Points (30 min)

Why not vulnerability assessments?
- Risk management has long been AT Standard #3 in DoDI 2000.16; however, the process and tool really focused on vulnerability
- Previous CVAMP assessments, while good for an installation, made it very difficult to aggregate or roll up enterprise or regional views to expose trends:
  – Had little quantification of threats
  – Had little standardization in asset categories
  – Had no standardized relationships between benchmarks and threats
  – Had minimal functionality to facilitate the Risk Management process, so it was difficult for leadership to assess from the results where the greatest risks were and to make investment decisions

Why 'new' risk assessments?
- The new method better supports AT Standard #3 through:
  – Benchmark focus: Walks assessors through benchmarks to provide leadership a more complete picture of security posture, not just identified observations
  – Standardization in threats & assets: Facilitates roll-ups and cross-unit reporting
  – Standardized risk framework: Has common relationships that help users prioritize activities for their mitigation strategies
  – Aggregates risk results: Inherently supports trend and risk analysis at the installation, regional, and enterprise level
- This will provide leadership with the data they need to make smart decisions on where best to reduce risk on limited dollars

Why use the new tool?
- The new tool has efficiencies to assist users in executing a quality risk analysis
  – Pushes baseline threat levels by region, or allows HHQ to develop localized threat baselines to push to ATOs
  – Allows 'copy from' to leverage previous assessments; HHQ can create 'Templates' for common sites
  – Users can export benchmark questionnaires to an Excel spreadsheet for the other installation MA partners to complete their section, and import it back into the tool
  – The tool performs the approved math and presents results graphically and textually in Word, Excel and PowerPoint

Background on MARMS
- The Mission Assurance Risk Management System (MARMS) is a Joint Staff initiative, funded by DoD CIO and managed by the US Army Armament, Research, Development and Engineering Center (ARDEC)
- MARMS is a multi-year program that encompasses a family of systems that will be integrated as a part of MARMS Requirement Definition Package 1
- The second of MARMS' capability drops (CD2) provides assessment tools that:
  1. Provide the ability to hold and update observations from vulnerability assessments currently in CVAMP
  2. Provide replacement risk-based capability to conduct AT/FP risk assessments
  3. Provide follow-on risk-based capability to do MA assessments

Policy Drivers (TLO #1)
- 2012 Mission Assurance Strategy and 2016 Mission Assurance Assessments Concept of Operations:
  – Defines risk as a process integrating threat, vulnerability, consequence (criticality)
  – Specifically includes installation-level AT/FP assessment as a required component of the MA construct
- 2016 DoDD 3020.40 Mission Assurance:
  – Requires Components to "develop and implement a comprehensive and integrated MA risk-management construct" and "align associated security, protection, and risk management efforts under an MA construct."
- 2018 J33 Mission Assurance System of Record Designation:
  – Established MARMS as the replacement of the Core Vulnerability Assessment Management Program (CVAMP)

Timeline for Transition (TLO #2)
- Phase 1 – Replace CVAMP & Provide AT/FP Risk Assessment Tool (Feb-Jun 2018) [CD2 Phase 1]
  – Cut-off of CVAMP data entry was 15 APR 2018; 'released' observations to migrate
  – Account requests by 15 MAY 2018 (for accounts on turn-on date)
  – Initial version of EPRM must be operational in place by 1 JUN 2018
  – Provide management of migrated 'observations' from CVAMP
  – Provide installation personnel a mechanism to facilitate risk-based AT/FP assessments
- Phase 2 – Mission Assurance Assessment Enhancements (Jun-Dec 2018) [CD2 Phase 2]
  – Frame the Mission Assurance Assessments approach into the assessment tool using guidance/input from DTRA JMAA teams
  – Develop and incorporate full MA assessment capabilities for fielding, targeting 31 DEC 2018
- Phase 3 – MARMS Enhancements (Jan-Sep 2019) [CD2 Phase 3]
  – Integration planning and execution with the MARMS Registry
  – Push 'asset criticality' from authoritative sources to MA & AT/FP assessors
  – Improved mission-risk analytics and dashboard capabilities
  – Improved Geospatial Risk Visualization
  – All development work on the assessment tool complete by October 2019

EPRM Functionality
- Walks users through the life-cycle of risk assessments
(Slide diagram; only the label fragment "& Hazards" survived transcription)

Assets (TLO #3)
- Asset. A distinguishable entity that provides a service or capability.
  – Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations.
- Must have quantified (or qualified) value to the unit's / organization's missions

Asset criticality (TLO #3)
- Task Critical Assets (TCA) and Defense Critical Assets (DCA) are defined in DoDD 3020.40 and have established criticality
- Other assets are characterized by their criticality in 4 criteria (UFC 04-20-01 DoD Security Engineering Facilities Planning Manual):
  – Criticality to Mission
  – Criticality to National Defense
  – Replacement (time, LOE)
  – Relative Value (monetary, classification, etc.)

Threats (TLO #3)
- Threat is any circumstance or event with the potential to cause the loss of or damage to an asset
- Threats are considered in terms of a threat source (sentient actor or natural hazard), a threat tactic (threat method) and a severity or likelihood.

Threat severity (TLO #3)
- Threats are characterized by their severity (UFC 04-20-01 DoD Security Engineering Facilities Planning Manual):
  – Local Activity
  – Intentions and history
  – Local Operational Capability
  – Local Operating Environment

Vulnerabilities (TLO #3)
- A situation or circumstance which, if left unchanged, may result in the loss of life or damage to mission-essential resources from a terrorist attack. (DoDI O-2000.16-V1)
- Vulnerabilities can result from characteristics of:
  – building characteristics
  – equipment properties
  – personal behavior
  – locations of people, equipment and buildings
  – operational procedures and personnel practices
- The list of potential AT/FP vulnerabilities is drawn from the 2018 DoD Mission Assurance Assessment Benchmarks (link on slide truncated: ges/JMAA%20Home.aspx)
- Each benchmark can reduce vulnerability to one or more threat tactics

Risk Scenarios (TLO #3)
- Risk is a calculation that is based on 'risk scenarios'
- A risk scenario has:
  – an Asset with a criticality (C) on a 0-1 scale, linked to a:
  – Threat adversary-tactic combination (T) on a 0-1 scale of severity/likelihood, with a:
  – Vulnerability to the tactic (V) calculated on a 0-1 scale
- $\mathrm{Risk} = \sqrt[3]{T \cdot V \cdot C}$ (reconstructed from the garbled slide formula: the cube root of T times V times C, so Risk also lies on the 0-1 scale)

Analysis of Risk Scenarios (TLO #3)
- Risk is understood by evaluating "risk scenarios" in accordance with approved metrics

Benefits - risk-based assessments (TLO #4)
- Provides standardized/common analytical framework
- Converges multiple protection disciplines into a common sight picture
- Allows roll-up of multiple units into a single analysis
- Supports commanders in making better informed decisions on where to best allocate security resources
(Figure: CJCSM 3105.01, Figure 7)

Module 2 – Accessing Legacy Vulnerability Data and Updating 'Corrective Actions' on 'Observations' (30 min)

MARMS Module Access
- Only designated users will see the 'Legacy Assessment Data' icon (screenshot callout)

CVAMP Starts with Quad Summary
- Installation users currently land on this CVAMP page.
- Will have them land on a different page, but will provide access to these statistics

Mapping 'Legacy Assessment Data' module
(Screenshot callouts mapping CVAMP features to the new module:)
- Not importing
- Hierarchy Node (unit) Attributes
- Focus Area
- Is a query tool; will handle with advanced analysis grid
- Linked to observations & Hierarchy Node Attribute
- Not needed; no new assessments

CVAMP 'Manage Observations' Screen
(Screenshot callouts:)
- Duplicative
- Note column headers
- Replace tabs with a 'status'
- Will use new sorting and filtering fields
- Will call up window for data entry
- Will show details of observations in tabs below grid

CVAMP 'Observation Detail' screen
(Screenshot callouts:)
- Not editing 'released' observations
- Button is on Management Grid
- Fields to be in tabs below observation management grid
- Use existing feature
- In tab below 'observation'

MARMS "Manage Observations" screen
- Headers match CVAMP 'Observation Management' screen (some additions). Mouseovers for full text.
- Upon selecting an observation in the grid above, data renders below. Tabs match sections in "Observation Details". Data fields match sections.

Replacement for 'search' & 2 tabs
- Search window replaced by text filters and sorting. User can sort or filter on the various grid fields to view observations falling into specific criteria
- Use of 'Status' column eliminates need for 'No action required' and 'Risk Accepted' tabs

Attachments & Statistics
(Screenshot callouts:)
- 'Corrective actions' for selected observation
- 'References & attachments'
- Will pull up statistics page that is the CVAMP landing page

Excel Report
- User can export the grid data to Excel, just like CVAMP.
- Moving functionality to larger button at top

CVAMP Corrective action input screen
- "Corrective Action" button will put up an editable window, like the CVAMP window.
- Will show previous corrective actions in tab below "Observation Management" screen.
- New features allow users to revert back from 'closed' and 'risk accepted'

Demo of 'Legacy Assessment Data' Module

Module 3 – Entering AT/FP Risk Assessments (TLO #6) (30 min)

Starting a risk assessment
- "Start" assessment brings assessors to the workflow (below) to collect data.
- Opportunity to 'copy from'
- Each icon takes users to the appropriate screen

CD 2 Phase 1 – AT/FP Risk Assessments
- Guides personnel through standards-based assessment; fillable forms for each step

Profile the Organization
- Profile and Scope screens contain information that:
  – Filters subsequent screens
  – Provides 'hooks' on which queries can be conducted
  – Collects data that can be inserted into the MS Word Assessment Report
- Mouse-over info bubbles provide guidance

Asset identification
- Select and score assets. Add comments / justifications
(Screenshot callouts:)
- Name
- Pull-down list / filter of all Asset Groups
- Asset Subcategories
- Local name of asset
- Export to Excel for off-line data entry

Asset characterization
- 'Yes' selection triggers questions from UFC 04-020-01 (DoD Security Engineering Facilities Planning Manual)
- Responses to questions calculate criticality on 0-1 scale
- TCAs use pre-scored criticality from authoritative source

Threat selection
- Threat/hazard assessment is filterable, sortable, printable
- Preloaded with regional baseline
(Screenshot callouts:)
- Relevant Adversary-Tactic Pairs
- Duplicate Selected Threat
- Name
- Default Adversary Threat Level preloaded by region
- Local name of Adversary

Threat characterization
- 'Yes' selection triggers questions from UFC 04-020-01
- Responses drive 0-1 score
- Current 'baseline' preloads are available based on region

Assessing to benchmark standards
- Filterable list of benchmark 'questions' with assessor guidance
- Export list in Excel for off-line entry & upload
(Screenshot callouts:)
- Description / assessor guidance window
- Drill-down questions, where appropriate
- Observation made. View / edit with icon

Communicating aggregate 'vulnerability'
- The contribution of individual benchmarks is used to model vulnerability levels to individual threat tactics/hazards.

Calculate risk by individual scenario
- Risk scenarios viewable on Risk Assessment Tool dashboard
(Screenshot callouts:)
- Threat adversary / tactic with 0-1 scale for severity
- Vulnerability to tactic calculated on 0-1 scale
- Asset and criticality on 0-1 scale
- Calculated Risk Score

Analyze risk contribution of benchmarks
- Mitigation dashboard prioritizes benchmarks based on contribution to risk mitigation
(Screenshot callouts:)
- Amount that implementation will reduce overall risk profile
- Assessor proposes mitigations and can assign to an individual and provide due date

Cost benefit analysis
- Cost Benefit Analysis (CBA) provides commanders a framework for risk-based allocation of resources
  – Can be used for Integrated Priority List, POM & budget exercises
- Mitigation dashboard ranks benchmarks based on the amount of risk they reduce
  – If cost estimates are entered for proposed mitigations, the system compares the risk reduced per dollar spent
  – The comparison is a relative calculation that can be done for security measures in a single assessment or across a collection of assessments

Cost benefit analysis
- Total costs and risk-reduction-per-dollar calculated
- Drop-downs for status of funding for selected remediation
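Worked example of the two calculations the deck describes: the per-scenario risk score from the Risk Scenarios slide (T, V, C each on a 0-1 scale) and the mitigation-dashboard ranking by risk reduced and by risk reduced per dollar from the Cost Benefit Analysis slides. This is added illustration, not EPRM's code or the "approved math"; it assumes the slide formula is the cube root of T×V×C (reconstructed from the garbled slide), models a mitigation as a reduction of V on the scenarios it affects, and uses constructed scenario and mitigation data.

```python
# Added example; not code from the MARMS/EPRM tool or the training deck.
# ASSUMPTION: Risk = cube root of T*V*C, read from the garbled slide formula.
def scenario_risk(t, v, c):
    """Risk of one scenario from threat T, vulnerability V, criticality C (0-1 each)."""
    for name, x in (("T", t), ("V", v), ("C", c)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be on the 0-1 scale, got {x}")
    return (t * v * c) ** (1.0 / 3.0)

def total_risk(scenarios):
    """Aggregate risk of an assessment: the sum of its scenario scores."""
    return sum(scenario_risk(s["T"], s["V"], s["C"]) for s in scenarios.values())

def apply_mitigation(scenarios, mitigation):
    """Revised copy of the scenarios with the mitigation's V reductions applied."""
    revised = {k: dict(s) for k, s in scenarios.items()}
    for sid, delta in mitigation["v_reduction"].items():
        revised[sid]["V"] = max(0.0, revised[sid]["V"] - delta)
    return revised

def rank_mitigations(scenarios, mitigations, per_dollar=False):
    """Rank by risk reduced, or by risk reduced per dollar when a cost was entered
    (mitigations without a cost estimate sort last in per-dollar mode)."""
    baseline = total_risk(scenarios)
    rows = []
    for m in mitigations:
        reduced = baseline - total_risk(apply_mitigation(scenarios, m))
        ratio = reduced / m["cost"] if m.get("cost") else None
        rows.append({"name": m["name"], "risk_reduced": reduced, "per_dollar": ratio})
    if per_dollar:
        return sorted(rows, key=lambda r: (r["per_dollar"] is None, -(r["per_dollar"] or 0.0)))
    return sorted(rows, key=lambda r: -r["risk_reduced"])

# Constructed sample data (hypothetical assets, tactics and benchmarks).
SCENARIOS = {
    "HQ / tactic 1": {"T": 0.8, "V": 0.8, "C": 0.8},          # risk 0.8
    "HQ / tactic 2": {"T": 0.9, "V": 0.3, "C": 0.8},          # risk 0.6
    "Warehouse / tactic 1": {"T": 0.8, "V": 0.2, "C": 0.4},   # risk 0.4
}
MITIGATIONS = [
    {"name": "Benchmark A", "cost": 100_000.0, "v_reduction": {"HQ / tactic 1": 0.6}},
    {"name": "Benchmark B", "cost": 10_000.0, "v_reduction": {"Warehouse / tactic 1": 0.1}},
    {"name": "Benchmark C", "cost": None, "v_reduction": {"HQ / tactic 2": 0.3}},
]

if __name__ == "__main__":
    for mode in (False, True):
        order = [r["name"] for r in rank_mitigations(SCENARIOS, MITIGATIONS, mode)]
        print("per dollar:" if mode else "risk reduced:", order)
```

The two orderings differ: the cheap Benchmark B wins per dollar while the uncosted Benchmark C removes the most risk, which is the relative comparison the dashboard is described as making.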

Reports
- Generated editable report contains a combination of:
  – Boilerplate with system-generated insertions (e.g. dates, installation name)
  – Tables with system-generated insertions (e.g. team members, asset lists, etc.)
  – Outputs from risk analysis
  – Comments, observations and other assessor-entered text
(Screenshot callouts:)
- Output of prioritized mitigations and status of implementation plan
- Current and revised by asset

Reports
- Reports of risk by unit/installation & benchmark implementation
(Screenshot callouts:)
- Benchmarks along left & units/installations along top
- Relative risk of units / assessments or installations

Finalizing a risk decision
- Installation personnel can review all proposed mitigations on the mitigation dashboard to:
  – Accept or reject proposed mitigations
  – Develop proposed implementation schedule
  – Assign responsibility for a mitigation to installation personnel (email automatically generated to them and task added to their dashboard)
- Submit completed package for Commander's approval

Documenting recommendations
- Document risk acceptance or reduction
  – Yes: Accept Risk
  – No: Reduce Risk
- Identify target dates for implementation
- Comments
- Document recommendation for Commander to either Accept or Reduce overall risks to installation

Obtaining Commander's approval
- Commander approves assessment results and releases risk decision package
(Screenshot callouts:)
- Review history of assessment
- Review risk and mitigations
- Approve and release

Managing implementation of decisions
- Finalized assessment results are locked and released
(Screenshot callouts:)
- Risk scores update to show progress towards risk goal
- Continue to manage implementation of mitigations

Attachments
- Signed reports (and other artifacts) uploaded to assessment

User Support (TLO #7)
- Requesting Access - Email the following information to caleb.l.jones.ctr@mail.mil and raleigh.a.onks.ctr@mail.mil or (SIPRNET)
  – Name
  – Title/Rank
  – Phone Number (NOT DSN)
  – Service or Component
  – Major Command (i.e. MAJCOM or ACOM)
  – Installation (i.e. base, post)
  – Unit
  – NIPR E-Mail
  – SIPR E-Mail
  – Type of account required: MARMS, OPSEC, IP, DODInt
- Accessing system: (SIPRNET) https://eprm.csd.disa.smil.mil
- Help: For assistance and for any questions, please email EPRMhelp@alionscience.com or call 1-800-754-4204, 0700-1700 Eastern time
- Resources: User guides, videos & other materials are available on the EPRM Help page and on EPRM in the resources section (MARMS user guides are currently being created and will be added ml
