Government Mission Survivability and ContinuityTypes of Systems and Facilities Assessed: * Command & control architectures and sites * Operations centers * Information technology architectures and sites * Telecommunications architectures and sites * Intelligence collection and fusion centers * Missile defense sites * Deployment sites * Depots and weapons storage sites * Logistics operations centers * Airfields * Naval Bases * Strategic ports * DoD manufacturing sites * Medical research facilities * Stockpile sites * Navigation, positioning, and timing sites * DamsDefense Threat Reduction AgencyDTRA_0d031236-eddf-11e7-8f80-7cb0c7516356Gregory GilbertCBCP -- Emergency Operations and Continuity Specialist, Contractor Support for Defense Threat Reduction Agency (DTRA)William AustinChief, BSA Branch, DSN_0d031588-eddf-11e7-8f80-7cb0c7516356To safeguard the United States and its Allies from weapons of mass destruction by providing capabilities to reduce, eliminate, and counter the threat and mitigate its effect_0d0316fa-eddf-11e7-8f80-7cb0c7516356Survivability AssessmentsConduct integrated, multidisciplinary, mission-survivability assessments to identify vulnerabilities of critical national/theater mission systems and recommend mitigations_0d031808-eddf-11e7-8f80-7cb0c75163561Risk Management Process -- * Risk Assessments - Commander /Asset Owner -- * Threat/Hazard Assessments - Local/Unit, State, Federal, CI Staff, DIA/CIA, Etc. * Vulnerability Assessments - AT/FP, BSA, Red Team, Local VA * Criticality Assessments - Commander, Mission Essential Functions, and Tasks (MEFs/METs) SystemsUnderstand entire system (details to architecture)_0d0319a2-eddf-11e7-8f80-7cb0c75163561.1MissionsEnsure mission survivability with an emphasis on identifying single point vulnerabilities (SPVs)_0d031aec-eddf-11e7-8f80-7cb0c75163561.2Single Point Vulnerability (SPV) -- Equipment, processes, procedures, infrastructures, and/or key positions that, if destroyed or denied, would result in the loss or severe degradation of mission.PerformanceAssess performance (not compliance)_0d031bfa-eddf-11e7-8f80-7cb0c75163561.3Threats & HazardsConsider entire threat and hazard spectrum_0d031d62-eddf-11e7-8f80-7cb0c75163561.4TeamsMatch teams to site needs_0d031eb6-eddf-11e7-8f80-7cb0c75163561.5AnalysesConduct 2- to 3-week analyses onsite plus post-site analyses_0d031fce-eddf-11e7-8f80-7cb0c75163561.6ProductsConduct out-briefing and report identifying vulnerabilities, impacts, and recommended mitigations_0d032190-eddf-11e7-8f80-7cb0c75163561.7CIP ProgramsLeverage the analyses to support CIP programs_0d032384-eddf-11e7-8f80-7cb0c75163561.8DistributionEmpower customers to control product distribution_0d032492-eddf-11e7-8f80-7cb0c75163561.9Recomendations_0d032604-eddf-11e7-8f80-7cb0c75163562Major BSA RecommendationsFacility DesignInclude mission survivability/resiliency in facility design_0d03283e-eddf-11e7-8f80-7cb0c75163562.1Open Source & InternetMonitor and limit open-source and Internet information_0d032960-eddf-11e7-8f80-7cb0c75163562.2Counter-SurveillanceEstablish counter-surveillance programs and awareness_0d032b9a-eddf-11e7-8f80-7cb0c75163562.3Security SystemsEnsure electronic and physical security systems are integrated and effective_0d032d0c-eddf-11e7-8f80-7cb0c75163562.4Threats & HazardsUnderstand threat/hazards, their probabilities, and impacts_0d032e2e-eddf-11e7-8f80-7cb0c75163562.5Operations & ProceduresAvoid predictable security routines; ensure randomness in procedures/operations_0d032faa-eddf-11e7-8f80-7cb0c75163562.6Blast ProtectionEnsure standoff/construction provides survivable blast protection_0d0330fe-eddf-11e7-8f80-7cb0c75163562.7NetworksEnsure information networks are protected from insider and external threats_0d033220-eddf-11e7-8f80-7cb0c75163562.8Wireless DevicesLimit and control of wireless devices (PEDs, RFIDs, etc.)_0d03339c-eddf-11e7-8f80-7cb0c75163562.9Diversity & RedundancyEnsure communications, information, and utility systems are redundant and diverse_0d033504-eddf-11e7-8f80-7cb0c75163562.10Fire & HazardsEnsure fire and hazard protection is consistent with mission criticality_0d033630-eddf-11e7-8f80-7cb0c75163562.11LightningEnsure lightning protection and grounding systems are effective and maintained_0d0337fc-eddf-11e7-8f80-7cb0c75163562.12Mail & ParcelsEnsure mail and parcel handling prevents the introduction and spread of contaminants_0d03396e-eddf-11e7-8f80-7cb0c75163562.13Emergency Action & COOPImplement and exercise emergency action and COOP plans_0d033aa4-eddf-11e7-8f80-7cb0c75163562.14Information SharingEnsure that information on critical vulnerabilities and best practices for mission survivability reaches decision makers._0d033c2a-eddf-11e7-8f80-7cb0c75163563Sharing BSA Experience -- Transfer BSA results to the DoD (and Agency) communities in many waysOut-Briefs & ReportsProvide out-briefings and reports_0d033da6-eddf-11e7-8f80-7cb0c75163563.1Trends & Lessons LearnedShare lessons learned and issue trends products_0d033ed2-eddf-11e7-8f80-7cb0c75163563.2GuidelinesProvide "Designing for Mission Survivability" guidelines_0d034062-eddf-11e7-8f80-7cb0c75163563.3(~44 copies distributed to customers since August 2010)Special Reports & BriefingsSpecial reports and "roll-up" briefings to DoD leadership_0d0341de-eddf-11e7-8f80-7cb0c75163563.4DoD LeadershipDesign ReviewsConduct design reviews_0d034332-eddf-11e7-8f80-7cb0c75163563.5(COCOMs, Agencies, etc.)Vulnerability TrackingSupport customers using databases to track vulnerabilities_0d0344e0-eddf-11e7-8f80-7cb0c75163563.6Working GroupsParticipate in working groups_0d03465c-eddf-11e7-8f80-7cb0c75163563.7Policy ReviewsConduct policy document reviews_0d034792-eddf-11e7-8f80-7cb0c75163563.8Assessment Tool_0d03494a-eddf-11e7-8f80-7cb0c75163564BSA Information Operations Assessment ToolCustomer FocusCustomer discretionary and tailored assessment of customer defined networks_0d034ad0-eddf-11e7-8f80-7cb0c75163564.1VulnerabilitiesPrecisely identify IO/IA vulnerabilities w/o impacting operations_0d034c38-eddf-11e7-8f80-7cb0c75163564.2Networks & IT SystemsProvides in-depth understanding of networks and IT systems security_0d034ed6-eddf-11e7-8f80-7cb0c75163564.3Penetration TestingNo penetration testing while connected_0d03511a-eddf-11e7-8f80-7cb0c75163564.4Tools_0d03535e-eddf-11e7-8f80-7cb0c75163564.5Tools include:Best PracticesMethodology based on NSA, DoD, NIST, BSA and commercial best practices_0d035534-eddf-11e7-8f80-7cb0c75163564.5.1VulnerabilitiesNSA developed Blue Team vulnerability tool suite_0d0356ec-eddf-11e7-8f80-7cb0c75163564.5.2ScanningCommercial and open-source modeling and vulnerability scanning tools_0d03580e-eddf-11e7-8f80-7cb0c75163564.5.3ProcessBSA IA toolkit process_0d0359b2-eddf-11e7-8f80-7cb0c75163564.5.4Pre-CoordinationDetailed pre-coordination - formal agreement Letter/scoping worksheet_0d035b56-eddf-11e7-8f80-7cb0c75163564.5.5SchedulingScan at "non-peak" times with strict schedule control_0d035ca0-eddf-11e7-8f80-7cb0c75163564.5.6Data ProtectionEnd-to-end data protection_0d035e44-eddf-11e7-8f80-7cb0c75163564.5.7Encryption & Air GapsEncrypted external drive/volume, secure GFE laptops, and DTRA air-gapped SCI LAN_0d035fca-eddf-11e7-8f80-7cb0c75163564.5.8ReportingCritical findings immediately reported to customer while on-site_0d036114-eddf-11e7-8f80-7cb0c75163564.5.9Accomplishments_0d0362c2-eddf-11e7-8f80-7cb0c75163564.5.10identified potential malware, unauthorized and non-secure network activities, and vulnerable configurations; 4 years with no adverse impacts/outagesTrends AnalysisCompile, statistically analyze, and report long-term survivability trends_0d036448-eddf-11e7-8f80-7cb0c75163565Compile, statistically analyze, and report long-term survivability trends in: Physical security, surveillance, structural protection, WMD/Hazmat, electromagnetics, utilities, telecommunications, information systems, emergency operations, COOP, and architecture resiliency. -- Aspects with highest historical ratings: * Utilities endurance and capacity * Architecture resiliency * Structural blast resistance * Utilities redundancy and diversity -- Aspects with lowest historical ratings: * Open source information * Lightning protection * External signatures/vulnerabilities * WMD detection, identification, warning * External electromagnetic protection * Information systems and dataPhysical Security_0d03659c-eddf-11e7-8f80-7cb0c75163565.1Surveillance_0d036754-eddf-11e7-8f80-7cb0c75163565.2Structural Protection_0d0368e4-eddf-11e7-8f80-7cb0c75163565.3WMD/Hazmat_0d036a42-eddf-11e7-8f80-7cb0c75163565.4Electromagnetics_0d036c18-eddf-11e7-8f80-7cb0c75163565.5Utilities_0d036dbc-eddf-11e7-8f80-7cb0c75163565.6Telecommunications_0d036f1a-eddf-11e7-8f80-7cb0c75163565.7Information Systems_0d037118-eddf-11e7-8f80-7cb0c75163565.8Emergency Operations_0d0372bc-eddf-11e7-8f80-7cb0c75163565.9COOP_0d037424-eddf-11e7-8f80-7cb0c75163565.10Architecture Resiliency_0d037730-eddf-11e7-8f80-7cb0c75163565.11Threats and Hazards_0d037a14-eddf-11e7-8f80-7cb0c75163566AnalysisConsolidate threats and hazards analysis_0d037b7c-eddf-11e7-8f80-7cb0c75163566.1ensure it drives risk managementUnderstandingManagers and security personnel should understand threats/hazards, their probabilities, and impacts_0d037d5c-eddf-11e7-8f80-7cb0c75163566.2ManagersSecurity Personnelstay currentRationalizationAvoid "rationalizing away" threat/hazard risk_0d037f1e-eddf-11e7-8f80-7cb0c75163566.3RoutinesAvoid predictable security routines_0d03807c-eddf-11e7-8f80-7cb0c75163566.4ensure randomness in procedures/operationsMonitoringMonitor infrastructure hazards and cyber threats_0d038266-eddf-11e7-8f80-7cb0c75163566.5MentalityAvoid an "all threats/hazards" mentally that overlooks risks_0d038414-eddf-11e7-8f80-7cb0c75163566.6IncidentsAccidents, electromechanical failures, and human errors are the most likely incidents; include them_0d038586-eddf-11e7-8f80-7cb0c75163566.7DisruptionsEnsure contract and business disruptions risks are considered_0d03877a-eddf-11e7-8f80-7cb0c75163566.8Surveillance_0d038932-eddf-11e7-8f80-7cb0c75163567InternetMonitor, control, and mitigate infrastructure and operational information available on the Internet_0d038aa4-eddf-11e7-8f80-7cb0c75163567.1Imagery, organization websites, organization publications, acquisition documents, budget and program documents, resumes... on .mil, .com, .org, .net, .govOPSECEstablish OPSEC inside and outside the perimeter_0d038ca2-eddf-11e7-8f80-7cb0c75163567.2Rules & CultureImplement and enforce rules to establish an OPSEC culture_0d038e5a-eddf-11e7-8f80-7cb0c75163567.2.1Facilities & PerimetersControl and maintain outer perimeter and facility physical access_0d038fcc-eddf-11e7-8f80-7cb0c75163567.3Communications LinesEnsure communications lines cannot be easily identified_0d0391d4-eddf-11e7-8f80-7cb0c75163567.4Surveillance DetectionImplement surveillance detection programs_0d039382-eddf-11e7-8f80-7cb0c75163567.5External ActivitiesMonitor external activities_0d0394fe-eddf-11e7-8f80-7cb0c75163567.5.1Awareness & ReportingPromote a culture of awareness and reporting_0d039706-eddf-11e7-8f80-7cb0c75163567.5.2Physical Security_0d0398c8-eddf-11e7-8f80-7cb0c75163568Integration & LayeringEnsure defense is layered and integrated to detect, assess,delay, deny, and respond_0d039a44-eddf-11e7-8f80-7cb0c75163568.1Security SystemsEnsure physical and electronic security systems are properly installed, integrated, utilized and provide adequate coverage_0d039d78-eddf-11e7-8f80-7cb0c75163568.2Visual AssessmentImplement an immediate visual assessment capability_0d03a084-eddf-11e7-8f80-7cb0c75163568.3Insider ThreatsImplement internal circulation controls that account for insider threats and do not over-rely on employee "trust"_0d03a278-eddf-11e7-8f80-7cb0c75163568.4LightingEnsure external lighting coverage is effective_0d03a55c-eddf-11e7-8f80-7cb0c75163568.5CirculationControl personnel and vehicle circulation in/around critical areas/resources_0d03a778-eddf-11e7-8f80-7cb0c75163568.6PersonnelEnsure personnel managing electronic access control systems are properly vetted/cleared_0d03a930-eddf-11e7-8f80-7cb0c75163568.7Security Control CentersProtect security control centers; ensure alternates are adequate_0d03aba6-eddf-11e7-8f80-7cb0c75163568.8AccessPrevent unauthorized vehicle and pedestrian access to installation and compound perimeters_0d03ada4-eddf-11e7-8f80-7cb0c75163568.9Active BarriersInstall and use active vehicle barriers, ensure they can be activated quickly enough to prevent access_0d03af5c-eddf-11e7-8f80-7cb0c75163568.9.1Passive BarriersInstall effective passive vehicle barriers_0d03b1c8-eddf-11e7-8f80-7cb0c75163568.9.2ID CardsPhysically and electronically verify Identification cards_0d03b420-eddf-11e7-8f80-7cb0c75163568.9.3VehiclesImplement effective vehicle vetting and inspections_0d03b5e2-eddf-11e7-8f80-7cb0c75163568.10Bills of LadingDo not grant commercial vehicle access using a printed bill of lading or similar document_0d03b8a8-eddf-11e7-8f80-7cb0c75163568.10.1DeliveriesVerify deliveries_0d03bb14-eddf-11e7-8f80-7cb0c75163568.10.2ExplosivesImplement explosives detection capabilities_0d03bcf4-eddf-11e7-8f80-7cb0c75163568.10.3Emergency Operations_0d03bfc4-eddf-11e7-8f80-7cb0c75163569Emergency PlansDevelop and implement effective emergency plans_0d03c23a-eddf-11e7-8f80-7cb0c75163569.1Threats & HazardsAddress likely threats/hazards_0d03c564-eddf-11e7-8f80-7cb0c75163569.1.1CoordinationCoordinate with support organizations_0d03ca00-eddf-11e7-8f80-7cb0c75163569.1.2Immediate ResponseLeverage immediate response actions available to organic personnel_0d03cce4-eddf-11e7-8f80-7cb0c75163569.1.3Monitoring & AssessmentContinuously monitor infrastructure hazards; ensure incident warnings/indications are properly assessed_0d03cf0a-eddf-11e7-8f80-7cb0c75163569.2Training & ExercisesTrain and exercise plans to ensure planning is effectively implemented_0d03d176-eddf-11e7-8f80-7cb0c75163569.3Evacuation & ShelteringEnsure evacuation and shelter-in-place planning is integrated and tailored to threats/hazards_0d03d392-eddf-11e7-8f80-7cb0c75163569.4Safety & PreventionEnforce prevention and safety programs; do not allow a culture of acceptance(U) Battery Room lacking Hydrogen Detection Sensors, Exhaust Ventilation, and Early Warning Fire Detection(U) Moisture Detection Sensor Alarm Panel in an Unmanned Data Center_0d03d572-eddf-11e7-8f80-7cb0c75163569.5Fire Protection_0d03d856-eddf-11e7-8f80-7cb0c7516356DesignEnsure protective design is commensurate with criticality and integrated with operations_0d03dad6-eddf-11e7-8f80-7cb0c751635610.1Detection & SuppressionMaintain detection and suppression systems and configurations_0d03dcc0-eddf-11e7-8f80-7cb0c751635610.2Warning & MonitoringEnsure fire detection systems provide early warning and are continuously monitored locally_0d03df7c-eddf-11e7-8f80-7cb0c751635610.3ControlsControl fire loads and ignition sources_0d03e1ca-eddf-11e7-8f80-7cb0c751635610.4ExtinguishersEnsure fire extinguisher deployment is tailored to systems and fire risks_0d03e3aa-eddf-11e7-8f80-7cb0c751635610.5TrainingImplement effective immediate actions training_0d03e698-eddf-11e7-8f80-7cb0c751635610.6Structural Response_0d03e904-eddf-11e7-8f80-7cb0c751635611Common System/Facility Themes -- * Reliability (N+1, 2N, etc.) does not equal survivability - Does not account for threats, hazards, and accidents * Construction, upgrade, and renovation project requirements should consider survivability, resiliency, and integrate operationsParkingDo not allow vehicles to park under or too close to buildings_0d03ec1a-eddf-11e7-8f80-7cb0c751635611.1WallsAvoid building designs that install glass curtain walls_0d03f0ca-eddf-11e7-8f80-7cb0c751635611.2Greater risk of injuries (~80% of casualties from flying glass)Construction & Staging AreasEnsure construction and staging area security and inspections prevent exposing critical buildings_0d03f3b8-eddf-11e7-8f80-7cb0c751635611.3Critical StructuresEnsure critical structures have sufficient stand-off from public roads and perimeter fences_0d03f5d4-eddf-11e7-8f80-7cb0c751635611.4Building DesignsEnsure building designs identify appropriate strength and threat standoff requirements_0d03f912-eddf-11e7-8f80-7cb0c751635611.5CriteriaDo not accept minimum criteria_0d03fb92-eddf-11e7-8f80-7cb0c751635611.5.1MitigationsAvoid post-construction mitigations_0d03fd9a-eddf-11e7-8f80-7cb0c751635611.5.2Post-construction mitigations are extremely expensiveTelecommunications_0d04009c-eddf-11e7-8f80-7cb0c751635612NetworksEnsure communication networks are resilient and survivable_0d040358-eddf-11e7-8f80-7cb0c751635612.1RedundancyInclude redundant system components_0d04052e-eddf-11e7-8f80-7cb0c751635612.1.1Points of FailureAvoid multiple series single points of failure_0d040808-eddf-11e7-8f80-7cb0c751635612.1.2CollocationDo not collocate redundant systems and components_0d040a6a-eddf-11e7-8f80-7cb0c751635612.1.3CircuitsInclude physical diversity between primary and secondary circuits_0d040c68-eddf-11e7-8f80-7cb0c751635612.1.4Physical DiversityRoute cabling through physically diverse manholes and building penetrations_0d040fe2-eddf-11e7-8f80-7cb0c751635612.1.5DiagramsEnsure site internal and external fiber diagrams are accurate, identify physical locations, and are maintained_0d041438-eddf-11e7-8f80-7cb0c751635612.2HardeningHardened communications_0d041744-eddf-11e7-8f80-7cb0c751635612.3ensure supporting systems are also hardenedInformation Operations_0d041a46-eddf-11e7-8f80-7cb0c751635613Redundancy & DiversityEnsure system and network components have redundancy and physical diversity_0d041cbc-eddf-11e7-8f80-7cb0c751635613.1Defense & IncidentsIntegrate coordinated computer network defense and incident handling response_0d041ec4-eddf-11e7-8f80-7cb0c751635613.2Protections & MonitoringEnsure network security protections and monitored network security devices effectively protect systems_0d0421c6-eddf-11e7-8f80-7cb0c751635613.3Configuration ManagementManage configuration to avoid significant end-of-life hardware and software issues in Program of Record systems and customer-controlled networks_0d042428-eddf-11e7-8f80-7cb0c751635613.4Production NetworksProduction networks should not be connected to software development networks; avoid Internet connections_0d042630-eddf-11e7-8f80-7cb0c751635613.5Insider ProtectionImplement effective malicious insiders protection_0d042950-eddf-11e7-8f80-7cb0c751635613.6Non-Traditional NetworksImplement effective IA measures on non-traditional networks_0d042bb2-eddf-11e7-8f80-7cb0c751635613.7Utility control systems, electronic physical security systemsSCADA Systems_0d042dc4-eddf-11e7-8f80-7cb0c751635614SCADA = supervisory control and data acquisition (utility monitoring and control systems)Accreditation, Monitoring & ManagementProperly accredit, monitor, and manage SCADA_0d0430a8-eddf-11e7-8f80-7cb0c751635614.1ConfigurationEnsure configuration provides defense-in-depth_0d04335a-eddf-11e7-8f80-7cb0c751635614.2External ConnectivityAvoid non-secure remote dial-up access modems; manage external connectivity_0d043576-eddf-11e7-8f80-7cb0c751635614.3Vendor AccessControl vendor access; ensure his laptop, software, and data are scanned_0d043a30-eddf-11e7-8f80-7cb0c751635614.4RedundancyProvide SCADA system redundancy_0d043e7c-eddf-11e7-8f80-7cb0c751635614.5NetworksEnsure SCADA does not tie into site networks_0d0440ca-eddf-11e7-8f80-7cb0c751635614.6PermissionsStrictly segregate control and monitoring permissions_0d0443d6-eddf-11e7-8f80-7cb0c751635614.7Utilities_0d04464c-eddf-11e7-8f80-7cb0c751635615UtilitiesRedundancy & DiversityImplement redundant and diverse utility system designs_0d044872-eddf-11e7-8f80-7cb0c751635615.1Distribution PathsAvoid single-threaded distribution paths between components_0d044b88-eddf-11e7-8f80-7cb0c751635615.1.1Components & PathsProtect collocated components and single threaded paths equal to supported operations_0d044e1c-eddf-11e7-8f80-7cb0c751635615.1.2External EquipmentProtect external equipment to include transformers, switchgear, and cooling towers_0d045038-eddf-11e7-8f80-7cb0c751635615.2GeneratorsEnsure emergency generators can be manually started and aligned to loads_0d04536c-eddf-11e7-8f80-7cb0c751635615.3ControllersEnsure programmable logic controllers do not prevent manual operations_0d045600-eddf-11e7-8f80-7cb0c751635615.3.1CapacitiesEnsure utility systems have the required capacities_0d045826-eddf-11e7-8f80-7cb0c751635615.4Water SourcesTwo independent water sources to cooling towers_0d045bc8-eddf-11e7-8f80-7cb0c751635615.5ThreatsProtect, control, and manage SCADA systems to mitigate insider and external threats_0d045eb6-eddf-11e7-8f80-7cb0c751635615.6MaintenanceEnsure preventive maintenance is identified and accomplished_0d04621c-eddf-11e7-8f80-7cb0c751635615.7ConfigurationsManage configurations ("as-built" drawings, technical documentation, etc.) to safely and efficiently operate/maintain systems, prevent compromising resiliency, and enhance recovery_0d04667c-eddf-11e7-8f80-7cb0c751635615.8SurvivabilityCurrent technology permits dual-power-cord input to electronic devices; redundant and diverse power supply inputs improve survivability_0d046924-eddf-11e7-8f80-7cb0c751635615.9Dual-Power-Cord DevicesEnsure dual-power-cord electronic devices are not fed single-threaded power from the same power panel/power distribution unit_0d046b54-eddf-11e7-8f80-7cb0c751635615.10WMD_0d046e7e-eddf-11e7-8f80-7cb0c751635616Air IntakesEnsure building make-up air intakes are elevated and protected_0d047108-eddf-11e7-8f80-7cb0c751635616.1Warning, Identification & AssessmentImplement an effective warning, identification, and assessment capability_0d047338-eddf-11e7-8f80-7cb0c751635616.2VentilationInstall a capability to quickly shut down facility ventilation_0d047680-eddf-11e7-8f80-7cb0c751635616.3Emergency Response PlansEnsure emergency response plans address CB/hazmat threats and hazards_0d04790a-eddf-11e7-8f80-7cb0c751635616.4Shelter & EvacuationIntegrate into shelter-in-place and evacuation plans_0d047b44-eddf-11e7-8f80-7cb0c751635616.4.1Force ProtectionEnsure response is linked to force protection conditions_0d047e96-eddf-11e7-8f80-7cb0c751635616.4.2Hazards & ThreatsIdentify hazards and threat vectors; plan to these_0d048134-eddf-11e7-8f80-7cb0c751635616.4.3Equipment & SuppliesStock and deploy sufficient CB/hazmat protection equipment and medical supplies_0d04836e-eddf-11e7-8f80-7cb0c751635616.5Mail and Package Delivery_0d04886e-eddf-11e7-8f80-7cb0c751635617DeliveryAccept and process all delivery (USPS, FedEx, UPS, etc.) externally from facilities supporting operations or containing large populations_0d048c7e-eddf-11e7-8f80-7cb0c751635617.1delivery facility/room design should include:VentilationNegative pressure ventilation_0d048ec2-eddf-11e7-8f80-7cb0c751635617.1.1WallsFrangible exterior wall_0d049264-eddf-11e7-8f80-7cb0c751635617.1.2HVAC IndependenceIndependent HVAC system_0d04950c-eddf-11e7-8f80-7cb0c751635617.1.3HVAC = heating, ventilation, and air conditioningEquipment & SuppliesProtective/decontamination equipment/supplies_0d04975a-eddf-11e7-8f80-7cb0c751635617.1.4Detection EquipmentX-ray, radiation, and explosives detection equipment_0d049ae8-eddf-11e7-8f80-7cb0c751635617.1.5MailProcedures to safely examine or open mail_0d049d90-eddf-11e7-8f80-7cb0c751635617.1.6Suspicious PackagesImplement suspicious package handling procedures and training_0d049fde-eddf-11e7-8f80-7cb0c751635617.2HVAC ShutdownInstall a capability to rapidly shutdown HVAC to contain releases_0d04a3d0-eddf-11e7-8f80-7cb0c751635617.3Electromagnetic Protection_0d04a6fa-eddf-11e7-8f80-7cb0c751635618GroundingInstall and maintain effective facility, systems, and component grounding_0d04a948-eddf-11e7-8f80-7cb0c751635618.1Lives & SystemsMust address life safety and protect systems_0d04acd6-eddf-11e7-8f80-7cb0c751635618.1.1Lightning ProtectionInstall, maintain, and test effective lightning protection systems_0d04b262-eddf-11e7-8f80-7cb0c751635618.2Risk AssessmentAssess lightning risk_0d04b488-eddf-11e7-8f80-7cb0c751635618.2.1Lives & SystemsMust address life safety and protect systems_0d04b82a-eddf-11e7-8f80-7cb0c751635618.2.2Electromagnetic PulseContact DTRA POC if an EMP requirement is known or perceived_0d04bb04-eddf-11e7-8f80-7cb0c751635618.3Defense Industrial Base_0d04bd66-eddf-11e7-8f80-7cb0c751635619SuppliersAvoid single-source and foreign-source suppliers_0d04c0f4-eddf-11e7-8f80-7cb0c751635619.1JITMitigate the risks associated with Just-in-time delivery_0d04c3b0-eddf-11e7-8f80-7cb0c751635619.2Just-in-time delivery introduces potential risksInventoryHave more than a few days supply of parts on hand_0d04c61c-eddf-11e7-8f80-7cb0c751635619.2.1PenaltiesAvoid penalties for early shipping to downstream customers_0d04ca40-eddf-11e7-8f80-7cb0c751635619.2.2Manufacturing EquipmentEnsure replacing specialized manufacturing equipment have acceptable lead times_0d04cd88-eddf-11e7-8f80-7cb0c751635619.3SubcontractorsEnsure government has insight into and monitors subcontractors_0d04cff4-eddf-11e7-8f80-7cb0c751635619.4SubcontractorsMission Restoral_0d04d3a0-eddf-11e7-8f80-7cb0c751635620Damage AssessmentEnsure planning addresses damage assessment procedures and is coordinated with supporting organizations_0d04d90e-eddf-11e7-8f80-7cb0c751635620.1Personnel, Equipment, Services, Software, Documentation & SuppliesEnsure personnel, equipment, services, software, documentation, and supplies required to restore a mission are understood and available_0d04db52-eddf-11e7-8f80-7cb0c751635620.2Lead TimeUnderstand lead time required to obtain major items and critical supplies_0d04df3a-eddf-11e7-8f80-7cb0c751635620.3Alternative SourcesExplore alternate sources for critical equipment and spares_0d04e20a-eddf-11e7-8f80-7cb0c751635620.4Configuration DataMaintain systems and software configuration data to avoid hampering restoral efforts_0d04e476-eddf-11e7-8f80-7cb0c751635620.5Population Protection_0d04e980-eddf-11e7-8f80-7cb0c751635621People & MovementsUnderstand numbers and locations of people in buildings and movement patterns _0d04ecdc-eddf-11e7-8f80-7cb0c751635621.1MovementImplement planning that avoids movement into or through threats and hazards_0d04ef48-eddf-11e7-8f80-7cb0c751635621.1.1Response EffortsAvoids hampering response efforts_0d04f33a-eddf-11e7-8f80-7cb0c751635621.1.2Community FacilitiesEnsure community facilities (clubs, athletic fields, malls) are not forgotten_0d04f600-eddf-11e7-8f80-7cb0c751635621.2EventsLimit special-event information and distribution_0d04f880-eddf-11e7-8f80-7cb0c751635621.3RationalizationAvoid "rationalizing away" threat/hazard risk_0d04fd58-eddf-11e7-8f80-7cb0c751635621.4High-Occupancy BuildingsAvoid siting high-occupancy buildings sited near public roads and installation perimeters_0d05014a-eddf-11e7-8f80-7cb0c751635621.5Planning & TrainingImplement and coordinate effective emergency planning and training_0d0503ca-eddf-11e7-8f80-7cb0c751635621.6Detect, assess, warn, direct, respond, shelter, evacuateContinuity of Operations_0d050816-eddf-11e7-8f80-7cb0c751635622Inadequate business process and impact analyses will not yield effective planningRequirements & RisksCOOP planning should be driven by critical mission requirements (recovery time and point objectives) and risk_0d050b5e-eddf-11e7-8f80-7cb0c751635622.1ImplementationCOOP planning should implement what needs to be done not what can be done_0d050dd4-eddf-11e7-8f80-7cb0c751635622.2Hazards, Threats & ImpactsCOOP planning should address likely hazards/threats and impacts_0d051180-eddf-11e7-8f80-7cb0c751635622.3an "all threats/hazards" approach creates gaps and inefficienciesResiliency & ResponseCOOP planning should balance resiliency and leverage response_0d051464-eddf-11e7-8f80-7cb0c751635622.4avoids inefficienciesStaffing, Resources, Exercise & SupportCOOP planning should be properly staffed, resourced, exercised and supported by leadership_0d0516e4-eddf-11e7-8f80-7cb0c751635622.5TrainingCOOP planning should train COOP planners/leadership_0d051acc-eddf-11e7-8f80-7cb0c751635622.6COOP PlannersCOOP LeadersCoordination & IntegrationCOOP programs must be coordinated and integrated within communities_0d051dba-eddf-11e7-8f80-7cb0c751635622.7CommunitiesDependencies & InterdependenciesDependencies and interdependencies need to be mapped_0d05203a-eddf-11e7-8f80-7cb0c751635622.7.1Requirements DevelopmentConduct business process and impact analyses_0d052580-eddf-11e7-8f80-7cb0c751635623Government COOP Requirements Development Resources & StructureModel enterprise structure and resources to link systems, architecture, and infrastructure to essential functions and tasks (BPA)_0d052a26-eddf-11e7-8f80-7cb0c751635623.1Threats & HazardsDetermine resource threats/hazards and probabilities (threat/hazard analysis)_0d052cce-eddf-11e7-8f80-7cb0c751635623.2VulnerabilitiesDetermine resource impacts (vulnerability assessment)_0d0530ac-eddf-11e7-8f80-7cb0c751635623.3RisksDetermine risk_0d0533a4-eddf-11e7-8f80-7cb0c751635623.4Risk = f(threat/hazard probability & impact) (risk assessment)CriticalityDetermine criticality measures (time, impact, etc.) that drive COOP planning requirements, mitigation alternatives, and strategies_0d053638-eddf-11e7-8f80-7cb0c751635623.52014-04-302017-12-30https://slideblast.com/a7-greg-gilbert_595570f21723ddc2b014f404.htmlOwenAmburOwen.Ambur@verizon.net