Risk Management is the process by which decision makers are provided with the necessary information to accept, reduce or offset risk. As a DoD risk management program, DCIP seeks to ensure the availability of networked assets critical to DoD missions. Activities include the identification, assessment, and security enhancement of assets essential for executing the National Military Strategy.
Risk Response activities encompass actions taken to remediate or mitigate risk, or reconstitute capability in the event of loss or degradation.
DCIP Risk Response Core Activities
DCIP Risk Response core activities are designed to use the information obtained from the DCIP Risk Assessment process to determine the proper courses of action. The core elements of Risk Response are Remediation, Mitigation, and Reconstitution.
Remediation: actions performed to lessen the identified vulnerabilities to DCAs. They include the following:
- Post-Assessment Recommendations. These recommendations for possible remediation of identified vulnerabilities will be reviewed by the DCA owners. DCIP will track the identified vulnerabilities along with remediation actions
Mitigation: actions taken in response to a warning or after an incident occurs and are intended to lessen the potentially adverse effects on a given military operation or infrastructure. Mitigation actions will be the responsibility of the DCA owner but will involve coordination with:
- The other U.S. Government entities and equivalent international authorities as authorized and appropriate;
- All the DoD Components or Defense Sector Lead Agents that operate or rely upon the DCA
Reconstitution: actions taken to restore infrastructure to pre-event capability and functionality. Such actions will be the responsibility of the DCA owner but will involve coordination with:
- The other U.S. Government entities and equivalent international agencies as authorized and appropriate;
- All the DoD Components that operate or rely upon elements of the Defense Sector
DCIP Assessment Training
Developing the assessment capability needed to analyze and assess risk and identify critical assets requires CIP-specific training. The DCIP Office is currently in the process of formalizing a DCIP Assessment training course, in conjunction with the West Virginia National Guard (WVNG).
This training seeks to utilize local National Guard assets to conduct site visits and assessments of non-DoD owned, commercial, and Defense Industrial Base assets. To this end, DCIP has employed a "train-the-trainer" concept using the WVNG, with the ultimate objective of establishing a nationally recognized, accredited, and funded schoolhouse program to teach DCIP methodology in support of DCIP objectives. WVNG trainers can then train subsequent DCIP Assessment team members.
Assessment training relies on mission and infrastructure experts to create course content. Courses include a DCIP overview, mission decomposition, and the study of twelve Supporting Foundational Infrastructure Networks (SFIN) areas (e.g. POL, electric power, communications, etc.). Assessors will be educated on the Standards, included in the Interim Implementation Guidance, that provide overall requirements for an agency or organization to meet, and the Benchmarks that provide question sets used to gauge if standards are being met.
Risk assessment is a systematic examination of risk using disciplined processes, methods, and tools. It provides an environment for decision making to continuously evaluate and prioritize risks and recommend strategies to remediate or mitigate those risks.
Risk Assessment Core Activities
The DCIP Risk Assessment core activities are focused on the process to provide DoD with timely and comprehensive information to make decisions to reduce the potential impact from intentional threats and non-intentional hazards.
The process seeks to enhance mission assurance through the identification of means to interrupt DCAs and missions due to their reliance upon supporting foundational infrastructures, such as electric power or communication systems.
It also seeks to catalog those DCAs, including those within the DIB, whose exploitation or destruction has the potential to threaten key aspects of national security.
The core elements of the DCIP Risk Assessment process are Criticality, Vulnerability, and Threats/Hazards. Each element must be individually considered and the interaction between the three fully understood to provide DoD with an accurate assessment of risk.
Criticality: Based upon the consequence of loss of an asset on: 1) aspects of national security and/or 2) DoD missions. It requires identifying and analyzing missions and supporting systems to identify Task Critical Assets (TCAs) and their dependency relationships on Supporting Infrastructure Critical Assets (SICAs). The consequence of the loss or degradation of these assets on the execution of Mission Essential Tasks (METs) and/or to elements of national security are the primary means of determining their criticality. In the Risk Assessment process, Criticality identifies the "consequence of loss" to DoD and the nation.
Vulnerability: The purpose of a DCIP Assessment is to analyze the system design and procedures for inherent vulnerabilities such as single points of service, assess the level of security of DCAs, and determine their susceptibility to various damage mechanisms. DTRA is currently tasked with conducting modular DCIP assessments on military installations while the National Guard is leading the effort on assessment of facilities outside these fence lines, including DIB facilities. More information on DTRA's assessment role can be found below. In the Risk Assessment process, Vulnerability identifies "potential means" to disrupt an asset.
Threats/Hazards: All DoD Components and Defense Sector Lead Agents shall make their DCIP Risk Management decisions based upon an all-hazards approach that looks not only at intentional threats, such as arson, sabotage, and hostile or terrorist attack, but also non-intentional hazards, such as accidents, weather events, and natural disasters. In the Risk Assessment process, Threats/Hazards identifies the "likelihood" that a vulnerability could be exploited.
The Defense Threat Reduction Agency (DTRA) is a combat support agency with recognized assessment expertise in performing a variety of assessments, including the anti-terrorism-focused Joint Staff Integrated Vulnerability Assessments (JSIVA) and the Balanced Survivability Assessments (BSA) of critical national theater systems and architectures.
DCIP has tasked DTRA with executing a mission-focused, modular DCIP assessment program to identify vulnerabilities of defense critical assets at selected DoD installations. The objectives of this assessment program are:
- to inform mission commanders of DCIP vulnerabilities that could impact mission assurance, along with mitigation and remediation recommendations to preclude adverse consequences; and
- to decrease impacts and disruptions on field commands by combing assessments where synergy has been demonstrated.
DTRA will assess Defense Critical Infrastructure with modular teams of functional experts attached to DTRA's JSIVA teams, leveraging the strengths of both JSIVA and DCIP assessors. Teams will incorporate experts relevant to the mission, infrastructures, and site being assessed. DCIP assessments will operate under the leadership of the JSIVA team chief at predetermined JSIVA locations nominated for DCIP assessments by the Combatant Commands that are coordinated, approved, and scheduled by J3 DDAT/HD. These DCIP assessments will utilize the interim draft DCIP Benchmarks, which support the interim draft DCIP Standards. This program will utilize DTRA's established JSIVA support structure, including the JSIVA Information System for tracking and analysis, and will benefit from the high-level entrée to command leadership extended to JSIVAs. DCIP-related data and mission analysis will be entered into the DCIP Data Management System.