UNITED24 - Make a charitable donation in support of Ukraine!


Appendix K

Vulnerability Assessment

After a commander has obtained a threat analysis, he proceeds to complete the analysis by conducting the vulnerability and criticality assessments. (This appendix will discuss only the VA.) This process considers a mission review and analysis of the installation, base, unit, or port in relation to the terrorist threat. The review should assess the cost of antiterrorism measures in terms of lost or reduced mission effectiveness. It should then assess the level of acceptable risk to facilities and personnel given the estimated erosion of mission effectiveness. Often the best operational method and routine may be the worst to counter potential terrorist activities. This review and analysis is performed routinely and particularly for deployment.


K-1. The installation, base, unit, or port assessment is derived from the results of the vulnerability and criticality assessments. The assessment provides the staff with the overall vulnerability to terrorist attack. The staff then develops the crisis-management plan, which addresses all terrorist threat levels regardless of the present level. The THREATCONs are then applied according to the local threat. The considerations are—

  • Vulnerability. The VA is a self-assessment tool used to evaluate its vulnerability to terrorist attack. The more vulnerable an installation, base, unit, or port is, the more attractive it becomes to terrorist attack.
  • Criticality. The criticality assessment identifies key assets and infrastructures located on and adjacent to the installation, base, unit, or port. These assets are normally symbolic targets that traditionally appeal to a specific terrorist group (such as headquarters buildings and monuments). It addresses the impact of the temporary or permanent loss of key assets or infrastructures to the ability of the installation, base, unit, or port to perform its mission. The staff determines and prioritizes critical assets. The commander approves the prioritized list. The assessment—
    • Selects key assets.
    • Determines whether critical functions can be duplicated under various attack scenarios.
    • Determines the time required to duplicate key assets or infrastructure efforts if temporarily or permanently lost.
    • Determines the vulnerability of key assets or infrastructures to bombs, vehicle crashes, armed assault, and sabotage.
    • Determines the priority of response to key assets and infrastructures in case of fire, multiple bombings, or other terrorist acts.
  • Damage. The damage assessment determines the ability of the installation, base, unit, or port to plan for and respond to a terrorist attack against key assets and infrastructures.
  • Recovery procedures. The recovery-procedures assessment determines the capability to recover from the temporary or permanent loss of key assets and infrastructures. Based on this assessment, the staff establishes recovery procedures to ensure the continued ability to perform the mission.


K-2. Specific security measures should be directly linked with THREATCON levels. These considerations are—

  • THREATCON Normal. This THREATCON level exists when a general threat of possible terrorist activity exists but warrants only a routine security posture.
  • THREATCON Alpha. This THREATCON applies when there is a general threat of possible terrorist activity against personnel and facilities (the nature and extent of which are unpredictable) and when circumstances do not justify full implementation of THREATCON Bravo measures. It may be necessary to implement measures from higher THREATCONs either resulting from intelligence or as a deterrent. The measures in this THREATCON must be capable of being maintained indefinitely.
  • THREATCON Bravo. This THREATCON applies when an increased and more predictable threat of terrorist activity exists. The measures in this THREATCON must be capable of being maintained for weeks without causing undue hardship, affecting operational capability, or aggravating relations with local authorities. While in Bravo, the installation should bring manning levels and physical-protection levels to the point where the installation can instantly transition to THREATCON Charlie or Delta.
  • THREATCON Charlie. The transition to THREATCON Charlie must be done on short notice. It is a result of an incident occurring or the receipt of intelligence indicating that some form of terrorist action against personnel and facilities is imminent. Charlie measures should primarily focus on manning adjustments and procedural changes. Security forces will usually enhance their security presence by acquiring additional manning or by adjusting the work-rest ratio (such as moving from a 3:1 to a 6:1 ratio). At Charlie, off-installation travel should be minimized.
  • THREATCON Delta. Since the transition to THREATCON Delta is immediate, Delta measures should primarily focus on manning adjustments and procedural changes. THREATCON Delta applies in the immediate area where a terrorist attack has occurred or when intelligence has been received that terrorist action against a specific location or person is likely. The security force's manning level is usually peaked in Charlie; therefore, Delta's additional manning will usually come from an augmentation force. Once in Delta, nonessential operations will cease in order to enhance the security and response posture. Normally, this THREATCON is declared as a localized condition.

K-3. With exception of THREATCON Normal, all THREATCON levels have certain measures associated with them. These measures are listed in JP 3-07.2, Appendix J, and AR 525-13.

Assessing Vulnerability

K-4. A VA addresses the consequences of terrorist attacks in terms of the ability of units, installations, commands, or activities to accomplish their assignments successfully, even if terrorists have inflicted casualties or destroyed or damaged DOD assets. The VA focuses on two broad areas—

  • Preventing and, failing that, substantially mitigating the effects of a terrorist act.
  • Maintaining emergency preparedness and crisis response.

K-5. The VA provides the commander with a tool to assess the potential vulnerability of an installation, base, unit, or port activity; but it is not a substitute for sound judgment. The VA must stand on its own and be supported by valid considerations. Typically, a small group of knowledgeable individuals develop the VA. The VA team consists of personnel with required areas of expertise. Some of these team members are the—

  • Assessment-team chief.
  • Physical-security specialist.
  • Structural engineer.
  • Infrastructure engineer.
  • Operations-readiness specialist.
  • Intelligence and/or counterintelligence specialist.

K-6. The functions and responsibilities of each team member are outlined in JP 3-07.2. The following paragraphs provide basic information regarding these areas:

  • The assessment-team chief's key responsibilities include overseeing the management, training, and performance of the vulnerability-team members; finalizing the assessment-team out briefing; and preparing the population dynamics and risk assessment.
  • The physical-security specialist is responsible for the security and safety of the installation, facility, and personnel.
  • The structural engineer examines a variety of potential terrorist weapon effects and structural responses. This function serves to better protect personnel from shocks and blasts by reducing damage through the technically appropriate use of standoff measures, hardening, blast shielding, and shatter-resistant window film (such as Mylar®) as described in Chapter 3. The structural engineer's main responsibility is threat and damage assessment from terrorist weapons estimates and suggestions for threat protection or damage-mitigation measures.
  • The infrastructure engineer examines protection against the effects of WMD, protection against terrorist-incident induced fires, and utility systems that can be used to minimize terrorist-incident casualties (including elements of power, environmental control, and life-support systems). The primary responsibilities include infrastructure security and fire, safety, and damage control.
  • The operations-readiness specialist examines plans, procedures, and capabilities for crisis response, consequence management, and recovery operations should a terrorist incident occur. The main responsibilities of this position include emergency-medical and individual-readiness assessments.
  • The intelligence and/or counterintelligence specialist has the primary responsibility of performing logical analyses and preparing possible conclusions regarding terrorist targets and target vulnerabilities. These are based on processed intelligence information and knowledge of terrorist capabilities and methods in view of US installation, facility, and personnel safety and security practices.

Conducting the Assessment

K-7. Upon its arrival, the assessment team provides an in briefing for the commander, staff, and designated technical point of contact. Site personnel should conduct a site-familiarization briefing and tour. Administrative activities may include establishing the team support area, setting up equipment, scheduling team and technical points of contact meetings and discussions, ensuring classified-material control, establishing a personnel locator, and organizing materials for the out briefing and site folder. Each assessment-team member conducts the assessment based on the specific responsibilities for each function within his area.

Post-assessment Activities

K-8. Within 30 days of the visit, a summary narrative report and an annotated briefing should be delivered to the installation commander. Follow-on assistance for the commander may be applicable in areas of technical characteristics of improvement options, cost estimates, and generic sources of materials and equipment.

Drills and Exercises

K-9. Multiechelon war gaming of possible terrorist attacks is the best test, short of an actual incident, to analyze the response of an installation, base, unit, or port. Drills and exercises test suspected vulnerabilities and antiterrorist measures. These exercises and drills also train the staff as well as reaction-force leadership and help maintain a valid threat assessment by identifying and adjusting to changing threat capabilities.

Join the GlobalSecurity.org mailing list