Physical Security Assessment Program

Citation: 432 FW 2
FWM Number: N/A
Date:
Originating Office: Emergency Management and Physical Security Program

TABLE OF CONTENTS

Topics

Sections

OVERVIEW

2.1 What is the purpose of this chapter?

2.2 What are the scope, authorities, and terms you need to know to understand this chapter?

2.3 What are the responsibilities related to physical security assessments?

FACILITY SECURITY LEVEL

2.4 What is a Facility Security Level (FSL)?

2.5 How is the FSL determined?

2.6 Who is the decision-making authority that determines the FSL?

2.7 When is an FSL determined?

PHYSICAL SECURITY ASSESSMENTS

2.8 What is the purpose of a physical security assessment?

2.9 How are physical security assessments carried out?

2.10 What qualifications must a Physical Security Assessor have?

2.11 What is the schedule for conducting physical security assessments?

2.12 What comprises a physical security assessment?

2.13 What is a risk assessment?

2.14 How is a risk assessment prepared?

2.15 What is the Physical Security Assessment Report?

IMPLEMENTING THE RESULTS OF ASSESSMENTS

2.16 How do Designated Officials and Facility Security Officers implement countermeasure recommendations as the result of physical security assessments?

OVERVIEW

2.1 What is the purpose of this chapter?

A. This chapter establishes the program and policy for conducting physical security assessments of all U.S. Fish and Wildlife Service (Service)-operated facilities (both leased and owned).

B. Although the program is managed by the Chief, Office of Emergency Management and Physical Security (OEMPS), in the Headquarters National Wildlife Refuge System (NWRS) program, it is applicable to all Service locations.

2.2 What are the scope, authorities, and terms you need to know to understand this chapter? See 432 FW 1 for information about scope, authorities, and definitions of terms for all the chapters in Part 432, Physical Security.

2.3 What are the responsibilities related to physical security assessments? See Table 2-1.

Table 2-1: Responsibilities for Physical Security Assessments

These employees…

Are responsible for…

A. Chief, Office of Emergency Management and Physical Security (OEMPS)

(1) Providing resources for the physical security assessment program; and

(2) Ensuring that physical security becomes an integral part of the planning, design, and construction/renovation of Service facilities.

B. Physical Security Program Manager

Administering the day-to-day operations of the physical security assessment program.

C. Geographic Emergency Management and Physical Security Managers (GEMPS)

(1) Coordinating physical security assessments within their geographic Regions,

(2) Assisting facilities in implementing the necessary level of protection based on the facility risk assessment, and

(3) Approving any deviations to the countermeasure recommendations for facilities in their designated Regions.

D. Designated Officials (DO)

(1) Implementing the necessary level of protection based on facility risk assessments;

(2) Submitting the Physical Security Risk Mitigation/Acceptance Justification Form (FWS Form 3-2502) to their servicing GEMPS and Regional Director, when necessary; and

(3) Requesting out-of-cycle risk assessments based on changing populations, changing local conditions, immediate threats, increasing crime trends, or facility reduction or closure.

E. Facility Security Officers (FSO)

(1) Assisting the OEMPS in the final Facility Security Level (FSL) determination for their facilities, and

(2) Implementing the necessary level of protection based on the facility risk assessments.

F. Physical Security Assessors

(1) Conducting physical security assessments on Service-owned and direct-leased facilities;

(2) Coordinating physical security assessments with GEMPS, DOs, and FSOs; and

(3) Preparing physical security assessment reports and providing countermeasure recommendations.

FACILITY SECURITY LEVEL

2.4 What is a Facility Security Level (FSL)? The FSL is a categorization we make by analyzing several security-related facility factors, including mission criticality, symbolism, facility population, facility size, and threat to tenant agencies. The FSL serves as the basis for the implementation of countermeasures specified in Interagency Security Committee (ISC) standards. Each FSL corresponds to a level of risk, which then relates directly to a Level of Protection (LOP) and associated set of baseline security measures (countermeasures).

2.5 How is the FSL determined?

A. The responsible official(s) (see section 2.6) must follow these steps to determine a preliminary FSL:

(1) First, score the factors, giving each factor a point or points by using the table below.

| Factor | 1 Point | 2 Points | 3 Points | 4 Points | Point/Points for Your Facility |
|---|---|---|---|---|---|
| Mission Criticality | LOW | MEDIUM | HIGH | VERY HIGH | |
| Symbolism | LOW | MEDIUM | HIGH | VERY HIGH | |
| Facility Population | < 100 | 101 – 250 | 251 – 750 | > 750 | |
| Facility Size | < 10,000 sq. ft. | 10,000 – 100,000 sq. ft. | 100,001 – 250,000 sq. ft. | > 250,000 sq. ft. | |
| Threat to Tenant Agencies | Low | Medium | High | Very High | |

(2) Add all the factors’ points you entered in the table above to obtain the TOTAL score.

(3) Using the total score, find the preliminary FSL in the table below.

| Score | Preliminary FSL | Level of Risk |
|---|---|---|
| 5 – 7 points | I | Minimum |
| 8 – 12 points | II | Low |
| 13 – 17 points | III | Medium |
| 18 – 20 points | IV | High |

B. The decision-making authority may make an “intangible adjustment” to the facility’s preliminary FSL by raising or lowering it by 1 if they can justify the adjustment. The justification must be in writing and accompany the FSL. See section 2.6D.

2.6 Who is the decision-making authority that determines the FSL?

A. For facilities owned or direct-leased by the Service, the OEMPS will make the final FSL determination in consultation with the FSO.

B. For single-tenant facilities leased through the General Services Administration (GSA), OEMPS will make the final FSL determination in consultation with the security organization (Federal Protective Service).

C. In multi-tenant facilities owned or leased by the Government, the tenants, through the Facility Security Committee, will make the FSL determination in consultation with the owning or leasing department or agency and the security organization responsible for the facility (e.g., Federal Protective Service).

D. At the discretion of the decision-making authority, the preliminary FSL may be raised or lowered one level. Intangible factors could include the potential for cascading effects or downstream impacts on interdependent infrastructure, costs associated with the reconstitution of the facility that would increase the FSL, or factors such as short duration of occupancy that could reduce the value of the facility in terms of investment, and thus reduce the FSL.

(1) The intangible factors should not be used to raise or lower the FSL in response to a particular threat act.

(2) The decision-making authority should document any intangible factors and the associated adjustment and retain this information as part of the official facility security records.

(3) Decision-making authorities must not use FSL intangible adjustments to reduce the baseline and necessary security criteria. If a facility cannot meet the necessary level of protection, risk acceptance may be necessary.

E. For facilities with multiple assets (e.g., multiple separate buildings), the FSL designation list must include a breakdown of the assets and their designations. If a single FSL is used, then the FSO and decision-making authority must consider each asset at the facility to hold the highest FSL achieved at that facility (i.e., campus).

F. Due to low inherent risk, facilities categorized as Very Low Risk (VLR – see 432 FW 1) do not carry an FSL designation, nor do the ISC requirements apply to them.

2.7 When is an FSL determined?

A. The decision-making authority determines the initial FSL for newly leased or owned space as soon as practical after identifying a space requirement.

B. The decision-making authority must review the FSL at least as part of the regularly recurring risk assessment and adjust it as necessary. Major changes in the nature of the tenants should prompt the decision-making authority to reconsider the FSL, and whether to adjust it, between regularly scheduled assessments.

PHYSICAL SECURITY ASSESSMENTS

2.8 What is the purpose of a physical security assessment?

A. The primary purpose of a physical security assessment is to evaluate the current physical security status of a Service-operated location and to identify if any additional physical security countermeasures are necessary to enhance the Service’s ability to safeguard employees, visitors, and property.

B. An assessment also identifies the overall risk to a particular facility based on evaluating credible threats, identifying vulnerabilities, and assessing consequences if countermeasures are not implemented. The assessment identifies the most practical physical protection measures for Service assets based on their FSLs. It assists Service managers in identifying critical assets necessary for mission accomplishment and analyzes the risks to those assets from Undesirable Events (UDE).

C. Assessment of UDEs helps to identify the necessary LOP required to adequately and economically safeguard the people, facilities, and resources for which the Service is responsible.

D. The objectives of physical security assessments are to:

(1) Identify minimum security standards required by the ISC,

(2) Provide Service management teams with a tool to design a physical security program or improve their program based on local needs,

(3) Allow the flexibility to customize the LOP to meet local risk conditions (necessary LOP),

(4) Obtain the maximum return possible from invested resources, and

(5) Serve as a basis for an asset-specific threat analysis.

2.9 How are physical security assessments carried out? This assessment program is Headquarters-driven and is overseen by the Chief, OEMPS. The Physical Security Program Manager administers the day-to-day operations of the assessment program.

A. Qualified Physical Security Assessors (Service staff or contractors) conduct the physical security assessments. See section 2.10 for assessor qualifications.

B. Assessors coordinate physical security assessments with the Physical Security Program Manager, the servicing GEMPS, DOs, and FSOs.

C. Federal Protective Service personnel may also conduct physical security assessments, which are typically required as a condition of a GSA lease.

2.10 What qualifications must a Physical Security Assessor have? Physical Security Assessors must possess all of the baseline competencies the ISC establishes in “Security Specialist Competencies: An Interagency Security Committee Guideline,” (current edition), as well as the following:

A. Must have a current U.S. Government Single Scope Background Investigation (SSBI).

B. Must have a current U.S. Government TOP SECRET (Tier 5) Personnel Security Clearance.

C. Must be a U.S. citizen.

D. Must complete the Physical Security Training Program (offered by the Federal Law Enforcement Training Center (FLETC)) or equivalent course work (e.g., Defense Security Service (DSS) Security Specialist Course).

(1) DSS security training:

     (a) Introduction to Physical Security (PY011.16),

     (b) Physical Security Planning and Implementation (PY106.16), and

     (c) Security Measures (PY103.16).

(2) Federal Emergency Management Agency (FEMA)/Emergency Management Institute courses:

     (a) IS-1170: Introduction to the Interagency Security Committee (ISC),

     (b) IS-1171: Overview of Interagency Security Committee (ISC) Publications,

     (c) IS-1172: The Risk Management Process for Federal Facilities: Facility Security Level (FSL) Determination,

     (d) IS-1173: Interagency Security Committee Risk Management Process: Levels of Protection and Application of the Design Basis Threat Report,

     (e) IS-1174: Interagency Security Committee Risk Management Process: Facility Security Committees, and

     (f) IS-916: Critical Infrastructure Security: Theft and Diversion – What You Can Do.

(3) It is highly desirable for a Physical Security Assessor to hold the following certifications issued by the Center for Development of Security Excellence (CDSE), DSS:

     (a) A Physical Security Certification (PSC), and

     (b) A Security Fundamentals Professional Certification (SFPC).

2.11 What is the schedule for conducting physical security assessments?

A. After an initial baseline physical security assessment is conducted, there must be a recurring assessment every 5 years for facilities with FSLs I or II and every 3 years for facilities with FSLs III or IV.

B. The Physical Security Program Manager must also schedule physical security assessments:

(1) When a facility is in the pre-construction or acquisition phase, undergoing a major renovation, or immediately after personnel or assets initially occupy the facility;

(2) When a duty station permanently relocates to a new site or facility not operated or leased by GSA; or

(3) When no formal record exists of a prior assessment.

C. FSOs may decline to have assessors inspect assets that do not have any operational or mission support value (e.g., abandoned or decommissioned assets, vacant sheds). Vacant facilities run a high risk for unintended activities, so FSOs must identify these assets in the Facility Security Plan (FSP), and the FSO must inspect them on a regular or monthly basis to minimize risks.

2.12 What comprises a physical security assessment? Physical security assessments include:

A. Informal discussions with facility personnel (e.g., DO, FSO, law enforcement personnel, etc.);

B. Examination of the facility’s existing infrastructure components;

C. Examination of the facility’s physical security systems;

D. Examination of the facility’s operational procedures;

E. Preparation of a facility risk assessment; and

F. A review of physical security-related plans, previously conducted independent risk assessments, emergency operating procedures, maps, and other documents.

2.13 What is a risk assessment? A risk assessment is the process of evaluating credible threats and capabilities, identifying vulnerabilities, and assessing consequences through an analysis of the UDEs as defined by the ISC’s Design-Basis Threat Report. FSOs and other security personnel can then design risk-based facility countermeasures to minimize, monitor, and control the probability of a UDE occurring and to reduce or eliminate the impact of such an event.

2.14 How is a risk assessment prepared?

A. The Physical Security Assessor prepares the risk assessment. The Assessor submits this report to the FSO and OEMPS as part of the Physical Security Assessment Report.

(1) Using local crime statistics and regional and national threats against Government facilities or Service employees, the assessor compares these threats against the current Design-Basis Threat (DBT) baseline. The assessor adjusts and documents any changes made from the DBT baseline, which is then reflected in the threat score for each UDE. The assessor also considers the target attractiveness. More common criminal acts (e.g., theft, assault, unlawful demonstrations, workplace violence, and vandalism) that historically occur frequently are given more consideration than acts of terrorism.

(2) After considering the baseline LOP (based on the FSL), the assessor considers how an adversary can exploit a weakness in the design or operation of the facility to launch a successful attack, based on any one of the UDEs, and sets a vulnerability score.

(3) The consequence score is based on the level, duration, and nature of the loss resulting from a UDE. The consequence score heavily reflects the potential for loss of life and the mission criticality score from the FSL.

(4) The risk score is calculated for each of the UDEs: Threat × Vulnerability × Consequence = Risk Score.

(5) The UDEs with the highest risk score are annotated and will be the priority when implementing security countermeasures.

B. The FSO, in consultation with OEMPS, may decide to have an out-of-cycle risk assessment prepared independently of the physical security assessment based on changing populations, changing local conditions, immediate threats, increasing crime trends, or facility reduction or closure.

C. A Federal law enforcement official, the servicing GEMPS, the Physical Security Program Manager, or a Physical Security Assessor (when not assigned to conduct the physical security assessment) may prepare the independent risk assessment.

D. All risk assessments must be marked and handled as Controlled Unclassified Information (CUI) (marked as CUI//SP-PHYS) and safeguarded when in electronic or printed form or shared outside of the Service, in accordance with laws, regulations, and policy regarding the handling, storage, and disposition of CUI (see 32 CFR Part 2002).

E. The FSO must give a copy of any independent risk assessments to the DO, Service facility or property manager (if different from the FSO or DO), and the GEMPS.

F. For multi-tenant facilities that are occupied in part by the Service, the Facility Security Committee is responsible for preparing the risk assessment. In most cases, the FSO participates in the Facility Security Committee and should request a copy of the risk assessment from the committee.

2.15 What is the Physical Security Assessment Report?

A. A Physical Security Assessment Report is a document confirming the LOP countermeasures that are necessary for the facility. It includes a facility profile, a threat analysis, an assessment of the current physical security countermeasures and any identified vulnerabilities, a risk assessment (and copy of independent risk assessment, if done), and documentation of any deviation for physical security countermeasures that are not in compliance with ISC standards.

B. The assessor must give copies of the report to the DO and OEMPS, and copies must be provided to the Department of the Interior’s Office of Law Enforcement and Security upon request.

C. Physical Security Assessment Reports must be maintained at the station level for a minimum of 5 years.

D. Physical Security Assessment Reports must be marked and handled as CUI (marked as CUI//SP-PHYS) and safeguarded when in electronic or printed form or shared outside of the Service, in accordance with laws, regulations, and policy regarding the handling, storage, and disposition of CUI (see 32 CFR Part 2002).

IMPLEMENTING THE RESULTS OF ASSESSMENTS

2.16 How do DOs and FSOs implement countermeasure recommendations as the result of physical security assessments?

A. As determined by the physical security assessment, the necessary LOP (see 432 FW 1) has countermeasures that the DO, FSO, or Facility Security Committee must implement to meet ISC requirements. Countermeasures may have multiple corrective options, so we may refer to them as “countermeasure recommendations” (see 432 FW 1 for a definition).

B. Any deviations to countermeasure recommendations must be approved, and in rare instances may be waived, via the Physical Security Risk Mitigation/Acceptance Justification Form (FWS Form 3-2502) process. The DO must complete the form and submit it to their servicing GEMPS for review and to the Regional Director for risk acceptance approval, if necessary.

(1) The form must describe alternative countermeasures to meet the intent of the standard using appropriate rationale and address the following parameters:

     (a) Summarize the countermeasure recommendation, including the UDE being addressed,

     (b) Identify the necessary LOP that the countermeasure recommendation would provide,

     (c) Summarize any alternative countermeasure planned in lieu of the recommended countermeasure, and

     (d) Identify the LOP the alternative countermeasure will provide.

(2) If the GEMPS does not concur with the proposed risk mitigations, the DO may request approval from the Regional Director, the Physical Security Program Manager, or as a last measure, the Physical Security Advisory Board (see 432 FW 1 for more information about the Board).

(3) The DO and the GEMPS must retain the Physical Security Risk Mitigation/Acceptance Justification Form until the next physical security assessment is conducted. 

(4) The Physical Security Risk Mitigation/Acceptance Justification Form expires when the next physical security assessment is conducted.

C. A DO may implement physical security countermeasures more stringent than those in the necessary LOP because of the criticality or value of the asset under consideration, analysis of local threats, identified vulnerabilities, or available security resources.

D. The DO and FSO must ensure that any implemented countermeasures are documented in the Facility Security Plan.