The following instruction is part of a series of “limited release” DoD doctrine publications that are not released to the public.
DoD Instruction O-3000.08: Balanced Survivability Assessments (BSAs)
- 18 pages
- For Official Use Only
- January 5, 2010; Incorporating Change 1, November 19, 2010
1. DOD BSA PROGRAM
a. The mission of DTRA is to safeguard the United States and its allies from weapons of mass destruction (WMD) (e.g., chemical, radiological, nuclear, and high-yield explosives) by providing capabilities to reduce, eliminate, and counter the threat and mitigate its effects. The BSA program is organized under the DTRA Combat Support Assessments Division.
b. BSAs are defined in the Glossary. BSA recommendations focus on operational processes and procedures, improved planning and analysis, low-cost procurement, and longer-term design changes.
c. BSAs are tailored to meet the needs of the customer, focus on continuity of specific mission areas, and revolve around measures that can be taken to improve mission assurance and survivability against an “all threats and hazards” approach (e.g., natural disasters, accidents or incidents, disruptive actions, hostile forces, malicious insiders, and WMD attack effects). Thus, Blue Team BSAs are not geographically oriented (e.g., an entire military base with multiple tenants or missions); however, Red Team BSAs may have a geographical orientation. BSAs provide multidisciplinary integration, broad applicability, and security and survivability support for systems, networks, architectures, infrastructures, and assets that support DoD MEFs, PMEFs, or the NEFs they support to ensure the continued and enduring operation of our nuclear command and control functions, and the assurance of global C4I and other critical national and defense capabilities and resources.
d. BSAs shall be a tool in DoD Components’ integrated risk management plans and processes. Mission-focused, multidisciplinary BSAs complement other joint, Service, or Combatant Command assessments that may be focused on a single discipline or area such as antiterrorism and force protection (AT/FP) or IA.
e. DTRA’s role in DoD integrated vulnerability assessments (IVA) includes the use of BSAs in support of mission assurance system and architecture characterizations at the strategic national level. BSAs should also be called upon to assist Combatant Commands in mission decomposition. In this role, BSAs should be considered for an integrated assessment approach to systems, networks, architectures, infrastructures, and assets that are deemed DCAs or Tier I TCAs. The BSAs use an “all threats and hazards” approach to debilitating events and a team of diverse subject matter specialists to support the Department of Defense in assessing defense critical infrastructures as part of Reference (k). The approved way-ahead for DoD vulnerability assessments concluded that addition of the BSA capability to the IVA and an associated mission decomposition process is essential, in conjunction with modified Joint Staff integrated vulnerability assessments and a self-assessment capability, to meet the assessment requirements of the Department’s critical infrastructures and assets. These changes form the basis of the new DoD assessment program to better serve commanders in the field while allowing responsible DoD entities to execute their mission assurance responsibilities as outlined in current policy issuances.
f. An infrastructure’s criticality, as determined through the DoD mission-based CAIP (see Reference (ab)), vetted against likely threats and hazards as determined through an enhanced threat and hazard assessment should determine where BSAs are best employed for DCIP assessments. To facilitate DCIP mission assurance assessments, current DCIP assessment benchmarks and standards (ASD(HD&ASA) Memorandum (Reference (af))), shall guide the BSA team. The Defense Critical Infrastructure Program (DCIP) Security Classification Guide (Reference (ai)) guides the marking, processing and handling of related DCIP information. The resulting assessment report shall be focused to provide installation commanders and/or asset owners the necessary inputs for preparing appropriate risk decision packages to meet the requirements of Reference (k).
g. Systems, networks, architectures, infrastructures, and assets that support critical command and control, nuclear command and control, nuclear weapons surety, and high-containment BSAT biosurety, per References (a) through (g), shall undergo BSAs. Responsible commanders or directors shall consider requesting a follow-on Blue Team BSA after a period of 5 years has passed or after major configuration or mission changes.
h. Systems, networks, architectures, infrastructures, and assets that support DoD MEFs, PMEFs, or the NEFs they support will undergo periodic BSAs, when requested by responsible commanders or directors. BSAs on those defense critical infrastructure assets identified as DCAs or Tier 1 TCAs may occur at least every 5 years or within 1 year of major configuration or mission changes.
i. BSAs nominally consist of three phases: pre-assessment, assessment, and post-assessment. The timelines and specific activities in each of these phases vary between Blue Team and Red Team BSAs. Sections 2 and 3 of this enclosure provide details about these differences.
j. Upon request, DTRA provides its customers post-BSA continuing technical support, that is, a capability to “reach back” and access its subject matter specialists to address follow-on issues that may arise.
4. DTRA RED TEAM BSA METHODOLOGY
a. (FOUO) The Red Team BSA program is a DoD effort that emulates threats ranging from a foreign intelligence service to a well-funded terrorist group or a capabilities-based threat. While the senior leadership and limited, designated trusted agents in the assessed organization are aware of these assessments, the majority of the assessed organization’s personnel are not made aware of the assessment. Red Team BSAs provide an “outside looking in” perspective. Red Team members are provided no insider knowledge of the elements of the architecture, organization, or system being assessed. Nominally, a Red Team BSA team consists of a Government lead, a mix of DTRA contractors, requisite administrative support, and tailored augmentation from DTRA’s Red Team DoD partners.
b. (FOUO) A DTRA Red Team BSA effort is typically a system-wide or architecture-wide vulnerability assessment of an organization. Each Red Team BSA is requested by a DoD Component or other Government activity. The Secretary of Defense or Deputy Secretary of Defense approves Red Team BSAs of missions or organizations external to the Department of Defense, while the Director, DTRA, approves those internal to the Department of Defense. These efforts can last from several weeks to many months. Knowledge of these efforts is strictly limited to senior leadership, trusted agents, and white cell controllers within assessed entities.
c. (FOUO) During the pre-assessment phase, DTRA educates the customer on the Red Team BSA process and develops assessment objectives, ground rules, and timelines. DTRA conducts final coordination with its partners for requisite team augmentation or support and establishes appropriate safety and security controls and procedures. DTRA obtains legal approvals from appropriate authorities and develops detailed ground rules to ensure that real-world integrity of assessed operational systems and safety of all personnel is not compromised.
d. (FOUO) During the assessment phase, team members identify and assess organization components and assets, identify mission vulnerabilities, and exploit them in accordance with the pre-approved ground rules and legal reviews. The team conducts collection efforts to emulate hostile intelligence operations. The resulting information is integrated to provide target assessments and to revise collection requirements. The team then evaluates and validates, through demonstration, physical and electronic vulnerabilities identified during the targeting process.
e. During the post-assessment phase, analyses are completed and a detailed briefing and written report are provided to the assessment requestor within approximately 60 days after completion of the assessment phase of the BSA. DTRA provides follow-on continuing support, when requested, to assist in the implementation of recommendations or in the technical review of design and development of new architectures, equipment, processes, or procedures.