Security Vulnerability Assessments

SVA Overview


The Security Vulnerability Assessment (SVA) is used to identify a level of protection that is necessary to adequately mitigate identified risks from critical infrastructure assets.

The Division of Homeland Security and Emergency Management’s Critical Infrastructure and Key Resources (CIKR) planning team uses this process to identify specific security countermeasures designed to protect a community’s continuity of operations, critical assets, population, and visitors.

The first step to the community assessment process begins with the identification of critical assets within the community. The SVA team works through the infrastructure taxonomy provided by the National Infrastructure Protection Plan (NIPP) to identify which assets should be included in the report.

Through historical research, open source data mining, and working directly with the individual asset owner/operators the SVA team is able to gather CIKR asset and interdependency data. The asset information is then entered into the Automated Critical Asset Management System (ACAMS)*, which is a secure, online database and database management platform that allows for the management of CIKR asset data; the cataloguing, screening and sorting of this data; the production of tailored infrastructure reports; and the development of a variety of pre- and post-incident response plans useful to strategic and operational planners and tactical commanders.

Following the data collection phase of the SVA, the team conducts physical “on-site” surveys documenting security countermeasures already in place in the following categories:

• Site Security Criteria Site perimeter, site access, exterior areas and assets, and parking.
• Structure Security Criteria Structural hardening, façade, windows, and building systems.
• Facility Entrance Security Criteria Employee and visitor pedestrian entrances and exits, loading docks, and other openings in the building envelope.
• Interior Security Criteria Space planning and security of specific interior spaces.
• Security Systems Criteria Intrusion-detection, access control, and closed-circuit television camera systems.
• Security Operations and Administration Criteria Security management and personnel, plans, and training.

Through the assessment process and review the SVA team will assign each asset a baseline Level of Protection, or LOP, based off of the asset’s mission, symbolism, threat history, accessibility, recognizability, recoverability, population, proximity to other assets, and vulnerability scores.

During the review and reporting phase the team first decides whether there are additional risks that should be considered in establishing the baseline level of protection (LOP) t}at is required. Second, they determine whether the countermeasures associated with the LOP provide an adequate level of protection to address those risks. Customization of the recommended protective measures may fluctuate relating to the risks identified throughout the assessment. The existing LOP is then compared to the necessary LOP to determine if it adequately addresses the threat(s), or if vulnerabilities exist that need to be addressed (see figure 1). If the existing LOP equates to the necessary LOP, current countermeasures should be maintained and tested on a regular basis. Conditions at the facility should be monitored for changes that may impact the effectiveness of countermeasures or the needed LOP. If the existing LOP does not sufficiently address the risks, shortfalls must be identified and countermeasures to recommendations to address those vulnerabilities will be included in the final report.

This process helps to ensure that the level of protection recommended to CIKR facilities, their employees, and visitors is commensurate with the level of risk.

Figure 1: Existing LOP Compared to Necessary LOP.

  Level of risk versus protection chart

Once the SVA team delivers the final report to the community or individual asset owner, the decision to implement the included recommendations to mitigate the risks, or to accept the risks, is that of the asset owner/operator. However, the report will include any additional level of protection allowing the asset owner/operator’s flexibility to decide what level of protection may be achievable.

For information on requesting a Security Vulnerability Assessment please contact the SVA Team through the contact information given below.

* All information collected by the SVA Team entered into ACAMS is secured under the Protected Critical Infrastructure Information (PCII) Program. The Protected Critical Infrastructure Information (PCII) Program is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. Additional information on the programs can be obtained in the links section or from directly from or DHS&EM staff.

Technical Assistance

SVA Links

SVA Contacts

  • General Planning Point of Contact
  • Bryan Wuestenberg - Emergency Management Specialist III/Critical Infrastructure-Key Resource Planner - 428-7032
  • George Mayberry - Public Health Liaison - 428-7034
  • Robert Gordon - Cyber-Security Liaison - 428-7041
  • Vacant - Emergency Management Spec. II - 428-7084