• Reaffirm/validate the threat agents and scenarios for continued study
• Identify and visit representative customer operations and facilities
• Assess threat agent impacts on customer employees, patrons, and operations

Reaffirm/Validate Threat Agent/Scenarios

During this initial portion of the Vulnerability Assessment, the working group validates the expected impacts from the threat-agent scenarios of greatest concern. These impacts are based on Threat Assessment data, a review of customer operations, professional judgment, and previous visits to customer facilities.

Identify and Visit Representative Customer Operations and Facilities

The working group identifies several representative customer facilities. These facilities are visited to gather operational information needed to support the assessment of generic, non–site-specific impacts of the scenario-based terrorist attacks.

Assess Threat Agent Impacts Upon Customer Employees, the Public, and Customer Operations

Several vulnerability assessment approaches are considered for each project, including the Department of Defense’s Joint Service Integrated Vulnerability Assessment and more recent variations used in support of critical infrastructure protection. These types of assessment typically include both in-briefs and out-briefs to facility management, initial identification of known problems and priorities, review of appropriate security planning documents, interviews with operational staff, and facility walkthroughs. However, given sensitivities of customer workers, the working group may adopt a much less intrusive approach, one that focuses on general characteristics of customer operations with the objective of identifying generic vulnerabilities. A typical approach includes the following steps:

• Walk process flows, assess equipment, and identify operations that either cause/enhance or moderate/inhibit the expected impacts
• Observe general facility layout that could worsen/moderate the expected impact
• Consider heating, ventilation, and air conditioning (HVAC) designs and other items pertaining to air movement in a facility
• Consider the influence of maximum shift size, floor space, time to process, and planned detection or protection measures on expected impacts

The information gathered from the facility visits is used to develop a generic vulnerability assessment based on the threat agent scenarios for representative operations and facilities. It is also used to determine the expected impacts from the scenario-based terrorist attacks. Vulnerabilities are identified and the resulting potential impacts from attacks are evaluated.