Sandia tests new security assessment tool with help from real communities

By this fall Sandia’s security experts will be adding to their list of risk-assessment tools a scientific methodology for making entire communities more resistant to terrorism.

The new Community Vulnerability Assessment Methodology (CVAM) will join a family of other Sandia-developed VAMs for government buildings, dams, power transmission systems, chemical plants, and water distribution systems that already have helped plug gaps in the nation’s security apparatus.

The VAMs have been created in Security Systems & Technology Center 5800, drawing on expertise gained from Sandia’s years as the lead DOE lab for nuclear facility security.

CVAM has been in the works for more than two years, since long before Sept. 11, says project leader Gloria Chavez (5845). The project is funded by the National Institute of Justice’s Office of Science and Technology.

CVAM is being developed as part of a Memorandum of Understanding between Sandia and Public Technologies, Inc., a nonprofit technology organization of the National League of Cities, the National Association of Counties, and the International City/County Management Association.

Training the trainers

Seven metro areas soon will have benefited from the development and testing of the new methodology, says Gloria.

Some two years ago Sandia began collaborating with community leaders in Sterling Heights, Mich., north of Detroit, to begin developing a prototype assessment process. Developmental assessments of Bismarck, N.D., and Dade County (Miami), Fla., followed.

Early this month, Sandia began pilot testing the CVAM prototype in a joint project with Hennepin County, Minn. (the Minneapolis-St. Paul area). More pilot tests are planned for this fall with Tucson, Ariz., Norfolk, Va., and Rochester, N.Y.

By October, says Gloria, Sandia should have CVAM copyrighted.

The Labs likely would license the methodology to security training firms and train their trainers in its use. The security firms, then, would put the tool into the hands of hundreds of communities nationwide via their own train-the-trainer workshops, during which local community leaders and security professionals learn to conduct the vulnerability assessments themselves.

"We use the train-the-trainer method because we don’t have the resources to conduct all of the training needed to reach all the interested communities," says Gordon Smith, Manager of Public Safety Technologies Dept. 5845.

Identifying targets

The CVAM process requires a community’s leaders to first identify 10 to 20 facilities they feel are potential security targets, either because of their symbolic value or because of the possibility of severe consequences if an attack were successful.

Then CVAM takes the leaders, step-by-step, through a scientific risk-assessment process that helps them define threats, analyze consequences, and evaluate the effectiveness of current security measures.

After this risk assessment process is complete, the CVAM user has quantitative risk values for each facility to help prioritize where to spend scarce security funding.

Following this rigorous, consistent process typically reveals security vulnerabilities the community didn’t know it had, says Gloria, as well as potential security improvements for known vulnerabilities.

Taking expertise to local level

To kick off the Hennepin County pilot assessment, Gloria, Ray Page (5845), Skip Metcalf, and Jimmy Woods (both contractors) ran a five-day workshop in early August for local officials, during which the Sandians provided training on the VAM process and helped the officials prioritize critical facilities.

The Sandia team then conducted assessments of four facilities from Hennepin’s list of targets. Local officials participated in the assessments and will conduct assessments on their own of the remaining facilities.

The lists of facilities identified by communities are sensitive, says Gloria, but they typically include medical facilities, financial institutions, tourist attractions, gathering places, corporate offices, infrastructures, hazmat facilities, transportation centers (such as ports or railyards), and educational institutions.

"This training will bring some of the security expertise available at the national level to bear on public safety issues at the county and city levels," says Hennepin County Department of Corrections Planning Director Fred LaFleur, who also heads the County’s readiness group.

Consistent analyses

The real value of CVAM, says Gloria, is that it provides a consistent method of analyzing and prioritizing real security risks, identifying which facilities have the greatest threat potentials, and assigning appropriate resources to correcting vulnerabilities.

"It’s a tool to improve security before an attack occurs, not a response tool," she says. "But how effective it is depends on how thoroughly communities look at their facilities."