EPRM is the approved application for Air Force Antiterrorism and IDRMP assessments; effective 1 July 2019 all such assessments are to be entered in EPRM.
AFI 31-101 directs the designation of an approved automated Integrated Defense Risk Management Process (IDRMP) application to facilitate the ID risk management process. In June 2018, the "DoD Antiterrorism" module of EPRM was fielded at several Air Force installations to evaluate its ability to satisfy IDRMP requirements. AF/A4S identified many changes that were incorporated into the current IDRMP module.
Please refer to the NOTAM and respective documents below for more information.
Web Training: Available Now
E-mail email@example.com for details.
FREQUENTLY ASKED QUESTIONS:
ATFP or IDRMP
Which assessment type do I choose, ATFP or IDRMP?Within the module, there are two options from which you can select in the profile section:• Select IDRMP to include all risk based questions and to satisfy the annual DoD (DoD 2000.16 vol. 1; AT Standards 3-6) and AFI requirement (31-101 & 10-245) to do a risk analysis of an installation, expeditionary location or a special event.• Select DoD AT/FP to include all of the risk based components (i.e. all of IDRMP) with the compliance items necessary to satisfy the annual risk assessment requirements and the DoD 2000.16 requirement for a 3-year AT program review/assessment (AT Standard 31).What do I select if I’m only doing an annual risk assessment?Select “IDRMP” to satisfy annual risk assessment requirements.What do I select if I’m doing a 3-year review?You should select DoD ATFP in order to satisfy both 2000.16 and AFI 31-101 annual requirements for a risk assessment and 3-year requirements for a program review (AT Standard 31).I originally selected IDRMP, but would like to change to ATFP, is that possible?Yes, if you select IDRMP you can always go back and change your selection to DOD ATFP which will add the necessary/additional compliance questions to address DOD 2000.16 Standard 31 while preserving the responses from the IDRMP assessment.I completed an ATFP assessment in EPRM before this new ‘ATFP or IDRMP’ objective was added, do I need to go back and do another assessment using this objective?No, it is unnecessary to go back and re-do assessments; the previously completed assessments are valid as that was the approved objective at the time of use.I’m confused why ‘ATFP or IDRMP’ is one assessment type in EPRM.In the last year DoD has aligned their process with IDRMP. Because of that, A4S is aligning their policies regarding IDRMP with DoD. The intent is to have one single process in the future.Not every location that has a need to do an IDRMP risk assessment requires an annual AT assessment for DoD. However, of the installations that do, it should be one process and both should be addressed by selecting 'DOD ATFP'.
Tracking Vulnerabilities in EPRM
Do I have to start an assessment to track my vulnerabilities and remediations? Yes, you have to complete an assessment to track your vulnerabilities.For any vulnerability question (i.e. benchmark) for which the answer is ‘no’ (i.e. ‘not satisfied’), the assessor uses the comment field(s) to document the vulnerability.In the analysis section all ‘no’ answers feed a list of possible remediations.• Assessor can add them to the plan of action, assign it to an individual for completion, calculate the ‘revised’ risk that will result from remediation, and track its status. When remediation is complete, it will also provide updated risk scores for the installation.Is there a way for me to enter a vulnerability without starting an assessment?No, you have to complete an assessment to track your vulnerabilities.In the previous AT vulnerability management system (CVAMP), all vulnerabilities ‘should’ have been associated with a local or HHQ assessment. However, in practice, many commands would put in ‘ad hoc’ observations/vulnerabilities. Those entries, though somewhat useful, were of limited value at HHQ because they could not be viewed in the context of the other protections that were in-place and the totality of the risk resulting from that vulnerability.Now, when an assessment is entered, commands will document the protections in-place and those that are not by responding to the list of relevant DoD Benchmarks (like with ForcePRO). For those protections that are not in-place (i.e. the benchmark is not being met), commands can propose mitigation. All vulnerabilities will thereby be associated with the DoD benchmark to which they are most closely related, for tracking and reporting purposes. Enforcing the need to address vulnerabilities as part of an overall assessment, allows each vulnerability to be viewed more completely within the context of the risk (asset/threat/vulnerability) at the installation.Is there a process for documenting emerging (ad hoc) vulnerabilities?Yes, between the annual risk assessments, vulnerabilities may arise that were not identified in the previous assessment. Document those vulnerabilities by updating the last assessment by adding the newly identified vulnerability:1. Make a copy of the last assessment.2. Navigate to the ‘conduct assessment section, and identify the benchmark that is most closely related to the vulnerability3. Mark the benchmark ‘no’ (i.e. ‘not satisfied’) then use the ‘comment’ field(s) to document the vulnerability.4. Lock the assessment.5. In the analysis & remediation section, add the vulnerability (benchmark) to your plan of action, assign it to an individual for completion, and track its status. Upon remediation completion, the system will also provide updated risk scores for the installation.
Is the MAAP assessment capability available in EPRM?For MAAP assessments, the Joint Staff is in the process of developing a separate module that executes the very specific MAA process. (Expected fielding date is late summer 2019.)• When fielded, the module will be used for a more comprehensive assessment (all benchmarks) of the identified Task Critical Assets (TCA) and Task Assets (TA) on the installation for their MAA assessments.• Training and guidance will be provided to MAA teams when the module is fielded• We do not anticipate Installation-level use of the MAA moduleWho needs to do a MAAP assessment?Currently, MAAP assessments are not an installation-level responsibility and are conducted by Service/CCMD/Joint MAA teams
Interagency Security Committee (ISC) Assessments
What is the ISC module?The ISC module is very similar to the DoD ATFP/IDRMP module, but it has the necessary modifications to make it ISC compliant, which includes a separate set of benchmarks, a Facility Security Level (FSL) calculation, and DHS baseline threat preload.Is EPRM ISC compliant?Yes, EPRM is certified to be an ISC compliant tool to do risk assessments of off-base facilities to DHS' ISC standardsDo I have to follow ISC standards?DoDI 2000.12 change 3, requires use of the ISC standards for some DoD facilities. Specifically paragraph 4.o., says: "Unit commanders or civilian managers and directors responsible for DoD elements occupying leased facility space, or space in buildings owned or operated by the U.S. General Services Administration (GSA) not located on DoD property, WILL COMPLY with the applicable Federal Interagency Security Committee standards..."When completing an ISC assessment, why is selecting ‘no’ to a threat not an option?The ISC Design Basis Threat (DBT) dictates that all threats will apply. You are to confirm the rating of the threat. If you deviate from the DBT rating you have to justify the reason (normally based on a local assessment) by adding a comment.
How do I know if my asset is a Task Critical Asset (TCA)?There are two ways to determine what the TCAs are on your installation.1. Within the system, when you look at the hierarchy if your installation has any TCAs that were imported from the authoritative database (SMADS) they will already be listed with their tier level. To find them, you can search SMADS on the hierarchy either as the node manager (“Node Management”) or on the screen that comes up right after you select “Start Assessment”.2. Consult with the installations operations department which will have access to the list of TCAs in either SMADS or AF-CAMs. You will typically find the POC for the systems to be the Critical Asset Risk Management (CARM) program manager who also has access to Critical Asset Identification Process (CAIP) documents.What are the things called “TCAs” or “SMADS” in my hierarchy?Task Critical Assets (TCAs) and Task Assets (TAs) are assets that are related to specific missions and are nominated and approved at the Service and Joint Staff level. In preparation for the Mission Assurance Assessment Module (MAA) those TCAs/ TAs have been added to the EPRM hierarchy from the Strategic Mission Assurance Data System (SMADS). These items are for the MAA module and should be left as is.
Copyright © 2020 Alion Science & Technology. All rights reserved.