Lesson 5: Understanding Levels of Protection

At the end of this lesson, you will understand the various Levels of Protection and be able to define risk acceptance and describe the necessary documentation.

Baseline Level of Protection
  • The baseline LOP is the degree of security provided by the set of countermeasures for each Facility Security Level (FSL) that must be implemented unless a deviation (up or down) is justified by a risk assessment.
  • Implementing appropriate countermeasures for mitigating vulnerabilities should reduce risk to an acceptable level, identified in Appendix B: Countermeasures.
  • Appendix B also describes the process to customize the LOP for a specific facility based on the assessed risk.
Risk Management Process LOP

The Risk Management Process flow chart outlines the proper steps to arrive at a baseline LOP. It also details the process for assessing risk and its impact on the LOP.

The figure displays a diagram of the Risk Management Process. Section 4.0 is the FSL Determination and is located at the top center of the graphic. The flow from there is as follows:
  • From 4.0 FSL Determination, an arrow goes down to 5.1.1 Identify Baseline LOP.
  • An arrow goes down to 5.1.2 Identify and Assess Risks.
  • An arrow goes down to 5.1.3 Risks = Baseline LOP? If no, a red arrow goes to the right to 5.1.4 Determine LOP Necessary to Meet Risk, and another arrow then goes down and to the left to 5.1.5 Existing LOP Is Sufficient? If yes, a green arrow goes down to 5.1.5 Existing LOP Is Sufficient?
  • 5.1.5 Existing LOP Is Sufficient? If yes, a green arrow goes to the left that reads Maintain Existing LOP. If no, a red arrow goes down to 5.1.6 Necessary LOP Available?
  • 5.1.6 Necessary LOP Available? If no, a red arrow goes to the right to 5.1.7 Determine Highest Available LOP, and an arrow then goes down from 5.1.7 to 5.1.8 Is Risk Acceptable? If yes, a green arrow goes from 5.1.6 to 5.1.11 Achievable Immediately?
  • 5.1.8 Is Risk Acceptable? If no, a red arrow goes to the right to 5.1.9 Alternate Locations Available? If yes, a green arrow goes down to 5.1.10 Risk Acceptance.
  • 5.1.9 Alternate Locations Available? If yes, a green arrow goes up to Evaluate Alternate Locations and then back to 5.1.1 Identify Baseline LOP to start the process over again. If no, a red arrow goes to the left to 5.1.10 Risk Acceptance.
  • From 5.1.10 Risk Acceptance, an arrow goes to the left to 5.1.11 Achievable Immediately?
  • 5.1.11 Achievable Immediately? If no, a red arrow goes to the left to 5.1.12 Plan for Delayed Implementation, and another arrow goes down to Implement Interim Countermeasures and then 5.1.13 Implement Permanent Countermeasures. If yes, a green arrow goes down to 5.1.13 Implement Permanent Countermeasures.
LOP Process: Assessed Risk

We previously established the FSL of our facility as Level III, and the baseline LOP for a Level III facility is medium, so we must now either stay with the baseline or conduct an assessment. In our case, the security organization conducted a risk assessment and found that the threats of robbery and vandalism were high and the threat of assault was very high. However, the threats of a Vehicle-Borne Improvised Explosive Device (VBIED) and workplace violence were low.

The graphic shown consists of a line chart titled Examples of Undesirable Events. The left axis is titled Level of Risk/Protection and ranges from 0 to 5. The horizontal axis lists a series of threat types including Arson, Assault, VBIED, Kidnapping, Robbery, Vandalism, and Workplace Violence. The chart legend includes Baseline represented by a solid navy line, FSL represented by a green dashed line, and Threat represented by a red dotted line. The value of the Baseline and FSL for all threats listed is 3, shown by two straight horizontal lines (a solid navy line and a dashed green line) across all threat types. The values of Threat form a zigzagging red dotted line across the threat types, with values as follows: Arson = 3, Assault = 5, VBIED = 2, Kidnapping = 3, Robbery = 4, Vandalism = 4, and Workplace Violence = 2.
Necessary Level of Protection
  • The assessed risk may indicate a necessary LOP that differs from the baseline LOP. 
  • The necessary LOP is the degree of security determined to be needed to mitigate the assessed risks at the facility.
  • By determining the appropriate countermeasures applicable to the assessed risks and identifying changes from the baseline LOP, the necessary LOP can be developed.
LOP Process: Necessary

With the specific risk levels identified, we now know what Level of Protection is necessary to mitigate them. The necessary LOP takes precedence over the baseline established by the Facility Security Level.

The graphic shown consists of a line chart titled Necessary LOP. The left axis is titled Level of Risk/Protection and ranges from 0 to 5. The horizontal axis lists a series of threat types including Arson, Assault, VBIED, Kidnapping, Robbery, Vandalism, and Workplace Violence. The chart legend includes Baseline represented by a solid navy line, FSL represented by a green dashed line, Threat represented by a red dotted line, and Necessary represented by a blue dash-dot line. The value of the Baseline and FSL for all threats listed is 3, shown by two straight horizontal lines across all threat types. The values of Threat and Necessary are equal for all threat types, forming two parallel zigzagging lines with values as follows: Arson = 3, Assault = 5, VBIED = 2, Kidnapping = 3, Robbery = 4, Vandalism = 4, and Workplace Violence = 2.
Deviation from the Baseline Level of Protection
A table from Appendix A with the baseline level of protection highlighted for a Level III facility. Highlighted are the security criterion for Access to Non-Public Areas, "Use signage, stanchions, counters, furniture, knee walls, etc., to establish physical boundaries to control access to nonpublic areas," as well as the security criterion for Security of Critical Areas, "Install electronic access control and IDS to control and monitor access into critical areas." An arrow points left and says "Assessed risk is lower than typical Level III; select lower LOP." An additional arrow points right and says "Assessed risk is higher than 'typical' Level III facility; select a higher LOP."
In this example, if the assessed risk is lower than the typical Level III facility, a lower Level of Protection is selected. If the assessed risk is higher than a “typical” Level III facility, then a higher Level of Protection is selected.
LOP Process: Necessary vs. Baseline

Unmitigated risk and waste can be negated by determining the necessary LOP according to a risk assessment.

Existing LOP
  • Once the existing LOP is mapped against all the other determinations, it creates a picture of how resources can or should be adjusted to meet the necessary LOP.
  • Note that the necessary LOP takes precedence over the baseline LOP.
If there is an existing LOP for the facility, it can be mapped against all the other determinations. This will create a picture of how resources can or should be adjusted to meet the necessary LOP. Note that the necessary LOP takes precedence over the baseline LOP.
Achievable LOP

If the FSC has determined that the necessary LOP cannot be implemented, the highest achievable LOP must be identified.

Identifying the highest achievable LOP may require an iterative process. First, the countermeasures included in the next lower LOP must be examined.

If it is determined that they are achievable, then that level might be accepted. If not, the examination is repeated with the next lower LOP. This approach minimizes the amount of risk that might be accepted.

Facility-specific conditions will dictate the achievable LOP in each situation.

There is no restriction identifying how many levels below the necessary LOP are acceptable. Regardless of site conditions, the LOP implemented may never be less than Level I – Minimum.

A table from Appendix A indicating how to determine the highest achievable level of protection. The Level IV High column is highlighted with a text box on top reading "If the necessary LOP is not achievable". An arrow points from the Level IV column to the Level III column and reads "Is This". A second arrow points from the Level III column to the Level II column and reads "Or this?".
Highest Achievable LOP and Risk

When a lower Level of Protection is determined, the difference between the protection afforded by the necessary countermeasures and the reduced protection afforded by the achievable countermeasures is the risk that must be accepted.

This is why it is important to use the iterative process described previously to minimize the amount of risk to be accepted as much as possible.

Any risk that is accepted must be documented. The project documentation must clearly reflect any reason why the necessary countermeasures cannot be achieved.

A table from Appendix A indicating how to determine risk acceptance when the necessary level of protection is not achievable. The Level IV - High column is highlighted with an arrow pointed to the Level II column which reads "the necessary LOP was not achievable. The highest achievable LOP is selected." Below the graphic is a text box highlighting both the Level IV column and the Level II column, which reads "the difference between the necessary LOP and the achievable LOP is risk that must be accepted".
Customized LOP

The customized LOP is the final set of countermeasures developed as the result of the risk-based analytical process. In some cases your customized LOP will require you to accept risk.

Risk Acceptance
ISC defines risk acceptance as the explicit or implicit decision not to take an action that would affect all or part of a particular risk.
  • The acceptance of risk is an allowable outcome of applying this risk management process.
  • In some cases, accepting risk is unavoidable.
  • It is extremely important to completely document the rationale for accepting risk.
  • Per the RMP, a facility's risk acceptance documentation must be submitted to department/agency headquarters for their awareness. 

Though made every day in government, the decision to accept risk is not one to be taken lightly. The threat to Federal facilities is very real, and the decision to accept risk can have very real consequences. For that reason, it is critical that decision makers obtain all the information they deem necessary to make a fully informed decision.

Multiple competing requirements, standards, and priorities cannot always be reconciled. All budgets have some limitation. Political and mission requirements cannot be ignored. It is extremely important to completely document the rationale for accepting risk, including alternate strategies considered or implemented, and opportunities in the future to implement the necessary LOP.

See Appendix F for an example of how the acceptance of risk might be documented.

Lesson 5 Summary
  • The baseline LOP is the degree of security provided by the set of countermeasures for each FSL that must be implemented unless a deviation (up or down) is justified by a risk assessment.
  • As a result of the risk assessment, the identified risk then leads to the necessary LOP.
  • The necessary LOP matches the assessed risk.
  • If the FSC has determined that the necessary LOP cannot be implemented, the highest achievable LOP must be identified.
  • The customized LOP is the final set of countermeasures developed as the result of the risk-based analytical process.
  • In some cases your customized LOP will require you to accept risk.
  • The acceptance of risk is an allowable outcome of applying this risk management process. In some cases, accepting risk is unavoidable.
  • It is extremely important to completely document the rationale for accepting risk.