Colorado Cyber TTX attack AAR After Action Report ESF 18
1. MILE HIGH DICE
CYBERSECURITY DOMAIN TABLETOP EXERCISE
Mile High DICE FY-2015
Denver Interagency Continuity Exercise (DICE),
A Cybersecurity Seminar and Tabletop Exercise
November 13, 2014
After Action Review
November 20, 2014
Cybersecurity Is Not An Information Technology Issue;
It’s A Leadership Issue!
3. UNCLASSIFIED
After Action Review Mile High DICE
Handling Instructions
1. The title of this document is the Mile High DICE FY-2015 Cybersecurity Domain Table Top
Exercise (TTX) After Action Review (AAR).
2. The information gathered in this AAR is UNCLASSIFIED. The control of information is
based more on public sensitivity regarding the nature of the exercise than on the actual
exercise content.
3. All exercise participants should use appropriate guidelines to ensure the proper control of
information within their areas of expertise and protect this material in accordance with
current agency-specific directives.
4. Public release of exercise materials to third parties is at the discretion of FEMA Region VIII
and the Colorado Federal Executive Board (CFEB).
5. For more information, please consult the following points of contact (POCs):
Exercise Sponsor
Gay Page
Executive Director
Colorado Federal Executive Board
PO Box 25567
Denver Federal Center
Bldg 810 Room 5014
Lakewood CO 80225
303 202 4588
gpage@colorado.feb.gov
www.colorado.feb.gov
Exercise Coordinator/Officer
Michael D. Brinkman
Regional Continuity Manager
303-235-4982
michael.brinkman@fema.dhs.gov
FEMA Region VIII
Denver Federal Center, Building 710
Denver, CO 80228
i
4. UNCLASSIFIED
After Action Review Mile High DICE
CONTENTS
Handling Instructions ..............................................................................................i
Executive Summary ................................................................................................1
Exercise Overview...................................................................................................3
Participating Organizations ....................................................................................4
Number of Participants...........................................................................................4
Exercise Design Summary ................................................................................................ 5
Analysis of Objectives ....................................................................................................... 7
Conclusion .......................................................................................................................... 9
Appendix A: Recommendations...................................................................................A-1
Appendix B: Participant Feedback Form ................................................................... B-1
Appendix C: Acronyms.................................................................................................C-1
Appendix D: Glossary of Terms...................................................................................D-1
ii
5. UNCLASSIFIED
After Action Review Mile High DICE
Executive Summary
The Mile High Denver Interagency Continuity Exercise (DICE) Cybersecurity Domain was
comprised of two components: a training session and a continuity tabletop exercise (TTX)
focused on Cybersecurity. The purpose of this event is to provide a forum for interagency
coordination and improvement of continuity plans – this year focus is cybersecurity, increasing
awareness of cyber risks that may impact the performance of essential functions.. The exercise
relied on the Homeland Security Exercise and Evaluation Program (HSEEP) building block
approach, where some agencies examined their COOP plan or annex, and other agencies, with
less robust plans, could learn from the presenters, and each other, how to build their expertise.
Mile High DICE Cybersecurity Domain established a learning environment for all players to
focus on improving understanding of a response concept, identifying opportunities or problems,
and achieving a change in attitude. At the TTX portion of the exercise, agency representatives
were seated at tables, based on their agency, with a facilitator to encourage discussion, while a
selected member of their group acted as a scribe to capture their lessons learned.
Mile High DICE Cybersecurity Domain focused on the following objectives:
1. Increase organizational awareness about the importance of incorporating Cybersecurity
into continuity planning
2. Discuss and examine the challenges, issues and best practices associated with
Cybersecurity
3. Discuss how Essential Functions will continue through a Cybersecurity emergency and
the planning required to perform those functions
4. Identify solutions or alternative actions to cyber challenges, gaps or vulnerabilities in
organizational continuity plans and procedures
The exercise was conducted on November 13, 2014 at the United States Department of Justice,
Bureau of Prisons’ National Corrections Academy, 11900 East Cornell Avenue, Aurora, CO
80014, between 8:00 AM and 4:00 PM.
Overall, Mile High DICE Cybersecurity Domain successfully provided a learning environment
that presented an opportunity for agencies to review their cybersecurity plans and procedures,
interact with other agencies, and reinforce the need for robust continuity planning, training, and
exercises.
This report will analyze the exercise results, identify strengths to be maintained and built upon,
identify potential areas for further improvement, and support development of corrective actions.
1
6. UNCLASSIFIED
After Action Review Mile High DICE
Major Strengths
The major strengths identified during this exercise are as follows:
• The exchange of ideas, networking opportunities and lessons learned.
• Use of recent and relevant Continuity and cybersecurity examples.
• The effective relationship between critical infrastructure and the private sector with
cybersecurity programs.
• Identifying common challenges with cybersecurity.
Primary Areas for Improvement
Opportunities for improvement were identified throughout the exercise. The primary areas for
improvement, including recommendations, are as follows:
Observation 1: Presenters were the best choice as effective tactical experts to discuss the
important issues of cybersecurity.
Issue: Cybersecurity is a unique topic that excited individuals, but the presenters at time
spoke in terms that were way above the audience’s knowledge base.
Recommendation: In knowing the audience, presenters should be advised to use non-
expert (or layman’s) terms. Speakers were briefed of the target audience composition.
• Emergency Preparedness Counsel members should make attempts to view a
speaker’s presentation prior to DICE to discern if it is a good fit for audience and
subject.
• Consider using a panel discussion to help convey technical information.
Observation 2: More time is needed for the tabletop exercise.
Issue: Mile High DICE FY-2015 is an opportunity to provide a summary of the major
changes in Continuity directives and policies. These updates can be reviewed and
addressed during exercises, assisting with Corrective Action Planning.
Recommendation: Allow more time for exercise play.
• Consider a 3 hour TTX for FY-2016.
• Limit outbriefs to ½ the tables. Mix it up, ask if anyone has something to add
• Allow time for Facilitator wrap up at tables
2
7. UNCLASSIFIED
After Action Review Mile High DICE
Exercise Overview
Exercise Name
Mile High (Denver Interagency Continuity Exercise) DICE, FY-2015, Cybersecurity
Domain
Type of Exercise
Training and lessons learned seminar, followed by a tabletop exercise (TTX)
Exercise Date
November 13, 2014
November 20, 2014 After Action Review
Duration
One Day
Location
United States Department of Justice
Bureau of Prisons National Corrections Academy
11900 East Cornell Avenue, Aurora, CO 80014
Sponsors
Colorado Federal Executive Board (CFEB)
Federal Emergency Management Agency (FEMA), Region VIII
Mission
Continuity of Operations/Essential Functions/Cybersecurity
Scenario Type
Cyber-attack on the organization’s network systems
3
8. UNCLASSIFIED
After Action Review Mile High DICE
Participating Organizations
Participating Agencies & Organizations
Anticus International Corp.
CACI International Inc.
Chertoff Group
City of Colorado Springs
City & County of Denver
Coalfire Systems, Inc.
Colorado Federal Executive Board
Colorado National Guard
Dept of Agriculture – Office of Chief Information Officer
Dept of Agriculture – Grain Inspection, Packers & Stockyards Administration
Dept of Commerce – National Institute of Standards and Technology
Dept of Commerce – National Oceanic and Atmospheric Administration
Dept of Commerce – National Telecommunications & Information Administration
Dept of Defense - Defense Contract Management Agency
Dept of Defense - Defense Coordinating Element
Dept of Defense - Defense Health Agency
Dept of Defense – North American Aerospace Defense Command & Northern Command
Dept of Homeland Security - Citizen & Immigration Services
Dept of Homeland Security - Federal Emergency Management Agency
Dept of Homeland Security - Federal Protective Service
Dept of Homeland Security - Transportation Security Administration
Dept of Interior - National Park Service
Dept of Interior - Office of Natural Resource Revenue
Dept of Interior - US Geological Survey
Dept of Justice - Bureau of Prisons
Dept of Transportation – Federal Highway Administration
Environmental Protection Agency - National Enforcement Investigations Center
General Services Administration
National Archives & Records Administration
National Transportation Safety Board
Poudre Fire Authority
Selective Service System
Social Security Administration
State of Colorado - CO Dept of Public Safety
State of Colorado - Dept of Labor & Employment
State of Colorado - Division of Emergency Management
University of Colorado - Colorado Springs
Number of Participants
37 Agencies & Organizations 158 Registrations
108 Participants on site 90 Participant Feedback Forms
4
9. UNCLASSIFIED
After Action Review Mile High DICE
Exercise Design Summary
Purpose
The purpose of this event is to provide a forum for interagency coordination and improvement of
continuity plans – this year’s focus is the Cybersecurity domain, increasing awareness of cyber
risks that may impact the performance of essential functions.
Exercise Purpose and Objectives - TTX
1. Increase organizational awareness about the importance of incorporating Cybersecurity
into continuity planning.
2. Discuss and examine the challenges, issues and best practices associated with
Cybersecurity.
3. Discuss how Essential Functions will continue through a Cybersecurity emergency and
the planning required to perform those functions.
4. Identify solutions or alternative actions to cyber challenges, gaps or vulnerabilities in
organizational continuity plans and procedures.
Exercise Scenario - TTX
Your organization’s IT staff has informed leadership that they have detected a highly
sophisticated cyber-attack on the organization’s network systems. In response to the attack and
with leadership approval, the IT team has disconnected all internet and email access to include
shared folders and wireless access. Incoming emails have also been blocked.
IT is assessing the current damage and providing leadership with regular reports. The team is
also working on protecting systems from future attacks. At this time, IT is uncertain if any
information was stolen and if sensitive or classified information has been compromised. But
there is a chance that several essential records stored on the primary server were corrupted. At
this point, leadership has been informed that it will take a few days to sort things out, secure
systems and get them back online.
5
10. UNCLASSIFIED
After Action Review Mile High DICE
Exercise Schedule – Training/TTX
Time Session Comments
8:00 am Registration Participants sign in
8:30 am Welcome Opening comments
• Jim Gray, Director, Bureau of Prisons – National Corrections
Academy
• Doug Gore, Deputy Regional Administrator, FEMA Region VIII
• Gay Page, Executive Director, Colorado Federal Executive Board
8:45 am Introductions Agency leads introduce members
9:00 am The Cyber
Universe and
You!
Mr. Mark Weatherford
Principal, Chertoff Group & former Deputy Undersecretary,
DHS Cybersecurity
10:15 am Networking Break
10:30 am Challenges &
Threats in the
Cloud
Mr. Rick Dakin
Chief Executive Officer, Co-Founder and Chief Security Strategist,
Coalfire - Independent Information Technology Audit and
Compliance Leadership
12:00 pm Lunch On your Own
1:00 pm Overview of
NIST
Cybersecurity
Framework
Ms. Donna Dodson
Associate Director and Chief Cybersecurity Advisor of the Information
Technology Laboratory (ITL) and the Chief Cybersecurity Advisor for
the National Institute of Standards and Technology (NIST)
1:45 pm Networking Break
2:00 pm Discussion Based
Exercise
Participants will be divided into groups (primarily by agency) and guided
through a discussion of issues related to Cybersecurity
4:00 pm Adjourn
6
11. UNCLASSIFIED
After Action Review Mile High DICE
Analysis of Objectives
This section of the report reviews the performance of the exercised objectives, activities, and
tasks. Observations are organized by objective, followed by a summary and corresponding
observations and recommendations.
OBJECTIVE 1: INCREASE ORGANIZATIONAL AWARENESS ABOUT THE
IMPORTANCE OF INCORPORATING CYBERSECURITY INTO CONTINUITY PLANNING
Observation: Successful
Analysis:
Participants in this training and exercise event were provided with a schedule designed
with multiple briefings and a discussion based exercise to encourage interaction at all
levels. Presentations were specifically designed to raise awareness of Cybersecurity,
challenges affiliated with cybersecurity, and the potential to improve individual plans.
Discussion:
Given that the basic premise of a cyber-attack, it is imperative that agencies place an
emphasis in their COOP planning efforts working with IT on security and compliance
assessments.
Recommendations:
1. Agencies should actively address any deficiencies and/or train and test the
effectiveness of their emergency plans under a variety of conditions.
2. Agencies should ensure that they have the right individuals on their Continuity
Working Group when developing and reviewing their COOP plans.
OBJECTIVE 2: DISCUSS AND EXAMINE THE CHALLENGES, ISSUES AND BEST
PRACTICES ASSOCIATED WITH CYBERSECURITY
Observation: Mixed, mostly successful
Analysis:
Executive Order (EO) 13636 requires the development of a Cybersecurity Framework
that develops voluntary critical infrastructure cybersecurity program and proposes
incentives as well as identifying gaps.
Discussion:
Mile High DICE Cybersecurity Domain was an opportunity to provide a summary of the
common challenges with cybersecurity as the threat increases. Overview of the EO
proved challenging during the FY-2015 DICE since agencies wanted to review best
practices and lessons learned from agencies that have dealt with this threat.
Recommendations:
1. Agencies should review Executive Order 13636 that provides a set of standards,
methodologies, procedures, and processes that align policy, business, and
technological approaches to address cyber risks.
7
12. UNCLASSIFIED
After Action Review Mile High DICE
OBJECTIVE 3: DISCUSS HOW ESSENTIAL FUNCTIONS WILL CONTINUE THROUGH A
CYBERSECURITY EMERGENCY AND THE PLANNING REQUIRED TO PERFORM THOSE
FUNCTIONS
Observation: Successful
Analysis:
Members have an increase organizational awareness about COOP and individual roles
and responsibilities.
Discussion:
There is room for improvement in training staff on ways around limited communication,
such as limited internet access and phone service.
Recommendations:
1. More training with the ERG staff and non-ERG members is needed. Agencies also
need to train backup ERG personnel on their roles and responsibilities during
Continuity operations. Create detailed checklists and decision matrices for notice and
no notice events.
OBJECTIVE 4: IDENTIFY SOLUTIONS OR ALTERNATIVE ACTIONS TO CYBER
CHALLENGES, GAPS OR VULNERABILITIES IN ORGANIZATIONAL CONTINUITY
PLANS AND PROCEDURES
Observation: Mixed, mostly successful
Analysis:
Not all agencies present had prepared adequately for cybersecurity.
Discussion:
Smaller organizations and larger organizations’ smaller field offices may not have the
same access and plans to support secondary continuity locations as larger organizations
or offices.
Recommendations:
1. Agencies must develop annexes to their COOP plans that include threats associated
with cybersecurity.
2. Agencies should review the Federal Risk and Authorization Management Program
(FedRAMP), a government-wide program that provides a standardized approach to
security assessment, authorization, and continuous monitoring for cloud products and
services.
8
13. UNCLASSIFIED
After Action Review Mile High DICE
Conclusion
Based on the participant feedback forms, Mile High DICE, FY-2015 Cybersecurity Domain
training and lessons learned session relative to Cybersecurity and Continuity planning tabletop
exercise (TTX) was a success. On a scale of 1 to 5, the overall rating for this year came in at 4.6.
Participants were able to evaluate their plans against the scenario, take lessons learned from each
other, and find areas to improve their continuity programs.
Observations or areas for improvement for the next event include:
• Increase the awareness of government, business and not-for profit organizations of the
requirement to incorporate continuity planning into everyday business.
• Discuss the planning required to perform those Mission Essential Functions (MEFs) that
must continue through an emergency.
• Recognize the critical functions of our organizations’ Information Technology
components in continuity planning.
9
14. UNCLASSIFIED
After Action Review Mile High DICE
Appendix A: Recommendations
Below is a consolidated list of the recommendations previously presented in the AAR, a result of exercise Mile High DICE Cybersecurity
Domain:
Table A.1 Recommendations
Objective Recommendations
Increase organizational
awareness about the
importance of
incorporating
Cybersecurity into
continuity planning.
1. Agencies should actively address any deficiencies and/or train and test the
effectiveness of their emergency plans under a variety of conditions.
2. Agencies should ensure that they have the right individuals on their Continuity
Working Group when developing and reviewing their COOP plans.
Discuss and examine the
challenges, issues and best
practices associated with
Cybersecurity.
1. Agencies should review Executive Order 13636 that provides a set of standards,
methodologies, procedures, and processes that align policy, business, and
technological approaches to address cyber risks.
Discuss how Essential
Functions will continue
through a Cybersecurity
emergency and the
planning required to
perform those functions.
1. More training with the ERG staff and non-ERG members is needed. Agencies also
need to train backup ERG personnel on their roles and responsibilities during
Continuity operations. Create detailed checklists and decision matrices for notice
and no notice events.
Identify solutions or
alternative actions to
cyber challenges, gaps or
vulnerabilities in
organizational continuity
plans and procedures.
1. Agencies must develop annexes to their COOP plans that include threats associated
with cybersecurity.
2. Agencies should review the Federal Risk and Authorization Management Program
(FedRAMP), a government-wide program that provides a standardized approach to
security assessment, authorization, and continuous monitoring for cloud products and
services.
A-1
15. UNCLASSIFIED
After Action Review Mile High DICE
Appendix B: Participant Feedback Form
Assessment Factor
Strongly
Disagree
Strongly
Agree
The Training and Exercise event was well structured and organized. 1 2 3 4 5
The design was conducive to group discussion. 1 2 3 4 5
The featured Speaker’s presentation was helpful in understanding
key concepts for Cybersecurity.
1 2 3 4 5
The tabletop discussion helped provide an examination of your plan
and procedures for Cybersecurity.
1 2 3 4 5
The Case Studies provided in the Participant Handbook helped
provide insight on the challenges with Cybersecurity.
1 2 3 4 5
This event was valuable for helping provide information for the
development of refinement of your Continuity Plan.
1 2 3 4 5
Note: The figures below are based on 90 feedback form submissions
1. The Training and Exercise event was well structured and organized?
90 responses
3 (3.3%) 1 (1.1%) 6 (6.7%) 34 (37.8%) 46 (51.1%)
Strongly
Disagree
Strongly
Agree
2. The design was conducive to group discussion?
90 responses
3 (3.3%) 1 (1.1%) 11 (12.2%) 25 (27.8%) 50 (55.6%)
Strongly
Disagree
Strongly
Agree
3. The featured Speaker’s presentation was helpful in understanding key concepts for
Cybersecurity?
81 responses
5 (6.3%) 2 (2.5%) 10 (12.3%) 28 (34.5%) 36 (44.4%)
Strongly
Disagree
Strongly
Agree
B-1
16. UNCLASSIFIED
After Action Review Mile High DICE
4. The tabletop discussion helped provide an examination of your plan and procedures for
Cybersecurity?
88 responses
3 (3.4%) 2 (2.3%) 9 (10.2%) 35 (39.8%) 39 (44.3%)
Strongly
Disagree
Strongly
Agree
5. The Case Studies provided in the Participant Handbook helped provide insight on the
challenges with Cybersecurity?
84 responses
3 (3.6%) 1 (1.2%) 16 (19%) 31 (36.9%) 33 (39.3%)
Strongly
Disagree
Strongly
Agree
6. This event was valuable for helping provide information for the development of
refinement of your Continuity Plan?
89 responses
3 (3.4%) 1 (1.1%) 11 (12.4%) 35 (39.3%) 39 (43.8%)
Strongly
Disagree
Strongly
Agree
B-2
17. UNCLASSIFIED
After Action Review Mile High DICE
46
7. Please provide any other comments or recommendations regarding this event that may
help in the development of future events.
Format:
• Excellent Speakers and Great participant handbook. The information will be used to
improve COOP plans and develop future cybersecurity exercises.
• There needs to be more time for exercises and less for speakers.
• Reduce the number of out briefs, at some point they lose value and the interest of people.
• COOP/Exercise were knowledgeable, some topics more relevant than others, but overall
worth hearing.
• Presentations were a bit high level, our requirements and responsibilities are somewhat
lower.
• This training was more relevant to policy makers. No working in the IT or computer
field wasn’t applicable to some individuals jobs.
• It would have been helpful to provide more focus on potential solutions, resources and
best practices. Felt that too much time was spent reviewing the complexity of cyber
security. More info about what to do about it would be great.
• Combining two agencies at one table made it difficult to address questions during the
exercise.
• If possible make interspace the guest speakers in with the group discussions. The guests
were great; it was just a lot to take in one right after another.
• Great event for collaboration, review and lesson learned.
DICE Stats
(Nov 2014)
Overall = 4.7
Highest = 4.9 ONRR
Lowest = 4.3 DCMA
Overall = 4.7
Highest = 4.9 Design (conducive for group discussion)
Lowest = 4.3 Speaker’s
B-3
18. UNCLASSIFIED
After Action Review Mile High DICE
• Provide these quarterly.
• Ken Hudson did a terrific job hosting, moderating and keeping DICE on point and on
time.
Speakers
• Some of the guest speakers were dry and technical.
• For individuals who are not technical, some of the speakers were hard to follow and
understand. Less technical people are in the audience and needed more explanation of
cyber procedures.
• Amazing expertise, great that we were given the opportunity to hear from top level
experts. (Several similar type comments)
• Need longer Q&A with speakers.
• Outstanding topic, less technical and more “lay person” information would be helpful
from a decision making standpoint.
• Knowing your audience, some of the speakers were definitely geared towards IT folks
rather than non-IT members making it hard to understand.
Materials
• It would be good if a network list was provided to the attendees.
• Hope that attendees can receive e-copies of the PowerPoint presentations; will they be
available on the CFEB website?
• Excellent Speakers and Great participant handbook. The information will be used to
improve COOP plans and develop future cybersecurity exercises.
Venue
• Great location, comfortable room, utilizing resources at all levels (i.e. screens and
microphones).
TTX / Facilitators
• Appreciate the facilitators diving in to keep conversation and thinking going during the
exercise.
• A few of the questions during the exercise dealt with physical destruction rather than
cybersecurity, making it somewhat confusing.
• Group discussion was excellent with the exercise.
• TTX exercises and discussions are always very helpful; more time for table discussions
would have been useful.
• More time on TTX and one less speaker. (Several similar comments)
• The group discussions and exercise scenario did not flow as well as expected.
Outcomes
• Response plans are strong, but need to work on how to avoid, mitigate, and minimize
effects of cyber disruptions.
• Great reminder of work that needs to be done no only with our agency, but partner
agencies too.
• Agencies would like to conduct similar exercise, who do we contact to explore this?
• Previously did not consider Fed RAMP as a tool to help improve cyber security policy.
B-4
19. UNCLASSIFIED
After Action Review Mile High DICE
Appendix C: Acronyms
Table C.1 Acronyms
Acronym Meaning
AAR After Action Report
CFEB Colorado Federal Executive Board
COOP Continuity of Operations
DICE Denver Interagency Continuity Exercise
ERG Emergency Relocation Group
FEMA Federal Emergency Management Agency
HSEEP Homeland Security Exercise and Evaluation Program
NCP National Continuity Programs
POC Point of Contact
TTX Table Top Exercise
C-1
21. UNCLASSIFIED
After Action Review Mile High DICE
Appendix D: Glossary of Terms
This glossary explains some generic terms used in exercise planning, and those used during the
development, conduct, and observation of the Mile High DICE FY-2015. Terms are listed
alphabetically.
After Action Report (AAR) - A comprehensive assessment of the exercise prepared by the
Evaluation team. It includes a summary of the exercise scope, scenario, participants, and play.
Most importantly, it contains an analysis of the achievement of each exercise objective. It may
also include an assessment of the exercise management process including the planning, control,
and observation of the exercise. This report is developed from the comments and observations
recorded by Evaluators during and after the exercise. It identifies deficiencies, problems, and
issues that require corrective action.
Controller - Controllers plan and manage exercise play, set up and operate the exercise incident
site, and possibly take the roles of individuals and agencies not actually participating in the
exercise (i.e., in the Simulation Cell [SimCell]). Controllers direct the pace of exercise play and
routinely include members from the exercise planning team, provide key data to players, and
may prompt or initiate certain player actions and injects to the players as described in the Master
Scenario Event List (MSEL) to ensure exercise continuity. The individual controllers issue
exercise materials to players as required, monitor the exercise timeline, and monitor the safety of
all exercise participants.
Continuity of Operations (COOP) - Continuity of Operations, as defined in the National
Security Presidential Directive-51/Homeland Security Presidential Directive-20 (NSPD-
51/HSPD-20) and the National Continuity Policy Implementation Plan (NCPIP), is an effort
within individual executive departments and agencies to ensure that Primary Mission Essential
Functions (PMEFs) continue to be performed during a wide range of emergencies, including
localized acts of nature, accidents and technological or attack-related emergencies.
Corrective Action Program (CAP) - The formal program that supports the identification and
resolution of requirements for corrective action and the formal, appropriate integration of
corrective action into interagency Continuity of Operations community. Managed by NCP with
assistance from the CAP Review Board, the CAP ensures the continuing evolution and
refinement of the Federal Executive Branch Continuity of Operations capability.
ENDEX - The end of the exercise. This term refers to the formal conclusion of the exercise. No
player activity occurs after this time.
Emergency Relocation Group - Personnel identified as essential to the accomplishment of
agency essential functions. These personnel are expected to relocate to an agency’s continuity
site upon activation of the agency COOP plan.
Controller/Evaluator Handbook - A document that establishes how the Evaluation effort will
be managed. It includes the overarching objectives and a copy of all Evaluation forms.
Data Collectors - Individuals who record their own as well as participants' observations during
the exercise. They note the actions taken by participants and maintain a chronology of those
D-1
22. UNCLASSIFIED
After Action Review Mile High DICE
actions. Their responsibility is to provide an assessment of how well the objectives were
accomplished. Data Collectors may also be Controllers and/or Evaluators.
Evaluator - Chosen for their expertise in the functional areas they will observe. Evaluators
measure and assess performance, capture unresolved issues, and analyze exercise results.
Evaluators passively assess and document participants’ performance against established
emergency plans and exercise evaluation criteria, in accordance with HSEEP standards.
Exercise Planning Team - The exercise director, the deputy exercise director, and the senior
controller. These are the senior personnel at the exercise location who oversee the actions of the
Evaluators, controllers, and interagency response cell members.
Exercise Objectives - The specific actions to be performed or the capabilities to be
demonstrated by exercise participants. Developed early in the planning effort, effective exercise
objectives will ensure that participants know what is to be accomplished, who will do it, under
what conditions and finally to what measurable standard. Objectives are the basis for the
assessment/observation effort.
Exercise Plan (EXPLAN) - The comprehensive plan for the exercise. The EXPLAN provides
all exercise participants with pertinent information: the lead-in scenario, participants, points of
contact, exercise objectives, assumptions, responsibilities, and administrative and security
information. It is developed from the approved Concept and Objectives Paper that contains the
approved exercise objectives.
Inject - Injects are MSEL entries that controllers must simulate—including directives,
instructions, and decisions. Exercise controllers provide injects to exercise players to drive
exercise play towards the achievement of objectives. Injects can be written, oral, televised,
and/or transmitted via any means (e.g., fax, phone, e-mail, voice, radio, or sign).
Master Scenario Events List, MSEL - The MSEL is a chronological timeline of expected
actions and scripted events to be injected into exercise play by controllers to generate or prompt
player activity. It ensures all necessary events happen so that all objectives can be met.
Players - Exercise participants who respond in a realistic manner to the scenario events. They
do so by using the plans, procedures, and equipment on which they have been trained. In other
words, they demonstrate their ability to carry out their mission. Also referred to as responders in
exercises.
Scenario - A sequential, narrative account of a hypothetical incident or accident. The scenario
provides the catalyst for the exercise and is intended to introduce situations that will inspire
responses and thus allow demonstration of the exercise objectives.
STARTEX - The start of the exercise. This term refers to the formal beginning of player
activity.
Trusted Agent - Trusted agents are the individuals on the exercise planning team who are
trusted not to reveal the scenarios details to players prior to the exercise being conducted.
D-2