Handbook 11-07
December 2010

Appendix J

Operations Security

Operations security (OPSEC) in the military is usually approached from the point of view of deploying to or operating within a combat zone. Because of this, many definitions and concepts of OPSEC, when applied to a domestic incident, may seem belligerent or even paranoid. As an open society, the United States demands open access to information, especially when dealing with a serious incident. This has to be balanced against the need to protect our forces as well as citizens.

OPSEC is a subset of information operations (IO). While IO has an offensive piece best suited to combat, there is defensive IO that protects and defends friendly information, command and control systems, and information systems. Effective defensive IO assures friendly commanders an accurate common operational picture based not only on a military perspective, but also on nonmilitary factors that may affect the situation (Field Manual [FM] 3-13, Information Operations (IO): Doctrine, Tactics, Techniques, and Procedures).

Joint Publication (JP) 3-13.3, Operations Security, describes OPSEC as "a methodology that denies critical information to an adversary. Unlike security programs that seek to protect classified information, OPSEC measures identify, control, and protect generally unclassified evidence that is associated with sensitive operations and activities." This is critical information.



Critical Information

Critical information is information important to the successful achievement of U.S. objectives and missions, or which may be of use to an adversary of the United States. Critical information consists of specific facts about friendly capabilities, activities, limitations (includes vulnerabilities), and intentions needed by adversaries for them to plan and act effectively so as to degrade friendly mission accomplishment. Critical information is information so vital to a mission that, if an adversary obtains it, correctly analyzes it, and acts upon it, the result will prevent or seriously degrade mission success. Critical information can be classified information or unclassified information. Critical information can also be an action that provides an indicator of value to an adversary and places a friendly activity or operation at risk. The term "critical information" has superseded the term "essential elements of friendly information (EEFI)"; according to FM 3-13, EEFI now refers to critical information phrased in the form of a question to protect classified and sensitive information.



Sensitive Information

Sensitive information is information requiring special protection from disclosure that could cause compromise or threat to national security or to an Army organization, activity, family member, Department of the Army civilian or Department of Defense contractor. Sensitive information refers to unclassified information while sensitive compartmented information refers to classified information. Examples that may be deemed sensitive include but are not limited to: personal information; structuring; manning; equipment; readiness; training; funding; sustaining; deploying; stationing; morale; vulnerabilities; capabilities; administration and personnel; planning; communications; intelligence, counterintelligence, and security; logistics; medical; casualties; and acquisition plans.



Operations Security Defined

Army Regulation 530-1, Operations Security, defines OPSEC as a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to:

a. Identify those actions that can be observed by adversary intelligence systems.
b. Determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.
c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

So what threats exist for DOD forces providing defense support to civil authorities within the United States?

Domestic threats: Domestic adversaries are not as readily identifiable because they are part of the local population. They may not have a formal intelligence collection service but they will have the advantage of detailed knowledge of the area and the people where they live and operate. The information domestic adversaries seek and obtain is readily available as open-source and unclassified information.

Criminals: The criminal threat is not as readily identifiable. Criminals will collect open-source and unclassified information that is publicly available, information they can obtain through means such as money or coercion, and information they can obtain from insiders in the unit or organization they target. The supporting criminal investigative unit may be able to assist both in identifying crime-conducive conditions that increase the risk of compromise of critical information and in mitigating or eliminating the criminal threat.

Hackers: A hacker is a highly skilled computer programmer who specializes in computer and network systems security. Some hackers apply their skills for legitimate uses; others have malicious intent motivated by ideology, criminal intent, revenge, thrill-seeking, or bragging rights. Malicious hackers can easily obtain information on computer systems and networks and have the skills to penetrate through sophisticated defenses. Hackers are extremely difficult to identify because they are able to remain hidden and anonymous through the vast expanse of the Internet. For these reasons, critical and sensitive information on publicly accessible Internet websites is an easy target for hackers and must not be posted on unclassified computers and networks.

Insiders: The insider threat consists of personnel who work inside the unit or organization. Insiders constitute the most dangerous threat because they have access to information for which they are cleared and because they can perform critical actions within the organization. Insiders who pose a threat are also very difficult to identify if they have taken steps to keep their collection activities unnoticed. For these reasons, sensitive and critical information should only be shared with personnel who need to know.

Internet: In recent years, the Internet has become a growing source of open-source information for adversaries of the United States. Websites, especially personal websites of individual Soldiers (including blogs and pages on other social media sites), have the potential of posing a significant vulnerability. Other forms of open-source information include public presentations, news releases from units or installations, organizational newsletters (both for official organizations and unofficial organizations, such as alumni or spouse support groups), and direct observation.

Social media: Sites such as Twitter and Facebook can become sources of information dissemination - accurate or inaccurate - to Soldiers, family, and the public faster than the chain of command does. News sources may also pose a threat; with 24-hour news services constantly demanding data, inaccurate, incomplete, and out-of-context stories can run almost instantly.

Terrorists: Terrorist actions range from gaining unauthorized access to command and control systems to physical attacks against commanders and decision makers. Terrorist groups have been identified as using commercial information systems - especially computer bulletin boards - to pass intelligence and technical data across international borders.

Methods of attack (FM 3-13) can include:

  • Unauthorized access, either through insiders gaining physical access or through firewalls being penetrated.
  • Malicious software (computer viruses, logic bombs, bypass programs, Trojan horses, etc.).
  • Electromagnetic deception (manipulative, simulative, and/or imitative electromagnetic deception).
  • Electronic attack (jamming, electromagnetic pulse, directed energy attacks).
  • Physical destruction.
  • Perception management (misinformation, deception, propaganda, etc.).

The Center for Army Lessons Learned has actively collected observations, insights, and lessons learned (OIL) in three major domestic operations: the G-8 Summit in 2004, Hurricanes Katrina and Rita in 2005, and Operation Jump Start in 2006. In each of the three operations, credentialing of personnel has been noted as a finding. At the G-8 Summit, the U.S. Secret Service developed a common credentialing process. This process started two months before the event and continued until two days before the president's arrival. All agencies and personnel involved in the event required credentialing by the Secret Service. This process was important as a final check to verify the trustworthiness of personnel and to establish a common basis for trust between agencies.

Problems with this process included:

  • The lead time required to get credentials. Personnel added to the task force in the last couple of weeks were less likely to receive the credentials due to the length of time it took the Secret Service to process them. The Secret Service took a minimum of 48 hours to process credentials with the proper information clearance verification and digital picture.
  • Some personnel were disqualified from credentialing and thus from participation because of the results of recent Secret Service checks. In some cases, people had recent or outstanding arrests or warrants. In other cases, the Secret Service seemingly obtained incorrect information that led to refusal to issue credentials. Georgia Army National Guard (GANG) officials ran independent checks on soldiers who believed they were refused based on false information and in some cases verified that the information the Secret Service had was false. The request for credentials was resubmitted.
  • Very limited contact between GANG and Secret Service representatives. Because of the limited contact GANG personnel had with the Secret Service credentials representative, coordination was more difficult as was resolving issues related to credentials refused or missing.

This challenge resurfaced in Operation Jump Start when CBP required clearances from Guard personnel separate from their DOD security clearances. The lesson "takeaways" from this experience are:

  • Identify and forward the names of Soldiers who will need credentials as early in the process as possible.
  • Develop a process allowing Soldiers who were initially disqualified to be re-evaluated and resubmitted. This should include running independent police checks.
  • Personnel from out-of-state and from other components should be notified of credentialing requirements early.


Operations Security Planning Considerations (JP 3-13.3)

1. The commander plays the critical role. OPSEC planning guidance must be provided as part of the commander's IO planning guidance to ensure that OPSEC is considered during the development of friendly courses of action (COAs).

2. OPSEC is an operations function, not a security function. OPSEC planning is performed by the operations planners. The planners are assisted by the organization's OPSEC officer and appropriate planners from other staff elements. Intelligence support, as early as possible in the planning process, is particularly important in determining the threat to friendly operations and assessing friendly vulnerabilities.

3. Joint task forces (JTFs) should establish a fully functional IO cell. The JTF staff (including the IO cell and OPSEC officer) develops IO plans that are passed to all elements of the JTF.

4. Planning must focus on identifying and protecting critical information. Denying all information about a friendly operation or activity is seldom cost effective or realistic.

5. The ultimate goal of OPSEC is increased mission effectiveness. By preventing an adversary from determining friendly intentions or capabilities, OPSEC reduces losses to friendly units and increases the likelihood of achieving mission success.

6. OPSEC is one of the factors considered during the development and selection of friendly courses of action. COAs will differ in terms of how many OPSEC indicators will be created and how easily those indicators can be managed by OPSEC measures. Depending upon how important maintaining secrecy is to mission success, OPSEC considerations may be a factor in selecting a COA.

7. OPSEC planning is a continuous process. During all phases of an operation, feedback on the success or failure of OPSEC measures is evaluated based on measures of effectiveness and the OPSEC plan is modified accordingly. Friendly intelligence and counterintelligence organizations, communications security (COMSEC) monitoring, and OPSEC assessments are the primary sources for feedback information and are continuous throughout the OPSEC planning process.

8. The public affairs officer participates in OPSEC planning to provide assessments on the possible negative effects of media coverage and all other public release of information by members of the command and for the coordination of OPSEC measures and public affairs ground rules to minimize those effects. The public affairs office (PAO) ensures that the media pool, media clearances, media releases, and authorization of video transmissions are within established OPSEC measures. The PAO also ensures the command (internal) information program addresses OPSEC and ground rules for the release of information (officially or unofficially) by military members through the internet and other communications mediums subject to public access or monitoring. See JP 3-61, Public Affairs, for more details.

OPSEC process

The five-step OPSEC process includes:

  • Identification of critical information.
  • Analysis of threats.
  • Analysis of vulnerabilities.
  • Assessment of risk.
  • Application of appropriate OPSEC measures.

For detailed explanations of the OPSEC process, see Chapter 3 of FM 3-13.



Physical Security

Physical security consists of protective measures to deny unauthorized personnel access to specific areas, facilities, material, or classified information.

  • By denying access, physical security measures can be an OPSEC measure. However, physical security measures can become compromised (for example, personnel routinely and predictably leaving a facility unattended, easily seen sensors, changing military police patrols at set times, reacting predictably to alarms, and being careless or lazy in implementing physical security measures).
  • OPSEC can support physical security by identifying those actions and information that would be indicators that an adversary could exploit.


Force Protection

Force protection consists of actions taken to prevent or mitigate hostile actions against all DOD personnel (Service members, DOD civilians, DOD contractors, and family members), resources, facilities and critical information. Force protection does not include actions to defeat the adversary or protect against accidents, weather, or disease. OPSEC plays a vital role in the following ways:

  • OPSEC can identify indicators of routine actions observable by a terrorist that represent vulnerability both in a tactical environment and in garrison.
  • OPSEC can assist in determining measures to negate effective terrorist collection of information needed for planning.
  • OPSEC can identify indicators and recommend OPSEC measures to protect possible or existing vulnerabilities in protective measures.
  • OPSEC can assist traditional security disciplines in ensuring their protective measures are in the right place at the right time.
  • OPSEC develops critical information that identifies what must not be allowed to appear in the public domain to prevent collection by a terrorist.

An example of force protection would be actions taken by JTF Zia during Operation Jump Start in New Mexico. Army National Guard Soldiers deployed to the southwest U.S. border initially were housed in local hotels with no security. Local gangs had been identified as possible adversaries, so the JTF commander instituted force protection requirements that included removing uniforms as soon as returning to the hotel and traveling in groups of at least four Soldiers. Later, a forward operating base was built, and Soldiers were centrally housed with 24-hour security.



Communications Security (AR 530-1)

Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. (Note: This is different from the joint definition (from JP 6-0) of "The protection resulting from all measures designed to deny unauthorized persons information of value that might be derived from the possession and study of telecommunications, or to mislead unauthorized persons in their interpretation of the results of such possession and study.")

An example of COMSEC is from the National Guard's weapons of mass destruction civil support teams (WMD CST). These specialized units arrive on an incident scene with their own robust communications suite, capable of operating on military or civilian first responder communications networks. Per FM 3-11.22, Weapons of Mass Destruction-Civil Support Team Operations, December 2007, the commander has the discretion to determine whether or not encryption should be used during WMD-CST response operations. (Note: According to AR 25-2, Information Assurance, WMD-CSTs are not required to be encrypted when conducting activities with civil agencies.)



Computer security

Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.



References

AR 530-1, Operations Security (OPSEC), 19 April 2007.

FM 3-13, Information Operations (IO): Doctrine, Tactics, Techniques, and Procedures, 28 November 2003.

FM 3-11.22, Weapons of Mass Destruction-Civil Support Team Operations, December 2007.

JP 3-13, Information Operations, 13 February 2006.

JP 3-13.3, Operations Security, 29 June 2006.

JP 3-57, Civil-Military Operations, 8 July 2008.

 


 

Last Reviewed: May 18, 2012

 