Operations Security (OPSEC)
From SARMA Common Knowledge Base Project
| Please edit the contents of this page |
 Release status: DRAFT | |
|---|---|
| Revision ID: | 1663 |
| Revised: | 7-28-2008 |
| Revision History: | Click Here |
| Direct Link To This Page: | |
Contents |
[edit] History
On January 22, 1988, President Ronald Reagan signed National Security Directive Decision (NSDD) 298, which established an Operations Security (OPSEC) program for all Federal Government Agencies. The NSDD provides:
“Security programs and procedures already exist to protect classified matters. However, information generally available to the public as well as certain detectable activities reveal the existence of, and sometimes details about, classified or sensitive information or undertakings. Such indicators may assist those seeking to neutralize or exploit U.S. Government actions in the area of national security. Application of the operations security (OPSEC) process promotes operational effectiveness by helping prevent the inadvertent compromise of sensitive or classified U.S. Government activities, capabilities or intentions.”
The OPSEC process originated in the United States Military in the late 1960’s during the Vietnam War. The military suspected the enemy was obtaining knowledge of upcoming military operations. A review of classified information regarding these operations failed to reveal any breaches in security. By instituting the OPSEC process on the sensitive but unclassified information in a program originally named “purple dragon”, the military realized a dramatic increase in mission effectiveness. Since then and with the signing of NSDD 298, OPSEC programs have been established throughout the military and civilian government agencies.
[edit] Key Participants
[edit] Purple Dragon
Modern history attributes the creation of OPSEC to a Vietnam-era team established by the Commander-in-Chief, Pacific, and given the code name "PURPLE DRAGON." The following is an excerpt from THE GREAT CONVERSATION: THE ORIGINS AND DEVELOPMENT OF THE NATIONAL OPERATIONS SECURITY PROGRAM by Ronald A. Samuelson - Date of Publication April 1991 (Not copyrighted but permission from the author granted)
In the spring of 1967, at the bar in the Officers' Club at Camp H.M. Smith, Hawaii, the site of the Headquarters of Admiral U.S. Grant Sharp, Commander-in-Chief, Pacific (CINCP AC), four of my associates were exercising the dice cup and discussing subjects that seize men's minds at such times. They also addressed the question, "What are we going to call ourselves?" They were, in fact, continuing an extended discussion about naming a new branch to which they would be assigned that was going to be established within the Operations Directorate of the CINCP AC staff. "Purple Dragon," the name that had thus far been applied to their activities, was considered inappropriate for a staff element. Respectable functional titles were the rule of the day. "Purple Dragon," in fact, was a rather exotic, unclassified nickname from a Joint Chiefs of Staff repertoire that was applied to the one-time "survey" that they and a number of other persons had just completed. The Purple Dragon survey addressed retaining the element of surprise vis-à-vis the Rolling Thunder missions (which provides our linkage to the events on that Sunday in 1965 of which I've already spoken), and two other air operations that were subsequently begun in southeast Asia, the B-52 "Arc Light" operations, and unmanned drone operations.
What do you call a new organization whose mission would be to continue to perform Purple Dragon-type surveys, i.e. an activity to identify actual or probable sources of enemy advance knowledge of our intentions? There was no problem in agreeing on the inclusion of the term "operations," since military operations was what it was all about. But then what would follow? The most appropriate candidates were "Operations Analysis," "Operations Assessment," and "Operations Effectiveness." Each had its merits. The Purple Dragon methodology was analytic; and yes, it did involve an assessment to determine the extent to which we were denying critical information to the enemy; and, ultimately, it was concerned with improving our operational effectiveness.
But neither "Operations Analysis" nor "Operations Assessment" sounded unique among the welter of titles within the Department of Defense, and "Operations Effectiveness" (which, to a man, we considered the most accurate term) just didn't seem to grab one's imagination. But worse than that, the language of the Department of Defense is not English. It is a strange mixture of familiar sounds interspersed with other sounds that are called acronyms. And was the Department of Defense ready for acronyms that would be derived from Operations Assessment or Operations Analysis? Thus these terms were rejected. What about "Operations Security?" It makes a nifty acronym that can be stated clearly by even the most fuzzy-tongued speaker. But where did "security" come from? Was this choice due to a profound and searching intellectual discourse on the part of the conversants at the bar in the Camp H.M. Smith Officers' Club? Hardly. Between rolls of the dice for the next round of drinks, the sole civilian in the crew thought it would be a neat idea if the name of his employer was included in the title of this new branch on the CINCP AC Staff. His employer was the National Security Agency, and the middle name of his employer followed nicely after "operations." Indeed, it did make a rather good acronym, but Robert "Sam" Fisher was motivated less by the appropriateness of the title than by the fact that inclusion of "security" would increase the chance that he, a communications security specialist, would be assigned to it. At some time in the foggy discourse, the prospective chief of the new branch, Air Force Colonel Jim Chance, grunted approvingly.
And thus it came to pass that "Operations Security" was born at the bar in a saloon in Hawaii.
Editorial Note: The official term is Operations Security, it is NOT Operational Security. The latter term is often associated with cyber-security but there is no such approved term in the Joint military dictionary.
[edit] The Interagency OPSEC Support Staff (IOSS)
IOSS was created to support the National OPSEC Program by providing tailored training, assisting in program development, producing multimedia products and presenting conferences for the defense, security, intelligence, research and development, acquisition and public safety communities. Its mission is to help government organizations develop their own, self-sufficient OPSEC programs in order to protect U.S. programs and activities.
[edit] The OPSEC Professionals Society (OPS)
OPS was established in March 1990 to further the application of Operations Security (OPSEC) as a professional discipline and to foster the highest standards of professionalism and competence among its members. The Society mission extends beyond just our members, as we attempt to help organizations understand and enable proper application of this mission-enhancing discipline.
The Society established the OPSEC Certified Professional (OCP) program to recognize individuals who meet the highest standards of the OPSEC profession. A network of OCP mentors is available to guide OCP candidates through the process of certification. Those who meet the criteria and maintain their certification are authorized to annotate “OCP” after their name.
The Society created the OPSEC Associate Professional (OAP) level of recognition in 2004 to recognize those members who did not meet the OCP certification standard, but had met specific levels of experience and formal education in the OPSEC discipline. OAP was created to stimulate on-going pursuit of the OCP certification. For more information, review the OCP portions of the website, then contact the Professional Standards Committee Chair at jdsaul1@verizon.net or opssociety@comcast.net.
The Society has four publications: The OPSEC Journal, the OPS Mindset (new,) the OPS News, and the OPS Flash (new). The Society also maintains a "members only" secure portal with dynamic collaboration tools and library.
Enhancing professionalism requires interaction with other professionals. The Society seeks to host seminars, workshops, and publications where members may pursue ideas, increase professional development, and improve or expand their knowledge of OPSEC issues and applications.
[edit] The Operations Security Professional's Association
OSPA- The Operations Security Professional's Association (OSPA) is a tax exempt Non-profit organization dedicated to improving awareness of Operations Security procedures, as well as building cohesion amongst its members. OSPA members work together behind the scenes to further the discipline that is OPSEC, as well as creating and sharing information on a wide range of subjects, such as information security, OPSEC briefings, Security Briefings, OPSEC program management and more.
OSPA has a collaborative structure to encourage peer development and sharing on an international scope across government, law enforcement, business, and academia, and is dedicated to providing relevant, accurate and timely information and resources for all OPSEC Professionals worldwide.
[edit] Links to Information About
The OPSEC Professional Society (OPS)
The Interagency OPSEC Support Staff (IOSS)
National Security Decision Directive 298
The Operations Security Professional's Association (OSPA)
[edit] Methodology
The OPSEC process involves five steps:
- Identification of Critical Information; identifying the information that if divulged could inadvertently compromise an operation. This normally includes the facts about an operation that would reveal the operations intentions and capabilities.
- Threat Analysis; enables OPSEC practitioners to assume the existence and perspective of an adversary. One aspect of threat analysis is to identify the person or persons who may be attempting to obtain information. The other aspect addresses the method used in collecting the information.
- Vulnerability Analysis; having assessment teams review the organization’s activities to determine if a group or individual is revealing any plans associated with its strategy, personnel, or infrastructure.
- Risk assessment; determines whether or not an adversary is capable of gathering and exploiting the information.
- Countermeasures; any measures taken to prevent the unforeseen release of unclassified but sensitive information.
OPSEC is a process used to identify and deny critical information (specific information about capabilities and/or intentions) from adversaries who seek to exploit such information for their advantage and our disadvantage. The OPSEC process involves systems, threat and vulnerability analyses, risk assessment, and cost-effective countermeasure planning. Its results include improved understanding of:
- the specific items deemed critical to the mission
- indicators of that information
- countermeasures that protect this information from the adversary, and
- an analytical basis for these decisions, if the process is applied properly.
OPSEC differs from traditional security because it is based on analysis from an adversary’s perspective, “What does the adversary need?”
While modern OPSEC originates from military operations, we can also apply the discipline to protect critical economic, technological, and business proprietary information from adversaries who seek to exploit such information to their benefit. The process is applicable to government, supporting industry, public sector essential services, and private sector activities. On a personal level, it also supports privacy, asset protection, and safety.
