The OPSEC Process

OPSEC is a five-step, iterative process that assists an organization in identifying the information that requires protection, determining the methods an adversary may employ to compromise that information, and establishing effective countermeasures to protect it.

When formally applied, OPSEC is generally conducted sequentially. However, emergencies and dynamic situations may require certain steps to be conducted out of sequence.

1. Identify Critical Information

Critical information is a specific fact about friendly (that is, non-adversarial) intentions, capabilities, and activities that an adversary needs in order to plan effectively. If critical information is obtained, the adversary is able to cause friendly mission failure or other mission degradation.
The product of the first step is the Critical Information List (CIL), the record of that critical information. The list is approved at the command or leadership level of the organization. It usually represents the core secrets of the organization and varies from one organization to the next.

2. Analyze The Threat

Once the critical information is identified, the next step is to determine which individuals or groups represent a threat to it. There may be more than one adversary, and different pieces of information may be targeted by different groups. For each adversary, its capabilities, its intended use for the information, its determination and its resources must also be analyzed.
The primary sources for this information are intelligence support, law enforcement or, for contractors under the National Industrial Security Program, the Defense Security Service (now the Defense Counterintelligence and Security Agency, DCSA).
A properly completed threat assessment documents the adversaries, their intent, the information they may already possess, their capability and intent to collect critical information, and their potential courses of action.

3. Analyze The Vulnerabilities

In this phase the analyst "thinks like the wolf", that is, views the organization from an adversary's perspective. The organization's vulnerabilities must be thoroughly explored, particularly its physical safeguards, its network/electronic safeguards and its personnel training.
An indicator is a detectable action or piece of open-source information that an adversary can interpret or aggregate to derive critical information.
A vulnerability exists when a security shortcoming may allow an adversary to collect critical information or identify indicators in support of their decision-making.
A vulnerability analysis is the friendly examination of processes, projects and missions to identify any inherent, natural or self-induced vulnerabilities.

4. Assess The Risks

Each vulnerability is matched against the threat(s) able to exploit it and assigned a risk level. This is an unmitigated risk level: existing or planned countermeasures are not credited in the analysis. The risk levels are as follows:

  • Critical: an adversary has demonstrated the ability to exploit an existing vulnerability, and the resulting impact would be irreparable; hazard consequence would be catastrophic.
  • High: there is no doubt an adversary could exploit an existing vulnerability, and the resulting impact would be serious enough to consider cancellation of a mission; hazard consequence would be major.
  • Medium High: it is probable an adversary could exploit an existing vulnerability, and the resulting impact would be damaging; hazard consequence would be no higher than major.
  • Medium: it is possible an adversary could exploit an existing vulnerability, and the resulting impact would be manageable; hazard consequence would be no higher than moderate.
  • Medium Low: it is unlikely an adversary could exploit an existing vulnerability, and the resulting impact would be negligible; hazard consequence would be no higher than minor.
  • Low: it is improbable an adversary would exploit an existing vulnerability, and the resulting impact would be insignificant; hazard consequence would be no higher than insignificant.

The risk level assigned to a vulnerability is what lets the organization "triage" the protection of its data: the highest-rated vulnerabilities are addressed first in the next step.
For additional OPSEC rating definitions, see OPSEC Ratings Definitions.

5. Apply The Countermeasures

Beginning with the highest-risk vulnerabilities, a plan is put in place to mitigate the risk. All possible countermeasures are considered, including additional hardware, training or outside contractors. The most important element of this step is a plan that lowers or eliminates the risk, or removes the threat's access to the resource.
Countermeasures are selected based on mission priorities and available resources. Commanders or senior leaders decide which countermeasures to implement based on the risk and the likelihood of exploitation.
Countermeasures must also be monitored continuously to ensure they remain effective and relevant. Threats change, as do their methods and the vulnerabilities affecting an organization, so the countermeasures should be reviewed to confirm that they are protecting critical information against the right threats at the right time.
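The five steps above carried through as one worked example, added here and not part of the original page: a small Python model records the Critical Information List (step 1), the adversaries with their intent and collection capability (step 2) and the vulnerabilities found (step 3), then matches each vulnerability to the threats able to exploit it, assigns the unmitigated risk level from the page's six-level scale (step 4) and returns the findings triaged highest-first for countermeasure planning (step 5). All organization names, adversaries and data are constructed for illustration. One assumption is labelled in the code: the level is read from the likelihood wording of the scale, and the recorded consequence is checked against the ceiling the page states for that level.

```python
# Added example, not from the original page. All sample data is constructed.
from dataclasses import dataclass

# Likelihood and consequence wording from the six-level scale, most to least severe.
LIKELIHOOD = ["demonstrated", "certain", "probable", "possible", "unlikely", "improbable"]
CONSEQUENCE = ["catastrophic", "major", "moderate", "minor", "insignificant"]

# Risk level for each likelihood, with the highest consequence the scale allows
# at that level. Assumption: likelihood selects the level, and the recorded
# consequence must stay within that level's ceiling.
RISK_LEVELS = [
    ("Critical", "catastrophic"),
    ("High", "major"),
    ("Medium High", "major"),
    ("Medium", "moderate"),
    ("Medium Low", "minor"),
    ("Low", "insignificant"),
]
SEVERITY = {level: rank for rank, (level, _) in enumerate(RISK_LEVELS)}


@dataclass
class Threat:
    """Step 2: an adversary, what it wants, and how it can collect."""
    name: str
    intent: set         # critical information items the adversary wants
    capability: set     # collection methods it can actually use


@dataclass
class Vulnerability:
    """Step 3: a shortcoming that leaks indicators of one critical item."""
    id: str
    exposes: str        # critical information item whose indicators leak
    via: str            # collection method that works against it
    likelihood: str     # one of LIKELIHOOD
    consequence: str    # one of CONSEQUENCE
    countermeasure: str = ""   # step 5 candidate, if one has been proposed


def within_ceiling(vuln):
    """True if the recorded consequence does not exceed the ceiling for the level."""
    _, ceiling = RISK_LEVELS[LIKELIHOOD.index(vuln.likelihood)]
    return CONSEQUENCE.index(vuln.consequence) >= CONSEQUENCE.index(ceiling)


def rate(vuln):
    """Step 4: unmitigated risk level; reject an inconsistent analyst rating."""
    if not within_ceiling(vuln):
        raise ValueError(f"{vuln.id}: consequence {vuln.consequence!r} "
                         f"is above the ceiling for likelihood {vuln.likelihood!r}")
    return RISK_LEVELS[LIKELIHOOD.index(vuln.likelihood)][0]


def match_threats(vuln, threats):
    """Step 4: a vulnerability is only a risk if some adversary both wants the
    information it exposes and can use the collection method it allows."""
    return [t.name for t in threats
            if vuln.exposes in t.intent and vuln.via in t.capability]


def assess(cil, threats, vulns):
    """Steps 1-5 together: keep vulnerabilities that expose listed critical
    information and have a matched threat, rated and triaged highest first."""
    findings = []
    for v in vulns:
        if v.exposes not in cil:
            continue    # step 1: not critical information, out of scope
        matched = match_threats(v, threats)
        if not matched:
            continue    # step 2: nobody with both intent and capability
        findings.append({"id": v.id, "risk": rate(v), "threats": matched,
                         "countermeasure": v.countermeasure})
    return sorted(findings, key=lambda f: SEVERITY[f["risk"]])


# Constructed sample assessment (hypothetical organization and adversaries).
CIL = {"deployment date", "supplier list"}
THREATS = [
    Threat("Competitor X", {"supplier list"}, {"open source", "social engineering"}),
    Threat("Group Y", {"deployment date", "supplier list"}, {"open source", "network intrusion"}),
]
VULNS = [
    Vulnerability("V1", "deployment date", "open source", "certain", "major",
                  "remove dates from public job postings and social media"),
    Vulnerability("V2", "supplier list", "social engineering", "possible", "moderate",
                  "vendor-contact verification training"),
    Vulnerability("V3", "cafeteria menu", "open source", "demonstrated", "catastrophic"),
    Vulnerability("V4", "deployment date", "signals intercept", "probable", "major"),
]


def sample_triage():
    """Triaged findings for the constructed data, highest risk first."""
    return assess(CIL, THREATS, VULNS)


if __name__ == "__main__":
    for f in sample_triage():
        print(f"{f['risk']:<12} {f['id']}  threats={f['threats']}  "
              f"countermeasure={f['countermeasure'] or 'none yet'}")
```

Running it lists V1 (High, matched to Group Y) ahead of V2 (Medium, matched to Competitor X). V3 is dropped because the cafeteria menu is not on the CIL, however easy it is to collect, and V4 is dropped because no listed adversary has the signals-intercept capability it would require: the vulnerability is real but, until the threat assessment changes, it is not an OPSEC risk, which is exactly why step 5 says countermeasures need to be re-reviewed as threats change.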

The laws of OPSEC

  1. If you don't know the threat, how do you know what to protect? Although specific threats may vary from site to site or program to program, employees must be aware of the actual and postulated threats. In any given situation, there is likely to be more than one adversary, although each may be interested in different information.
  2. If you don't know what to protect, how do you know you are protecting it? The "what" is the critical and sensitive, or target, information that adversaries require to meet their objectives.
  3. If you are not protecting it (the critical and sensitive information), the adversary wins! OPSEC vulnerability assessments (referred to as "OPSEC assessments", OAs, or sometimes as "surveys") are conducted to determine whether or not critical information is vulnerable to exploitation. An OA is a critical analysis of "what we do" and "how we do it" from the perspective of an adversary. Internal procedures and information sources are also reviewed to determine whether there is an inadvertent release of sensitive information.

In short: know the threat, know what to protect, and protect it!