Name: Jacquet Lewis
Industry: BAE Systems: Information Assurance, Certification and Accreditation, INFOSEC
Practices OPSEC in: US
Works With: Active Duty/Guard/Reserve plus DOD Contractors and Civilians
How often do you review in-place countermeasures for effectiveness?
Do you have other duties besides OPSEC and what percentage of time is devoted to OPSEC?
Yes, until recently I was the certification and accreditation (c&a) poc for the US Army Materiel Command. Currently I am working on NIST c&a for the federal government (DHS, Treasury, TSA, Justice, FBI, etc).
How often to you perform Open Source reviews against your site/location/mission/organization?
Do you feel that having a well established network of OPSEC contacts is important? Why or why not?
Yes. I have maintained a lot of my Air Force contacts and developed new ones in the Army, Navy/Marine Corps.
What is the toughest part of implementing OPSEC at your job station? How have you overcome these challenges?
With the Army, it was getting civilian employees to understand the threat to the country and to their livelihood by not being OPSEC/INFOSEC conscience. Active duty military and most DoD Contractors have a good idea of OPSEC and its impact. The civilian workers (GS types) have a totally different attitude to the whole issue and need constant reminding.
How did you become interested in OPSEC?
After 22 years in the Air Force doing OPSEC, it had not only become a way of life, but a good job skill to use to maintain employment in the IT industry.
Do you feedback your survey results to the general populace through OPSEC awareness? (demonstrate and educate)
With the Army, we produced a daily OPSEC/threat focused on Army IT assets. This was loosely based on the Early Bird type of report. We also held monthly VTC’s that covered security, certification and accreditation, good computing practices. This VTC was attended by not only the Army Materiel Command, but the Army in general, other service branches, and even other contractors on Army contracts.
What has worked for you when attempting to gain leadership support for the OPSEC program?
If we could find something in the open-source world and show that the Army also could be affected, it had a huge impact. One thing that always got attention was that as a MACOM, the Army Materiel Command IT infrastructure accounted for 14% of the total Army IT footprint, yet through education, briefings, VTC’s, OPSEC “fairs” and attending conferences and preaching OPSEC, Army Materiel Command had the lowest rate of intrusion, malicious software, in the entire Army.
How do you promote an OPSEC/Security “Culture” at your site?
We always remind people to not go to questionable websites (we block quite a few), not to leave their computers unattended without locking, always maintaining situational awareness of what’s going on around you, even if you are in your office. Another problem up here in the DC area is leaving your laptop in your car overnight, visible. Countless cars are broken into and laptops stolen just because a thief can see it and it’s an easy target.
What type of mass OPSEC awareness has worked for you?
Well practicing it for 20+ years active duty and now almost 10 in the civilian world, it has become a way of life. I do it a second nature. I assess my information daily and protect it against exploitation. Shred all those free credit card offers, don;t throw them in the trash. Don’t leave things exposed. Situational Awareness id the key. Keep it at all times and your threat footprint will be minimal.
From where do you receive your OPSEC awareness material?
Interagency OPSEC Support Staff (IOSS), OSPA, Military branch OPSEC Support Element, DOE, Any I can get my hands on!
Have you personally written a Critical Information List? How did you distribute the information to concerned parties/groups?
Yes. We called them EEFI in the old days. Sit down and think of things that are important to you, then they are probably important to the bad guys. Personal and professional information.
What method for creating Critical Information Lists works best for you?
What has worked for you for giving OPSEC training?
One time I walked through a facility before I was to give a briefing and listened to the conversations coming from the cube rows, then during the briefing I worked some of that info into my presentation. A credit card # and info somebody gave over the phone without regard to who was listening in cube land can make a big impact on that person when you feed it back to them later in a briefing.
Do you have any tips for conducting Open Source (OSINT) Reviews?
The only drawback with OSINT is the validity of the information you get. It’s hard to check out sometimes and you just have to go with it. Scan websites, magazines, watch TV news. One great source is How It’s Made on the discovery channel. These little vignettes do the analysis work for you. Think like a bad guy and go after information like a bad guy and you will reap a goldmine of OSINT information. Be careful though you might cross the line between OSINT and classified!
Do you have any advice for new OPSEC professionals?
Learn all you can, read all you can. Little pieces of information you can stow away in your mind, on a yellow sticky (a beautiful mind?) will all fall together someplace down the road. There is no such thing as worthless information, people just want you to believe there is.
Do you have any thoughts on OPSEC in non-government, non-military settings?
Most IT/defense contractors have very good OPSEC programs. They are required to by DoD regulations. The IT systems they use that process DoD or federal information have to meet those same standards.
Do you have any other advice for your OPSEC peers?
You are never too old to forget OPSEC. You better have good OPSEC when your time comes to retire for good!
Do you have any amusing/exciting/interesting OPSEC anecdotes or examples to share?
When I was at Strategic Air Command (SAC), we used to monitor OSINT sources 2 weeks before, during, and 2 weeks after a major exercise called Global Shield. One year we got so much information 2 weeks out, that we convinced the SAC general to let us give the pre-exercise deployment briefing. We got up on stage at the base theater and briefed B-52 and tanker pilots and missile crews on their roles and what days they were supposed to play in the exercise. When we finished the SAC commanding general got on the stage and started yelling at them for talking over non-secure phones, talking in the BX and commissary, the O and NCO clubs on base, and in general in the surrounding town when talking to their neighbors. He explained that the briefing they had just received came from “spies” that had no pre- knowledge of the exercise and had gotten all that information from their big mouths and sloppy OPSEC! You could have heard a pin drop in that theater!