The President has signed a National Security Decision Directive (NSDD) to establish a National Operations Security Program.
Security programs and procedures already exist to protect classified matters. However, information generally available to the public as well as certain detectable activities reveal the existence of, and sometimes details about, classified or sensitive information or undertakings. Such indicators may assist those seeking to neutralize or exploit U.S. Government actions in the area of national security. Application of the operations security (OPSEC) process promotes operational effectiveness by helping prevent the inadvertent compromise of sensitive or classified U.S. Government activities, capabilities, or intentions.
The operations security process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures. The process begins with an examination of the totality of an activity to determine what exploitable but unclassified evidence of classified activity could be acquired in light of the known collection capabilities of potential adversaries. Such evidence usually derives from openly available data. Certain indicators may be pieced together or interpreted to discern critical information. Indicators most often stem from the routine administrative, physical, or technical actions taken to prepare for or execute a plan or activity. Once identified, they are analyzed against the threat to determine the extent to which they may reveal critical information. Commanders and managers then use these threat and vulnerability analyses in risk assessments to assist in the selection and adoption of countermeasures.
OPSEC thus is a systematic and proved process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive Government activities.
Indicators and vulnerabilities are best identified through detailed OPSEC planning before activities start. They may also be identified during or after the conduct of routine functional activities by analyzing how functions are actually performed and the procedures used. Planning and analysis proceed from the adversary’s perspective. To assist in OPSEC planning and analysis, OPSEC planning guidance must be developed jointly by those most familiar with the operational aspects of a particular activity together with their supporting intelligence elements.
OPSEC planning guidance should take account of those aspects of an activity that should be protected in light of U.S. and adversary goals, estimated key adversary questions, probable adversary knowledge, desirable and harmful adversary appreciations, and pertinent intelligence threats. OPSEC planning guidance should also outline OPSEC measures to complement physical, information, personnel, signals, computer, communications, and electronic security measures. OPSEC measures may include, but are not limited to, counterimagery, cover, concealment, and deception.
In the OPSEC process, it is imortant to distinguish between analysis of threat and vulnerability, on the one hand, and implementation, on the other. Recommendations on the use of OPSEC measures are based on joint operational intelligence analyses, but ultimate decisions on implementation are made by commanders, supervisors, or program managers who detemine the aspects of a program or actitity to be protected. The decision maker with ultimate responsibility for mission accomplishment and resource management must have complete authority for determining where and how OPSEC will be applied.
Each Executive department and agency assigned or supporting national security missions with classified or sensitive activities shall establish a formal OPSEC program with the following common features:
Agencies with minimal activities that could affect national security need not establish a formal OPSEC program; however, they must cooperate with other departments and agencies to minimize damage to national security when OPSEC problems arise.
Heads of Executive departments or agencies with national security missions shall:
Further, they shall advise the National Security Council (NSC) on OPSEC measures required of other Executive departments and agencies in order to achieve and maintain effective operations or activities. In this connection, the Joint Chiefs of Staff shall advise the NSC of the impact of nonmilitary U.S. policies on the effectiveness of OPSEC measures taken by the Armed Forces, and recommend to the NSC policies to minimize any adverse effects.
Consistent with previous Directives, the SIG-I has responsibility for national OPSEC policy formulation, resolution of interagency differences, guidance on national level OPSEC training, technical OPSEC support, and advice to individual Executive departments and agencies. The National Operations Security Advisory Committee (NOAC), as part of the SIG-I structure and functioning under the aegis of the Interagency Group for Countermeasures (Policy), will:
The Director, National Security Agency, is designated Executive Agent for interagency OPSEC training. In this capacity, he has responsibility to assist Executive departments and agencies, as needed, to establish OPSEC programs; develop and provide interagency OPSEC training courses; and establish and maintain an Interagency OPSEC Support Staff (IOSS), whose membership shall include, at a minimum, a representative of the Department of Defense, the Department of Energy, the Central Intelligence Agency, the Federal Bureau of Investigation, and the General Services Administration. The IOSS will:
Nothing in this directive: