Operations Security and Document Reviews

By Cynthia Smith, OPSEC Program Manager

Scenario: you are a newly appointed Operations Security (OPSEC) Manager and your Director hands you an unclassified document and asks for an OPSEC review. You smile and think, “Great, now what?” Here is one method for conducting a thorough review for Department of Defense documents.

Do your homework.

Read the document through and then call the individual who wrote the document. Ask them to give you some background on the document. Ask questions that will provide you with the information you will need to conduct a thorough review. You should review the document with this information in mind. A sampling of questions you might ask are:

  • What is the author’s intent (i.e., why did they write the document)?
  • Will this document be publicly released, if so how (i.e., press release, posting on a government website, etc.)?
  • Does the document contain any FOUO or sensitive/restricted information?
  • Is the topic of the document of great interest to the public?
  • Does your section have a Critical Information List (CIL), or Essential Elements of Friendly Information (EEFI) List if so, obtain a copy of their list?
  • Does your section have any sensitive information that is not addressed in their unit or section CILs/EEFIs?

Reviewing the Document.

Review the section and the organization CILs/EEFIs, print them for use during the review. Make sure you understand the information that needs to be protected. This may sound obvious but there are times when you may be asked to review technical material or material that you simply don’t have a background in or expertise with.

Read the document, make note of anything that bothers you or strikes you as not right. Read the document again, going section by section. If/when you come to a section that bothers you, refer to the CILs/EEFIs. Does the section contain information addressed in the CILs/EEFIs? Does it cross the line, is it too specific? Do not disregard your “gut-feeling” if something really bothers you and it’s not listed in a CILs/EEFIs, go back and discuss it with the person responsible for the document and tell them your concerns.

If the document will be placed on a DoD website ensure it complies with SECDEF guidance for website content. This includes verifying a valid mission need to disseminate the information to be posted, limiting details and ensuring the removal all personally identifying information of DoD personnel in accordance with the Freedom of Information Act (FOIA) and other DoD policy guidance.

Additional Considerations.

Does the document contain information of great interest to the general public? Do you suspect the document might be requested under the FOIA? Be aware that the probability of a FOIA request many increase if the document concerns a topic of high public interest. You can not bar a document from release based upon concerns with a possible/probable FOIA request. If it does contain this type of information, you should review the document as if it will be publicly released or placed on a DoD website.

Does the document contain any of the following types of information: Caveats barring release of information (i.e., attorney-client privileged information, pre-decisional, sensitive but unclassified, etc.). Does it contain technology information controlled by State Department’s International Traffic in Arms Regulation (ITAR) or Military Critical Technology List (MCTL)? Does it contain any proprietary information or other business sensitive information concerning acquisitions or contracts not currently available? Does it contain any Base Realignment and Closure (BRAC) relocation information intended For Official Use Only (FOUO) or other OPSEC information on DoD operations?

If you suspect that the “unclassified” document you were asked to review contains classified information you should take steps to protect the document in accordance with DoD 5200.1-R requirements. Do not disseminate the document via non-secure means, contact the author of the document and your organization’s security personnel for further guidance and clarification. Additionally ensure you do not discuss the portions you suspect are classified using non-secure communications such as email or phone calls.

Some useful links.