This is one from the archives. Guest blogger Rick Millikan is a member of OSPA, a Major in the US Army and an all-around good guy. Enjoy!
Its been said that Operations Security (OPSEC) is everyones responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The I in OPSEC can be viewed from several angles.
The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No I here.
To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no I in this step.
The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no I in this step.
To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the Staff, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no I in this step, either.
The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for the taking certain risks. There is no I in this step.
Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly, time consuming, or would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no ”I” in the last step of OPSEC, either.
OPSEC is everyones responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is good at the unit. OPSEC is a team effort. So, the ”I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.
In all actuality, everyone is the “I” in OPSEC. Your careless words or the they aren’t listening to this phone call attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyones responsibility. Do your part to keep sensitive information from the adversary.
There is a saying that goes something like, I am but one, but I am one. The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you.
Be the I in OPSEC!
Richard E. Millikan, MAJ, USAR
Chief, OPSEC Assessments Joint OPSEC Support Center (JOSC)