
News | Jan. 13, 2023

The OPSEC cycle explained

By DCMA Information Security

January is “National Operations Security Awareness Month,” and this week’s focus is the OPSEC cycle. Per National Security Presidential Memorandum (NSPM)-28, “The National Operations Security Program,” the intent is for OPSEC to be a repetitive cycle, not a single process.

“We need to think about OPSEC awareness as more than training and hanging some awareness posters throughout the office,” said Charles Vadnais, DCMA Central Region OPSEC specialist. “We now live our everyday lives well into the Information Age — an age defined by an abundance of information meshed with technology making information readily available. This presents unique challenges when it comes to safeguarding our nation’s information.” 

The purpose of OPSEC is to prevent adversaries from obtaining sensitive information that can be used maliciously. This is done by identifying Critical Information and Indicators, known as CII, and implementing safeguards for protection. OPSEC methodology operates by a never-ending analytic and objective process cycle.

Vadnais explains the six steps below:

  1. Identification of CII: During this initial step, seek to identify information valuable to an adversary which could compromise agency success and hinder its ability to complete the mission and national security objectives. Information could be related to DOD activities or Defense Industry Base intentions, capabilities or limitations, which can give our adversaries a military, political, diplomatic, economic or technological advantage. Information or activities identified in this step are captured in a CII list. These are made available to agency personnel to help understand what must be safeguarded. Here are some questions to help identify CII:
    1. Is an organization involved in activities the adversary may observe that would indicate or provide sensitive information?
    2. Can an adversary profit financially from personally controlled information or from readily observable activities an organization is involved in?
    3. Is information transmitted, disseminated or disposed of in the proper method to prevent its unauthorized disclosure or loss to adversaries?
  2. Threat Analysis: Next, identify potential adversaries and their associated capabilities and intentions to collect, analyze and exploit CII. When conducting a threat assessment, be as objective as possible. Use reliable sources and sound judgment when determining the threat. Remember, a threat exists when an adversary has the intent, capability and opportunity to collect critical information and observe indicators. The threat rating of an adversary is based on those three elements. To help identify the threat and the potential collection capabilities, some basic questions are posed:
    1. Who is the adversary?
    2. What are the adversary’s intent, capability and goals?
    3. What are the adversary’s tactics?
    4. What information could the adversary already know?
    5. What CII is already exposed and is known by the adversary?
  3. Analysis of Vulnerabilities: Identified vulnerabilities exist when adversaries are capable of collecting CII, analyzing it, and then potentially acting to impact friendly objectives. Reviewing friendly activities and information operations can reveal shortfalls and weaknesses that adversaries can exploit. These vulnerabilities must be captured and analyzed to determine the effect on the agency’s overall effectiveness.
  4. Assessment of Risk: Risk assessment involves the evaluation of risks to CII, its proneness to intelligence collection and the anticipated severity of loss. It involves determining the adversary’s ability to exploit weaknesses in safeguarding that can lead to the exposure of CII, and the potential impact that exposure would have on the agency’s mission. The senior leader’s determination of the level of acceptable risk is a key element of the OPSEC Cycle. It provides justification for the use of countermeasures. Once the level of risk is determined, cost, time and effort of implementing OPSEC countermeasures to mitigate risk must be considered. The senior leader will determine the appropriate countermeasures to employ to safeguard the CII and mitigate risks.
  5. Apply Countermeasures: Countermeasures are intended to prevent an adversary from successfully obtaining CII. Countermeasures should be applied when the level of risk is determined to be unacceptable and are implemented to mitigate risk or to reduce risk to a more acceptable level. Countermeasures are not “risk-avoidance” measures. The senior leader responsible for the security environment must carefully consider cost and effectiveness versus the potential loss of CII leading to the degradation of the agency mission and the nation’s overall security.
  6. Periodic Assessment of Effectiveness: The OPSEC Cycle is considered a never-ending, repetitive exercise to review organizations’ efforts to protect information and prevent adversaries from being successful in their information collection activities. This applies regardless of the medium where the information resides: print, electronic data on the internet, agency databases, electronic mail and, in some cases, personal electronic devices. OPSEC awareness for the individual DCMA employee means being aware of the information accessed daily and understanding that the most mundane information may be golden in the hands of adversaries.

“The desired output of the OPSEC Cycle is the CII list, coupled with identified countermeasures used to frustrate our adversaries’ collective objectives,” said Vadnais. “When working through the OPSEC Cycle, it is key to use the adversary’s perspective to help identify the critical information and indicators, and those vulnerabilities associated with our information, which we may overlook because we are not using the right mindset. We need to know what information the adversary, competitor or enemy needs to negate our mission efforts — this allows us to effectively implement the OPSEC Cycle.”

To be effective, OPSEC must be a collective effort of various subject matter experts, divisions and offices.

“If we limit the OPSEC cycle involvement to only a few people, we miss out on so many perspectives which are necessary to making these OPSEC efforts effective,” said Vadnais. “Organizing an OPSEC working group at appropriate levels, such as a Contract Management Office, can be very effective in covering down on our operations in the field.”

Questions? Reach out to the DCMA Operations Security team: dcma.lee.hq.list.information-security@mail.mil.