
News | Jan. 19, 2023

OPSEC: Do you know what CIIL indicates?

By DCMA Information Security

Operations Security means denying adversaries the ability to collect, analyze, and exploit information which could be used to degrade national security.

The DCMA OPSEC Program’s goal is to prevent inadvertent disclosure, loss or compromise of critical information or indicators, known as CII.

“We achieve this through continually identifying and analyzing CII, vulnerabilities, risks and external threats,” said Julio Estrada, Western Region OPSEC specialist. “We then devise and apply countermeasures to safeguard the information. These steps are always followed by continual assessment of their effectiveness and making adjustments as needed to reinforce safeguards, which contribute to a never-ending OPSEC cycle.”

Identifying CII is the first step of an effective OPSEC cycle, and critical information is the first part of CII. Information is considered critical when an adversary can use it to cause harm to the nation. It can be classified or unclassified and could represent one piece of a larger puzzle.

“CII requires proper safeguarding, dissemination controls and disposition to prevent the unauthorized disclosure or loss and compromise,” said Estrada. “Failure to properly safeguard CII can adversely affect our nation’s security, the Defense Industry Base, the DCMA mission, other federal agencies’ programs or operations, and individual’s privacy and personal information. All of which may be of use to our adversaries.”

Indicators are the second part of CII and can be friendly actions or activities readily evident to adversaries. These actions or activities reveal friendly information which can be directly related to operations, activities, policies, standards and risk mitigation actions.

“CII can be open-source information, postures, preparations and other perceivable information related to the agency that an adversary can detect or obtain and interpret to derive friendly CII,” said Estrada. “Knowing the risks, reducing your vulnerabilities and taking the correct countermeasures will help to keep you and your critical information safe.”

By applying an adversarial perspective, coupled with inside knowledge of organizational practices, policies and procedures, employees can determine the CII resident in organizations and programs.

“Effectively executing OPSEC is not an individual effort but rather a team effort,” said Estrada. “Subject matter experts from multiple disciplines and directorates must be involved in rendering the OPSEC cycle and developing the organizational CII. This approach ensures we are considering all aspects and areas and fully identifying at-risk CII.”

Workforce communication is essential to understanding what information must be protected and how to protect it. The CII identified during the OPSEC cycle results in a list called the Critical Information and Indicators List, or CIIL for short. The CIIL is made available to all members assigned to the organization, and contractors within the DIB. This ensures everyone is aware of the CII and safeguarding requirements.

“The purpose of the CIIL is to provide guidance to all DCMA personnel on incorporation of OPSEC practices and procedures into daily activities as a continuous, disciplined habit critical to the success of the mission,” said Estrada.

The goal of the agency OPSEC program is to continuously improve the CIIL, which already encompasses a majority of the organization.

“Improvement means each executive directorate, regional command, contract management office, and center are working to develop individual CIILs, derived from the agency level CIIL,” said Estrada. “Our personnel working with contracts delegated to DCMA must always ascertain and obtain the CIIL or OPSEC requirements directly associated with the individual contracts to help identify and protect CII.”

DCMA organizations located on a military installation, or in federal facilities as a tenant, should reach out to the host OPSEC point of contact and request their CIIL.

Always remember, OPSEC support is provided by the DCMA Security OPSEC team. For more information, email the team at dcma.lee.hq.list.information-security@mail.mil.