OPSEC measures are as varied as the vulnerabilities they address
By Lee Porterfield
We all have a responsibility to protect ourselves and others within our military communities. One way to reduce vulnerabilities is by using operations security measures to safeguard mission-related details from those who seek to use that information against us.
OPSEC measures vary by command and mission, so there is not a one-size-fits-all checklist for every situation. There are, however, some common practices to eliminate or reduce information from being carelessly released to unintended sources.
Train, and then train some more
— Ensure new personnel, including service members, civilians and contractors, receive an OPSEC orientation within 30 days of arrival.
— Ensure annual refresher training is completed by all personnel.
— Ensure an OPSEC briefing is provided on deployments and redeployments.
— Ensure unit managers and officers, and those whose duties include operating and maintaining publicly accessible media, receive advanced OPSEC and related training.
Protect information from start to finish
— Properly mark, store, share, transmit, review, transport and destroy information according to its classification level, in accordance with Army Regulation 380-5, Information Security and related guidance.
— Encrypt and digitally sign critical or sensitive information when disseminated by email within Army information systems.
— Digitally sign all emails with an active hyperlink and/or attachment.
— When encryption is not an option, use a secure transfer site, such as the DoD Secure Access File Exchange, https://safe.apps.mil/.
— Ensure government conversations, phone calls, web postings, blogs, social media comments or public releases are approved prior to being disclosed.
Practice OPSEC in meetings
— Notify attendees of the classification or sensitivity of meetings and any personal electronic device restrictions and/or information release requirements. PED levels are designated zero for no PEDs allowed, one for specified PEDs are allowed and two for all PEDs are allowed.
— Ensure each person attending the meeting has the appropriate access and need to know.
— Prevent sensitive information and security badges from being photographed or copied.
— Provide secure storage for personnel to secure PEDs, in meetings where PEDs are restricted.
— Ensure notes taken during the meeting are properly marked, handled, collected or maintained by authorized personnel and/or destroyed afterwards.
— Inspect the area at the conclusion to ensure no sensitive information has been left behind.
Use OPSEC measures on temporary duty
— Travel in civilian clothes whenever possible.
— Do not carry luggage, including briefcases, which identifies your Defense Department affiliation.
— Use a passport or other identification instead of military orders when possible.
— Do not discuss assignments, duties or reason for travel unless absolutely necessary (e.g., with security, customs or immigration personnel.)
— Monitor conversations and phone calls in public places.
— Do not use public or personal computers for government business.
Review social media measures
— Take a close look at all privacy settings on unit and personal social media pages.
— Do not reveal sensitive information, to include controlled but unclassified information, or CUI, about your unit such as mission schedules, briefings and event locations.
— Geo-tagging is a feature that reveals your location to other people within your network. Consider turning off the Global Positioning System function of your smart phone in all appropriate circumstances.
— Closely review all Army-related photos before they go online.
— Make sure to talk to family about operations security and what can and cannot be posted or discussed.
— Avoid mentioning rank, unit locations, deployment dates, names or equipment specifications and capabilities unless authorized for public release.
— If you would not want it made public, do not post it, even on private sites.
— Ensure all official information posted to the public domain is approved for release through your command, public affairs and OPSEC officers.
Establish a visitor control system
— Establish a visitor control system to coordinate and control all visits.
— Provide escorts for visitors and vendors who need access to restricted areas.
— Ensure escorts know proper escort procedures, limitations of disclosure and other applicable controls involved in the visit.
— Properly store information when visitors are present.
Use communications security measures
— Do not discuss or transmit sensitive information over wireless unsecure devices such as cell phones.
— Control distribution of sensitive, but unclassified information in accordance with distribution markings, limiting distribution to personnel with a need-to-know.
— Limit mission-related email to only official DoD accounts.
— Log off computer and remove Common Access Card when away from work area.
— Prohibit unauthorized hardware or software on Army systems.
— Limit use of personally owned devices, to include mobile devices, to only those documents that are approved for public release. Do not download For Official Use Only or other distribution-restricted documents and files to your personally owned devices. This includes emailing the documents and files to a commercially owned email account.
— Do not process DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers).
— Encrypt wireless connections and use encrypted wireless connections where available when traveling.
Practicing OPSEC measures brings peace of mind knowing you are doing your part to protect the mission. Call the OPSEC office at 573.563.2402 or the Antiterrorism Office at 573.563.5507/5041 for more information.
(Editor’s note: Porterfield is an Antiterrorism/Force Protection operations specialist.)