- Don’t read this Blog! - http://whatisopsec.com -
It’s All OPSEC
Posted By Revelator On 5. March 2008 @ 01:29 In General OPSEC | 1 Comment
“That’s not OPSEC.” The scene is day one of an OPSEC assessment. This is my first time out with this team so I’m still trying to feel out how they go about the process. While the team is in the badge office waiting for badges I notice there is a computer screen with red “SECRET” stickers top and bottom facing the gathered group at the customer service desk. Mind you, we’re not the only ones there trying to gain facility access. Among those waiting with us were gardeners, janitors, plumbers and other uncleared day workers. So, I turn to one of the senior members of the team and mention that we should identify this in our report and was told, “That’s not OPSEC.” While I didn’t want to get deep into what is and isn’t “OPSEC” I did mention that I thought we had a responsibility to the office supervisor to tell him that he should turn that screen around, and keep it turned around, so that uncleared couldn’t possibly see potentially “SECRET” information. I was told in no uncertain terms that this was not “OPSEC” and therefore not our responsibility. The Assessment Chief later corrected this problem but the individual in question never once wavered from his stance.
So what is OPSEC? Is anything OPSEC? A strong case can be made that every item in an OPSEC Assessment report can be traced back to requirements of some other security program. The scenario above was clearly a Computer Security issue but it is also an Information Security issue. FOUO in the trash? - Information Security. Not locking your computer screen when you leave your desk? - Computer Security. Privacy Act info in the recycle? - Information Security. Allowing people to piggyback into the facility? - Physical Security. Organization member talking about sensitive information during a speech at a conference or putting sensitive information in a professional publication? - Information Security. Talking around sensitive or classified on the phone or email? - Communications Security, Computer Security, Information Security. Cell phone in a secure area? - Physical Security. Public release of new product or emerging technology? - Information Security, Personnel Security. Give long time visitors the safe combo and then don’t change it when they leave? Catching on yet?
There are many more examples I could give but hopefully you get the point. On the other hand, did you think of instances that weren’t covered by my examples? What about always marshaling convoy vehicles at the same time in the same place? What about using the same routes? What security program covers mission or business indicators? Who is the security rep responsible when your unit doesn’t have a program in place to change its call-signs? What program do you call on to stop the intel dissemination capabilities of the spouses club?
I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team. Bottom line: Our job is to make our unit or company more secure. And we don’t do this by arguing over whether a vulnerability, indicator or security violation is OPSEC or not. See a problem - fix a problem.
One last thought - if you see me at the National Conference and I hear you say “That’s not OPSEC” - you owe me a cold one.
Keep the faith!
Revelator
URL to article: http://whatisopsec.com/2008/03/05/its-all-opsec/