OPSEC Plan (Rev 1, 4/21/08)
Operations Security
(OPSEC)
Plan
For
Subcontract No. *
Name:*
Date: *
Ensure Proper Classification of Document When Complete
INTRODUCTION
OPSEC is a systematic and proved process by which CONTRACTOR and its supporting subcontractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive LANL activities. The principles of OPSEC are easy to remember.
· What information do you want to protect?
· Who wants your information?
· How is your information vulnerable?
· What is the risk for your information?
· How can you protect your information?
The OPSEC process is most effective when fully integrated into all planning and operational processes. The OPSEC process involves five steps: (1) identification of critical information, (2) analysis of threats, (3) analysis of vulnerabilities, (4) assessment of risk, and (5) application of appropriate countermeasures.
SCOPE
This plan will provide information designed to show all Subcontract Workers what information needs to be protected, what the threat is, what the potential vulnerabilities are, what to do with the risk, and what countermeasures can be applied to prevent information loss.
This plan is applicable to all Subcontract Workers.
DEFINITIONS
Critical Program Information (CPI):
Critical Program Information is information concerning sensitive activities, whether classified or unclassified, which is vitally needed by adversaries or competitors for them to plan and act effectively. CPI is information about intentions, capabilities, or activities that must be protected from loss to keep an adversary from gaining a significant military, economic, political, or technological advantage.
The process to identify critical information begins with an examination of the totality of the activities involved in performance of this subcontract (hereinafter referred to as the “Project”) to determine what exploitable but unclassified evidence of classified or sensitive activity is vulnerable to adversary acquisition in light of the known capabilities of potential adversaries. Such evidence is usually derived from openly available data. Certain “indicators” may be pieced together or interpreted to discern critical information. Indicators commonly stem from the routine administrative, physical, or technical actions taken to prepare for or execute the Project.
Indicators:
Indicators are sources of information that, if exploited by an adversary or competitor, could reveal critical program information. An indicator can be identified by asking the question, “If I were an adversary or competitor, where would I go to obtain critical program information?”
Indicators are detectable actions that can be heard, observed, or imaged. Obtained by an adversary, they could result in adversary knowledge or actions harmful to friendly intentions. They include such things as personnel or material actions and movements that can be observed, public release conversations or documents, and habitual procedures when conducting a given type of operation or test. All detectable indicators that convey or infer critical information must be identified and protected if determined vulnerable.
Threat Analysis:
Threat Analysis is a process in which information about a threat or potential threat is subjected to systematic and thorough examination in order to identify significant facts and derive conclusions.
Threat analysis is an examination of an adversary’s technical and operational capabilities, motivation, and intentions to detect and exploit security vulnerabilities.
When considering a threat, one must look at the CPI and the Project in general and look at that information as an adversary would. A determination will need to be made as to who would want this technology, who would want to discredit this Project, who would like to cause harm to the Project participants, or who would like to do other nefarious activities directed at the Project. Once the adversary (ies) is/are established, an analysis also needs to be done on capabilities, access, determination, etc.
Analysis of Vulnerabilities:
Analysis of vulnerabilities is a systematic evaluation process in which qualitative and/or quantitative techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a safeguards and security system to protect specific targets from specific adversaries and their acts.
Determining vulnerabilities involves a systematic analysis of how the Project is actually conducted by the primary and supporting Project team members. The Project must be viewed as an adversary might view it. Actions and things that can be observed or other data that can be interpreted or pieced together to derive critical information must be identified. These potential vulnerabilities must be matched with specific threats.
Once it is determined what an adversary needs to know and where that information is available, it is necessary to determine if it is possible for the adversary to acquire and exploit the information in time to capitalize on it. If so, vulnerability exists.
Risk Assessment:
Risk assessment is an evaluation of potential threats against a safeguard and security interest and the countermeasures necessary to address potential vulnerabilities. It is a five-step process that provides the decision-maker with a firm foundation upon which to make an informed decision. During a risk assessment, the value of the information, analysis of the threat, and determination of the information’s vulnerability are conducted. Following the completion of these three activities, a determination of the risk rating is made and countermeasures are considered and implemented, as necessary.
Risk assessment is essentially the process of balancing vulnerability against the threat, then deciding if the resultant risk warrants applications of countermeasures. The determination of risk is a demanding step in the OPSEC Process. It requires a degree of subjective decision making based on the best estimate of an adversary’s intentions and capabilities.
Included in the assessment of an adversary’s capability is not only his ability to collect the information but also his capability to process and exploit (evaluate, analyze, interpret) in time to make use of the information. In order to complete the risk assessment, it is necessary to combine this information (i.e., the possibility of the adversary exploiting the information, with the resultant impact on the Project). This process should result in a list of recommendations along with an estimate of the reduced impact upon the operation as achieved through their application. The decision maker can then weigh the cost of recommended OPSEC countermeasures in terms of resources and operational effectiveness against the impact of the loss of critical program information.
Application of Appropriate Countermeasures:
A countermeasure is anything that effectively negates an adversary’s ability to exploit vulnerabilities. The most effective countermeasures are simple, straightforward, procedural adjustments that effectively eliminate or minimize the generation of indicators. Following a cost-benefit analysis, countermeasures are implemented in priority order to protect vulnerabilities having the most impact on the Project, as determined by the appropriate decision maker.
RESPONSIBILITIES
CONTRACTOR and SUBCONTRACTOR shall jointly perform the OPSEC Five-Step Process for this Project.
CONTRACTOR is responsible to develop a list of CPI and associated Indicators for this Project.
CONTRACTOR and SUBCONTRACTOR are responsible to look at the vulnerabilities associated with this Project.
SUBCONTRACTOR is responsible to determine the risk for all potential vulnerabilities and to implement any recommended countermeasures.
SUBCONTRACTOR is responsible to complete an OPSEC plan for this Project.
All Subcontract Workers are responsible for reading this OPSEC Plan when finalized.
CRITICAL PROGRAM INFORMATION
The CPI for this Project is: [If working at a LANL site or LANL leased space, insert TA and type of clearances workers will have below. If work is at Subcontractor’s site insert CPI’s]
· *
INDICATORS
The indicators for this Project are: [If work is at a LANL site or LANL leased space, insert the words “Indicators are already identified in LANL scope of work and associated CPI’s.” If work is to be performed at Subcontractor’s site, list all known indicators and associate them with individual CPI.]
· *
THREAT
The threat for this Project is: [If work is at a LANL site or LANL leased space, insert the words “Threats have been identified in LANL scope of work.” If work is to be performed at Subcontractor’s site, list all known threats to the subcontractor, along with potential adversaries.]
· *
VULNERABILITIES
The ways that information is vulnerable for this Project: [If work is at a LANL site or LANL leased space, insert these words under the last bullet: “Those vulnerabilities associated with LANL’s regular operating threat statement.” If work is to be performed at Subcontractor’s site list any additional ways that information is vulnerable at Subcontractor’s site.]
· Use of email between Project participants;
· Talking in public places;
· Recycle bins;
· Trash;
· Procedures;
· Web Pages (if applicable);
· *
RISK
The following vulnerabilities are acceptable risks: [If work is at a LANL site or LANL leased space, insert the words “Those risks identified in LANL scope of work and risk assessment.” If
work is to be performed at Subcontractor’s site, list subcontractor’s site vulnerability and state why it is acceptable.]
· *
The following vulnerabilities will be countered: [If work is at a LANL site or LANL leased space, insert the words “Those vulnerabilities identified in LANL scope of work and risk assessment.” If work is to be performed at Subcontractor’s site, list vulnerability countermeasure to be taken.]
· *
CONCLUSION
By following the OPSEC Five-Step process this Project has identified what it is that needs to be protected, what the threat is, what the vulnerabilities are, what the risk is, and what countermeasures need to be developed to protect any and all information associated with the Project. By doing so, the Project team will have effectively mitigated any potential information loss.
Subcontract No. * Date * Rev. No. * Page 1 of 5