Interagency OPSEC Support Staff
National Security Decision Directive 298
   IOSS Home -- About Us  


National Operations Security Program

The President has signed a National Security Decision Directive (NSDD) to establish a National Operations Security Program.

Objective

Security programs and procedures already exist to protect classified matters. However, information generally available to the public as well as certain detectable activities reveal the existence of, and sometimes details about, classified or sensitive information or undertakings. Such indicators may assist those seeking to neutralize or exploit U.S. Government actions in the area of national security. Application of the operations security (OPSEC) process promotes operational effectiveness by helping prevent the inadvertent compromise of sensitive or classified U.S. Government activities, capabilities, or intentions.

OPSEC Process

The operations security process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures. The process begins with an examination of the totality of an activity to determine what exploitable but unclassified evidence of classified activity could be acquired in light of the known collection capabilities of potential adversaries. Such evidence usually derives from openly available data. Certain indicators may be pieced together or interpreted to discern critical information. Indicators most often stem from the routine administrative, physical, or technical actions taken to prepare for or execute a plan or activity. Once identified, they are analyzed against the threat to determine the extent to which they may reveal critical information. Commanders and managers then use these threat and vulnerability analyses in risk assessments to assist in the selection and adoption of countermeasures.

OPSEC thus is a systematic and proved process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive Government activities.

Application

Indicators and vulnerabilities are best identified through detailed OPSEC planning before activities start. They may also be identified during or after the conduct of routine functional activities by analyzing how functions are actually performed and the procedures used. Planning and analysis proceed from the adversary’s perspective. To assist in OPSEC planning and analysis, OPSEC planning guidance must be developed jointly by those most familiar with the operational aspects of a particular activity together with their supporting intelligence elements.

OPSEC planning guidance should take account of those aspects of an activity that should be protected in light of U.S. and adversary goals, estimated key adversary questions, probable adversary knowledge, desirable and harmful adversary appreciations, and pertinent intelligence threats. OPSEC planning guidance should also outline OPSEC measures to complement physical, information, personnel, signals, computer, communications, and electronic security measures. OPSEC measures may include, but are not limited to, counterimagery, cover, concealment, and deception.

In the OPSEC process, it is imortant to distinguish between analysis of threat and vulnerability, on the one hand, and implementation, on the other. Recommendations on the use of OPSEC measures are based on joint operational intelligence analyses, but ultimate decisions on implementation are made by commanders, supervisors, or program managers who detemine the aspects of a program or actitity to be protected. The decision maker with ultimate responsibility for mission accomplishment and resource management must have complete authority for determining where and how OPSEC will be applied.

Policy

A National Operations Security Program is Hereby Established

Each Executive department and agency assigned or supporting national security missions with classified or sensitive activities shall establish a formal OPSEC program with the following common features:

  • Specific assignment of responsibility for OPSEC direction and implementation.
  • Specific requirements to plan for and implement OPSEC in anticipation of and, where appropriate, during department or agency activity.
  • Direction to use OPSEC analytical techniques to assist in identifying vulnerabilities and to select appropriate OPSEC measures.
  • Enactment of measures to ensure that all personnel, commensurate with their positions and security clearances, are aware of hostile intelligence threats and understand the OPSEC process.
  • Annual review and evaluation of OPSEC procedures so as to assist the improvement of OPSEC programs.
  • Provision for interagency support and cooperation with respect to OPSEC programs.

Agencies with minimal activities that could affect national security need not establish a formal OPSEC program; however, they must cooperate with other departments and agencies to minimize damage to national security when OPSEC problems arise.

Action

Heads of Executive Departments and Agencies Assigned or Supporting National Security Missions

Heads of Executive departments or agencies with national security missions shall:

  • Establish organizational OPSEC programs;
  • Issue, as appropriate, OPSEC policies, procedures, and planning guidance; and
  • Designate departmental and agency planners for OPSEC.

Further, they shall advise the National Security Council (NSC) on OPSEC measures required of other Executive departments and agencies in order to achieve and maintain effective operations or activities. In this connection, the Joint Chiefs of Staff shall advise the NSC of the impact of nonmilitary U.S. policies on the effectiveness of OPSEC measures taken by the Armed Forces, and recommend to the NSC policies to minimize any adverse effects.

Chairman, Senior Interagency Group for Intelligence (SIG-I)

Consistent with previous Directives, the SIG-I has responsibility for national OPSEC policy formulation, resolution of interagency differences, guidance on national level OPSEC training, technical OPSEC support, and advice to individual Executive departments and agencies. The National Operations Security Advisory Committee (NOAC), as part of the SIG-I structure and functioning under the aegis of the Interagency Group for Countermeasures (Policy), will:

  • Advise the SIG-I structure on measures for reducing OPSEC vulnerabilities and propose corrective measures;
  • As requested, consult with, provide advice, recommend vulnerabilities and propose corrective measures;
  • On an ad hoc basis, chair meetings of representatives of two or more Executive departments or agencies having competing interests or responsibilities with OPSEC implications that may affect national security interests. Analyze the issues and prepare advisory memoranda and recommendations for the competing agencies. In the event NOAC fails to resolve differences, it shall submit the issue, together with its recommendation, to the SIG-I for resolution, which may recommend a meeting of the Policy Review Group (PRG) to consider the issue.
  • Bring to the attention of the SIG-I unsolved OPSEC vulnerabilities and deficiencies that may arise within designated programs and activities of the Executive branch; and
  • Specify national level requirements for intelligence and counterintelligence OPSEC support to the SIG-I.

Director, National Security Agency

The Director, National Security Agency, is designated Executive Agent for interagency OPSEC training. In this capacity, he has responsibility to assist Executive departments and agencies, as needed, to establish OPSEC programs; develop and provide interagency OPSEC training courses; and establish and maintain an Interagency OPSEC Support Staff (IOSS), whose membership shall include, at a minimum, a representative of the Department of Defense, the Department of Energy, the Central Intelligence Agency, the Federal Bureau of Investigation, and the General Services Administration. The IOSS will:

  • Carry out interagency, national level OPSEC training for executives, program managers, and OPSEC specialists;
  • Act as a consultant to Executive departments and agencies in connection with the establishment of OPSEC programs and OPSEC surveys and analyses; and
  • Provide an OPSEC technical staff for the SIG-I.

Nothing in this directive:

  • Is intended to infringe on the authorities and responsibilities of the Director of Central Intelligence to protect intelligence sources and methods, nor those of any member of the Intelligence Community as specified in Executive Order No. 12333; or
  • Implies an authority on the part of the SIG-I Interagency Group for Countermeasures (Policy) or the NOAC to examine the facilities or operations of any Executive department or agency without the approval of the head of such Executive department or agency.

 


Printable PDF Version - NSDD 298

 

 Last Modified: July 15, 2003 Privacy & Security Modified By: Webmaster