Security Clearances and Operations Security

FacebookXPinterestEmailEmailEmailShare
Digital forensics professional at a computer.

OPSEC is the shorthand term for operations security. OPSEC is not a specific category of information. Rather, it is a process for identifying, controlling and protecting generally unclassified information that, if it becomes known to a competitor or adversary, could be used to our disadvantage.

OPSEC focuses on identifying and protecting information that might provide a competitor or adversary with clues to our plans or capabilities, and thereby enable the competitor or adversary to thwart a planned operation or activity.

Related: Search for security clearance jobs.

The OPSEC process is applied to a wide variety of situations in a competitive or adversarial environment. If you have ever given a surprise party or attempted to make your house look lived in while you were away, by arranging for someone to pick up your newspapers or installing a light timer, you have practiced OPSEC.

The following are just a few examples of things that, under certain circumstances, might provide clues that tip off a competitor or adversary to your plans or capabilities:

  • Supply and equipment orders
  • Transportation plans
  • Mission-specific training
  • Changes in communication patterns
  • Leaders' travel
  • Inspection results

OPSEC is used by government agencies and contractors in the development and acquisition of new equipment, in intelligence collection, by warfighters at all levels, by crime fighters in many roles, as well as by private enterprise -- all to supplement traditional security measures for protecting potentially exploitable information.

The OPSEC process is a risk management instrument that enables the manager or commander to view an operation or activity from the perspective of an adversary. The key feature of this approach is to look at our own methods and activities from the adversary's viewpoint by putting ourselves in an adversary's shoes and asking the question: "What information do I need to know to thwart the other side's intentions and actions, and what are the paths to the information I need?"

The OPSEC process traditionally involves five interdependent phases.

The first identifies critical information. That is, what are we trying to protect? Is it a single set of data relating to the timing (or other details) of a military operation? Or might it be a whole process embedded within an acquisition program? Or perhaps the patterns or profile of an undercover police officer? In each of these examples, data needs to be kept from someone (an opposing force, a foreign government, a foreign competitor or a criminal).

Related: Does your resume pass the 6-second test? Get a FREE assessment.

This leads to the second element -- an analysis of the threat. Who wants or needs our critical information? Who is our adversary (not necessarily an enemy)? An integral part of this phase is the identification of how our adversary might collect our information. Would they be likely to review open-source literature, send corporate or state-sponsored spies to infiltrate or seek out the data, or use technical means such as eavesdropping, photographing, etc.?

OPSEC considers a variety of potential adversaries -- ranging from the active (target or enemy or main competitor), to the passive (sympathizer or someone who supplies data to the active adversary), to the inadvertent (someone who accidentally gives away information) -- all of whom warrant recognition, assessment and resolution of the particular level and type of threat they pose.

The third phase looks at vulnerabilities, direct and indirect, surrounding our operation. We look at how the activity actually works, rather than how people think it works. We study the chronology and timing of events, along with the flow of information, to ascertain which adversary would be interested in what data, and how they would obtain them. Are there things that we do to give away our data directly, or are there certain signs that would lead a prudent adversary to deduce our data (indicators or clues)? We consider the magnitude of the vulnerabilities, as well as the impact of the loss of our data. In other words, how big is the problem, and how bad is it?

At this stage, the manager evaluates the risk to their operation or activity, asking: "Does the possible loss of information about my operation or activity warrant taking steps to reduce or (hopefully) negate the adversary's potential efforts to thwart my operation or activity?" The costs associated with fixing the vulnerability are weighed against the cost of the loss of the data, keeping in mind the likelihood of our data being lost as well as the impact such loss would entail. One method to reach a reasonable conclusion of the practicality of solution(s) might be to multiply the estimated loss in dollars, by the impact of risk, by the likelihood of risk. The solution, in dollars, must then be less expensive for the solution to be feasible.

Related: Discover your perfect career path and get customized job recommendations based on your military experience and vocational interests with Military.com's Military Skills Translator + Personality Assessment.

Countermeasures, finally, are the solutions that a manager employs to reduce risks to an acceptable level, whether by eliminating indicators or vulnerabilities, disrupting the effective collection of information, or by preventing the adversary from accurately interpreting the data. Countermeasures are dictated by cost, timing, feasibility and the imagination of the personnel involved. The most effective tend to be simple, straightforward and inexpensive procedural adjustments that fit the solution to the need. Countermeasures are instituted in rank order to protect the vulnerabilities having the most impact (in dollars, lives, mission failure, etc.). Multiple countermeasures, enacted together, often provide a synergistic effect that compounds the benefits without unduly raising the cost level.

While OPSEC is not a cure-all, it is a vital, easy-to-use tool that ideally is instituted at the very onset of an activity. If the personnel involved develop an "OPSEC mindset," effectiveness is enhanced and mission success is more likely. OPSEC is neither difficult nor time-consuming; instead, it can easily become a "matter-of-course" process.

Related: For the latest veteran jobs postings around the country, visit the Military.com Job Search section.

The Next Step: Find the Right Veteran Job

Whether you want to polish up your resume, find veteran job fairs in your area, or connect with employers looking to hire veterans, Military.com can help. Sign up for a free Military.com membership to have job postings, guides and advice, and more delivered directly to your inbox.

Story Continues

Most Recent Security Clearance Job Posts

  • WTRS - Maintenance Lead (Technician 4)
    HII Mission Technologies Division - Ft. Bragg, NC - Requisition Number: 19677 Required Travel: 0 - 10% Employment Type: Full Time/Hourly/Non-Exempt Sec...
  • Software / Embedded Systems Engineer
    Leidos - San Diego, CA, 92121 - Description Leidos Maritime System Solutions (MSS) is seeking a Software / Embedded Systems Engineer to work as part of a development team in a f...
  • Process and Knowledge Manager
    Peraton - Arlington, VA - Responsibilities The Department of State's Bureau of Diplomatic Security, Directorate of Cyber and Technology Security, Office of Cyber Monitoring and Op...
  • Business Analyst
    Zachary Piper LLC - Quantico, VA, 22134 - Zachary Piper Solutions is seeking a Business Analyst to join a long-term DoD program supporting the Department of the Navy located in Qua...
View More