Calvert Systems
Operations Security (OPSEC) Plan
Change Record
Rev.
Date
1.0 Beta 8/3/16
Originator
Description
Allison Myers
New – Required for Contract
2
Calvert Systems
Operations Security (OPSEC) Plan
INTRODUCTION
Operations Security (OPSEC) is a systematic and proven process by which Calvert Systems Engineering,
Incorporated dba Calvert Systems (“Calvert”), as a subcontractor on this contract, can deny to potential
adversaries information about capabilities and intentions by identifying, controlling and protecting
generally unclassified evidence of the planning and execution of sensitive contract support activities. The
principles of OPSEC are easy to remember.
• What information do you want to protect?
• Who wants your information?
• How is your information vulnerable?
• What is the risk for your information?
• How can you protect your information?
The OPSEC process is most effective when fully integrated into all planning and operational processes.
The OPSEC process involves five steps: (1) identification of critical information, (2) analysis of threats,
(3) analysis of vulnerabilities, (4) assessment of risk, and (5) application of appropriate countermeasures.
SCOPE
This plan is specifically intended to educate Calvert employees about OPSEC and clearly state their
obligations in protecting Calvert information and systems. It identifies what information needs to be
protected, what the threat is, what the potential vulnerabilities are, what to do with the risk, and what
countermeasures can be applied to prevent information loss.
This plan is applicable to all Calvert employees and OPSEC training is conducted annually.
DEFINITIONS
Critical Program Information (CPI):
Critical Program Information is information concerning sensitive activities, whether classified or
unclassified, which is vitally needed by adversaries or competitors for them to plan and act effectively.
CPI is information about intentions, capabilities, or activities that must be protected from loss to keep an
adversary from gaining a significant military, economic, political, or technological advantage.
The process to identify critical information begins with an examination of the totality of the activities
involved in performance of subcontractor tasking (hereinafter referred to as the “Project”) to determine
what exploitable but unclassified evidence of classified or sensitive activity is vulnerable to adversary
acquisition in light of the known capabilities of potential adversaries. Such evidence is usually derived
from openly available data. Certain “indicators” may be pieced together or interpreted to discern critical
information. Indicators commonly stem from the routine administrative, physical, or technical actions
taken to prepare for or execute the Project.
Indicators:
Indicators are sources of information that, if exploited by an adversary or competitor, could reveal critical
program information. An indicator can be identified by asking the question, “If I were an adversary or
competitor, where would I go to obtain critical program information?”
Indicators are detectable actions that can be heard, observed, or imaged. Obtained by an adversary, they
could result in adversary knowledge or actions harmful to friendly intentions. They include such things
as personnel or material actions and movements that can be observed, public release conversations or
documents, and habitual procedures when conducting a given type of operation or test. All detectable
indicators that convey or infer critical information must be identified and protected if determined
vulnerable.
3
Calvert Systems
Operations Security (OPSEC) Plan
Threat Analysis:
Threat Analysis is a process in which information about a threat or potential threat is subjected to
systematic and thorough examination in order to identify significant facts and derive conclusions.
Threat analysis is an examination of an adversary’s technical and operational capabilities, motivation, and
intentions to detect and exploit security vulnerabilities.
When considering a threat, one must look at the CPI and the Project in general and look at that
information as an adversary would. A determination will need to be made as to who would want this
technology, who would want to discredit this Project, who would like to cause harm to the Project
participants, or who would like to do other nefarious activities directed at the Project. Once the adversary
(ies) is/are established, an analysis also needs to be done on capabilities, access, determination, etc.
Analysis of Vulnerabilities:
Analysis of vulnerabilities is a systematic evaluation process in which qualitative and/or quantitative
techniques are applied to detect vulnerabilities and to arrive at an effectiveness level for a safeguards and
security system to protect specific targets from specific adversaries and their acts.
Determining vulnerabilities involves a systematic analysis of how the Project is actually conducted by the
primary and supporting Project team members. The Project must be viewed as an adversary might view
it. Actions and things that can be observed or other data that can be interpreted or pieced together to
derive critical information must be identified. These potential vulnerabilities must be matched with
specific threats.
Once it is determined what an adversary needs to know and where that information is available, it is
necessary to determine if it is possible for the adversary to acquire and exploit the information in time to
capitalize on it. If so, vulnerability exists.
Risk Assessment:
Risk assessment is an evaluation of potential threats against a safeguard and security interest and the
countermeasures necessary to address potential vulnerabilities. It is a five-step process that provides the
decision-maker with a firm foundation upon which to make an informed decision. During a risk
assessment, the value of the information, analysis of the threat, and determination of the information’s
vulnerability are conducted. Following the completion of these three activities, a determination of the risk
rating is made and countermeasures are considered and implemented, as necessary.
Risk assessment is essentially the process of balancing vulnerability against the threat, then deciding if the
resultant risk warrants applications of countermeasures. The determination of risk is a demanding step in
the OPSEC Process. It requires a degree of subjective decision making based on the best estimate of an
adversary’s intentions and capabilities.
Included in the assessment of an adversary’s capability is not only his ability to collect the information
but also his capability to process and exploit (evaluate, analyze, interpret) in time to make use of the
information. In order to complete the risk assessment, it is necessary to combine this information (i.e., the
possibility of the adversary exploiting the information, with the resultant impact on the Project). This
process should result in a list of recommendations along with an estimate of the reduced impact upon the
operation as achieved through their application. The decision maker can then weigh the cost of
recommended OPSEC countermeasures in terms of resources and operational effectiveness against the
impact of the loss of critical program information.
Application of Appropriate Countermeasures:
A countermeasure is anything that effectively negates an adversary’s ability to exploit vulnerabilities.
The most effective countermeasures are simple, straightforward, procedural adjustments that effectively
eliminate or minimize the generation of indicators. Following a cost-benefit analysis, countermeasures
4
Calvert Systems
Operations Security (OPSEC) Plan
are implemented in priority order to protect vulnerabilities having the most impact on the Project, as
determined by the appropriate decision maker.
STEPS IN THE OPSEC PROCESS
1. Identify Critical Information - Critical information is information about DoD activities, intentions,
capabilities, or limitations that an adversary seeks in order to gain a military, political, diplomatic,
economic, or technological advantage. Such information, if revealed to an adversary, may prevent or
degrade mission accomplishment, cause loss of life, or damage friendly resources.
a. Critical information will vary based on the organization’s role within the Department of
Defense. Critical information in operational organizations is often easy to recognize, however
in support or administratively focused organizations, critical information may be more
difficult to identify. When going through the process of identifying critical information, be
sure to consider all functional areas within the organization. The organization’s
administrative staff may have valuable information that should also be assessed for its
criticality.
b. Critical information is best identified by the individuals responsible for planning and
executing the organization’s mission. Using an adversarial approach and asking what
information an adversary would want to know about the mission is a helpful method when
trying to identify what information is critical. The questions an adversary may ask are called
“essential elements of friendly information.” The answers to those questions are the critical
information.
c. Critical information is information that the organization has determined is valuable to an
adversary. If obtained, this information will either impact the success of the organization or
improve the likelihood of an adversary meeting their goals. For example:
i. Military operations: The adversary learns of the time and location of a planned
attack. As a result, losing the element of surprise could lead to significant casualties.
ii. Acquisition: The adversary learns of a new missile in the development phase that
cannot be detected by adversary capabilities. As a result, the adversary begins
development of countermeasures to defeat the new technology.
iii. Administration: The adversary obtains information about force protection equipment
being sent to a unit operating in theater. As a result, the adversary changes its tactics,
techniques, and procedures to defeat the equipment.
d. From the examples given above, there are many areas within an organization where elements
of critical information can be obtained. Commanders and directors, administrative staff,
operational personnel, even personnel not directly assigned to the organization may handle
portions of the organization’s critical information. Therefore, it is important to have
personnel from each functional area involved in the process of identifying critical
information.
2. Conduct a Threat Analysis - Threat information is necessary to develop appropriate
countermeasures. The threat analysis includes identifying potential adversaries and their associated
capabilities and intentions to collect, analyze, and exploit critical information and indicators.
a. When conducting a threat analysis, organizations should seek support from their security,
intelligence, and counterintelligence experts.
b. A thorough threat analysis will answer the following questions:
i. Who is the adversary? What is the adversary’s intent and capability?
5
Calvert Systems
Operations Security (OPSEC) Plan
ii. What are the adversary’s goals?
iii. What tactics does the adversary use?
iv. What does the adversary already know about the unit’s mission? What critical
information has already been exposed and is known by the adversary?
3. Conduct a Vulnerability Analysis - An OPSEC vulnerability exists when the adversary is capable of
collecting critical information or indicators, analyzing it, and then acting quickly enough to impact
friendly objectives. Conducting exercises, red teaming, and analyzing operations can help identify
vulnerabilities.
4. Conduct a Risk Assessment - The risk assessment is the process of evaluating the risks to information
based on susceptibility to intelligence collection and the anticipated severity of loss. It involves
assessing the adversary’s ability to exploit vulnerabilities that would lead to the exposure of critical
information and the potential impact it would have on the mission. Determining the level of risk is a
key element of the OPSEC process and provides justification for the use of countermeasures. Once
the amount of risk is determined, consider cost, time, and effort of implementing OPSEC
countermeasures to mitigate risk. Factors to consider include:
a. The benefit and the effect of the countermeasure on reducing risk to the mission.
b. The cost of the proposed countermeasure compared with the cost associated with the impact
if the adversary exploited the vulnerability.
c. The possibility that the countermeasure could create an OPSEC indicator.
5. Apply OPSEC Countermeasures - Countermeasures are designed to prevent an adversary from
detecting critical information, provide an alternative interpretation of critical information or indicators
(deception), or deny the adversary’s collection system. If the amount of risk is determined to be
unacceptable, countermeasures are then implemented to mitigate risk or to establish an acceptable
level.
a. Given the examples presented earlier with regard to military operations, acquisition, and
administration; adversary exploitation of information could have been prevented with simple
no-cost countermeasures. Proper safeguarding, limiting distribution, and shredding
information when no longer needed are just a few examples of easily applied
countermeasures.
b. There are many best practices for countermeasures throughout the Department of Defense.
Organizations may consult with OPSEC practitioners, security specialist, information
technology specialists, and organizations with similar missions. However, countermeasures
should not be regarded as risk-avoidance measures to be pulled from a list and implemented.
Prior to recommending countermeasures, employees must carefully consider cost and their
potential to degrade mission accomplishment.
RESPONSIBILITIES
Calvert employees performing tasking on the NAVAIR 6.8.5 contract are responsible for performing the
OPSEC Five-Step Process for this Project.
Calvert is responsible for developing a list of CPI and associated Indicators for this Project.
Calvert is responsible for looking at the vulnerabilities associated with this Project.
Calvert is responsible for determining the risk for all potential vulnerabilities and implementing any
recommended countermeasures.
6
Calvert Systems
Operations Security (OPSEC) Plan
Calvert is responsible for developing an OPSEC plan for this Project and updating the plan as needed
based on tasking and/or OPSEC requirement changes.
Calvert employees performing tasking on the NAVAIR 6.8.5 contract are required to complete annual
OPSEC Awareness training. All records associated with this training will be maintained by the local FSO
in security files.
CRITICAL PROGRAM INFORMATION
The CPI for this Project is:
Technical Data
• Technical Manuals (TMs)
• Technical Data Packages (TDPs)
• Technical Manual Source Data Records (TMSDRs)
• Technical Publication Deficiency Reports (TPDRs)
• Engineering Change Proposals (ECPs)
• Engineering Drawings
• Weapon System Configuration Data
• Logistics Product Data
• Notices of Revision (NORs)
• Specifications, and Specification Change Notices (SCNs)
• Military Handbooks
• General and Weapons System TMs
• Equipment Specifications
• Operational Descriptions
• Customer and/or Contract Related Plans, Policies, Processes, and Procedures
• Digital Media
Information Technology (IT) System Access
• Technical Manual Application System (TMAPS)
• NSIV SharePoint
• CMPro
• Joint Technical Data Integration (JTDI)
• AIR 7.2 Repository
• All Other DoD Information Systems
Contract Information
• Specific guidelines and requirements contained in the Statement of Work (SOW) tasks.
• Contract modifications
• Modifications to the SOW tasks
• Funding status
• Special funding for future projects
• Quality Control Evaluations
• Quality Deficiency Reports
Personnel Records
• Employee schedules
• Number of personnel
• Organizational Structure
7
Calvert Systems
Operations Security (OPSEC) Plan
INDICATORS
The indicators for this Project are:
Administrative Indicators
• Travel itineraries
• Logos
• Emblems
• Memos
• Advanced plans
• Schedules
• Organizational charts
Financial Indicators
• Budget and contracts
• Justifications
• Projections
• Financial plans
• Supplemental requests
• Special purchases
• Non-proprietary contract information
Communications Indicators
• Talking around classified/sensitive subjects
• Email
• Cell phones
• Telephones
• Facsimile
• Teleconferences
Operations Indicators
• Stereotyped activities
• Abrupt changes in normal operations
THREAT
The threat for this Project is:
• Human Intelligence (HUMINT) collection is the gathering of information for intelligence
purposes through the use of human sources.
•
Signal Intelligence (SIGINT) collection incorporates Communication Intelligence
(COMINT), non-communication emanations, Electronic Intelligence (ELINT), Telemetry
Intelligence (TELINT). SIGINT is collected by intercepting electronic signals emanating
from telecommunication facilities or non-communicative devices that emit an electronic
signal.
VULNERABILITIES
The ways that information is vulnerable for this Project:
• Use of email between Project participants;
• Talking in public places;
8
Calvert Systems
•
•
•
•
•
•
•
•
•
•
Operations Security (OPSEC) Plan
Recycle bins;
Trash;
Procedures;
Web Pages (if applicable);
Unauthorized access to and distribution of Technical Data
Access to IT Systems
Access to Contract Information
Access to Personnel Records
Storage of technical data, personnel information and/or employment information;
Receipt and delivery of technical data;
RISKS / COUNTERMEASURES
Refer to Table 1 for risk levels and associated countermeasures for the indicated vulnerabilities.
9
Calvert Systems
Operations Security (OPSEC) Plan
Table 1 - NAVAIR 6.8.5 Contract - Threat Matrix
VULNERABILITY
METHOD OF
COLLECTION
HUMINT
SIGINT
X
X
RISK
LEVEL
OPSEC COUNTERMEASURES
Critical,
High, Med
High,
Med, Med
Low, Low
Med
To the extent possible, task related data is
stored on government servers. Files are
Email Use
referenced in emails rather than files being
sent as attachments.
X
X
Low
Task related discussions are conducted in
government/contractor facilities. If a sensitive
Talking in Public
call comes in while at a public location, the
Places
discussion can be rescheduled for a more
appropriate time/place.
X
Low
Recycle Bins
All project related documents are shredded
with a crosscut shredder that meets NISPOM
requirements.
X
Low
Trash
All project related documents are shredded
with a crosscut shredder that meets NISPOM
requirements.
X
X
Low
Procedures
All Calvert procedures are kept internal and
can be kept with stronger security
requirements.
X
X
Low
Web Pages
Government/Prime approval is requested
prior to posting any contract association on
web pages.
Unauthorized access
X
X
Med
Access limited to authorized employees and
to/distribution of
further security procedures can be
Technical Data
implemented.
Access to IT
X
X
Systems
Access to Contract
Med
Access limited to authorized employees and
High
further security procedures can be
implemented.
X
X
Med
Access limited to authorized employees and
further security procedures can be
Information
implemented.
10
Calvert Systems
Access to Personnel
Operations Security (OPSEC) Plan
X
X
Records
Storage of Technical
Med
Access limited to authorized employees and
High
further security procedures can be
implemented.
X
X
Med
Access limited to authorized employees and
Data, personnel
further security procedures can be
information, and/or
implemented.
employment
information
Receipt and delivery
X
X
Med
Receipt and delivery limited to one
designated person and monitored through
of technical data
implemented security procedures.
CONCLUSION
By following the OPSEC Five-Step process this Project has identified what needs to be protected, what
the threat is, what the vulnerabilities are, what the risk is, and what countermeasures need to be developed
to protect any and all information associated with the Project. By doing so, the Project team will have
effectively mitigated any potential information loss.
11