SECNAVINST 3070.2A DUSN 9 May 2019 SECNAV ..., Exercises of Logistics

DEPARTMENT OF THE NAVY
OFFICE OF THE SECRETARY
1000 NAVY PENTAGON
WASHINGTON DC 20350-1000

SECNAVINST 3070.2A DUSN 9 May 2019

SECNAV INSTRUCTION 3070.2A

From: Secretary of the Navy

Subj: OPERATIONS SECURITY

Ref: See enclosure (1)

Encl:
(1) References
(2) Definitions
(3) OPSEC Program Manager Requirements
(4) OPSEC Working Group Requirements
(5) OPSEC Instruction Requirements
(6) OPSEC Plan Template
(7) OPSEC Program Checklist
(8) Roles and Responsibilities

  1. Purpose. Establishes policy, procedures, and responsibilities for Department of the Navy (DON) Operations Security (OPSEC) per references (a) and (b).
  2. Cancellation. SECNAVINST 3070.2.
  3. Definitions. See enclosure (2).
  4. Applicability. This instruction applies to the Office of the Secretary of the Navy (SECNAV), the Chief of Naval Operations (CNO), the Commandant of the Marine Corps (CMC), and all U.S. Navy (USN) and U.S. Marine Corps (USMC) installations, commands, activities, field offices, and all other organizational entities within the DON. This includes all DON personnel (military and civilian), as well as supporting contractor employees.
  5. Policy

a. Pursuant to reference (a), the Secretariat, USN, and USMC shall maintain effective OPSEC that ensures coordination between public affairs, all security disciplines, operations, acquisition, intelligence, training, and command authorities and include mechanisms for enforcement, accountability, threat awareness, and the highest level of leadership oversight. OPSEC protects critical information to prevent an adversary from determining friendly intentions or capabilities. Programs must endeavor to establish a proper balance between dissemination of information to families and the public, consistent with the requirement to protect critical information and maintain essential secrecy.

b. Commanders shall take all OPSEC measures required to prevent disclosure of critical information and maintain essential secrecy.

c. Commanders are required to establish, resource, and maintain effective OPSEC. OPSEC includes policies, manning, training, and equipping functions necessary for OPSEC planning and execution, and to ensure all personnel understand their responsibilities to protect essential secrecy. The maintenance and effectiveness of OPSEC is the responsibility of each commanding officer. Each command shall include, at a minimum:

(1) A designated OPSEC program manager meeting the criteria listed in enclosure (3). The program manager shall familiarize themselves with the requirements and procedures of references (a) through (e), their service-level OPSEC instruction as applicable, and any additional guidance from their chain of command.

(2) An effective OPSEC working group in accordance with the guidance of enclosure (4).

(3) A tailored, command-specific training program that ensures all assigned personnel are aware of the contents of their Critical Information and Indicators List (CIIL) and their specific responsibilities for safeguarding critical information. All assigned personnel must receive OPSEC training as part of their onboarding process prior to approving personnel for access to DON networks, and at least annually. This training shall include, at a minimum, the unit’s CIIL; social media awareness and vulnerabilities; local threats; how to protect, transmit, and destroy controlled unclassified information; risks and guidance pertaining to geolocation-capable devices, applications, and services; and OPSEC review procedures for public release. All training must be formally documented, maintained, and available online for higher command review. Family outreach shall also be performed to educate the families of assigned personnel about OPSEC principles and concerns.


g. All information considered for release into the public domain shall include a review in accordance with the appendix to enclosure (3) of reference (f), and shall involve an appropriately designated and trained OPSEC professional. All public affairs professionals must be properly trained per references (a) and (b) and understand their command’s CIIL sufficiently to determine what details of the command’s activities may be shared with the public. The Public Affairs Officer (PAO) and OPSEC program manager shall work with command leadership to determine when the need for public transparency outweighs the risk of disclosure. Additional guidance on the relationship between OPSEC and public affairs can be found in reference (e), chapter 8. Additional guidance on OPSEC considerations for use of the Internet and social media can be found in reference (f), chapters 6 and 10 and appendix K.

h. Research, development, test, and evaluation (RDT&E) activities and documentation as defined in references (g) and (h), comprising both classified and controlled unclassified information, are particularly vulnerable to disclosure and compromise and as such must exercise particular care and attention in implementing robust OPSEC. Supply Chain Risk Management and Critical Program Information (CPI) protection principles must be adhered to per references (h) and (i), including OPSEC measures and countermeasures, and OPSEC shall be considered in all Program Protection Plans (PPPs).

i. OPSEC shall be used to evaluate the vulnerabilities of sensitive information and technology during all RDT&E activities and phases. Program managers at all levels should coordinate with their respective Systems Command (SYSCOM) leads for program protection throughout the RDT&E life-cycle, especially regarding release of information into the public domain, prior to sensitive testing, and aboard or with operational units.

j. DON program executive officers, program, project, or product managers, and contracting officials shall include OPSEC considerations as a stipulation in all contracts. All requirements packages must receive an OPSEC review at the start and completion of the contracting process to identify critical and/or sensitive information by the requiring activity OPSEC program manager. Additional guidance on OPSEC considerations in contracts can be found in reference (e), appendix J.


k. Critical information shall be transmitted in a manner that reduces the risk of aggregation and compromise. Where practicable, a classified network (either data or phone) is the preferred method of transmission for critical information. When a classified network is not available and the information is not sensitive to ongoing or planned operations, then it may be transmitted over an unclassified network so long as it is encrypted. Unencrypted transmission of critical information over an unclassified network is not authorized.

l. The Naval OPSEC Support Team (NOST) and Marine OPSEC Support Team (MOST) are designated as the service OPSEC support elements for the Navy and Marine Corps respectively, per reference (a). In that capacity they serve as advisors to the Deputy Under Secretary of the Navy (DUSN) as well as CNO and CMC respectively on all issues related to OPSEC and related support to their services as required. Requests for OPSEC support from the NOST and MOST can be sent to OPSEC@navy.mil and MOST@mcia.osis.gov, respectively.

  6. Responsibilities. See enclosure (8).
  7. Records Management. Records created as a result of this instruction, regardless of media and format, must be maintained and dispositioned according to the records disposition schedules found on the Directives and Records Management Division (DRMD) portal page (https://portal.secnav.navy.mil/orgs/DUSNM/DONAA/DRM/SitePages/Home.aspx).
  8. Reports. The requirements contained in enclosure (5), paragraph 1d and enclosure (8), paragraph 8 are exempt from reports controls per part IV, paragraph 7n of reference (j).

THOMAS B. MODLY

Under Secretary of the Navy

Distribution: Electronic only, via Department of the Navy Issuances Web site https://www.secnav.navy.mil/doni/.


DEFINITIONS

  1. Operations Security (OPSEC). A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level.
  2. Essential Secrecy. The condition achieved from the denial of critical information and indicators to adversaries through the combined efforts of the OPSEC program and traditional security programs.
  3. Critical Information. Specific facts about friendly intentions, capabilities, and activities needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment.
  4. Indicator. Data derived from friendly detectable actions and open-source information that an adversary can interpret and piece together to reach conclusions or estimates of friendly intentions, capabilities, or activities.
  5. OPSEC Measure. Planned action to conceal or protect critical information and indicators from disclosure, observation, or detection and protect them from collection; generally defensive in nature.
  6. OPSEC Countermeasure. Planned offensive action taken to affect collection, analysis, delivery, or interpretation of information that impacts content and flow of critical information and indicators.
  7. Critical Information and Indicators List (CIIL). A list of critical information and indicators for a specific command or organization.


  8. OPSEC Plan. A plan that matches critical information to associated indicators, and assigns OPSEC measures or countermeasures as appropriate to reduce vulnerabilities and mitigate risk.
  9. OPSEC Operations Plan. An augment to a standing OPSEC plan that provides specific measures and countermeasures to be applied by a unit during a specific operation. It may be generated as an annex to a Joint Operation Planning and Execution System plan or as a local document endorsed by the commander.
  10. Deception in Support of OPSEC (DISO). DISO is a military deception planned and executed to protect the security and secrecy of friendly operations, personnel, programs, equipment, and other assets from foreign intelligence entity (FIE) collection.
  11. OPSEC Program Manager. An appointee or primary representative assigned to develop and manage an OPSEC program.
  12. OPSEC Coordinator. An individual trained in OPSEC who works in coordination with the OPSEC program manager or primary OPSEC representative.
  13. OPSEC Planner. A functional expert trained and qualified to plan and execute OPSEC.
  14. Open Source Research. Monitoring publicly available information to identify potential disclosures of critical information and indicators. Open source research does not produce intelligence.


  1. Based on the requirements above, for afloat or deploying commands the most appropriate designee for OPSEC program manager will tend to be the operations officer (or N3, S3, or G3 as appropriate), as they will have the requisite grade, authority, access, and placement to effectively implement OPSEC. Owing to the number of duties and responsibilities typically placed on these persons, an additional assistant OPSEC program manager may also be appointed by the program manager with the requirement that they be E-6 or higher, and have attended an approved OPSEC program manager's course.
  2. Because contractors do not have authority over U.S. military and government personnel and cannot represent the position of the U.S. Government, contract employees will not be assigned as a command’s OPSEC program manager or coordinator. They can perform OPSEC duties in a supporting capacity under the supervision of a government employee or servicemember.


OPSEC WORKING GROUP REQUIREMENTS

  1. The working group shall convene at least quarterly to assist the OPSEC program manager in applying the five-step OPSEC process to the command per reference (e), chapter 3. As such it should assist the designated OPSEC program manager in generating and updating their CIIL, understanding the evolving threat to critical information, assessing vulnerability and risk, and implementing effective OPSEC measures and countermeasures with the involvement of all elements of a command.
  2. An OPSEC working group shall include representatives of all key command components, departments, or functions. Per reference (c), enclosure A, paragraph 7b(13), it shall include where applicable representatives for:

a. security,

b. anti-terrorism/force protection,

c. intelligence,

d. critical infrastructure protection,

e. public affairs,

f. information assurance,

g. and FOIA.

h. Where applicable, it should additionally include representation from the command technical authority and the Naval Criminal Investigative Service (NCIS). In the absence of a representative from NCIS an alternative counterintelligence representative should attend.

  3. Minutes shall be kept of OPSEC working group meetings and retained for review.


OPSEC PLAN TEMPLATE

OPERATIONS SECURITY (OPSEC) PLAN

FOR

XXXX

Date

Overall document Classification is:

Classified By:

Derived From:

Declassify on:


COMMANDER XXX OPERATIONS SECURITY (OPSEC) PLAN FOR XXX OPERATIONS

References:

a. List all applicable references

  1. SITUATION.

a. General. Describe the conditions that exist to warrant the development of the plan.

b. Adversary. Describe the enemy situation that provided the impetus for this plan. Describe the specific adversary FIE capabilities that can detect and observe the indicators listed in this plan.

c. Friendly. Describe in general terms the friendly operations or mission and the conditions from which the critical information is derived. Describe in general terms the friendly vulnerabilities that place the critical information at risk.

d. Assumptions. List the assumptions that must be made to continue planning.

  2. MISSION.

a. OPSEC Mission Statement.

b. Critical Information and Indicators. Table 2-1 lists the critical information (CI) associated with XXX. CI is the specific facts about friendly intentions that could be exploited by the adversary, allowing them to plan and act effectively against friendly mission accomplishment. The CI has been assessed to have enough observable indicators or associated friendly vulnerabilities that risk of compromise warrants the development of focused OPSEC measures to protect them. Appendix A aligns this CI with the indicators and resultant OPSEC measures.

CI-1 Critical Information

CI-2 Critical Information

CI-3 Critical Information

Table 2-1 Critical Information for XXX Operations

c. Vulnerabilities. List the conditions that leave the CI and indicators exploitable by the adversary which has


APPENDIX A

Critical Information, Indicators, and Measures

ESSENTIAL SECRET: Protect the presence, intent, timing, location, and method of XXX Operations

| Critical Information | Indicator | OPSEC Measure |
| --- | --- | --- |
| CI-1: Planning activities are occurring XXX operations. | I-01: List the indicator | O-1: List the OPSEC Measure |
| | I-02: List the indicator | O-2: OPSEC Measure |
| | | O-3: OPSEC Measure |

Table A-1 Critical Information, Indicators and Measures Table

| OPSEC MEASURE DETAILS | WHO | WHAT | WHEN | WHERE | WHY | Check When Complete |
| --- | --- | --- | --- | --- | --- | --- |
| O-01: OPSEC Measure Details | Who specifically is tasked to execute the measure. | Provide an actionable level of details on the measure. | When will this action take place (date, time, before or after action X). | Where the measure will be executed. | Describes what specifically the measure is achieving- why it is executed the way it is, when it is as well as the conduit or collection means. | Admin Purposes. |
| O-02: OPSEC Measure #2 Details | | | | | | |

Table A-2 OPSEC Measure Details


APPENDIX B GLOSSARY

APPENDIX C ACRONYMS AND ABBREVIATIONS


1.10 For two-star and above commands, is the program manager assigned full-time and not as a collateral duty?

2. OPSEC Working Group – per enclosure (4)

Requirement | Yes | No | N/A | Comment

2.1 Does the OPSEC working group include representatives from all key command components, departments, or functions?

2.2 Does the OPSEC working group include representatives from security, anti-terrorism/force protection, intelligence, critical infrastructure protection, public affairs, information assurance, FOIA, and the command technical authority as applicable?

2.3 Does the OPSEC working group convene at least quarterly?

2.4 Does the OPSEC working group apply the five-step OPSEC process to the command?

2.5 Does the OPSEC working group recommend appropriate revisions to the CIIL and implementation of OPSEC measures and/or countermeasures?

2.6 Are minutes of OPSEC working group meetings recorded and retained?

3. OPSEC Training – per paragraph 5c(3)

Requirement | Yes | No | N/A | Comment

3.1 Do command personnel demonstrate awareness of the content of their CIIL, and their specific responsibilities for safeguarding critical information?


3.2 Is tailored, command-specific OPSEC training provided to all assigned personnel as part of their onboarding process?

3.3 Is OPSEC training required for all personnel prior to granting access to DON networks?

3.4 Do all assigned personnel complete OPSEC training at least annually?

3.5 Does command OPSEC training cover the unit CIIL?

3.6 Does command OPSEC training cover social media awareness and vulnerabilities?

3.7 Does command OPSEC training cover local threats?

3.8 Does command OPSEC training cover how to protect, transmit, and destroy controlled unclassified information (such as items on the CIIL)?

3.9 Does command OPSEC training cover risks and guidance pertaining to geolocation-capable devices, applications, and services?

3.10 Does command OPSEC training cover OPSEC review procedures for public release?

3.11 Is command OPSEC training documented?

3.12 Does the command conduct family outreach for OPSEC education and awareness?

4. OPSEC Instruction – per enclosure (5)

Requirement | Yes | No | N/A | Comment

4.1 Does the command instruction contain a CIIL tailored to specific command functions?