DEPARTMENT OF THE NAVY
COMMANDER MILITARY SEALIFT COMMAND
914 CHARLES MORRIS CT SE
WASHINGTON NAVY YARD DC 20398-5540
REFER TO:
COMSCINST 3070.1B
N3/5
17 March 2006
COMSC INSTRUCTION 3070.1B
Subj:
OPERATIONS SECURITY (OPSEC) PLAN
Ref:
(a)
(b)
(c)
(e)
(f)
OPNAVINST 3432.1
DoD 5205.2, DoD Operations Security (OPSEC) Program
DoD 5220.22-M, National Industrial Security Program
Operating Manual
Joint Pub 3-54, Joint Doctrine for Operations
Security
USTRANSCOM Policy Directive 10-4
National Security Decision Directive Number 298
(1)
(2)
(3)
(4)
Operations Security Guidance for Contractors
Critical Information
The OPSEC Process
OPSEC Self-Survey Checklist
(d)
Encl:
1. Purpose. To update the Operations Security (OPSEC) plan for
Military Sealift Command (MSC) in accordance with references (a)
through (e). This instruction is a complete revision and should
be read in its entirety.
2.
Cancellation.
COMSCINST 3070.1A
3. Scope. The provisions of this instruction apply to the MSC
organization, world wide, including ships of the MSC Force. To
ensure integrity of operations, Naval Fleet Auxiliary Force
(NFAF), Special Mission ships, Propositioned ships and Strategic
Sealift ships while under the operational control of other
commands, will operate under the provisions of that Commander’s
OPSEC Plan.
4.
Policy
a. MSC will conduct an aggressive OPSEC Program designed to
improve mission effectiveness through the identification and
elimination of potential OPSEC vulnerabilities. Reference (f),
which established the National Operations Security Program,
COMSCINST 3070.1B
17 March 2006
defines OPSEC as a systematic and proven process by which the
U.S. Government and its supporting contractors can deny to
potential adversaries information about capabilities and
intentions by identifying, controlling, and protecting generally
unclassified evidence of the planning and execution of sensitive
Government activities. OPSEC is not a security function; it is
an operations function. The practice of OPSEC prevents the
inadvertent compromise of sensitive or classified activities,
capabilities or intentions at the tactical, operational and
strategic levels. In order to conduct an effective OPSEC
Program, all assigned personnel and contractors must understand
the concept of OPSEC and apply that knowledge and awareness in
their day-to-day performance of assigned tasks. Therefore, it
is essential that all military and civilian personnel receive
appropriate OPSEC training.
b. All MSC and contractor personnel will undergo OPSEC
training in accordance with references (a) through (d) and
enclosure (1).
c. OPSEC measures will be employed at all times to protect
Critical Information (CI). Enclosure (2) contains a list of
Critical Information that may require protection depending upon
the existing situation.
d. All MSC commands shall appoint in writing a designated
OPSEC Officer. For MSC Headquarters, the Current Operations
Officer (N31) performs this function.
5.
Process
a.
General
(1) OPSEC planning is accomplished through the use of
the OPSEC process. This process provides the information
required to write the OPSEC section of any plan or order. OPSEC
planning is done in close coordination with the overall Command
and Control Warfare (C2W) components.
(2) The OPSEC process consists of five distinct actions.
These actions are applied in a sequential manner during OPSEC
planning. In dynamic situations, however, individual actions
may be revisited at any time. New information about the
2
COMSCINST 3070.1B
17 March 2006
adversary’s intelligence collection capabilities, for instance,
would require new analysis of threats.
(3) An understanding of the following terms is required
before the process can be explained:
b. Critical information: Specific facts about friendly
intentions, capabilities and activities vitally needed by
adversaries for them to plan and act effectively to guarantee
failure or unacceptable consequences for friendly mission
accomplishment.
c. OPSEC indicators: Friendly detectable actions and opensource information that can be interpreted or pieced together by
an adversary to derive critical information.
d. OPSEC vulnerability: A condition in which friendly
actions provide OPSEC indications that may be obtained and
accurately evaluated by an adversary in time to provide a basis
for effective adversary decision making.
e.
The OPSEC Process
(1) OPSEC Action 1 - Identification of Critical
Information
(a) While assessing and comparing friendly versus
adversary capabilities during the planning process for a
specific operation or activity, the commander and staff seek to
identify the questions that they believe the adversary will ask
about friendly intentions, capabilities and activities. These
questions are the Essential Elements of Friendly Information
(EEFI). In an operation plan or order, the EEFI are listed in
Appendix 3 (Counter-intelligence) to Annex B (Intelligence).
(b) Critical information is a subset of EEFI. It is
only that information that is vitally needed by an adversary.
The identification of critical information is important in that
it focuses the remainder of the OPSEC process on protecting
vital information rather than attempting to protect all
classified or sensitive information.
(c) Critical information is listed in the OPSEC
portion of an operation plan or order.
3
COMSCINST 3070.1B
17 March 2006
(2) OPSEC Action 2 - Analysis of Threats
(a) This action involves the research and analysis
of intelligence information, counterintelligence, reports and
open source information to identify who the likely adversaries
are to the planned operation.
(b) The operations planners, working with the
intelligence and counterintelligence staffs and assisted by the
OPSEC program personnel, seek answers to the following
questions:
1. Who is the adversary? (Who has the intent
and capability to take action against the planned operation?)
2. What are the adversary’s goals?
the adversary want to accomplish?)
(What does
3. What is the adversary’s strategy for
opposing the planned operation? (What actions might the
adversary take?)
4. What critical information does the adversary
already know about the operation? (What information is it too
late to protect?)
5. What are the adversary’s intelligence
collection capabilities?
6. Detailed information about the adversary’s
intelligence collection capabilities can be obtained from the
command’s counterintelligence and intelligence organizations.
In addition to knowing about the adversary’s capabilities, it is
important to understand how the intelligence system processes
the information that it gathers.
(3) OPSEC Action 3 - Analysis of Vulnerability
(a) Vulnerability analysis identifies operation or
activity OPSEC vulnerabilities. It requires examining each
aspect of the planned operation to identify any OPSEC indicators
that could reveal critical information and then comparing those
indications with the adversary’s intelligence collection
capabilities identified in the previous action. A vulnerability
4
COMSCINST 3070.1B
17 March 2006
exists when the adversary is capable of collecting an OPSEC
indicator, correctly analyzing it and then taking timely action.
(b) Continuing to work with the intelligence and
counterintelligence staffs, the operations planners seek answers
to the following questions:
1. What indicators (friendly actions and open
source information) of critical information not known to the
adversary will be created by the friendly activities that will
result from the planned operation?
2.
What indicators can the adversary actually
collect?
3. What indicators will the adversary be able
to use to the disadvantage of friendly forces? (Can the
adversary analyze the information, make a decision and take
appropriate action in time to interfere with the planned
operation?)
(4) OPSEC Action 4 - Assessment of Risk
(a) Assessing risk has two components. First,
planners analyze the OPSEC vulnerabilities identified in the
previous action and identify possible OPSEC measures for each
vulnerability. Second, specific OPSEC measures are selected for
execution based upon a risk assessment done by the commander and
staff.
(b) OPSEC measures reduce the probability of the
adversary either collecting the indicators or being able to
correctly analyze their meaning.
(c) OPSEC measures can be used to:
1.
Prevent the adversary from detecting an
2.
Provide an alternative analysis of an
3.
Attack the adversary’s collection system.
indicator.
indicator.
5
COMSCINST 3070.1B
17 March 2006
(c) OPSEC measures include, among other actions,
cover, concealment, camouflage, deception, intentional
deviations from normal patterns and direct strikes against the
adversary’s intelligence system.
(d) More than one measure may be identified for each
vulnerability. Conversely, a single measure may be used for
more than one vulnerability. The most desirable OPSEC measures
are those that combine the highest possible protection with the
least impact on operational effectiveness.
(e) Risk assessment requires comparing the estimated
cost associated with implementing each possible OPSEC measure to
the potential harmful effects on mission accomplishment
resulting from an adversary’s exploitation of a particular
vulnerability.
(f) OPSEC measures usually entail some cost in time,
resources, personnel or interference with normal operations. If
the cost to mission effectiveness exceeds the harm that an
adversary could inflict, then the application of the measure is
inappropriate. The decision not to implement a particular OPSEC
measure requires command involvement to evaluate level of risk.
(g) Typical questions that might be asked when
making this analysis include:
1. What risk to effectiveness is likely to
occur if a particular OPSEC measure is implemented?
2. What risk to mission success is likely to
occur if an OPSEC measure is not implemented?
3. What risk to mission success is likely if an
OPSEC measure fails to be effective?
(h) The interaction between OPSEC measures must be
analyzed. In some situations, certain OPSEC measures may
actually create indicators of critical information. For
example, the camouflaging of previously unprotected facilities
could be an indicator of preparations for military actions.
(i) The selection of measures must be coordinated
with the other components of C2W. Actions such as jamming of
6
COMSCINST 3070.1B
17 March 2006
intelligence nets or the physical destruction of critical
intelligence centers can be used as OPSEC measures. Conversely,
deception and Psychological Operations (PSYOP) plans may require
that OPSEC measures not be applied to certain indicators in
order to protect a certain message to the adversary.
(5) OPSEC Action 5 - Application of Appropriate OPSEC
Measures
(a) In this step, the command implements the OPSEC
measures selected in Step 4 or, in the case of planned future
operations and activities, includes the measures in specific
OPSEC plans.
(b) During the execution of OPSEC measures, the
reaction of adversaries to the measures is monitored to
determine measure effectiveness and provide feedback. Planners
use that feedback to adjust ongoing activities and for future
OPSEC planning. Provisions for feedback must be coordinated
with the command’s intelligence and counterintelligence staffs
to ensure the requirements to support OPSEC receive the
appropriate priority. In addition to intelligence sources
providing feedback, OPSEC surveys can provide useful information
relating to the success of OPSEC measures.
6.
Responsibilities
a.
MSC commands will:
(1) Appoint an OPSEC Officer from their Operations
Directorate.
(2) Conduct annual OPSEC plan reviews utilizing
enclosure (4) as a guide.
(3) Incorporate OPSEC into all operations and
operational planning activities.
(4) Provide OPSEC training to all personnel.
(5) Provide copies of local OPSEC Instructions/Plans to
COMSC (N31).
b.
MSC Sealift Logistics Commands (SEALOG Areas) will:
7
COMSCINST 3070.1B
17 March 2006
(1) Support OPSEC programs of their Unified Commanders.
(2) Provide guidance to subordinate MSC units on OPSEC
considerations during training evolutions that use methods,
equipment or tactics that require special consideration.
c. MSC Headquarters Program Managers/Functional
Directors/Special Assistants will:
(1) Appoint OPSEC Points of Contact (POC) and provide
their names to the Headquarters OPSEC officer.
7.
Action
a. Each MSC SEALOG (Area) Commander will establish an OPSEC
plan in accordance with reference (a) through (d) and as
outlined in enclosure (4). A copy of plans will be provided to
COMSC N31.
b. In order to prevent duplication of effort, MSC SEALOG
Area incorporation into the OPSEC plans of local commanders
(e.g. Fleet X3) meets the requirements of this instruction.
c. The COMSC Contracting Officer, MSFSC Contracting Officer
and MSC SEALOG (Area) Contracting Officers will ensure OPSEC
requirements are stated in requests for proposals (RFPs) and
classified contracts in accordance with reference (d). The
development and submission to the Contracting Officer of OPSEC
requirements for inclusion in RFPs/contracts is the
responsibility of the code originating the contractual
requirement. Enclosure (1) discusses OPSEC measures required of
DoD contractors.
d. The COMSC Comptroller will program funds, as necessary,
for the conduct of formal OPSEC surveys of MSC commands and
operations.
e. COMSC and MSC SEALOG (Areas) will conduct periodic OPSEC
surveys of subordinate units, ashore and afloat.
f. All newly assigned/employed military/civilian personnel
will receive an OPSEC orientation briefing conducted by the
appropriate MSC Security officer (MSCHQ/ SEALOG Area Command)
within 60 days after reporting to duty at MSC.
8
COMSCINST 3070.1B
17 March 2006
g. All MSC personnel are required to complete annual OPSEC
orientation/ familiarization in accordance with this
instruction. The OPSEC Officer will provide/ arrange this
training.
h. MSFSC, SEALOG (Areas), Commanding Officers, Officers in
Charge and Headquarters Program Managers/Functional
Directors/Special Assistants will ensure compliance with the
provisions of this instruction.
//S//
D. L. BREWER III
Distribution:
COMSCINST 5215.5
List I (Case A, B, C)
SNDL 41B
(MSC SEALOG(Areas))
41C
(NFAF East/West)
41D
(MSC Offices)
41E
(APMC)
41J
(OICMILDEPTs)
41K
(APSRON FOUR)
41L
(COMPSRONs)
41M
(MSC TAGOS Project Office & Det)
T-100 (Masters, civil service manned ships)
T-102 (Masters & Operators, Fast Sealift Ships)
T-103 (Masters & Operators, TAGOS)
T-104 (Masters & Operators, MPS)
T-105 (Masters & Operators, LMSRs)
T-106 (Masters & Operators, Prepo Ships)
COMSFSC
MSC Reserve Units
MSC Reps
All MSC Chartered Ships
9
COMSCINST 3070.1B
17 March 2006
This page intentionally left blank
10
COMSCINST 3070.1B
17 March 2006
OPERATIONS SECURITY GUIDANCE FOR CONTRACTORS
1.
OPSEC measures are required of contractors when:
a.
Administrative, technical and physical actions they
may execute incident to a classified contract may result in
indicators in open sources of information and detectable
activities, and
b.
Foreign intelligence collection against those open
sources of information and detectable activities may result in
foreign countries obtaining indicators that permit them to
derive classified information.
c.
The existence of the above situation must be
determined prior to issuance of requests for proposals (RFPs) or
contracts. To accomplish this, an OPSEC estimate will be
prepared (by the requestor with the assistance of that
organization’s OPSEC Officer) when a requirement to issue an RFP
or contract involving classified information is identified, with
the exception of contracts that are limited to classified
materials, such as:
(1) Contracts to process or evaluate information and
produce classified documents, pictures, computer programs,
training materials and other similar matters.
(2)
Contracts for classified consultant services.
(3) Contracts for library or ADP services related to
classified materials.
(4)
Contracts for printing classified documents.
d.
Care must be taken not to confuse requirements for
OPSEC measures with requirements for information, physical,
communications or personnel security contained in reference (c).
Industrial Security Manual measures are automatically required
of all contractors executing classified contracts.
e.
A contract effort that requires the use of OPSEC
measures may result in classification requirements additional to
those of other contracts. These additional requirements may
include such things as:
(1) Indications of when and where activities will
occur (such as tests) that can be targeted by foreign
Enclosure (1)
COMSCINST 3070.1B
17 March 2006
intelligence to obtain indicators that must be protected
(collection opportunities).
(2) The duration of a contract and indications of
results (such as in ads, status reports and brochures).
f.
The existence of a contract, services involved and
what is being developed in U.S. press releases, stock
prospective, etc.
g.
Pictures indicating classified design features or
approaches.
h.
The lettering of contracts and identity of subcontractors.
2.
To ensure uniformity in the way OPSEC requirements are
presented to industry, the following guidance shall be followed:
a.
Guidance will be appended to basic RFPs or contracts
and labeled: “OPSEC Requirements.”
b.
OPSEC guidance will include:
(1)
activities.
Critical Information pertinent to contractual
(2) Essential secrecy to be maintained and statement
of harm if adversaries derive accurate estimates.
c.
Specific OPSEC measures:
(1) Controls over administrative actions in addition
to those in the Industrial Security Manual to keep indicators
from appearing in open sources of information.
(2) Controls over technical and physical actions, in
addition to encryption and TEMPEST (electronic security measures
program), to keep indicators from appearing in detectable
activities, such as electromagnetic or acoustic emissions and
observable physical matters.
(3) Covers or other deceptive methods to explain
indicators that result from actions necessary to execute
contracts.
(4)
Countermeasures against collection systems.
Enclosure (1)
2
COMSCINST 3070.1B
17 March 2006
d.
Requirements for an OPSEC plan for activities that
will occur at contractor owned facilities.
e.
Requirements for coordinated DON-contractor OPSEC
planning for activities that will occur at DON or other DOD
facilities, indicating who is responsible for preparing plans.
f.
Support for DON in providing upon request, help to
contractors preparing OPSEC plans and executing OPSEC measures,
including multi-disciplinary counterintelligence threat
information and OPSEC survey support.
g.
Specific OPSEC measures Defense Investigative Service
should examine during periodic security investigations. The
project security officer will inspect all contracts for
contractor compliance.
3.
Contractors shall provide all cleared employees with
security training and briefings commensurate with their
involvement with classified information.
a.
Contractors may obtain defensive security, threat
awareness and other education and training information and
material from the appropriate MSC Security Officer or other DoD
sources.
b.
Prior to being granted access to classified
information, an employee shall receive an initial security
briefing that includes the following:
(1)
A threat awareness briefing;
(2)
A defensive security briefing;
(3)
An overview of the security classification
(4)
Employee reporting obligations and requirements;
system;
(5) Security procedures and duties applicable to the
employee’s job.
c.
The contractor shall conduct periodic refresher
briefings for all cleared employees. As a minimum, the
refresher briefing shall reinforce the information provided
during the initial briefing and inform employees of appropriate
changes in security regulations. The use of audio/video
Enclosure (1)
3
COMSCINST 3070.1B
17 March 2006
materials and issuance of written materials on a regular basis
may satisfy this requirement.
d.
Contractors shall debrief cleared employees at the
time of termination of employment (discharge, resignation or
retirement) or when an employee’s security clearance is
terminated, suspended or revoked.
Enclosure (1)
4
COMSCINST 3070.1B
17 March 2006
CRITICAL INFORMATION
1.
The following list of Critical Information (CI) is provided
as a guideline in the development of specific Critical
Information for a given operational activity. This list is not
all inclusive and should be changed and updated whenever
necessary.
a.
Information which reveals the specific capabilities or
operational readiness of MSC Force ships.
b.
Information which reveals a weakness of a specific
ship, activity, etc., which could represent a compromise of the
ship or activity mission.
c.
Information regarding scheduling and routing of ships.
d.
Information that reveals manifest data or
loading/discharge ports.
e.
Information that reveals security weakness within MSC
or organizational activities.
f.
Information that reveals security classification of
various projects, operation or exercises.
g.
Associations of a particular cover name or nickname
with a classified project, operation or exercise.
h.
Information which reveals special requirements for
specific duty which could indicate deployment location or
mission, such as:
(1)
Special immunization requirements;
(2)
Specific language requirements;
(3)
Other than routine security procedures;
(4)
Additional survival or mobility training;
(5) Special passport, visa and other foreign
clearance requirements; and
(6)
Special or civilian clothing requirements.
Enclosure (2)
COMSCINST 3070.1B
17 March 2006
i.
Information, which reveals a special ship operation.
j.
Effectiveness of MSC Command and Control Information
System under stress; its vulnerabilities to countermeasures.
k.
MSC Command and Control Information System interfaces
with other commands and its effectiveness.
l.
MSC Force size.
m.
MSC Force ships' ability to support U.S. Navy theater
commanders during crisis/ hostilities.
2.
The Critical Information should be used for the following
purposes:
a.
To assist in assigning the proper classification to
specific items and to provide guidelines for downgrading when
appropriate.
b.
For guidance to staff agencies responsible for
document, communications, electronic and physical security in
their respective areas and for protecting mission sensitive
data.
c.
By OPSEC officers to analyze the significance of each
planned action and activity in the operational, intelligence,
administrative, logistics, communications and maintenance areas.
Enclosure (2)
2
COMSCINST 3070.1B
17 March 2006
The Sequential Operations Security
(OPSEC) Process
Identify
Critical
Information
• Compare friendly
versus adversary
capabilities during the
planning process for a
specific operation or
activity.
• Identify the questions
that they believe the
adversary will ask about
friendly intentions,
capabilities and
activities.
Analyze
threats
• Research and analyze
intelligence information,
counterintelligence, reports
and open source information
to identify the likely
adversaries to the planned
operation.
• Who is the adversary?
• What are the adversary’s
goals?
• What is the adversary’s
strategy for opposing the
planned operation?
• What critical information
does the adversary already
know about the operation?
• What are the adversary’s
intelligence collection
capabilities?
Analyze
Areas of
Vulnerability
Assess
Risk
• Identify operation or
activity OPSEC
vulnerabilities.
• Examine each aspect
of the planned operation
to identify any OPSEC
indicators that could
reveal critical
information
• Compare OPSEC
indicators with the
adversary’s intelligence
collection capabilities.
• Analyze the OPSEC vulnerabilities
• Identify possible OPSEC measures for
each vulnerability
• Select specific OPSEC measures based
upon a risk assessment done by the
commander and staff.
Does
Vulnerability
Exist?
No
• Vulnerability exists when the adversary is
capable of collecting an OPSEC indicator,
correctly analyzing it and then taking timely
action.
• What indicators (friendly actions and open
source information) of critical information
not known to the adversary will be created by
the friendly activities that will result from the
planned operation?
• What indicators can the adversary actually
collect?
• What indicators will the adversary be able
to use to the disadvantage of friendly forces?
Yes
Apply
Appropriate
OPSEC
Measures
• Implement the OPSEC
measures selected in
Step 4
Enclosure (3)
COMSCINST 3070.1B
17 March 2006
This page intentionally left blank
Enclosure (3)
2
COMSCINST 3070.1B
17 March 2006
OPSEC Self-Survey Checklist
1.
Has a command or staff OPSEC officer been appointed in
writing?
a.
Is the appointee from the command Plans or Operations
department? With PRD greater then 6 months or relief identified
under training?
b.
Are visual aids identifying the OPSEC officer and
department representatives prominently displayed throughout the
command?
c.
Are the command or staff agency OPSEC officer and
department representatives aware of their responsibilities?
d.
Does the OPSEC officer attend and address OPSEC
matters at command security awareness and education meetings?
e.
Has the command OPSEC officer attended or requested to
attend the FCTCLANT/PAC OPSEC course or IOSS Program Managers’
Course?
2.
Has the OPSEC officer established a continuity folder?
a.
Are current editions of all instructions, pamphlets,
and directives (DOD 5205.2, JCS Pub 3-54, OPNAVINST 3432.1,
OPNAVINST 3430.26) being maintained in support of the OPSEC
program?
b.
Does the command have local directives which define
command OPSEC program requirements, responsibilities, and
procedures?
3.
Does the commander actively advocate, support, and
implement OPSEC options in support of the operational mission
and exercises?
a.
Has the Commanding Officer signed an OPSEC policy
letter supporting the program?
b.
Is the command Critical Information (CI) reviewed and
approved by the Commanding Officer?
c.
Is the command Critical Information displayed near
unclass communication systems?
Enclosure (4)
COMSCINST 3070.1B
17 March 2006
4.
Does the command OPSEC program promote active participation
and involvement of all personnel?
a.
command?
Are OPSEC posters prominently displayed throughout the
b.
Are all avenues of media being utilized to promote
OPSEC? (Internal LAN, site TV, POD, etc.)
c.
members?
Are OPSEC education materials reaching all command
d.
Is the command CI list tailored to each functional
activity?
(1)
Is the CI list specific, realistic, and current?
(2) Are command or functional area CI lists easily
accessible to command members?
(3) Are command members familiar with command or
functional area CI?
(4) Is the CI list unclassified to allow for maximum
dissemination?
5.
Does the command OPSEC program include provisions for
reviewing plans, operations orders (OPORD), and exercise
scenarios?
a.
Is current (less then 12 months) potential adversary
threat data maintained and considered in plans and exercises?
b.
Do command instructions, plans, doctrine or OPORDS,
contain, as a minimum, the purpose and current definition of
OPSEC, OPSEC Threat, and CI?
6.
Are the interrelationships of OPSEC, communications
security (COMSEC), computer security (COMPUSEC), physical
security, and information security programs clearly understood
by the OPSEC officer?
7.
Has the command OPSEC officer coordinated with other
command security managers (e.g., COM-SEC, Information Security,
COMPUSEC), to incorporate OPSEC concepts and lessons learned
into security training sessions? Has the OPSEC officer also
coordinated with command Supply and PAO?
Enclosure (4)
2
COMSCINST 3070.1B
17 March 2006
8.
Has the command OPSEC officer established and maintained
liaison with the staff or higher headquarters OPSEC Program
Manager?
9.
Is OPSEC training related to the command mission, tailored
to individual duties and responsibilities, and presented to
newly assigned personnel within 60 days after arrival for duty?
10.
Does command OPSEC training contain the following:
a.
The OPSEC methodology?
b.
Duty related mission critical information and OPSEC
indicators?
c.
Foreign intelligence threat to the unit mission?
d.
Individual responsibilities?
11. Has the OPSEC officer reviewed command OPSEC
plan/instruction annually, and if required submitted an annual
OPSEC Status Report to their respective staff?
12. Has an OPSEC survey or appraisal been conducted? (min once
every 2 years)
a.
If yes:
(1)
When?
(2)
Are the results easily accessible?
(3) Have results been addressed through unit
awareness programs?
(4) Has unit mission or CI changed significantly to
warrant a new survey?
b.
If yes, has one been scheduled or requested?
13. Have actions been taken to act on recommendations or to
correct weaknesses and deficiencies noted in the OPSEC survey?
14. Are all OPSEC recurring publications (e.g., the OPSEC
update, COMSEC quarterly analyses, etc.) reviewed for OPSEC
lessons learned?
Enclosure (4)
3
COMSCINST 3070.1B
17 March 2006
15. Do official and unofficial feedback publications such as
command newsletters and web sites contain sensitive or
classified information? If so, are they protected?
16.
Who reviews them for OPSEC compliance?
17. Has a WEB Risk Assessment been conducted on command’s WEB
site? If yes when?
18. Do indexes for directives and operating instructions reveal
sensitive operations or functions?
19. Do unclassified computer products disclose sensitive
mission activity?
20. Is the OPSEC officer on distribution for telecommunications
monitoring (JCMA) reports involving their command?
Enclosure (4)
4