OPSEC for DoD Contractors - PowerPoint PPT Presentation

Slides: 33
Provided by: wayne125

Transcript and Presenter's Notes

Title: OPSEC for DoD Contractors


1
Checking the OPSEC Box on DD-254! Now What??
Mr. Charles E. "Rick" Estberg, National Security Agency
2
(No Transcript)
3
  • FOUR FRIGHTENING SCENARIOS
  • Vivid imagination?
  • Or tomorrow's headlines

4
  • "Using public sources openly and without
    resorting to illegal means, it is possible to
    gather at least 80% of information about the
    enemy."
  • -- from an Al-Qaeda terrorist training manual

5
  • OPERATIONS SECURITY
  • An analytic, systematic process to identify and
    then control mission-critical information so
    that adversaries cannot exploit it to their gain
    and your loss

6
OPSEC
Public Affairs
Emanations
Acquisition
Operations
COMPUSEC
Personnel
COMSEC
Logistics
Physical
7
  • THE OPSEC PROCESS
  • Analytic, systematic process

8
  • THE OPSEC PROCESS
  • Analytic, systematic process
  • Identify, control mission-critical info

9
  • THE OPSEC PROCESS
  • Analytic, systematic process
  • Identify, control mission-critical info
  • Who is the adversary?

10
  • THE OPSEC PROCESS
  • Analytic, systematic process
  • Identify, control mission-critical info
  • Who is the adversary?
  • What are my vulnerabilities?

11
  • INTELLIGENCE COLLECTION
  • SIGINT
  • COMINT
  • ELINT
  • HUMINT
  • IMINT
  • OSINT

12
  • PROCEDURES & POLICIES
  • Classification
  • Document control & disposal
  • Public release
  • Modes of communication
  • Office access
  • Information sharing

13
  • THE OPSEC PROCESS
  • Analytic, systematic process
  • Identify, control mission-critical info
  • Who is the adversary?
  • What are my vulnerabilities?
  • Risk/cost-benefit analysis - what is the
    impact?

14
  • THE OPSEC PROCESS
  • Analytic, systematic process
  • Identify, control mission-critical info
  • Who is the adversary?
  • What are my vulnerabilities?
  • Risk assessment/cost-benefit analysis
  • Identify/implement counter-measures

15
Corporate OPSEC
  • Voluntary OPSEC Program
  • Program developed for the wellbeing of the
    company
  • DoD OPSEC Requirements
  • Based on a contract

16
Voluntary OPSEC Program
  • Not specifically required by contract
  • Supports the company by preventing:
    • Loss of proprietary technology
    • Disclosure of marketing plans
    • Hostile actions by competitors / adversaries
    • Legal liability related to:
      • Export law violations
      • Employees' personal information
      • Other

17
IDENTITY THEFT
70% begin with information stolen in a workplace
Study conducted by Michigan State University
18
Why a Voluntary OPSEC Plan?
  • Silicon Valley: At least 20 foreign nations have
    tried to steal U.S. trade secrets in the past
    five years.
    -- SAC, FBI Palo Alto Office
  • Fortune 1,000 companies lost $59 Billion in 2001
    in theft of trade secrets.
    -- Price Waterhouse Coopers & U.S. Chamber of Commerce
  • Over 3000 companies in the U.S. are controlled by
    China's Secret Intelligence Service.
    -- FBI Source to Gordon Thomas

19
Structure of a Voluntary Program
  • 5 step OPSEC Process
  • Critical Information > Threat > Vulnerability >
    Risk > Countermeasures
  • Overarching OPSEC Program for the company or
    corporation.
  • Subordinate plan for each:
    • Business unit
    • Operating location
    • Project, Program, Contract, etc.

20
DoD OPSEC Requirements
  • DoD Operations Security Program Directive (DoD
    Directive 5205.2)
  • Applies to DoD contracts when heads of components
    or their representatives determine in writing
    that OPSEC measures are necessary in a contract.
  • Also applies to SAPs
  • Assigns specific responsibilities to DSS
  • DoD representative at the IOSS

21
DoD OPSEC Requirements
  • DoD OPSEC Security Program Directive (DoD
    Directive 5205.2)
  • Industrial Security Regulation (5200.22R)
    (existing draft)
  • Includes guidance on including OPSEC in
    contracts
  • DSS inspection of OPSEC
  • Based on OPSEC plan approved by UA (GCA)

22
When DoD Requires OPSEC
  • Specific requirements in contract
  • Protection of unclassified indicators that
    may reveal classified information
  • Additional security costs are addressed in
    the contract
  • Requirement noted on DD form 254

23
When DoD Requires OPSEC
  • Specific requirements in contract
  • So contractors can comply ... and
  • So contractors can charge costs to the specific
    contract.

24
When DoD Requires OPSEC
  • Specific requirements in contract
  • In statement of work (SOW)
  • Detailed guidance must be in program protection
    plan (PPP), solicitations, contracts,
    subcontracts
  • GCA may provide UA approved OPSEC plans and
    requirements
  • What needs to be protected?
  • How?

25
When DoD Requires OPSEC
  • Requirement noted on DD form 254
  • Check mark on item 11j
  • Remark in item 14 referring to contract
  • Details are in the contract

26
When DoD Requires OPSEC
  • Protection of unclassified indicators that
    may reveal classified information
  • DoD OPSEC requirements are not intended to
    protect unclassified technology from public
    disclosure (!)

27
The Role of DSS
  • Ensures contractor compliance with OPSEC
    requirements during security reviews (based on UA
    approved OPSEC plan)
  • Requests assistance from UA when needed
  • Coordinates with UA in OPSEC surveys

28
The Role of the IOSS
  • Three missions
  • Awareness / Customer Outreach
  • Training
  • Program Development
  • Collaboration with FBI / ANSIR
  • Collaboration with the DAU

29
Interagency OPSEC Support Staff
Greenbelt, Maryland
30
(No Transcript)
31
  • OPSEC TRAINING COURSES
  • OPSEC FUNDAMENTALS CBT (4 hrs)
  • WEB CONTENT VULNERABILITIES (2 days)
  • OPSEC ANALYSIS (3 days)
  • PROGRAM MANAGERS COURSE (2 days)
  • OPSEC FOR PUBLIC SAFETY (3 days)
  • WEB RISK ASSESSMENT (2 days)
  • ADVANCED APPLICATIONS (5 days)

32
Interagency OPSEC Support Staff
6411 Ivy Lane, Suite 400, Greenbelt, MD 20770
www.ioss.gov
RICK ESTBERG (443) 479-4662 c.estber_at_radium.ncsc.mil
WAYNE LUND (443) 479-4640 w.lund_at_radium.ncsc.mil