Operations Security (OPSEC) Guide For Defense Contractors

Upload by : Raelyn Goode

Developed by: Security Office (Code 00SO), Naval Undersea Warfare Center Division Keyport, Keyport, WA 98345-7610

DISTRIBUTION STATEMENT A: Approved for public release; distribution is unlimited

Operations Security (OPSEC) Guide for Defense Contractors (1OCT2013)

REVISION HISTORY

Revision: N/A
Date: 10/1/2013
Summary of Changes: Original issue

TABLE OF CONTENTS

Revision History
Table of Contents
Purpose
Definitions
OPSEC Applicability
Section I: Contractor OPSEC requirements
Section II: OPSEC Training Requirements
Section III. Contractor Developed OPSEC Plans
Glossary
Terms
References
Resources

1. Purpose. This document provides Operations Security (OPSEC) guidance to Government Contractors, e.g., corporations and businesses and independent contractors awarded government work for Naval Undersea Warfare Center Division (NUWCDIVKPT) Keyport, Washington, and our detachments, other military facilities and installations, and aboard US Navy vessels and aircraft. Government Contractors are provided this guidance to ensure compliance and protection of National Security Information.

2. Definition. OPSEC is an analytical process to identify Critical Information (CI), identify threats to that CI and the related vulnerabilities and risks of exploitation to that CI, and identify, develop, and implement countermeasures to protect that CI. CI is specific facts about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment. CI includes those facts which, individually or in the aggregate, reveal sensitive details about US Government and/or NUWCDIVKPT or the contractor’s security or operations related to the support or performance of the Statement of Work (SOW)/Performance Work Statement (PWS), and thus require a level of protection from adversarial collection or exploitation not normally afforded to unclassified information. OPSEC supplements, but does not replace, traditional security practices such as Physical Security and Information Security. OPSEC is essential to ensure the initial and continued success of our mission, operations, systems, and procedures.

3. OPSEC Applicability. The NUWCDIVKPT OPSEC Program Manager has determined that additional safeguards are essential for specific contracts, and imposes OPSEC as a requirement in addition to the standard requirements for participation in the National Industrial Security Program Operating Manual (NISPOM). Contractors must adhere to the guidance stipulated in SECTIONS I and/or II or III below when Statements of Work specify OPSEC requirements during the performance of work. The Government has determined that OPSEC is required during the performance of this contract because:

a. The Contractor requires long or short-term physical access to NUWCDIVKPT, our facilities or vessels, aircraft or other government facilities, therefore the minimum OPSEC requirements specified in Section I apply. This includes but is not limited to:

(1) Contractor personnel who require intermittent or short-term access, such as construction, installation and repair crews, recurring visitors, some route delivery personnel, those attending multiple meetings, conducting inspections, onsite training, or requiring physical access to other government systems, sites, vessels and/or aircraft on behalf of NUWCDIV Keyport (Section I applies), and/or;

(2) Require continuous access, such as ALL embedded contractors, direct support personnel, maintenance and/or janitorial services and those viewing or participating in sensitive operations (Sections I and II apply), or;

(3) With direct or indirect access to Government CI; base logistics services, photography, recording, surveying, printing, graphics design, and/or reproduction services of government information or material (Section I and II apply), or;

b. The contract includes U.S. Government supplied material for production of sensitive unclassified material or components including: Tools, Technical Drawings and/or Technical Data, or; Military Critical Technologies List, and/or Dual-Use Technology items, including Commercial Off The Shelf (COTS) technology adapted for specific military applications. Applicable paragraphs of Section I and/or II apply where there is no specific OPSEC plan or requirements to develop one;

(1) The contractor shall follow all applicable security rules and regulations to protect its proprietary information and that of the government. Public release or release to third parties of government information provided is not authorized without government approval.

c. The contract is for production of items which may have an established OPSEC plan or; Program Protection Plans and/or; when a contract includes or develops Government Critical Information. Therefore, the minimum OPSEC requirements specified in Section III apply.

(1) OPSEC is usually required in system acquisition (e.g., weapon systems, electronic countermeasures, radio transmitters, active sensors, or low observable capabilities) or sensitive activities (such as intelligence operations or testing of foreign materials), particularly if such contracts involve special access.

(2) The contractor may use or produce U.S. Government Critical Information (CI) and/or Observables and Indicators which may lead to discovery of CI, in which case basic OPSEC awareness and measures should be implemented.

d. In cases where there is question as to the proper application of elements of this guide, the NUWCDIVKPT OPSEC Program Manager should be consulted. Deviation from this guidance is not authorized without approval. The NUWCDIVKPT OPSEC Program Manager can be reached at (360) 396-5345.

4. Cost Associated with OPSEC Requirements. Any cost associated with compliance with these requirements shall be included in the contractor’s response to the Invitation for Bids or Request For Proposal with the contractor’s other cost to provide the required supply or service. Costs may include, but are not limited to, Public Key or encryption software for email communications.

I. GENERAL CONTRACTOR OPSEC REQUIREMENTS

During the course of this contract, in addition to those restrictions, instructions and guidelines delineated in the contract Statement of Work, Contract Data Requirements List (CDRL), and/or other references provided, the contractor will adhere to the following minimum requirements in support of NUWCDIVKPT OPSEC Program:

a. Introduction of personnel electronic devices into government spaces, laptops, tablet PCs, cellular phones, cameras, recording devices, and data recording/storage devices is STRICTLY controlled and forbidden in most cases. Company issued equipment required for the performance of work must be approved by the NUWCDIVKPT and/or government Security Officer. Photography and recording is not allowed except for official use and by permit only. (Unless otherwise stipulated in the contract, contact the Installation Security Officer for approval.) Photographs will be reviewed by Security to ensure sensitive and/or classified information is not revealed.

b. Contractor personnel shall not discuss government operations in public or over unprotected or unencrypted communications. Official Business, controlled unclassified information may only be transmitted as directed in the SOW/PWS.

c. The Contractor shall not post to company websites, publications, newsletters or other media any images, data or information that reveal sensitive government operations, personnel, equipment, and/or classified or controlled unclassified information; refer to paragraph (d) below. When in doubt, company press releases related to this contract should be coordinated through the Contracting Officer Representative (COR) or Technical Point of Contact, as applicable.

d. Because observation of events, operations, physical changes, etc. may reveal National Security information, specific restrictions are needed to preclude unintentional release of this information to unauthorized parties. (Unauthorized disclosure and transfer of National Security Information is punishable under 18 USC § 793.) Therefore, contractor personnel shall not disclose to unauthorized third parties, post to unofficial sites (including Social Networking sites) any images, data or information, or observed events that reveal sensitive government operations, personnel, equipment, including, but not limited to:

(1) Tactics, techniques and procedures, production or work schedules, any visible or concealed modifications, upgrades, additions to vessels, aircraft, or weapons or equipment; increases, change, or decreases in work/deployment frequency or government personnel, vehicle, vessel or aircraft movements; specialized equipment orders, deliveries, shipments, etc. Unauthorized disclosures and attempts to solicit this type of information by unauthorized third parties or others not affiliated with this contract shall be reported to the NUWCDIVKPT and/or installation Security Office, contract point of contact, and your company Facility Security Officer and/or the Defense Security Service. Non-Disclosure requirements remain in effect during the duration of this contract and indefinitely thereafter.

e. Government issued badges, identification shall be removed and/or concealed from plain sight when off station and shall not be left in vehicles or unprotected. Badges and passes may not be duplicated or copied or loaned to others. Lost or stolen identification badges, vehicle passes etc. will be immediately reported to the NUWCDIVKPT and/or installation Security Office.

f. Practice OPSEC and implement countermeasures to protect CI and other sensitive unclassified information and execution of military operations performed or supported by the contractor in support of the mission. Protection of CI will include the adherence to and execution of countermeasures which the contractor initiates or as provided by NUWCDIVKPT, for CI on or related to the SOW/PWS.

g. It is strongly recommended the contractor mark and protect related internal production schedules, deliverables, inventories and shortages and identified vulnerabilities related to production of government material. Internal company markings, e.g., Business Sensitive, etc., are appropriate for identifying the aforementioned as sensitive information. Specific Government-provided information, drawings etc., will be protected in accordance with guidance in applicable paragraphs of the SOW/PWS and clauses included in the solicitation/contract.

h. All government information must be destroyed at contract termination or returned to the government at the government’s discretion.

i. Permanent Onsite Contractors: Where a contract includes permanent/embedded contract personnel at NUWCDIVKPT facilities, these additional requirements apply:

(1) Assign an OPSEC Point of Contact for this contract (this may be the Facility Security Officer or company security manager or site manager).

(2) OPSEC Awareness Education and Training will be provided or coordinated through government channels (NUWCDIVKPT OPSEC Program, IOSS, etc.) as an expense within the Cost Management Process when developing a project bid. All personnel supporting the contract will receive initial OPSEC awareness training and annual OPSEC Refresher training. Contact the NUWCDIVKPT Operations Security Officer to assist in this requirement.

(3) CI listed below and that listed in the NUWCDIVKPT Command Critical Information List (CIL) or additional information identified by NUWCDIVKPT or the contract COR will be marked and handled appropriately as FOR OFFICIAL USE ONLY (FOUO) or other required marking in accordance with guidance in applicable paragraphs of the SOW/PWS and solicitation/contract clauses. Government CI includes but is not limited to: known or probable vulnerabilities to any U.S. system and their direct support systems, details of information about military operations, unit, vessel, aircraft movements/arrivals, missions and exercises, etc.

(4) An applicable list of NUWCDIVKPT CI will be provided to the contractor site manager (if assigned) by the Keyport OPSEC Officer upon award of the contract. Questions regarding Critical Information shall be directed toward the NUWCDIVKPT OPSEC Program Manager.

(5) OPSEC requirements are additional to the requirements of the NISPOM.

II. OPSEC Training Requirements.

Where a contract requires long term access to NUWCDIVKPT facilities or other government facilities, such as embedded contractors or participates in our operations, they must follow the provisions of the NUWCDIVKPT OPSEC Instruction, to include training and awareness.

a. Initial training may be provided by computer-based training, live training or a combination of both.

b. OPSEC training is required initially within 30 days of assignment and annually thereafter.

c. The contractor is required to maintain individual training records for compliance purposes.

III. Contractor Developed OPSEC Plans.

When a Contractor developed OPSEC Plan is required, the SOW/PWS and/or CDRL will include specific contract language and Data Item Descriptor D-MGMT-80934B (Operations Security Plan) will be provided as part of the contract. The Data Item Descriptor provides specific guidance for developing an OPSEC Plan and will be tailored to include only that information that is necessary to ensure CI is adequately protected. The OPSEC plan must include a program for internal OPSEC training of all employees working on the project.

a. Specific guidance is provided in the solicitation/contract, i.e. “Operations Security Plan Requirements.” OPSEC plan requirements must be included for any and all subcontractors. A copy of subcontractor OPSEC plans must accompany the subcontractor DD254s (if applicable) provided to the NUWCDIVKPT Security Officer.

b. Compliance with security requirements imposed by documents generated in response to DoD 5200.39, Critical Program Information (CPI) Protection within the Department of Defense Jul 16, 07, is required. Compliance with OPSEC measures identified in the existing OPSEC Plan for this program is required. The plan will be provided by the NUWCDIVKPT program manager or representative or the NUWCDIVKPT OPSEC Officer.

c. When an OPSEC plan from the contractor is required, the Contracting Officer or COR/Technical Point of Contact is responsible for obtaining and submitting the contractor’s existing or proposed plan to the OPSEC Officer for review. A contract award DD254 will not be endorsed or issued by the Security Office until the NUWCDIVKPT OPSEC Officer has approved the contractor’s OPSEC plan.

d. If the company has an existing OPSEC Plan, awareness, education, training, and planning processes in place to protect corporate information, these should be applied pending government acceptance rather than creating a new program.

e. OPSEC Awareness Education and Training will be provided or coordinated through government channels (NUWCDIVKPT OPSEC Program, IOSS, etc.) as a contractor expense within the Cost Management Process when developing a project bid. All personnel supporting the contract will receive initial OPSEC awareness training and Annual OPSEC Refresher training; contact the NUWCDIVKPT Operations Security Officer to assist in this requirement.

f. Program OPSEC plans shall be coordinated with and approved by NUWCDIVKPT as specified in the CDRL. Program protection measures shall be applied and approved by NUWCDIVKPT at ALL locations where CI is developed, produced, analyzed, maintained, transported, stored, tested, or used in training.

g. The contractor should request guidance from the Contracting Officer or COR/Technical Point of Contact on any specific predetermined OPSEC CI associated with the contract during the preparation of OPSEC plans or any associated OPSEC plans that directly relate to the information provided by the government. OPSEC protective measures will be applied as directed by the government and program managers. While performing on a government site, the contractor shall comply with the OPSEC guidance or plans specific to that location or program supported.

GLOSSARY

CI - Critical Information
CIL - Critical Information List
CNIC - Chief of Naval Installations Command
CNO - Chief of Naval Operations
COMINT - Communications Intelligence
COMSEC - Communications Security
COMPUSEC - Computer Security
COR - Contracting Officer’s Representative
CPI - Critical Program Information
CUI - Controlled Unclassified Information
DoD - Department of Defense
DoN - Department of the Navy
DSS - Defense Security Service
EAA - Export Administration Act
EAR - Export Administration Regulations
EEFI - Essential Elements of Friendly Information
ELINT - Electronic Intelligence
EW - Electronic Warfare
FIS - Foreign Intelligence Service
FOIA - Freedom of Information Act
FOUO - For Official Use Only
FPCON - Force Protection Condition
GCA - Government Contracting Activity
HUMINT - Human Intelligence
IMINT - Imagery Intelligence
IA - Information Assurance
INFOSEC - Information Security
IO - Information Operations
IOSS - Interagency OPSEC Support Staff (A division of the National Security Agency)
ITAR - International Traffic in Arms Regulations
MASINT - Measurement and Signatures Intelligence
MILDEC - Military Deception
NAVSEA - Naval Sea Systems Command
NBK - Naval Base Kitsap
NCIS - Naval Criminal Investigative Service
NIPRNet - Non-classified Internet Protocol (IP) Router Network
NISPOM - National Industrial Security Program Operating Manual (DoDINST 5220.22M)
NNPI - Navy Nuclear Propulsion Information
NOFORN - Not Releasable to Foreign Nationals/Governments/Non-US Citizens
NOTAM - Notice to airmen (Also: Notice to Mariners)
NUWC - Naval Undersea Warfare Center
NUWCDIVKPT - Naval Undersea Warfare Center Division Keyport
OPSEC - Operations Security
OSINT - Open-Source Intelligence
PAO - Public Affairs Office/Public Affairs Officer
PEO - Program Executive Officer
PII - Personally Identifiable Information (Privacy Act Information)
PKI - Public Key Infrastructure
PMO - Program Management Office
POC - Point of Contact
PPP - Program Protection Plans
R&D - Research and Development
RDT&E - Research, Development, Test, and Evaluation
SAP - Special Access Program
SBIR - Small Business Innovative Research
SCG - Security Classification Guide
SCI - Sensitive Compartmented Information
SIGINT - Signals Intell
