DEPARTMENT OF THE AIR FORCE UNITED STATES AIR FORCE WASHINGTON DC 20330

Transcription

1 DEPARTMENT OF THE AIR FORCE UNITED STATES AIR FORCE WASHINGTON DC MEMORANDUM FOR DISTRIBUTION C MAJCOMs/FOAs/DRUs AFI10-701_AFGM JULY 2017 FROM: HQ USAF/A Air Force Pentagon Washington DC SUBJECT: Air Force Guidance Memorandum to AFI , Operations Security (OPSEC) By Order of the Secretary of the Air Force, this Air Force Guidance Memorandum immediately changes AFI , Operations Security (OPSEC), 8 June Compliance with this Memorandum is mandatory. To the extent, its directions are inconsistent with other Air Force (AF) publications; the information herein prevails, in accordance with AFI , Publications and Forms Management. This Memorandum becomes void after one year has elapsed from the date of this Memorandum, or upon incorporation by interim change to, or rewrite of AFI , Operations Security (OPSEC), whichever is earlier. MARK C. NOWLAND Lieutenant General, USAF Deputy Chief of Staff, Operations Attachment: AFI10-701_AFGM Title of Attachment: Operations Security (OPSEC)

2 ATTACHMENT AFI10-701_AFGM Operations OPERATIONS SECURITY (OPSEC) COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-publishing website at: for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication. OPR: AF/A3TY Certified by: AF/A3T (Maj Gen Scott F. Smith) Supersedes: AFI , 8 June 2011 Pages: 58 This publication implements Air Force Policy Directive (AFPD) 10-7, Air Force Information Operations. The reporting requirements in this publication have been assigned Report Control Symbol (RCS) DD-INTEL (A) 2228 in accordance with Department of Defense Directive (DoDD) E, DoD Operations Security (OPSEC) Program, and DoD Manual (DoDM) M, DoD Operations Security (OPSEC) Program Manual. It applies to all Department of the Air Force (AF) civilians (DAFC), contractor, Regular Air Force (REGAF) personnel, AF Academy and Reserve Officer Training Corps, the Air Force Reserves (AFRC) and the Air National Guard (ANG), except where noted otherwise. This Air Force Instruction (AFI) may be supplemented at any level, but all supplements that directly implement this publication must be routed to AF/A3TY, Information Operations Division for coordination prior to certification and approval. Refer recommended changes and questions about this publication to the Office of Primary Responsibility (OPR) using the AF Form 847, Recommendation for Change of Publication; route AF Forms 847 from the field through the appropriate functional chain of command. The authorities to waive wing/unit level requirements in this publication are identified with a tier ( T-0, T-1, T-2, and T-3 ) number following the compliance statement. See AFI , Publications and Forms Management, Table 1.1 for a description of the authorities associated with the Tier numbers. Submit request for waivers through the chain of command to the appropriate Tier waiver approval authority, or alternately, to the Publication OPR for non-tiered compliance items. Ensure that all records created as a result of processes prescribed in this publication are maintained IAW Air Force Manual (AFMAN) , Management of Records, and disposed of IAW Air Force Records Information Management System (AFRIMS) Records Disposition Schedule (RDS) located at

3 The use of the name or mark of any specific manufacturer, commercial product, commodity, or service in this publication does not imply endorsement by the AF. SUMMARY OF CHANGES This document has been substantially revised and must be completely reviewed. This revision adds responsibilities for major commands (MAJCOMs), Direct Report Units (DRUs), and Field Operating Agencies (FOAs), Numbered Air Forces, OPSEC Program Managers (PM), Coordinators, and Planners. Additionally, this revision introduces the AF OPSEC Support Team (AF OST), establishes changes to signature management (SM), base profiling process, and updates how the AF conducts OPSEC External Assessments (OEA), previously known as OPSEC surveys.

4 Chapter Operations Security (OPSEC) Overview. National Security Decision Directive 298 (NSDD 298), National Operations Security Program requires each executive department and agency with a national security mission to have an OPSEC program. Likewise, DoDD E, DoD Operations Security (OPSEC) Program, supports the national program and requires each DoD component to establish and maintain an OPSEC program OPSEC is an information-related capability (IRC) that preserves friendly essential secrecy by using a process to identify, control, and protect critical information and indicators that, if compromised, would allow adversaries or potential adversaries to identify and exploit friendly vulnerabilities leading to increased risk or potential mission, function, program, or activity failure or the loss of life. OPSEC s desired effect is to influence the adversary s behavior and actions by reducing the adversary s ability to collect and exploit critical information and indicators about friendly activities Essential secrecy is the condition achieved by the denial of critical information and indicators to adversaries. Adversaries in possession of critical information can hinder or prevent friendly mission accomplishment. Thus, essential secrecy is a prerequisite for effective operations OPSEC supports planning, preparation, execution, and post execution phases of any activity, operation or program across the entire spectrum of military action and in any operational environment. Enhanced operational effectiveness happens when commanders and other decision-makers apply OPSEC from the earliest stages of planning. Exclusion of OPSEC in the early stages of strategy and operational planning limits the effectiveness of operations within the information environment from the beginning of an operation and consequently degrades the commander s ability to gain information superiority OPSEC, when closely integrated and synchronized with other IRCs, security disciplines, and all aspects of protected operations, preserves essential secrecy. OPSEC does this by systematically identifying and managing critical information and indicators attendant to military operations, in order to deny the adversary s ability to interpret friendly intentions, capabilities, or activities in sufficient time to act effectively against friendly mission accomplishment. OPSEC provides a methodology to manage risk. It is impossible to avoid all risk and protect everything. To attempt to protect all information diverts resources from actions needed for mission success. OPSEC must endeavor to establish a proper balance between dissemination of information to family members and the public, consistent with the requirement to protect critical information and maintain essential secrecy AF OPSEC. OPSEC is established, managed, and implemented at all levels throughout the AF. It is an operations function, and shall be integrated into all operational planning and coordinated with relevant military deception (MILDEC) and other information operations programs To ensure effective implementation across organizational and functional lines of operations, the organization s OPSEC program should reside in the operations and/or plans

5 element of an organization and have unimpeded access to the commander/director. For those organizations with no traditional operations or plans element, the commander/director must decide the most logical area to place management and coordination of the organization s OPSEC program while focusing on operations and the mission of the organization AF OPSEC program management consist of OPSEC practitioners (e.g., PM, coordinators, planners, instructors, OST members) at appropriate command levels. AF OPSEC coordinates between acquisition, cybersecurity, intelligence, operations, public affairs (PA), security, training and education, and command authorities with mechanisms for enforcement to ensure accountability, threat awareness, and senior leadership oversight To enhance the effectiveness and understanding of OPSEC, the AF provides awareness, education, and training to all AF personnel (e.g., military, DAFC, contractors, family members). Additionally, the AF conducts internal and external assessments utilizing tools and capabilities such as the AF OST, Cyberspace Defense Analysis (CDA) Weapon System (WS), and Enterprise Protection Risk Management (EPRM) OPSEC shall be coordinated and integrated into all security disciplines (personnel, information, cybersecurity, industrial, physical, (including law enforcement), antiterrorism, and force protection). (T-0) At a minimum, OPSEC shall be integrated into military strategy; command and control; operational and tactical planning and execution; continuity of operations; AF specialized training; and military indoctrination. In addition OPSEC shall be integrated into relevant support activities; contingency; combat and peacetime operations and exercises; communicationscomputer architectures and processing; critical infrastructure protection; weapons systems Research, Development, Test and Evaluation (RDT&E); inspections; acquisition and procurement; and medical operations. (T-0) RDT&E activities are high-priority targets for collection by multiple actors and particularly vulnerable to compromise for both classified and controlled unclassified information, and have an inherent requirement to implement OPSEC Waivers to the security clearance requirement in this instruction must be elevated and coordinated with the HHQ OPSEC PM and organizations information security manager, prior to submitting to the wavier authority. (T-2). Though, OPSEC essentially is concerned with protecting unclassified critical information, threat information, vulnerabilities, and countermeasures regarding specific operations, activities, and program can become classified. Ensuring OPSEC practitioners have the appropriate security clearance allows the OPSEC practitioner to complete their OPSEC duties Special Experience Identifier (SEI). All individuals performing OPSEC duties who have not been awarded a 14F Air Force Specialty Code may be awarded a 9O (Officer) or 234 (Enlisted) SEI. All training and experience criteria stipulated in the AF Officer and Enlisted Classification Directories and approval by the commander and/or appropriate Air Force Personnel Center assignment manager is required for award of the SEI.

6 1.3. Roles and Responsibilities: Commanders/Directors at all levels are solely responsible for the essential secrecy of operations within their enterprise and retain overall responsibility for risk management decisions and the implementation of OPSEC countermeasures. Commanders/Directors must maintain a balance between countermeasures and operational needs. They must understand the risk to the mission, and then approve countermeasures to implement and mitigate said risk. The maintenance and effectiveness of an OPSEC program is the responsibility of each commander/director. NOTE: Commanders/Directors may delegate responsibility for OPSEC program management decisions to no lower than the MAJCOM/HAF DRU/A3/director responsible for the OPSEC Program, and no lower than the Wing/CV for Wings. (T-0). Commanders/directors will: Establish, resource, and maintain effective OPSEC programs. A program consists of policies, accountability, mechanisms for enforcement, operating staff, tactics, techniques, and procedures (TTPs), awareness education, training, and equipping functions necessary to enable the conduct of OPSEC planning and execution support and to ensure the highest level of leadership oversight. (T-0) Ensure implementation of AF OPSEC policy and guidance to incorporate and institutionalize OPSEC concepts into relevant doctrine, policies, strategies, programs, budgets, training, exercises, and evaluation methods in order to deny adversaries the opportunity to take advantage of publicly available information, especially when aggregated. (T-0) Ensure written guidance is issued (e.g., critical information and indicator lists (CIIL), memorandums, standard operating procedures (SOPs), OPSEC program plans) to make sure OPSEC is integrated into day-to-day and contingency operations. (T-0) Ensure measures are taken to manage operational signatures, prevent disclosure of critical information and indicators, and protect essential secrets. (T-0) Ensure at a minimum signatures are identify relating to the planning, development, deployment, and movement of equipment, personnel, and weapon systems and document their mitigation, allowing for the essential secrecy of AF Activities. (T-0) Ensure critical information and indicators are identified for each AF activity whether it be planned, conducted or supported. (T-0) Consider a 100% shred policy for documents containing critical information (e.g., local/hhq exercises, test schedules, recall rosters, medical supply listings, funding documents, travel itineraries, flight plans). (T-3) Appoint in writing full-time primary and alternate OPSEC PMs at Headquarters Air Force (HAF), MAJCOMs, HAF DRUs, AFFOR Staff, and Air and Space Operations Centers (AOC). (T-0).

7 Appoint primary OPSEC PMs at grades no lower than O-4, GS-13 for MAJCOMs, and DRUs and O-3, E-7, GS-11 for AFFOR Staff, and AOCs. (T-1) Appoint alternate OPSEC PMs at grades no lower than O-2, E-7, GS-11 for MAJCOM and DRUs and 0-1, E-6, GS-9 for AFFOR Staff and AOCs. (T-1) Appoint in writing full-time or additional duty primary and alternate OPSEC PMs at HAF FOAs, MAJCOM DRUs, Numbered Air Forces (NAF), Wings, Centers, and Laboratories. NOTE: Due to the shared HQ management level relationship of C-MAJCOMs and NAFs, C- MAJCOMs do not require a NAF OPSEC PM. (T-0) Appoint primary OPSEC PMs at grades no lower than O-3, GS-11. (T-1) Appoint alternate OPSEC PMs at grades no lower than O-2, GS-9, E-7. (T-1) Ensure contractors are not appointed as OPSEC PMs. (T-0) Ensure OPSEC PMs are appointed for no less than two years in order to ensure OPSEC program continuity, long-term stability, and maximize AF training investment. NOTE: Geographical locations where the tour of duty is less than two years are exempt from having to meet the 2-year requirement. (T-2) Ensure procedures are established to determine and appoint if deemed necessary OPSEC Coordinators within subordinate organizations to implement and enhance the effectiveness of the parent organizations OPSEC program. (T-3) Ensure when appointing contractors as OPSEC Coordinators, there are no inherently government functions associated with their OPSEC Coordinator duties. NOTE: To reduce potential conflict of interest, prior to creating a contract requiring a contractor to be an OPSEC Coordinator, consult the local contracting representative for information regarding government contractor relationship Appoint in writing OPSEC Planners at C-MAJCOMs, NAFs, AFFORs, and AOCs. (T-2). NOTE: Due to the shared HQ management level relationship of C-MAJCOMs and NAFs, C-MAJCOMs do not require a NAF OPSEC Planner. Wing and wing-equivalent organizations have the option of appointing OPSEC Planners to assist OPSEC PMs in the implementation of OPSEC within the planning process Appoint OPSEC Planners at grades no lower than O-3, GS-7, or E-6. (T-0) Ensure OPSEC Working Groups (OWG) are established and convened a minimum of bi-annually to address specific OPSEC issues in order to advise, coordinate, and support AF activities e.g., threat, intelligence/counterintelligence, anti-terrorism, security, force protection working groups, and PA efforts. (T-3).

8 Ensure OWGs are established for any operation or exercise to protect the critical information and indicators of the operation/exercise. (T-0) Ensure an Annual OPSEC Program Report is completed and forward IAW guidance issued in Chapter 5 of this instruction. (T-0) Ensure a report detailing OPSEC risk mitigation efforts on Open Skies Treaty observation activities within the commander s/director s enterprise is completed IAW guidance issued in Chapter 5 of this instruction. (T-1) Ensure OPSEC internal assessments are conducted annually to make sure OPSEC is being consistently applied, integrated into day-to-day operations and/or other IO activities throughout the organization, and critical information and indicators are being protected. (T-0) Ensure an OPSEC review of the organization s owned, operated or controlled externalfacing websites, social media sites, and SharePoints is conducted annually to confirm critical information and indicators are not being made available to the public. (T-0) Ensure guidance is establish make sure OPSEC considerations are included in the PA security policy review processes for publishing/releasing information to the public. Utilization of the appropriate and current CIIL is important to the success of ensuring critical information and indicators are not made available for public consumption. (T-0) Ensure OPSEC PMs and planners liaise with communities such as the information protection (IP), force protection, intelligence/counterintelligence, cybersecurity, foreign disclosure, protocol office, anti-terrorism, and threat working groups. (T-0) Ensure procedures are in place for the OPSEC PM, Treaty Compliance Officer, and Intelligence Officer to work together to identify and mitigate the risk associated with Open Skies Treaty observation flights within the commander s/director s enterprise. (T-1) Ensure coordination with other organizations on the installation to ensure the protection of mission critical activities and capabilities. (T-0) The Deputy Chief of Manpower, Personnel & Services (AF/A1): Ensures pre-deployment OPSEC training is added to Readiness Training and Country-Specific Training Requirements of the USAF-Wide Personnel Deployment Readiness Tool Ensures manpower studies are accomplished to determine appropriate manpower requirements to staff OPSEC across the AF.

9 The Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (AF/A2): Develops policy and guidance to ensure intelligence functions support OPSEC programs by providing integrated, evaluated, analyzed, and interpreted information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations. Intelligence informs the OPSEC PM what the adversary is doing, is capable of doing, and may do in the future Assists AF/A3 in the development of training and doctrine programs pertinent to all intelligence aspects of OPSEC Serves as the proponent for program management of intelligence support to the AF OPSEC Program Ensures the annual production and dissemination of threat assessments addressing current and future modifications and enhancement to the collection capabilities for all intelligence disciplines of foreign intelligence entities Provides written regional threat assessments in support of OPSEC. When this is not practical or possible, forward requirements through proper channels to the appropriate threat analysis center. The written threat information must be updated as necessary to include adversary collection means against an organization s current situation and environment Provide threat assessments of current, updated, and future modification, additions and technical capabilities of collection capabilities regarding Open Skies Treaty observation flights The Deputy Chief of Staff for Operations (AF/A3) is responsible for the development of AF OPSEC policy, programs, guidance, and activities. This responsibility is delegated to the Director of Training and Readiness (AF/A3T) who: Provides policy, program oversight and resource advocacy for AF OPSEC Programs and initiatives per DoDD E Appoints a full-time OPSEC PM charged with ensuring the AF plans, executes, and resources OPSEC in line with AF assigned missions and responsibilities Establishes and maintains AF OPSEC support capabilities that provide for program development, planning, training, assessments, operational support, and readiness training Ensures OPSEC support capabilities are utilized for planning support, external assessments, program development, and mutual support of other vulnerability assessments as well as other assessments within the AF Provides the Deputy Under Secretary for Defense (Intelligence) (OUSD(I) an annual assessment of the status of AF OPSEC.

10 Ensures threat-based comprehensive OPSEC assessments are scheduled and conducted to reduce risk to and enhance mission effectiveness Identifies and prioritizes threat-based comprehensive OPSEC assessment requirements, develops and outlines procedures for conducting OEA Ensures OEAs are conducted on activities that warrant them. These activities may include, but are not limited to AF weapons systems; research, development, test and evaluation; acquisitions; treaty verification; nonproliferation protocols; international agreements; force protection operations; special access programs; and activities that prepare, sustain, or employ military services over the range of military operations Supports OPSEC programs at the national, DoD and Joint-level as necessary Ensures the integration of intelligence and counterintelligence support into OPSEC planning and implementation Ensures the establishment and maintenance of an effective OPSEC awareness, education, and training program Ensures the AF workforce, to include all contractors who have access to mission critical information receive OPSEC awareness training upon initial entry to duty (to include entry to accession programs such as basic training, commissioning sources, and internships) and annually thereafter Ensures the risk of exposure to critical or classified information (alone or through compilation) is mitigated by providing OPSEC training and guidance for those using DoD Internet services, other Internet-based capabilities, emerging technologies, or developing information sharing environments that are accessible across the enterprise Ensures procedures are in place for personnel to complete theater specific OPSEC training prior to deployment Ensures OPSEC practitioners, IO professionals, public affairs personnel, contracting specialists, and personnel responsible for the review and approval of information intended for public release have received specialized OPSEC training for their duties Ensures policies and procedures are established for the review of information for OPSEC considerations and data aggregation prior to public release Ensures OPSEC requirements are properly reflected in classified and unclassified contracts Establishes and maintains a capability to conduct ongoing OPSEC vulnerability assessments on automated information systems or applications and/or programs designed for net-

11 centric interoperability for data aggregation (e.g., component websites, SharePoint sites, , radios, telephone, and other communication systems and methods.) Establishes guidance to identify organizational critical information and indicators in line with mission requirements Dedicates manpower, funding, and resources to implement the OPSEC program AF OPSEC PM is the appointed adviser to AF Leadership regarding the AF OPSEC Program. The AF OPSEC PM will: Develop, communicate, and ensure implementation of standards, policies, and procedures that supplement this instruction and meet specific needs of the DoD Component Identify requirements and necessary resources for the effective implementation of OPSEC Review and assess the effectiveness and efficiency of the AF OPSEC program Within 90 days of appointment, complete the required OPSEC training as outlined in Chapter 4 of this instruction Identify, prioritize, and request OPSEC assessments Participate in OPSEC training and education reviews and work with OUSD(I) and the Interagency OPSEC Support Staff (IOSS) to identify DoD and Federal OPSEC training requirements Provide oversight and advocacy as the focal point for AF OPSEC assessment capabilities Deputy Chief of Staff, Logistics, Installations & Mission Support (AF/A4) ensures OPSEC is implemented to protect supply chain, design and testing to counter the threat to AF activities posed by foreign intelligence collection system Secretary of the Air Force Office of Information Dominance and Chief Information Officer (SAF/CIO A6): Ensures OPSEC is included in cybersecurity and cyberspace policy, guidance, and operational activities Ensures OPSEC measures and practices are correctly reflected in the AF Enterprise Architecture.

12 Ensures OPSEC is incorporated into the development of net-centric operating environments in order to mitigate risks of classification through compilation of critical information and indicators The Secretary of the Air Force, Office of Public Affairs (SAF/PA): Ensures OPSEC is considered in the public affairs process for releasing information to the public Coordinates with the Assistant Secretary of Defense for Public Affairs and the AF OPSEC Program Office to ensure specialized OPSEC training is included in the curriculum for public affairs specialist and officers at all levels of training at the Defense Information School Ensures public affairs personnel receive specialized OPSEC training in addition to training received at Defense Information School regarding the review and approval of information intended for public release through all available media forums. (See Chapter 4 of this instruction) Ensures policy and procedures are established throughout AF Public Affairs to ensure OPSEC reviews are accomplished within the Public Affairs Security and Policy Review process Responsible for the oversight and management of all content on official AF externalfacing SharePoint and websites Establishes and maintains on-going collaboration with information security, OPSEC, and PA professionals to minimize potential OPSEC vulnerabilities on AF SharePoint, websites, and social media profiles The Assistant Secretary of the Air Force, Acquisition (SAF/AQ): Establishes and maintains procedures for OPSEC review of contracts prior to public release Ensures OPSEC is included in program protection plans to protect critical information throughout the life-cycle of AF acquisition and RDT&E for critical program information (reference DoDI , Critical Program Information (CPI) Protection Within the Department of Defense) Ensures when applicable, OPSEC requirements are properly reflected in government contracts. (See Chapter 6 of this instruction for OPSEC responsibilities required within a contract) Ensures Acquisition, Research and Technology, and OPSEC program managers work together to protect critical information and indicators throughout the RDT&E life-cycle, especially regarding release of information into the public domain.

13 Ensures individuals who perform acquisition duties receive appropriate OPSEC training (see Chapter 4 of this instruction) in support of program protection planning The Administrative Assistant to the Secretary of the Air Force (SAF/AA) provides coordination and integration of OPSEC policy, guidance, and procedures within the AF security community The Secretary of the Air Force, Inspector General (SAF/IG): Ensures OPSEC is included as a mandatory item in the AF Inspection System at all levels throughout the Continual Evaluation period and the On-site Capstone Visit of the Unit Effectiveness Inspection (UEI) process Ensures OPSEC PMs are identified as subject matter experts (SME) for OPSEC on Wing Inspection Teams (WIT). The WIT should observe and evaluate mission profiles and signatures, as well as measures of effectiveness (MOE) and measures of performance (MOP) that assess the organizations ability to mitigate loss of critical information Ensures procedures are established for members of IG teams that evaluate OPSEC to receive specialized OPSEC training identified within Chapter 4 of this instruction Ensures the Air Force Office of Special Investigations (AFOSI), provides commanders/directors and OPSEC practitioners with AFOSI threat information (e.g., counterintelligence-related information), Local Threat Assessments, Regional Threat Assessments) at CONUS, OCONUS and deployed locations. AFOSI will: Tailor threat information as requested to support AF OPSEC MOEs and MOPs Provide support as required to the AF OPSEC Support Team (AF OST) Provide counterintelligence and criminal threat intelligence as requested to support the AF OST in conducting threat-based comprehensive OEA. This support enhances the AF OST ability to reproduce the intelligence image in light of the known collection capabilities of potential adversaries against friendly capabilities and intentions Air Combat Command (ACC) will: Manage OPSEC Global Force Management and sourcing of Request for Forces Define requirements and advocate for OPSEC resources Manage, develop, and implement IO CONOPS and TTPs Perform programming and budgeting for Program Elements 23345F and 28021F.

14 Provide funding for AF personnel to attend AF OPSEC courses. HAF and MAJCOM OPSEC PMs are responsible for identifying personnel that are eligible within their organizations for TDY funding Fund attendance at non-af OPSEC courses based on operational requirements. MAJCOM OPSEC PMs will forward request to attend non-af OPSEC courses to the HAF OPSEC PM and HQ ACC. The request must include a justification why the AF OPSEC courses cannot meet the organizations operational requirement. The HAF OPSEC PM is the approval authority for determining validity to fund attendance at non-af courses Air Force Space Command (AFSPC) will: Establish, resource, manage, and maintain the AF OST and OPSEC training Coordinate and validate current and future CDA WS requirements, processes, and resources with the AF OPSEC PM to meet the needs of the AF OPSEC Program Ensure OPSEC and the use of the CDA WS is integrated with other traditional security support capabilities, programs, efforts, or initiatives Ensure CDA WS support is provided to the AF OST as required Provide CDA capabilities to support OPSEC requirements as identified in this instruction and AFI , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Process. (T-1) Provide direct support to commanders, directors, and the AF OPSEC PM by delivering an effective OPSEC support capability. The AF OST will: Manage and provide OPSEC reach-back support (e.g., awareness education, planning, readiness training, assessments, and operational support) to the AF OPSEC PM and all AF organizations at all levels. (T-0) Manage and conduct OEAs and OPSEC Program Management Assessments (PMA) to assist organizations in developing effective OPSEC programs. (T-0) Assist in National, DoD, joint, and AF-level OPSEC activities as tasked. (T-1) Coordinate with CDA organizations to receive ESSA products regarding the status of potential OPSEC compromises discovered during CDA operations. (T-2) Coordinate with CDA organizations and the IO Formal Training Unit (FTU) regarding trends observed from assessments for inclusion in future ESSAs and OPSEC curriculum. (T-2) Provide annual report to AF OPSEC PM regarding OPSEC assessments, their findings, and trend analysis. (T-1).

15 Assist in the development of OPSEC continuing education and training of the general AF population to include military members, DAFC, contractors, and family members (e.g., Total Force Awareness Training (TFAT), accession training, Professional Military Education (PME), awareness training, Commander Orientation Briefings, Just In Time Training, Readiness Training, Family Awareness Training). (T-2) Advise, evaluate, and support research and development efforts for OPSEC tools supporting combatant commands. (T-1) Support the Joint OPSEC Support Element (JOSE) in OPSEC activities as necessary. (T-1) Manage the AF OPSEC SharePoints sites. (T-1) Assist with the development and documentation of OPSEC related lessons learned and TTPs Coordinate with 24th Air Force (24 AF) on support request from MAJCOM, DRU, and FOA organizations regarding OPSEC support request for AF and Joint organizations Establish, resource, and maintain an IO FTU to provide formal OPSEC training to AF OPSEC practitioners. The FTU will: Maintain IOSS adjunct instructor certification and currency IAW with IOSS procedures. (T-1) Maintain AF instructor certification and currency IAW AFI , Community College of the Air Force (CCAF). (T-1) Develop and maintain an AF OPSEC adjunct instructor program. (T-1) Identify, train, and recommend for certification additional AF OPSEC instructors as necessary. (T-2) Provide OPSEC training and mobile training teams as directed by the AF OPSEC PM (T-1) Support the development of OPSEC training and TTPs. (T-1) Support AF and DoD-level OPSEC curriculum reviews. (T-1) Support development of OPSEC policies for education and training as required. (T- 1).

16 Manage training information by ensuring training completion information is provided to the AF OPSEC community and the IOSS as required. (T-1) Publish a quarterly student critique trend analysis report and upload to the AF OPSEC SharePoint website on Secret Internet Protocol Router Network (SIPRNet) NLT the 15th of January, April, July, and October. (T-3) Upload copies of student and course critique forms to the AF OPSEC SharePoint website on SIPRNet within 10 working days of course completion. (T-3) Coordinate with the AF OST regarding OPSEC-related trends that should be incorporated within existing OPSEC curriculum. (T-1) Air Force Materiel Command (AFMC) will: Ensure OPSEC is effectively integrated into all RDT&E programs to provide a consistent and effective level of protection throughout the life cycle of all weapon systems IAW DoDI , Critical Program Information (CPI) Protection Within Research, Development, Test, and Evaluation (RDT&E), and AFI /20-101, Integrated Life Cycle Management. (T-0) Provide information regarding research and development of camouflage and concealment with regards to the protection of installations, ranges, and test facilities under the purview of AFMC. (T-1) Air Education and Training Command (AETC) will: Provide OPSEC orientation for all new AF accessions (e.g., Basic Military Training School, and Officer Training School). At a minimum, the orientation will include the definition and purpose of OPSEC, threat awareness, vulnerabilities, countermeasures, and the individual's role in protecting critical information. (T-0) Incorporate OPSEC education into all PME. At a minimum, this will include the purpose of OPSEC, critical information, indicators, threats, vulnerabilities, countermeasures, and the individual's role in protecting critical information. (T-0) Incorporate OPSEC concepts and capabilities into specialized courses, such as the Contingency Wartime Planning Course, Joint Air Operations Planning Course, and the Information Operations Fundamental Application Course. These courses will include command responsibilities and responsibilities of OPSEC Planners supporting joint planning and execution efforts. (T-0) Establish a validation process in coordination with the AF OWG to ensure a content review of all OPSEC training materials within all AETC accession and professional military education. (T-2).

17 US Air Force Academy will provide OPSEC orientation for all new AF accessions. At a minimum, the orientation will include the definition and purpose of OPSEC, threat awareness, vulnerabilities, countermeasures, and the individual's role in protecting critical information OPSEC PMs serve as the commander s/directors representative regarding OPSEC and the point of contact (POC) for all OPSEC related issues between the organization s HHQ OPSEC PM, AF OST, and subordinate organizations. OPSEC PMs will: Advise the commander/director on all OPSEC related matters. (T-0) Manage the organization s OPSEC program IAW policies and procedures provided within this instruction. (T-0) Participate in budget development activities to identify manpower, funding, and resources to effectively implement and sustain the OPSEC program. (T-0) Develop and monitor OPSEC program expenditures. (T-1) Provide and ensure OPSEC awareness, education and training is completed IAW Chapter 4 of this instruction. (T-0) Advise the commander/director on the placement of OPSEC Coordinators in a manner that best supports the commander s/directors OPSEC Program responsibilities. (T-3) Provide oversight, guidance, and training to subordinate OPSEC PMs, Coordinators, Planners, and working group members IAW Chapter 4 of this instruction. Training shall include specific roles and responsibilities associated with the OPSEC function. (T-0) Within 90 days of appointment, complete the required OPSEC training outlined in the Chapter 4 of this instruction. (T-0) Incorporate and institutionalize OPSEC concepts into relevant strategies, operations, plans, programs, budgets, exercises, training, and evaluation methods. (T-0) Develop, implement, distribute, and annually review for currency the commander s OPSEC guidance and procedures (e.g., CIIL, SOPs, OPSEC Program Implementation Plan). (T- 0) Develop, establish, and implement policies and procedures to deny adversaries the opportunity to take advantage of publicly available information, especially when aggregated. (T- 0) Develop and implement procedures to control signatures and associated indicators of AF activities. Annually review for currency and effectiveness. (T-0).

18 Ensure all subordinate organizations have implemented OPSEC in their day-to-day activities and are identifying critical information and indicators for each relevant AF activity whether it be planned, conducted, or supported. (T-0) Coordinate with intelligence providers (e.g., A2, AFOSI, Defense Intelligence Agency) to identify the intelligence needs of the organization s OPSEC program. (T-0) As required, participate in HHQ planning and working groups (e.g., OWG, Threat, Anti-Terrorism, Force-Protection working groups) to assist in the development of policy and guidance, TTPs, and to address OPSEC concerns. (T-2) As required, establish and chair OWG to address OPSEC concerns and train OWG members. (T-0) Coordinate with host and tenant organization OPSEC PMs regarding the implementation of OPSEC countermeasures between organizations on an installation. Administrative oversight of a Wing s OPSEC program will reside with its respective MAJCOM or HAF DRU. (T-3) Assist as necessary PA, IP, contracting, Cybersecurity, and other officials in the review of information intended for release outside the organization. (T-3) Coordinate as necessary with the Foreign Disclosure and Protocol offices on visits by Foreign Nationals (e.g., Air Attaches, other military, military personnel exchange) to ensure critical information and indicators are protected from adversarial collection opportunities. (T-3) Coordinate on contracting documents to ensure contract requirements explicitly state contractor OPSEC responsibilities and requirements in order to protect critical information and indicators for the activity, operation, program that is being contracted. (T-0) Provide OPSEC training materials to organizations, which have/require contract support. Within 30 days of a contract being awarded, organizations will provide training/training materials to the prime contractor and/or AF contractors newly assigned to the organization. (T- 3) Annually, review and assess the effectiveness and efficiency of the organization s OPSEC program. (T-0) Annually, review for currency and effectiveness subordinate organization s procedures to control critical information and associated indicators. (T-3) Conduct an OPSEC analysis for each phase of a plan and evaluate each course of action against the commander s acceptable level of risk. (T-0) Conduct Staff Assistance Visits (SAV) as required or requested to assist in OPSEC planning or provide assistance in operationalizing OPSEC in the wing. (T-3).

19 Serve as the focal point for OPSEC assessments and supporting capabilities. (T-2) Provide assistance and develop possible scenarios (e.g., OPSEC activities, areas/functions, validating self-assessments, evaluating scenarios, participating in the hot wash, and providing inputs to the inspection report) to/for Wing and HHQ IG teams to assist in the evaluation of OPSEC activities. This ensures the OPSEC planning processes and the execution of OPSEC measures are properly trigger during inspection activities. (T-2) The MAJCOM, HAF DRU, and FOA level OPSEC PMs, manage the command s CDA WS and AF OST support through directing, soliciting, prioritizing, and consolidating assessment requests IAW AFI , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Process and Chapter 5 of this instruction. (T-1) Collect after-action reports and lessons learned for incorporation into future OPSEC courseware and the AF lessons learned database when applicable, as prescribed IAW AFI , Air Force Lessons Learned Program. (T-2) Annually provide a list of Information Defense Priorities specific to that command to CDA units for inclusion into the continuous monitoring mission IAW AFI NOTE: (MAJCOM, AF DRU, and AF FOAs only). (T-2) Request focused look CDA assessments through the 24 th Air Force (24 AF) IAW AFI (T-2). A Focused Look Assessment can cover multiple organizations, installations, or locations Review, assess impact, risk, and update countermeasures as required using the results for the CDA assessments. (T-1) Coordinate with appropriate organizations to resolve/mitigate OPSEC assessment observations as required. Utilize assessment results to mitigate discovered vulnerabilities and aid organization s OPSEC awareness efforts. (T-0) Coordinate and deconflict implementation of OPSEC countermeasures with other MAJCOMs, DRUs, FOAs and Wings on the installation. (T-1). NOTE: The best way to accomplish this is through an installation OWG Conduct an OPSEC program review to determine the stability of the OPSEC program and provide the commander/director with an OPSEC Program Report IAW guidance from Chapter 5 of this instruction. (T-0) Due to sensitivity of the mission and need for access to Top Secret/Sensitive Compartmented Information (TS/SCI) threat information, OPSEC PMs should maintain a TS/SCI clearance.

20 OPSEC PMs are required to establish and maintain a SIPRNet address to have access to classified threat information and OPSEC task. (T.1) Recommend OPSEC PMs establish and maintain a Joint Worldwide Intelligence Communication System (JWICS) account to access TS threat information to enhance the development of effective countermeasures to mitigate risk to operational missions Maintain a continuity system to include at a minimum the following OPSEC documents for a period of two years or when no longer need (whichever is longer). (T-1) Letters of appointment OWG POC Listing Approved waivers Request for formal training Organizational specific training List of major mission processes Approved CIIL Annual OPSEC Program reports Annual OPSEC Internal Assessment OEA (e.g., ESSA, AF OST, JOSE) Requests for information (intelligence and counterintelligence) Threat analysis for your organization List of Organizational vulnerabilities Organization s risk assessments (before and after proposed countermeasures are implemented) Proposed countermeasures (costs of implementing those countermeasures, and those countermeasures chosen to implement) MOP(s) and MOE(s) for countermeasures After-action reports (Intelligence and AFOSI Reports, organization exercise, and other assessments used to determine the effectiveness of countermeasures)

21 OPSEC related incident reports The OPSEC Planner is a functional expert trained to integrate OPSEC as an IRC, into the organization s planning process using AF standards, policies, procedures and this instruction as guidance. The OPSEC Planner supports the OPSEC PM in ensuring OPSEC is incorporated into the planning process to protect the overall planning and execution of operational activities. The OPSEC Planner will: Within 90 days of appointment, complete the required OPSEC training outlined in Chapter 4 of this instruction. (T-0) Provide OPSEC planning and guidance in accordance with the organization s OPSEC programs and policies to protect the plan. (T-0) Develop OPSEC planning documents for inclusion in all organizational plans. Review planning documents annually and update when necessary. Consider changes in the threat, vulnerabilities, impact to the plan, and the MOE and MOP of implemented countermeasures. (T-0) Coordinate with intelligence and counterintelligence providers to identify the intelligence needs for the OPSEC plan. (T-0) Identify and ensure the integration of OPSEC measures/countermeasures into the plan to reduce vulnerabilities and indicators. (T-0) Coordinate the integration of OPSEC measures/countermeasures with other information-related capabilities. (T-0) Due to sensitivity of the mission and the need for access to Top Secret threat data OPSEC Planners should maintain a Top Secret SCI clearance Develop and synchronize OPSEC measures across multiple subordinate units as needed Coordinate with other MAJCOM/Area of Responsibility OPSEC Planners for OPSEC measures/counters during events and/or operations that involve cross-reginal activities. (T-2) OPSEC Coordinators serve an important function within the OPSEC Program structure as they assist the OPSEC PM and Planner regarding OPSEC related matters within their assigned organizations, to include developing and recommending guidance and implementing countermeasures to mitigate the risk of potential adversary exploitation of critical information and indicators. OPSEC Coordinators will: Implement and distribute the commander s OPSEC guidance (e.g., CIILs, memorandums, SOPs, OPSEC implementation plans as required). (T-3).

22 Within 90 days of appointment, complete the required OPSEC training outlined in Chapter 4 of this instruction. (T-0) When necessary, assist the OPSEC PM in reviewing and updating OPSEC guidance and procedures for currency. (T-3) Implement procedures per guidance from the OPSEC PM to control signatures and associated indicators to deny adversaries the opportunity to take advantage of publicly available information, especially when aggregated. (T-3) Ensure critical information and indicators are protected from disclosure. (T-0) Ensure organizational personnel (military, DAFC, and contractors) complete initial and annual refresher OPSEC training IAW Chapter 4 of this instruction. (T-3) When necessary, assist the OPSEC PM in conducting OPSEC internal assessments to ensure sufficient protection measures are in place to protect critical information and indicators. (See Chapter 5 of this instruction for additional information regarding OPSEC internal assessments). (T-3) When necessary, conduct OPSEC reviews of organizational documents and photographs prior to them being submitted to Public Affairs and/or release to the public. (T-3) When necessary, assist the OPSEC PM in ensuring OPSEC is considered for all organizational contracts. (See Chapter 6 for additional information regarding OPSEC and Contracts). (T-3) Due to sensitivity of the mission and the need for access to Secret threat data, OPSEC Coordinators require a minimum of a Secret clearance. (T-1) OPSEC Coordinators should establish and maintain a SIPRNet address to have access to classified threat information and OPSEC task All Air Force Personnel: OPSEC is everyone s responsibility. Ideally, the AF uses OPSEC countermeasures to protect its critical information. Failure to properly implement these countermeasures can result in serious injury or death to our personnel; damage to weapons systems, equipment and facilities; loss of sensitive technologies; and mission degradation or failure. OPSEC is a continuous process and an inherent part of military culture. Integrate OPSEC into the execution of all AF activities All AF personnel (active duty, reserve, ANG, DAFCs, and DoD contractors) will: Be familiar with the organization s critical information and indicators. (T-0) Protect critical information and indicators from disclosure. (T-0).

23 This includes, but is not limited to: letters, resumes, articles, books, collegiate papers, electronic mail ( ), social media postings, web log (blog) postings, internet message board discussions, or other forms of dissemination or documentation Airmen should solicit the advice of their immediate supervisor, security office, OPSEC PM, and/or OPSEC Coordinator when publicly posting or publishing work-related information to internet-based capabilities. This will aid in preventing disclosure of critical information and indicators within the public domain Encrypt all messages containing critical information and OPSEC indicators IAW AFMAN , User Responsibilities and Guidance for Information Systems; para and this instruction. (T-0) Do not publicly disseminate, or publish photographs displaying critical information. (T-0). Examples include but are not limited to: Improvised Explosive Device strikes, battle scenes, casualties, destroyed or damaged equipment, personnel killed in action (both friendly and adversary), and the protective measures of military facilities. (T-0) Do not publicly reference, disseminate, correct, or publish critical information or indicators already compromised. (T-0). This provides further unnecessary exposure of the compromised information and may serve as validation Actively encourage others (including family members and family readiness groups) to protect critical information and indicators. (T-3) Destroy (e.g., burn, shred) all products (e.g., official and working papers, hard drives, disks, tapes, recordings) containing critical information or indicators when no longer needed to prevent the reconstruction, inadvertent disclosure or exploitation of critical information. (T-0) Implement countermeasures as ordered by the commander, director, or an individual in an equivalent position. (T-3) Avoid discussing critical information on non-secure telephones, cellular, or satellite telephone. (T-1) Know who their organization s OPSEC PM and/or OPSEC Coordinator are and contact them for questions, concerns, or recommendations for OPSEC related topics. (T-0).

24 Chapter 2 OPSEC PROCESS 2.1. General: The OPSEC process is a systematic method used to identify, control, and protect critical information. This chapter presents the five elements of the OPSEC process as steps: 1) Identify critical information; 2) Analyze threats; 3) Analyze vulnerabilities; 4) Assess risk; and 5) Apply countermeasures. These steps may or may not be used in sequential order but all elements must be present to conduct OPSEC analysis. During deliberate or crisis action planning, dynamic situations may require any step to be revisited at any time. The AF uses OPSEC to enhance mission effectiveness by managing operational signatures. Additionally, a profiling process is employed to identified and understand how we use specific information systems and conduits to accomplish operational missions and activities. Within the AF, processrelated subject matter experts (SME) are consulted to create the most accurate list of critical information, the identification of vulnerabilities and indicators allowing us to conduct a thorough risk analysis. This risk analysis provides AF leadership with options, based on the risk analysis results, to manage signatures in order to protect AF activities Identify Critical Information: Critical information is a specific fact about friendly activities, intentions, capabilities, or limitations that an adversary seeks in order to gain a military, diplomatic, economic, or technological advantage. Such information, if revealed to an adversary, may prevent or degrade mission accomplishment, cause loss of life or damage friendly resources. This step only identifies potential critical information items. The resulting CIIL should not be published as the unit s official CIIL until the remainder of the OPSEC process has been accomplished. Other steps within the OPSEC process may remove, refine, or add additional items from/to the list The identification of critical information is a key part of the OPSEC process because it focuses the remainder of the OPSEC process on protecting vital information rather than attempting to protect all unclassified information. The individuals responsible for the planning and execution of the organization s mission are the ones that can best identify their critical information. Additionally, using an adversarial approach and asking what information an adversary wants to know about the mission is a helpful method when trying to identify critical information Once you have completed the OPSEC process, compile the critical information and indicators identified into a CIIL, obtain the commander/director approval, and disseminate it to all organizational personnel to ensure they are aware of the information which requires protection Identify critical information at the earliest stages of planning an operation or activity and continuously update as necessary to support mission effectiveness Strive to keep CIILs unclassified. CIILs are to assist with reminding personnel to protect related critical information and indicators. If some critical information is considered For Official

25 Use Only (FOUO), include that information in an FOUO OPSEC Implementation Plan with associated countermeasures, but do not include on the publically distributed CIIL OPSEC PMs/Coordinators will maintain the most currently approved CIIL and countermeasures IAW their established Wing OPSEC procedures. (T-3) Reports of compromised critical information will be sent over SIPRNet or JWICS in memorandum format to the MAJCOM or AF DRU OPSEC PM. (T-1) OPSEC PMs will forward OPSEC compromised incident reports to their MAJCOM or AF DRU OPSEC PM. Sanitize all OPSEC compromised incident reports to safeguard the identity of personnel involved. If the commander/director deems an OPSEC compromised incident report requires HHQ notification or resolution, forward the related report to the next HHQ OPSEC NLT 15 days after the signing of the report. (T-2). Maintain a copy of the report and any actions taken in the organizations OPSEC Continuity records IAW Chapter 1 of this instruction Analyze Threats: A threat is an adversary with the capability and intent to undertake action detrimental to mission success, to include associated program activities and/or operations. An adversary is any entity with goals counter to your own Threat information is necessary to understand what to protect and subsequently develop appropriate countermeasures. Analyzing threat includes identifying potential adversaries and their associated capabilities and intentions to collect, analyze and exploit critical information and indicators Analyzing threat involves the research and analysis of intelligence, counterintelligence, and open-source information to identify the likely adversaries to the planned operation. The operation planners, working with the intelligence and counterintelligence staffs, assisted by the OPSEC PM, will seek answers to the following threat questions: Who is the adversary? (who has the intent and capability to take action against the mission? Who are the friends of these adversaries? Who are our potential adversaries?) What are the adversary s intentions and goals? (What does the adversary want to accomplish?) What are the adversary s intelligence collection capabilities (e.g., Human Intelligence, Imagery Intelligence, Signals Intelligence, Measurement and Signature Intelligence, Open Source Intelligence)? What are the adversary s tactics (course of action (COA) for opposing the mission (What actions might the adversary take)?

26 What critical information or indicators does the adversary already know about the operation (what information is it too late to protect)? What is the adversary s methodology for collecting on friendly forces? AFOSI provides local and counterintelligence threat information. Intelligence organizations provides tailored intelligence threat support. Threats can include, but are not limited to: foreign intelligence services, foreign and domestic terrorist organizations, criminals, cyber-based threats, lone extremists, and economic competitors. Reports from cyberspace organizations can be used to assess cyber threats and vulnerabilities Analyze Vulnerabilities: A vulnerability exists when the adversary is capable of collecting critical information and/or indicators, correctly analyzing them and acting quickly enough to impact friendly objectives An adversary exploits vulnerabilities to obtain critical information. The adversary then uses the information collected to support their decision-making process thus obtaining an operational advantage. The vulnerability can be in an organization s procedures, a failure of traditional security, poor judgment on the part of leadership, lack of threat awareness, the fact that we process critical information on unsecure information systems without encryption, or the system design itself. Conducting exercises and analyzing operations can help identify vulnerabilities An indicator is a friendly detectable action and/or open-source information that can be interpreted or pieced together by an adversary to derive critical information. All indicators have characteristics making them identifiable or causing them to standout. The characteristics of an indicator are: 1) signatures, 2) profiles, 3) associations, 4) contrast, and 5) exposure A vulnerability analysis is the examination of your processes, projects or missions to determine if you have inherent, naturally occurring or self-induced vulnerabilities or indicators that put your critical information and thus your mission at risk Assess Risk : Risk is a measure of the potential degree to which critical information is subject to loss through adversary exploitation. The assessment of risk evaluates the degree of probable harm or adverse impact that a vulnerability or combination of vulnerabilities may cause if exploited by an adversary. It involves assessing the adversary s ability to exploit vulnerabilities that would lead to the exposure of critical information and the potential impact it would have on the mission. Determining the level of risk is a key element of the OPSEC process and provides justification for the use of countermeasures. A planning group must conduct a risk assessment and develop recommended countermeasures based on operational planning and the current operating environment. A typical risk assessment will:

27 Determine the level of risk by comparing the vulnerabilities identified with the probability of an adversary being able to exploit those vulnerabilities and the impact if exploited Once the amount of risk is determined, identify potential countermeasures to reduce the vulnerabilities with the highest risk. The most desirable countermeasures are those combining the highest possible protection with the least resource requirements and/or adverse effect on mission goals consider the cost, time, and effort of implementing measures and countermeasures to mitigate risk. Factors to consider include: What are the benefits and the proposed countermeasures on reducing risks compared to the effects on the mission? What is the cost of the proposed countermeasure compared with the cost associated with the impact if the adversary exploited the vulnerability? Will implementing the countermeasure create a new OPSEC indicator? 2.6. Apply Countermeasures: Countermeasures are anything which negates or reduces an adversary s ability to exploit our vulnerabilities. Countermeasures are designed to prevent an adversary from detecting critical information, provide an alternative interpretation of critical information or indicators (deception), or deny the adversary the ability to utilize their collection system to exploit our operations. Countermeasures may be both offensive and defensive in nature (e.g., camouflage, concealment, deception, intentional deviations from normal patterns, direct strikes against adversary collection capabilities, etc.). If the commander/director determines the amount of risk is unacceptable, implement countermeasures to mitigate risk and reduce it to an acceptable level The planning group will submit recommended countermeasures for commander/director approval through the established organizational processes Countermeasures must be synchronized and integrated with other IRCs to achieve synergies in efforts to influence the adversary s perceptions and situational awareness Countermeasures must be coordinated with other affected organizations to ensure they do not become vulnerabilities or unacceptable indicators During the execution of countermeasures, monitor the adversary s reaction, if possible, to provide feedback that can be used to assess effectiveness or determine potential unintended consequences Signature Management. Commanders manage operational signatures to identify processes and details within an AF activity in order to defend or exploit operational profiles.

28 Defense of operational profiles are accomplished by implementing countermeasures to deny or mitigate adversary collection of critical information Using a profiling process, the OPSEC PM defines the local operating environment and captures process points that present key signatures and profiles with critical information value. This process is the deliberate effort to identify functional areas and the observables they produce to contribute to the overall signature of day-to-day activities and operational trends. Once completed, use the results to develop an organizational execution checklist, organizational CIILs, and identify key process points for potential protection or exploitation. This ultimately provides commanders several options to exploit or deny operational signatures to enhance mission effectiveness.

29 Chapter 3 OPSEC PLANNING 3.1. General. This Chapter provides direction for planners at wings, AF component headquarters, and AOCs (e.g., C-MAJCOM, AFFOR, AOC) to integrate OPSEC into plans. OPSEC is conducted continuously across the range of military operations. The continuous planning, implementation, and assessment of countermeasures throughout military operations enhance a commander s ability to shape the information environment, achieve desired effects, and meet operational objectives. The basic principles, capabilities, and activities of OPSEC planning remain the same whether units are at home station or deployed only the specific focus of the planning process change. OPSEC planning is most effective in war or contingencies when integrated with other IRCs and are part of strategy development, planning, and execution phases of operations. AF forces can be under observation at their peacetime bases and locations during normal daily operations, in training or exercises, while moving, or when deployed to the field conducting actual operations. OPSEC provides systematic and comprehensive analysis designed to identify observable friendly actions that could portray intentions and/or capabilities. Therefore, integrate OPSEC into operations, support, exercise, and acquisition planning. Review plans annually and update as needed. Consider changes in the threat, vulnerabilities, impact to the plan, and MOEs and MOPs of implemented countermeasures OPSEC PMs or Coordinators will assist organizational planners to incorporate protection of critical information and indicators into supported operations plans (OPLANs) and supporting plans. OPSEC PMs and Coordinators will also assist WIT members and exercise planners in developing master scenario events listings (MSEL) and MOPs to train organization personnel in the application or execution of countermeasures. (T-1) A sound understanding of the adversary s capability to exploit OPSEC vulnerabilities is fundamental to proper OPSEC planning OPSEC Program Plans: OPSEC Program Plans outline the broad OPSEC Program objectives for the AF organization/activity. A useful format for an OPSEC Program Plan is as follows: References: This instruction and other OPSEC references as applicable Purpose: To establish OPSEC within an organization or AF activity Scope: Concise statement of the program/activity Policy: Statement of Command Policy on protection of critical information Process/Procedures: Detailed explanation of the activities, methods, and results of the five-step OPSEC Process.

30 Responsibilities: Designation of the OPSEC PM, Coordinator, and Office of Primary Responsibility of the activity OPSEC Evaluation: How OPSEC will be evaluated within the organization/activity (e.g., OPSEC internal assessments, Management Internal Control Toolset (MICT) Program Goals: List specific benchmarks for the organization s OPSEC Program/activity (e.g., establish an OWG, accomplish annual OPSEC training, accomplish annual OPSEC internal assessment, publish an OPSEC Annex to all OPlans) Operations Planning. OPSEC will be included in all OPLANs, concept plans (CONPLANs), and operation orders (OPORDS), etc. Planners will use existing TTPs to develop Tab C to Appendix 3 to Annex C to the OPORD or OPLAN. The planning staff will identify critical information and OPSEC indicators from all functional areas requiring protection throughout each phase of the operation. Use risk assessments to identify applicable countermeasures to mitigate any unacceptable operational risks. Develop MOPs and MOEs for each OPSEC countermeasure. (T-0) Operational planning is typically focused at the Air Force component headquarters, with reach-back support outside the theater when appropriate. When planning duties are split, all responsible entities will integrate OPSEC into their planning efforts (see also JP , Operations Security, Chapter 3). When there is no C- MAJCOM, as the supported organization, the theater AOC resolves debates and provide general guidance Component headquarters will include in their OPSEC plan the CIIL, threats, vulnerabilities, countermeasures, and points of contact for supporting organizations (e.g. wings/wing-equivalents deploying for exercises, operations, and/or systems under development and sustainment). This action will occur as soon as the organization(s) are identified so that critical information can be protected before there are compromises to operations or system acquisitions. OPSEC Plans will be classified IAW respective security classification guidance. (T-0) Proper OPSEC planning ensures that sensitivities of friendly operations are identified, vulnerabilities to the hostile intelligence threat are assessed, and protective measures are identified and executed OPSEC Planning Sequence. OPSEC is a systematic process encompassing all aspects of security. Below are recommended actions to take to provide a positive and effective OPSEC plan. Although the following steps are not all inclusive, they serve as a point of consideration during the planning process: Prepare an OPSEC estimate of the situation. To include what the adversary may already know about the organization/exercise/operations/activity Issue OPSEC planning guidance.

31 Identify Protective Measures and Countermeasures Prepare OPSEC plans Brief participants Execute protective measures and monitor the situation Provide OPSEC follow-up Support Planning. Integrate OPSEC into all wartime and contingency plans as well as support plans (e.g., programming plans and in-garrison expeditionary site plans). Note: See AFI , Base Support and Expeditionary (BAS&E) Site Planning, for In-garrison Expeditionary Support Plan requirements and format Exercise Planning. In order to enhance combat readiness and improve crisis response include OPSEC in exercise plans. Include specific OPSEC scenarios in the exercise MSELs with MOPs and MOEs to assess the proficiency of functional planners to mitigate loss of critical information and organization personnel to execute countermeasures. Plan and implement OPSEC countermeasures for exercises to minimize observations of sensitive training activities by adversary surveillance and treaty verification activities Submit deficiencies or best practices to the MAJCOM OPSEC PM for inclusion into the AF Lessons Learned (L2) database ( Submit L2 and After-Action Reports (AAR) to MAJCOM OPSEC PMs within 45 days of completion of the exercise or operation when something significant or potentially useful was identified during the event. These documents are used to develop tactics improvement proposals (TIPs) IAW AFI , Participation in Joint and National Exercises, and AFI , Tactics Development Program L2 Validation and Resolution: MAJCOM OPSEC PMs review and track L2 observations to ensure accuracy and applicability OPSEC Planning for Acquisitions. OPSEC requirements will be determined for all acquisitions and contractor-supported efforts beginning with operational capabilities, requirements generation, and continue through design, supply chain protection, development, test and evaluation, fielding, sustainment and system disposal. When required to protect sensitive military activities, commanders will ensure an OPSEC plan is developed for all applicable contracts. (T-0).

32 Chapter 4 OPSEC AWARENESS EDUCATION AND TRAINING 4.1. General. All AF personnel (military, DAFC, and DoD contractors) who have access to mission critical information require a general knowledge of threats, vulnerabilities, countermeasures, and their responsibilities associated with protecting critical information. OPSEC education is a continuous rather than periodic requirement. All personnel require OPSEC education upon their initial entrance/accession into the work force, and annually thereafter Initial and Annual OPSEC Awareness Education: Initial AF OPSEC Awareness Education should provide a brief overview of the OPSEC process, explanation of OPSEC, its purpose, the organization s critical information, the importance of understanding critical information, the individual s role in protecting it, and the general adversary threat The AF OPSEC PM will provide standardized base-line OPSEC Awareness Education materials directly to the MAJCOM, AF DRU, and FOA OPSEC PM for distribution to the field. Commanders/Directors may use this standardized training to provide annual OPSEC training via commander s call, training days, or similar events. This training may be supplemented with other information and promotional efforts to ensure maintenance of awareness and understanding of both adversary threat and of the techniques employed by adversaries to collect classified and sensitive information Annual OPSEC Awareness training must include, at a minimum, updated threat information, changes to critical information, new procedures, and/or OPSEC measures implemented by the organization. (T-0) OPSEC Awareness Education will be recorded and maintained by OPSEC PMs through locally developed means. (T-1) Contractors with OPSEC requirements within a contract must ensure employees receive OPSEC training as specified in the contract. Accomplishment of training must not exceed 90 days from initial assignment to a contract with OPSEC requirements. Access to mission critical information will not be allowed until OPSEC awareness training has been completed and documented. (T-0) The circulation of directives, memos for record, posters, or similar material on a read and initial basis shall not be utilized as a sole means of fulfilling any of the specific requirements of OPSEC education. (T-0) Commanders/directors should encourage personnel to share OPSEC awareness information with family members (both immediate and extended) and friends. This will allow family members and friends to understand how adversaries could use public media sources to

33 obtain critical information that may be used to target AF members and their families (e.g., websites, blogs, social networking sites, newspapers, and television) Procurement of low-cost promotional items and awareness aids (e.g., pens, pencils, magnets, key chains, lanyards) are authorized for the exclusive intent to promote and reinforce OPSEC awareness and training in accordance with organizational missions. For Guidance, refer to AFI , Vol 1, Budget Guidance and Procedures Mission-Oriented OPSEC Awareness Training: Mission-oriented OPSEC Awareness training is event-driven and ensures all locally assigned AF personnel are familiar with potential threats related to the organization, critical information for the mission it supports, job specific OPSEC indicators, and the OPSEC measures unique to that specific duty assignment Mission-oriented OPSEC Awareness training may be combined with annual OPSEC Awareness training. Mission-oriented training must include, at a minimum, updated threat information, changes to CIIL, and/or new OPSEC procedures, and/or measures implemented by the organization. (T-0) Mission-oriented OPSEC awareness training may be directed by the commander/director to address specific events not covered by annual OPSEC training (e.g., Personally Identifiable Information (PII) breaches, change of mission, updates to the CIIL, recurring OPSEC disclosures, new threats and/or vulnerabilities, countermeasures) Access to mission critical information will not be allowed until mission-oriented OPSEC awareness training has been completed and documented. (T-3) OPSEC Pre-Deployment Training: Deploying personnel are provided OPSEC training prior to departure to bring awareness of what information in regards to the deployment requires protection prior to and while in transit to the deployed location. Obtain theater-specific information, which requires protection, from the deployed locations OPSEC PM AF OPSEC and other Training Courses: (See Table 4.1, AF OPSEC Education and Training Requirements, within this instruction for applicable courses) Air Force OPSEC Course. The AF OPSEC Course is required for all AF OPSEC PMs, Instructors, AF OST members, OPSEC Planners, and IO Officers (14F). (T-1) It is especially useful and should be attended by MILDEC PMs/Planners assigned to Major Commands (MAJCOM), Air Component Commander s staff, numbered A-Staff, or deemed necessary via MAJCOM discretion Individuals who have completed the AF OPSEC Course will not need to take the following courses, AF Identity Management (IdM), OPSEC and Public Release Decisions (OPSE-1500), OPSEC Analysis (OPSE-2380), OPSEC Program Management (OPSE-2390), or OPSEC Analysis and Program Management (OPSE-2500).

34 The AF OPSEC Course educates students on how to identify observable activities and operational trends that reveal critical information and indicators to potential adversaries. The course provides training on how to develop and maintain an OPSEC program and hands-on activities and instruction on how to incorporate OPSEC TTPs across the range of military operations. This training postures AF organizations to plan and execute flexible and adaptive activities, while protecting our own, in support of HHQ and commander s objectives/effects. Subjects covered include OPSEC program management, basic MILDEC fundamentals, Public Release Considerations for OPSEC, AF IdM, profiling process, OPSEC Process, countermeasure development, checklist development, coordination, synchronization, planning, and implementation considerations, security and administrative fundamentals, and practical exercises. Once completed the student will have a better understanding on how to effectively identify critical information, vulnerabilities, and indicators within an organization and implement OPSEC countermeasures to protect operations The AF OPSEC Course must be completed within 90 days of appointment to OPSEC duties. (T-0) If scheduling conflicts exist, the HHQ OPSEC PM must document and ensure the OPSEC Practitioner is scheduled for the next available course not to exceed 180 days. If training is not completed within 180 days, OPSEC PMs must report training deficiencies through the Defense Readiness Reporting System (DRRS) with a get well date. (T-0) Defense OPSEC Planners Course (DOPC). The DOPC provides OPSEC Planners, IO Instructors, and AF OST members training to effectively plan, integrate, conduct, and assess Joint OPSEC at the joint/operational level, across the range of military operations in accordance with applicable doctrine, policy, and authorities, as well as to enhance corporate knowledge of vulnerabilities associated with operations and plans for the joint warfighter OPSEC Planners and Instructors will complete the DOPC within 90 days of assignment to OPSEC duties or when a class becomes available, whichever comes first. (T-2). Though OPSEC PMs are not required to attend the DOPC, they may attend with the concurrence of their MAJCOM or AF DRU OPSEC PM The DOPC course schedule and registration information is available on the Joint Forces Staff College website OPSEC Fundamentals Training. This is the primary OPSEC course for OPSEC Coordinators and the prerequisite course to attend all formal OPSEC training courses. The OPSE 1301, OPSEC Fundamentals course found on ADLS and the IOSS websites, satisfies this AF requirement OPSEC Fundamentals training provides a basic working knowledge of OPSEC and how it affects both work and personal life. The course focuses on the history of OPSEC, the OPSEC process as described in NSDD-298, and provides students with the opportunity to practice OPSEC in a modern scenario.

35 OPSEC PMs, OPSEC Coordinators, IO Planners, assessment and inspection team members, and OPSEC OWG members assigned to OPSEC duties are required to complete OPSEC Fundamentals training within 30 days of assignment. This course is also, designed for personnel who require knowledge of the OPSEC process, but who will not necessarily be required to perform OPSEC risk analysis. (T-0) AF IdM Course. This training introduces the student to common threats, vulnerabilities, and countermeasures associated with Internet-based Capabilities (IbC). It provides digital identity awareness education for military members, government employees, and contractors. The course will help the individual understand what their digital identity is and how to protect their critical information on the internet. It allows the student to better assess the risk when considering using IbC whether at work or home. The course will provide an overview of identity management, how to protect your digital identity, discuss various ways outsiders obtain your personally identifiable information (PII), and provides recommended good OPSEC practices. The target audience for the AF IdM Course is not just OPSEC practitioners, but anyone that uses internet-based capabilities OPSEC and Public Release Decisions. This training addresses the OPSEC issues that should be considered when reviewing information (e.g., print, public speeches, contracts, social media, SharePoint postings) for public release and public access. The target audience for OPSEC and Public Release Decisions training is OPSEC practitioners, IO Planners, Contracting and PA representatives, Website and SharePoint managers/administrators, and anyone else that reviews or releases information intended for the public OPSEC Contract Requirements. The Continuous Learning Center (CLC) 107 course OPSEC Contract Requirements is located on the Defense Acquisition University website. This training introduces OPSEC practitioner and contracting representatives to the basic elements of OPSEC, identifies the role of OPSEC within DoD, and recognizes the OPSEC responsibilities of program managers and Contracting representatives for establishing contracting services. CLC 107, OPSEC Contract Requirements is mandatory for OPSEC practitioners and contracting representatives and is to be completed within 90 days of appointment to the duty position. (T-0) Intelligence Oversight. Intelligence oversight training is required for OPSEC PMs, Planners, AF OST members, AF OPSEC Instructors. Training materials for Intelligence oversight are available from the MAJCOM Intelligence Oversight Manager for distribution to the field. Additional, information regarding intelligence oversight training is available within AFI , Oversight of Intelligence Activities.

36 IG (OPSEC Rep) Contracting Reps WEBSITE ADMIN PA REPRESENTAT IVE OPSEC PLANNER AF IO INSTRUCTOR AF OST MEMBER OPSEC COORD OPSEC PM Table 4.1. AIR FORCE OPSEC EDUCATION AND TRAINING REQUIREMENTS TRAINING Training Location OPSEC Fundamentals X X X X X X X X X ADLS AF OPSEC Course X X X X O In-residence Hurlburt Field, Florida OPSEC and Public Release Decisions X X X X X X X X X ADLS AF Identity Mgmt. X X X X X X X X X ADLS OPSE 2380 OPSEC Analysis O O O X O IOSS In-residence OPSE-2390 OPSEC PM O O X O IOSS In- Residence CLC-107, OPSEC Contract Requirements X X X X O X X Defense Acquisition University website Defense OPSEC Planners Course O X X X In-Residence Intelligence Oversight X O X O X X O = Optional X = Required Provided by per AFI

37 Chapter 5 OPSEC ASSESSMENTS 5.1. Annual OPSEC Program Report: The annual OPSEC Program Report is a continual process that involves combining data collected from OPSEC program reviews, MOPs, MOEs, exercise after-action reports, lessons learned, Unit Effectiveness Inspections, and annually conducted external and internal assessments. The report serves to characterize the current level of effort and posture of OPSEC within the AF. The annual OPSEC Program Report also seeks to identify best practices, gaps, and issues so the AF may focus effort to remedy gaps, issues, and help inform a way ahead on AF OPSEC policy, guidance, and TTPs. This has been assigned Report Control Symbol (RCS) DD-INTEL(A) By 1 July of each calendar year, the AF OPSEC PM provides the MAJCOMs, DRUs, and FOAs with the guidelines for the Annual OPSEC Program report The MAJCOMs, DRUs, and FOAs are responsible for tasking their subordinate organizations with providing information that allows the MAJCOMs, DRUs, and FOAs to compile and provide a command view of their OPSEC program via the OPSEC program report The MAJCOM, DRU, and FOA director or higher-level authority responsible for the Command s OPSEC program signs that organization s Annual OPSEC Program Report and forwards it to the AF OPSEC PM. (T-1) The commander/director or designated representative for organizations below the MAJCOM and DRU signs that organization s Annual OPSEC Program Report and forwards it to their HHQ OPSEC PM. (T-2) Assessments: OPSEC assessments are performed to achieve two specific purposes: to ensure required policies and procedures are in place to protect critical information and indicators and to gauge the overall effectiveness of countermeasures The assessment of an OPSEC program identifies the effectiveness through the evaluation of established MOPs and MOEs within plans and programs. MOPs indicate whether a particular measure was performed and MOEs measure the ability of the implemented OPSEC measures to protect mission/program capabilities and actions to achieve the commander s/director s objectives The AF provides several tools to assist OPSEC PMs and Coordinators to obtain information and data to perform OPSEC assessments. These tools assist in assessing the level of exposure of critical information and indicators to adversary observation, surveillance, and intelligence sensors. OPSEC PMs and Coordinators use assessment results within the risk management process to develop or adjust countermeasures that can mitigate or negate risk to operations.

38 Organizations may use the OPSEC Self-Assessment Communicator (SAC) in MICT in maintaining an OPSEC program and conducting internal OPSEC assessments. The SACs are divided into functional levels (e.g., wing/wing-equivalents and below wing-level) and provide the basics for maintaining your OPSEC program At least annually, organizations that maintain web and SharePoint sites that are externalfacing will conduct content vulnerability analysis of the information on these entities to ensure critical information is not available for exploitation by potential adversaries. (T-0) Owners of the web or SharePoint sites should conduct the annual assessments. They have the best understanding of the scope, intent, and focus of the site and with the assistance from an OPSEC Practitioner and a CIIL can determine if critical information and indicators are present on the site Web and SharePoint sites that require a DoD Common Access Card are exempt from this annual requirement. (T-1) MAJCOM, HAF DRU, and FOA OPSEC PMs are the focal point for requesting and scheduling all external assessments and setting all priorities between command organizations. Request for external assessments through the AF, MAJCOM, HAF DRU, or FOA OPSEC PM. (T-1) Management Internal Control Tool (MICT): MICT is the AF program of record to communicate a unit s current status of selfassessment communicators (SAC), HAF, SAC Fragmentary Order, and Special Interest Item compliance. MICT allows commanders, unit MICT owners and functional at all levels to monitor the status of unit compliance with inspected areas and items. Additionally, MICT assists IGs by informing the Risk Based Sampling Strategy and formulating specific inspection methodology and IG team composition for the Commanders Inspection Program and Unit Effectiveness Inspection A SAC is a two-way communication tool designed to improve compliance with published guidance and communicate risk and program health up and down the chain of command in near real-time. The HAF OPSEC SACs are developed and managed by the AF OPSEC PM AF OPSEC has four SACs available on MICT: Wing, Center, Laboratory SAC pertain to wings, centers, and laboratories MAJCOM/AF DRU/AF FOA SAC pertain to MAJCOM, AF DRU, and AF FOA organizations AFFOR/AOC SAC pertain to AFFOR and AOC organizations OPSEC Coordinators pertain to OPSEC Coordinators at any AF level.

39 5.4. OPSEC Internal Assessment: An OPSEC internal assessment is an overall evaluation of the organization s OPSEC posture. Use the organization s internal assets to conduct internal assessments. The purpose of an internal assessment is to evaluate an organization s activities and supporting functions to determine if sufficient countermeasures are in place to protect against the loss of critical information and indicators Internal assessments may be conducted when there is a need for an evaluation based on the sensitivity of the operation or program, or when there is evidence that an adversary is attempting to gain critical information and indicators Conduct an internal assessment prior to the development of an OPSEC program or OPSEC plan. The internal assessment can establish an OPSEC profile by revealing indicators that present vulnerabilities for an adversary to exploit. This allows the program to be developed with fact-based knowledge of threats and vulnerabilities that must be addressed Each OPSEC PM will conduct OPSEC internal assessments annually to determine the effectiveness of their OPSEC program, and as a minimum, assess the status of the following: (T- 0) Personnel s knowledge of critical information and indicators and publication of the CIIL Personnel s knowledge of the collection threat to the organization and the countermeasures in place to protect against the collection The effectiveness of current OPSEC countermeasures to protect identified critical information and indicators Status of OPSEC training within the organization Organizations may utilize assessments tools such as the MICT, and the OPSEC Module in the EPRM system to conduct annual OPSEC internal assessments Annually MAJCOM, HAF DRU, and FOA OPSEC PMs will conduct a physical or virtual OPSEC assessment of subordinate units using established AF guidance to determine if the unit being assessed are implementing HHQ-directed and their own OPSEC policies and procedures. (T-2) MAJCOM, HAF DRU, and FOA OPSEC PMs will identify and prioritize OPSEC assessment requirements and outline procedures for requesting OEA and program management assessments support from the AF OST or CDA. (T-1).

40 5.5. OPSEC External Assessment (OEA): An OEA is the application of the OPSEC methodology by a team of external subject matter experts to conduct a detailed analysis of AF activities associated with a specific AF Core Function, by employing the known collection capabilities of potential adversaries. This thirdparty evaluation of the effectiveness of AF OPSEC as it relates to AF weapon systems provides AF leadership in-depth analysis and feedback on the countermeasures in place to mitigate adversarial exportation of AF activities. An AF OEA is not a programmatic assessment The OEA requires a team of experts to look at an activity from an adversary s perspective to determine if critical information and indicators are being disclosed through normal operations and functions, to identify vulnerabilities, and propose countermeasures to mitigate them In order to maintain team and mission integrity, it is imperative that OEA team members if possible be billeted at the same lodging facility. The OEA Mission Director, while maintaining requirements established in the Joint Travel Regulations is responsible for determining appropriate lodging for OEA team members The primary focus is to identify critical information, indicators and vulnerabilities associated with the operations of the assessed AF capability, pinpoint weaknesses an adversary could utilize to degrade AF missions, and provide AF Senior Leadership information about when, where and how a potential adversary could interpret AF intentions Additionally, an OEA determines if current OPSEC countermeasures are effectively mitigating identified threats and vulnerabilities. OEA, recommendations for new or additional countermeasures against existing or future capabilities are identified to better protect assets and increase the operational advantage over adversaries and competitors The AF OST conducts OEAs on Air Force core functions, operations, and weapon systems as directed by the AF OPSEC PM. The AF OST needs minimal support from a commander s enterprise (e.g., facility to work from, letter of authorization to conduct observations on the installation) The AF OST coordinates their presence at locations with MAJCOM IG Gatekeepers and OPSEC PMs to ensure minimal impact by the team within a commander's enterprise The AF OST annually nominates AF OEA targets, based on adversary threat information, to the AF OPSEC PM, in order to gain approval of the coming FY OEA focus area(s). OEAs are comprehensive and multi-site assessments with the ultimate goal to collect and exploit AF critical information and indicators Results from AF OEAs are provided in an annual AF OST report to the AF OPSEC PM. The AF OPSEC PM will share AF OEA results with the program manager of the assessed AF capability and the assessed organizations. Additionally, sanitized results will be include in the Annual AF OPSEC Program Report.

41 MAJCOMs, DRUs, and AF FOAs may request an OEA as needed, but the OEAs must be focused on a specific operation, mission, activity, or capability to allow the AF OST to provide the best results to the organizations The AF OST forwards results from the MAJCOM, DRU, and AF FOA OEA to the requestor of the assessment. MAJCOM, DRU, and AF FOA OPSEC PMs will provide an analysis of the results from the OEA in their Annual OPSEC Program Report OPSEC Program Management Assessment (PMA): An OPSEC PMA provides an in-depth look at a unit s OPSEC program implementation and effectiveness. OPSEC PMAs differ from OEAs in that they are focused on a specific organization, activity, or event and not necessarily part of the annual yearlong OEA process. OPSEC PMAs are conducted by a team of subject matter experts to provide a detailed analysis of an OPSEC program s effectiveness by completing a thorough analysis of how the program is implemented, executed, supported, and managed. The AF OST conducts OPSEC PMAs During an OPSEC PMA, the assessment team will work with the assessed organization to identify methods and opportunities to develop and implement more effective OPSEC programs that enable improved protection of critical information and operational indicators OPSEC PMAs require considerably more time and effort from the assessed organization s leadership, program managers and general work force than required for an OEA. To be successful, the AF OST s activities during an OPSEC PMA require dedicated time and resources of the assessed organization in order to thoroughly understand and assess the OPSEC program OPSEC PMAs can be initiated by the assessed organization and/or the organization s higher headquarters. MAJCOMs, DRUs, and AF FOAs may request an OPSEC PMA as needed, but the PMA must be focused on a specific operation, mission, activity, or capability to allow the AF OST to provide the best results to the organizations. It is the requesting organizations, not the AF OST s responsibility to ensure the MAJCOM, and Wing Gatekeepers are aware of the AF OST presences on the installation The requesting organization is responsible for funding OPSEC PMAs, unless preapproved by the Director AF OST Results from OPSEC PMAs are included in the yearly summary reports created by the AF OST and provided to the AF OPSEC PM to outline trends and overall posture results of the AF OPSEC program. These results will be included in the AF s Annual OPSEC Program Report Electronic Systems Security Assessment (ESSA): AF conducted ESSA is the continuous monitoring of AF owned, operated, and/or leased communication systems to support OPSEC protection measures. ESSAs cover a range of devices and communication systems to include radio frequencies, wired and wireless devices,

42 websites, and computer systems and networks. Awareness of active ESSA monitoring of government telecommunication systems is an essential element of deterrence of such disclosures ESSA monitoring can be tasked and focused to defend specific information via Information Defense Priorities. Information Defense Priorities can be based on AF organizations, mission sets, capabilities, weapon systems, platforms, or any other significant categorization of AF owned information The 68th Network Warfare Squadron and its associated units conduct ESSA for the AF. Monitoring of AF communication systems can only be conducted within certain legal parameters and may only be performed by authorized personnel Guidance regarding ESSA operations is provided in AFI , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Program for further guidance ESSA assists commanders in evaluating their organization's OPSEC posture by determining the amount and type of information available to adversary collection entities AF, MAJCOM, DRU, and FOA OPSEC PMs and members of the AF OST request Focused Look Assessment through the 624th Operations Center. A Focused Look Assessment can cover multiple organizations, installations, or locations Organizations request CDA WS support through their HHQ OPSEC PM to their respective MAJCOM, DRU, or AF FOA OPSEC PM. MAJCOM, DRU, AF FOA OPSEC PMs submit CDA WS request to 24 AF/A3X, IAW AFI and this instruction. (T-1) Staff Assistance Visit (SAV). HHQ OPSEC PMs, or other organization SMEs conduct SAVs as needed IAW AFI , The Air Force Inspection System, and this instruction to assist organizations in developing an OPSEC program or OPSEC Plans, repairing dormant, noncompliant, deficient programs, or for any other reason deemed necessary by the commander/director or their appointed representative. Organizations request such assistance through their respective chain-of-command and the IG Gatekeeper process. SAVs check for program compliance (e.g., Special Interest Items, AFIs, MAJCOM policies), identify and resolve shortfalls, and provide guidance to OPSEC PMs and Coordinators as required AF OPSEC Support Team: The AF OST is the operational arm of AF OPSEC Program. The AF OST conducts OPSEC assessments and provides reach back support to AF units worldwide to include support to OPSEC program development, planning efforts, and development and availability of OPSEC awareness materials Program Development: Provides support at the strategic through tactical level in the development of an OPSEC program. Such as support to build and maintain an OPSEC program, development of an OPSEC Implementation Plan, and/or provide knowledge and experience (helpdesk).

43 Planning: Provides support at the strategic through tactical level through the development and maintenance of operational plans. This support may include support in areas such as build and maintain OPSEC operational planning, provide framework of a plan annex, development of countermeasures/mitigation methods, provide knowledge and experience (helpdesk), and assist in the development of OPSEC scenarios emulating real world operations, exercises, and activities Awareness Training: Provides for the development and continued education and training of the AF population. This support may include develop and maintain OPSEC education and training, develop and provide SMEs in the development of awareness education training materials. The AF OST may also provide as requested an OPSEC booth for respective conferences and other events to raise OPSEC awareness Internal and External Assessments: Provide support at the operational and tactical level through the assessment of AF OPSEC Programs. This support may include areas such as advice on tools and capabilities, recommend corrective actions, develop capability to conduct program assessments, orchestrate and conduct AF OEAs, AF OPSEC PMAs, analyze and evaluate results of assessments, and integrate lessons learned EPRM s OPSEC Module is a web-based tool developed to provide a standardized process to assist the OPSEC community with assessing and quantifying risk to critical information allowing decision makers to make informed decisions on what countermeasures to implement to reduce the organization s overall risk and vulnerabilities. EPRM provides posture, vulnerabilities and risk level status, which can provide assistance in developing plans and management reports. It provides a platform for planners to test remediation options and scenarios and provides an expert knowledge base to assist in threat assessments. OPSEC practitioners can request an EPRM account by going to the EPRM site on SIPRNet SharePoint Sites The AF OPSEC SharePoint site located on NIPRNet is the central location for unclassified collaboration of AF OPSEC. Information e.g., shared awareness briefings and training material, potential OPSEC vulnerabilities regarding current communication technology, and lessons learned are available on the AF OPSEC SharePoint. OPSEC practitioners may request access to the AF OPSEC SharePoint by going to the SharePoint site and requesting access ( AF OPSEC Program Management SharePoint site located on SIPRNet, is the central storage and collaboration space for AF OPSEC publications, documents, information, AF OPSEC Course schedule and ideas at the classified level. AF OPSEC practitioners may request access to the AF OPSEC Program Management SharePoint through their MAJCOM, HAF DRU/FOA OPSEC PM.

44 5.11. Joint and Interagency OPSEC Support: AF personnel are welcome and encouraged to receive training from the Joint OPSEC Support Element (JOSE) and IOSS. The courses offered by the JOSE and IOSS provide a perspective of OPSEC from the joint and federal government level while AF OPSEC training is oriented specifically to an AF audience. Address questions regarding JOSE and IOSS support to the MAJCOM, DRU, or FOA HHQ OPSEC PM JOSE. The JOSE as part of the Joint Information Operations Warfare Center (JIOWC) serves as the OPSEC Joint Center of Excellence and provides direct support to Combatant Commands and Joint Force Commanders through the integration of OPSEC into operations, plans, and exercises and by providing staff-level program development and training and OPSEC vulnerability assessments when directed IOSS. The IOSS supports the National OPSEC Program by providing tailored training, assisting in program development, producing multimedia products and presenting conferences for the defense, security, intelligence, research and development, acquisition and public safety communities. Its mission is to help government organizations develop their own, self-sufficient OPSEC programs in order to protect United States programs and activities. IOSS offers a multitude of OPSEC training aids available to all OPSEC professionals.

45 Chapter 6 OPSEC REQUIREMENTS WITHIN CONTRACTS 6.1. General: Contractors for defense systems acquisition programs as well as other types of AF contracts will practice OPSEC to protect critical information and indicators as specified in government contracts and subcontracts Each organization that request contract support is responsible for determining and communicating which OPSEC measures are essential to protect critical information and indicators for each of their specific contracts. Organizations must identify OPSEC measures in their requirements documents and ensure they are identified in resulting solicitations and contracts. See paragraphs and of this instruction for additional guidance. (T-0) Each organization requesting contract support is responsible for ensuring the appropriate OPSEC measures and costs associated with the implementation of these measures are billed and tracked as a separate line item in all contracts OPSEC PMs, Coordinators, or contracting representatives, depending on the organizations conduct reviews of contracting documents for OPSEC concerns. If an OPSEC Coordinator or Contracting representative is conducting the review, the HHQ OPSEC PM provides at a minimum technical guidance and an approved CIIL to assist in the analysis of information within the contract documents OPSEC Coordinators advise the OPSEC PM as to the results of the review of the contract documents. The OPSEC PM and not the OPSEC Coordinator is responsible for inherently government functions within the OPSEC program. (T-0) Guidance and procedures: (T-0) Organizations will consider OPSEC for all contractual requirements Organizations must first determine whether there is any form of critical information or activities within each of their contracts. It is the responsibility of each organization to inform the Contracting representative if there are no OPSEC requirements for the contract Organizations will develop an OPSEC Plan to protect critical information and indicators associated with each contract from cradle to grave. (See Paragraph 3.2 of this instruction for guidance on developing an OPSEC Plan (aka OPSEC Implementation Plan) The organization will specify OPSEC requirements for unclassified and classified contracts in the Statement of Work (SOW), Performance Work Statement (PWS), and/or Statement of Objectives (SOO).

46 Provide sufficient detail to ensure complete contractor understanding of the requirements (e.g., what do you want the contractor to do, how do you want the contractor to comply, when do you want the contractor to comply, who is going to provide training) In order to reduce vulnerabilities, critical information and indicators will not be included in unclassified contract documents Provide the contractor a copy of the OPSEC Plan associated with the contract Commanders/directors must ensure: (T-1) OPSEC PM and Coordinators work with the Contracting representative when writing contract documents such as requests for proposal, SOW, PWS, and SOOs Contracting representatives have access to all unit CIILs and compare their unclassified documents to those CIILs to ensure critical information and indicators are not included in the contracting documents OPSEC PMs or Coordinators review contractual documents prior to release. MARK C. NOWLAND Lieutenant General, USAF Deputy Chief of Staff, Operations

47 Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION References National Security Decision Directive 298 (NSDD 298), National Operations Security Program, 22 January 1988 DoDI , Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), 28 May 2015 DoDD E, DoD Operations Security (OPSEC) Program, 20 June 2012 DoDM M, DoD Operations Security (OPSEC) Program Manual, 3 November 2008 DoDI , DoD Internet Services and Internet-Based Capabilities, 11 September 2012 JP 1-02, DoD Dictionary of Military and Associated Terms, 15 June 2015 JP , Joint Doctrine for Operations Security, 6 January 2016 AFPD 10-7, Information Operations, 4 August 2014 AFI , Participation in Joint and National Exercises, 27 March 2015 AFI , Base Support and Expeditionary (BAS&E) Site Planning, 27 August 2015 AFI , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Program, 17 December 2015 AFI , Tactics Development Program, 15 September 2011 AFI , Oversight of Intelligence Activities, 26 September 2016 AFI , Publications and Forms Management, 1 December 2015 AFI , Community College of the Air Force (CCAF), 29 October 2013 AFI /20-101, Integrated Life Cycle Management, 7 March 2013 AFI , Vol 1, Budget Guidance and Procedures, 16 August 2012 AFI V2, Budget Management for Operations, 18 May 2012 AFI , Air Force Lessons Learned Program, 18 December 2013

48 AFI , Air Force Inspection System, 11 February 2016 AFMAN , User Responsibilities and Guidance for Information Systems, 19 May 2016 AFMAN , Management of Records, 1 March 2008 AFTTP 3.1. IO/NKO, Information Operations/Non-Kinetic Operations, 15 March 2016 Prescribed and Adopted Forms Adopted Forms: AF Form 847, Recommendation for Change of Publication DD Form 254, Department of Defense Contract Security Classification Specification Abbreviations and Acronyms AAR After-Action Report ACC Air Combat Command ADLS Advanced Distributed Learning Service AFNET Air Force Network AFOSI Air Force Office of Special Investigations AFPD Air Force Policy Directive AFTTP Air Force Tactics, Techniques, and Procedures ANG Air National Guard AOC Air and Space Operations Center AOR Area of Responsibility C2 Command and Control CC Commander CCAF Community College of the Air Force CCD Camouflage, Concealment, and Deception

49 CDA WS Cyberspace Defense Analysis Weapon System CIIL Critical Information and Indicators List CONPLAN Contingency Plan COA Course of Action CPI Critical Program Information DAFC Department of the Air Force Civilian DIRLAUTH Direct Liaison Authorized DoD Department of Defense DoDD Department of Defense Directive DOPC Defense OPSEC Planners Course DRU Direct Reporting Unit EPRM Enterprise Protection Risk Management ESSA Electronic System Security Assessment FOA Field Operating Agency FTU Field Training Unit HAF Headquarters Air Force HHQ Higher Headquarters HUMINT Human Intelligence HVA HUMINT Vulnerability Assessments IbC Internet-based Capabilities IG Inspector General IO Information Operations IOSS Interagency OPSEC Support Staff

50 IQT Initial Qualification Training IRC Information Related Capability JOSE Joint OPSEC Support Element JWICS Joint Worldwide Intelligence Communication System L2 Lessons Learned MAF Mobility Air Forces MAJCOM Major Command MICT Management Internal Control Toolset MILDEC Military Deception MOE Measures of Effectiveness MOP Measures of Performance MOU Memorandum of Understanding MSEL Master Scenario Events Listing NKO Non-kinetic Operations OEA OPSEC External Assessment O&M Operations & Maintenance OWG OPSEC Working Group OPLAN Operation Plan OPORD Operation Order OPR Office of Primary Responsibility OPSEC Operations Security OST OPSEC Support Team PA Public Affairs

51 PE Program Element PEM Program Element Manager PII Personally Identifiable Information PM Program Manager POM Program Objectives Memorandum PWS Performance Work Statement MISO Military Information Support Operations RDT&E Research, Development, Test and Evaluation SAC Self-Assessment Communicator SAV Staff Assistance Visit SCI Sensitive Compartmented Information SEI Special Experience Identifier SIPRNet Secret Internet Protocol Router Network SM Signature Management SME Subject Matter Expert SOP Standard Operations Procedures SOW Statement of Work T-0 Tier 0 Waiver Authority Outside of the AF T-1 Tier 1 Waiver Authority MAJCOM CC with HAF/A3T Concurrence T-2 Tier 2 Waiver Authority MAJCOM CC T-3 Tier 3 Waiver Authority Wing/DRU/FOA CC TFAT Total Force Awareness Training TIP Tactics Improvement Proposal

52 TTP Tactics, Techniques, and Procedures UEI Unit Effectiveness Inspection WIT Wing Inspection Team

53 Terms Acceptable Level of Risk An authority's determination of the level of potential harm to an operation, program, or activity due to the loss of information that the authority is willing to accept. Acquisition Program A directed, funded effort that is designed to provide a new, improved, or continuing material, weapons system, information system, or service capability in response to a validated operational need. Activity A function, mission, action, or collection of actions. Adversary An individual, group, organization or government that must be denied critical information and indicators. Synonymous with competitor/enemy. Association The characteristic of an indicator that makes it identifiable or causes it to stand out. Key signature properties are uniqueness and stability. Conduit A pathway over which data or information is collected, passed, analyzed and delivered to decision makers. Contrast The characteristic of an indicator that refers to differences observed between an activity s standard profile and it s most recent or current actions. Counterintelligence Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons or their agents, or international terrorist organizations or activities. (JP 1-02) Critical Information Specific facts about friendly intentions, capabilities, or activities needed by adversaries to plan and act effectively against friendly mission accomplishment. Critical Information and Indicators List A combination of mission-specific facts, evidence, and detectable actions from which an adversary or potential adversary could accurately deduce friendly activity, capability, or intent to a level of unacceptable risk to mission accomplishment. The key output of the Identify Critical Information step in the OPSEC process. Critical Program Information Elements or components of a research, development and acquisition (RDA) program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability. Includes information about applications, capabilities, processes, and end-items; information about elements or components critical to a military system or network mission effectiveness; and technology that would reduce the U.S technological advantage if it came under foreign control.

54 Essential Secrecy The condition achieved from the denial of critical information and indicators to adversaries through the combined efforts of traditional security programs and the operations security process. Essential Secret Specific aspects of planned friendly operations that, if compromised, would lead to adversary identification of exploitable conditions and potential failure to meet the commander s objectives and/or desired end state. Exposure The characteristic of an indicator that refers to when and for how long an indicator is observed. External-facing Available via the Internet to authorized users from any location. A DoD Internet service being external-facing has no bearing on whether it is public or private, i.e., both public and private DoD Internet services may be external-facing. (DoDI ) Focused Look Assessment Includes any number of Information Defense Priorities specific to a single Air Force core function, organization, mission set, capability, or weapon system. A Focused Look Assessment can cover multiple organizations, installations, or locations. Human Intelligence (HUMINT) A category of intelligence derived from information collected and provided by human sources. Indicator Detectable actions and information that can be interpreted and pieced together to reach conclusions or estimates concerning friendly intentions, capabilities, or activities. Information Operations (IO) The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own. JP (Actions taken to affect adversary information and information systems while defending one's own information and information systems.) Information Related Capability (IRC) A tool, technique, or activity employed within a dimension of the information environment that can be used to create effects and operationally desirable conditions. JP (Capabilities, techniques, and activities employed within a dimension of the information environment that can be used to achieve a specific end(s). Internal-facing Existing on DoD information systems for an internal DoD or United States Government, non-public audience. Not available to or from the general public Internet. (DoDI ) Measures of Effectiveness (MOE) A criterion used to assess changes in system behavior, capability, or operational environment that is tied to measuring the attainment of an end state, achievement of an objective, or creation of an effect (AFD Annex 3-0) Measures of Performance (MOP) A criterion used to assess friendly actions that are tied to measuring task accomplishment (AFD Annex 3-0)

55 Node An element of a conduit that represents a person, place, or physical thing through which information passes. Nodes may or may not inject bias during their handling and retransmission of data or information. Observable Activities apparent to observers and/or collectors that might be analyzed and used by the decision maker. The combination of an indicator and an opposing force conduit or open source reporting. Operations Security (OPSEC) An information related capability that preserves friendly essential secrecy by identifying, controlling, and protecting critical information and indicators that would allow adversaries or potential adversaries to identify and exploit friendly vulnerabilities leading to increased risk and potential mission failure. OPSEC Compromise The disclosure of critical information which has been identified by the information owner (commander/director) and any higher headquarters that jeopardizes the unit s ability to execute its mission or to adequately protect its personnel and/or equipment. Critical information that has been compromised and is available in open sources and the public domain should not be highlighted or referenced publicly outside of intra-governmental or authorized official communications because these actions provide further unnecessary exposure of the compromised information. OPSEC Coordinator An individual trained in OPSEC located at a subordinate level, who works in coordination with the OPSEC program manager or primary representative. DoDD E OPSEC Countermeasure Planned action to affect collection, analysis, delivery, or interpretation of information. OPSEC countermeasures include all activities that affect content and flow of critical information and indicators from collection to the decision maker. Countermeasures are generally offensive in nature and may require additional approval authorities and review criteria associated with choice of means employed. OPSEC Event A collection of operationally related OPSEC measures and countermeasures executed to protect a specific friendly activity. OPSEC External Assessment (OEA) The application of the OPSEC methodology by a team of subject matter experts to conduct a detailed analysis of all activities associated with a specific organization, operation, activity, exercise, or support function by employing the known collection capabilities of potential adversaries. OPSEC Indicator Friendly detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information. OPSEC Internal Assessment An evaluative process, conducted of an organization s, operations, activities, exercises, or supporting functions to determine if sufficient countermeasures are in place to protect against the loss of critical information and indicators. An

56 OPSEC Internal Assessment may include self-generated program reviews, Inspector General inspections, or higher headquarters reviews that specifically address OPSEC. OPSEC Means Methods, resources, or techniques that can be used to protect critical information and indicators. OPSEC Measure Planned action to conceal critical information and indicators from disclosure, observation or detection. OPSEC Program Manager A full-time appointee or primary representative assigned to develop and manage an OPSEC program. DoDD E. (AF Definition - An appointee or primary representative assigned to develop and manage an OPSEC program.) OPSEC Program Management Assessment An in-depth evaluation of the implementation and effectiveness of an organizations OPSEC program. OPSEC PMAs are conducted by a team of subject matter experts to provide a detailed analysis of an OPSEC program s effectiveness by completing a thorough analysis of how the program is implemented, executed, supported, and managed. OPSEC Plan The outcome of the OPSEC process that completes APEX Tab C-3-C and directs the implementation of appropriate measures and countermeasures to protect critical information and indicators. OPSEC Planner A functional expert trained and qualified to plan and execute OPSEC. DoDD E OPSEC Working Group Designated body representing a broad range of line and staff activities within an organization that provides advice and support to leadership and all elements of the organization. This can be an OPSEC, SM, threat, or public affairs working group that addresses OPSEC concerns). OPSEC practitioners Individuals charged with developing, implementing, planning, and assessing OPSEC. Includes individuals such as OPSEC Program Managers, Coordinators, OPSEC Support Teams, OPSEC Instructors, and Planners. OPSEC Protective Measure Methods and means to gain and maintain essential secrecy about critical information and indicators. Includes OPSEC countermeasures and measures. OPSEC Support Capabilities The range of capabilities used by the components to provide the required OT&E to sustain their OPSEC efforts. OPSEC Vulnerability A condition in which friendly actions provide OPSEC indicators that may be obtained and accurately evaluated by an adversary in time to prove a basis for effective adversary decision making.

57 Personally Identifiable Information (PII) A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, whether physical or electronic. Profile The characteristic of an indicator that refers to the sum of unique signatures and associations generated by a functional activity. Profiling process Defining the local operating environment and capture process points that present key signatures and profiles with critical information value. This process is the deliberate effort to identify functional areas and the observables they produce to contribute to the overall signature of day-to-day activities and operational trends. Reachback Support The process of obtaining products, services, and applications, or forces, or equipment, or material from organizations that are not forward deployed. (JP 3-30) Relevant Support Activities Can include, but are inclusive to, the following: acquisitions; treaty verification; nonproliferation protocols; international agreements; force protection operations; special access programs; and activities that prepare, sustain, or employ Military Services over the range of military operations Risk A measure of the potential degree to which protected information is subject to loss through adversary exploitation. Risk Analysis A method by which individual vulnerabilities are compared to perceived or actual security threat scenarios in order to determine the likelihood of compromise of critical information. Risk Assessment A process of evaluating the risks to information based on susceptibility to intelligence collection and the anticipated severity of loss. Sensor The collection element of the conduit or information pathway which identifies, registers, and subsequently transmits data. Signature Observable activities and operational trends that reveal critical information to adversary intelligence collection. Signature Management (SM) The active defense or exploitation of operational profiles resident at a given military installation. Defense of operational profiles is accomplished by implementing protective SM measures to deny adversary collection of critical information and indicators. Self-Assessment Communicator A two-way communication tool designed to improve compliance with published guidance and communicate risk and program health up and down the chain of command in near real-time.

58 Threat The capability of an adversary coupled with his intentions to undertake any actions detrimental to the success of program activities or operations. Threat Assessment An evaluation of the intelligence collection threat to a program activity, system, or operation. Tier Waiver Authorities Tier Waiver Authority is based on consequence of non-compliance and approval authority (AFI , Table 1.1). T-0 Waiver Authority is external to the AF (e.g., Executive Order, DoD, Joint Staff, Combatant Commands). T-1 Waiver Authority is MAJCOM/CC (delegable no lower than the MAJCOM Director), with the concurrence of the publication s Approving Official (AF/A3T). T-2 Waiver Authority is MAJCOM/CC (delegable no lower than MAJCOM Director). T-3 Waiver Authority is Wing/CC Vulnerability An exploitable condition in which the adversary has sufficient knowledge, time, and available resources to thwart friendly mission accomplishment or substantially increase operational risk. Vulnerability Analysis A process that examines a friendly operation or activity from the point of view of an adversary, seeking ways in which the adversary might determine critical information in time to disrupt or defeat the operation or activity. DoDM M Vulnerability Assessment A process that examines a friendly operation or activity from the point of view of an adversary, seeking ways in which the adversary might determine critical information in time to disrupt or defeat the operation or activity. Website A set of interconnected pages, services, and associated Internet media available at a Uniform Resource Locator (URL) and prepared and maintained as a collection of information and services by a person, group, or organization.

59 BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION JUNE 2011 Operations OPERATIONS SECURITY (OPSEC) COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-publishing website at for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication. OPR: AF/A3Z-CI, Information Operations Division Supersedes: AFI10-701, 18 October 2007 Certified by: AF/A3Z (Maj Gen Bolton) Pages: 40 This publication implements Air Force Policy Directive (AFPD) 10-7, Air Force Information Operations. The reporting requirements in this publication have been assigned Report Control Symbol (RCS) DD-INTEL(A)2228 in accordance with DoDD , DoD Operations Security (OPSEC) Program. It applies to all Major Commands (MAJCOM), Field Operating Agencies (FOA), Direct Reporting Units (DRU), Air Force Reserve Command and Air National Guard (ANG) organizations. This publication provides guidance for all Air Force personnel (military and civilian) and supporting contractors in implementing, maintaining and executing OPSEC programs. It describes the OPSEC process and discusses integration of OPSEC into Air Force plans, operations and support activities. Refer recommended changes and questions about this publication to the Office of Primary Responsibility (OPR) using the AF Form 847, Recommendation for Change of Publication; route AF Forms 847 from the field through appropriate chain of command. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AFMAN , Management of Records, and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) located at The use of the name or mark of any specific manufacturer, commercial product, commodity, or service in this publication does not imply endorsement by the Air Force. SUMMARY OF CHANGES This document has been substantially revised and must be completely reviewed. This updated instruction adds responsibilities for MAJCOMs, FOAs and DRUs (paragraph 1.4.8), Air Combat Command (ACC) (paragraph 1.4.8), commanders (paragraph ), requirement to budget,

60 2 AFI JUNE 2011 acquire and distribute OPSEC awareness and education materials ( ), OPSEC Program Managers (PM), Signature Management Officers, Coordinators and Planners (paragraph ) and all Air Force personnel (paragraph ). Chapter 2 has been renamed Signature Management and OPSEC Process has been moved to Chapter 4. OPSEC measures have been deleted from chapter 4 and are now reflected to read countermeasures (paragraph 4.6). Acquisition planning has been removed from chapter 3, OPSEC Planning and placed within chapter 8, OPSEC Contract Requirements. OPSEC Awareness Education and Training has been moved to chapter 5, OPSEC Education and Training, and includes requirement to provide awareness information to AF family members. OPSEC assessments has been moved to chapter 6 and titled Assessments. Additions to chapter 6 include web site link to the OPSEC Core Capabilities Checklists (paragraph 6.1.5), requirements regarding the assessment of information on AF public and private web sites (paragraph 6.5), and requirement to utilize the operations security collaborations architecture (OSCAR) tool for annual assessments (paragraph 6.6.4). Air Force OPSEC annual awards is located in chapter 7 and chapter 8 includes information regarding OPSEC as a requirement within government contracts. Chapter 1 GENERAL Introduction: Operational Context:... 4 Figure 1.1. OPSEC Functional Structure Purpose: Roles and Responsibilities:... 5 Chapter 2 SIGNATURE MANAGEMENT Signature Management Wing or installation commanders will: Signature Management Officer/Signature Management Non-Commissioned Officer will: Signature Management Planning and Coordination Exploitation Countermeasures (Refer to AFI , Paragraph Chapter 3 OPSEC PLANNING General Operational Planning Support Planning Exercise Planning Acquisition Planning Chapter 4 OPSEC PROCESS General:... 21

61 AFI JUNE Identify Critical Information: Analyze Threats: Analyze Vulnerabilities: Assess Risk: Apply Countermeasures: Chapter 5 OPSEC EDUCATION AND TRAINING General All Personnel: OPSEC PMs/SMO/SMNCOs/Coordinators, Planners, Inspection Teams: Joint and Interagency OSPEC Support: Chapter 6 ASSESSMENTS General: Annual OPSEC Program Review: Staff Assistance Visit (SAV): Survey: Web Content Vulnerability Analysis: Support Capabilities: Table 6.1. OPSEC Assessment Types and Support Capabilities Chapter 7 AIR FORCE OPSEC ANNUAL AWARDS PROGRAM General: Chapter 8 OPSEC REQUIREMENTS WITHIN CONTRACTS General: Guidance and procedures: Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 34

62 4 AFI JUNE 2011 Chapter 1 GENERAL 1.1. Introduction: OPSEC is a military capability within Information Operations (IO). IO is the integrated employment of three operational elements: influence operations (IFO), electronic warfare operations and network warfare operations. IO aims to influence, disrupt, corrupt, or usurp adversarial human or automated decision-making while protecting our own. IFO employs the military capabilities of military information support operations (MISO), OPSEC, military deception (MILDEC), counterintelligence operations, public affairs (PA) operations and counterpropaganda operations to affect behaviors, protect operations, communicate commanders intent and project accurate information to achieve desired effects across the operational environment. OPSEC s desired effect is to influence the adversary s behavior and actions by protecting friendly operations and activities Operational Context: Operational Focus. The OPSEC program is an operations function or activity and its goals are information superiority and optimal mission effectiveness. The emphasis is on OPERATIONS and the assurance of effective mission accomplishment. To ensure effective implementation across organizational and functional lines the organization s OPSEC Program Manager (PM), Signature Management Officer (SMO), or coordinator will reside in the operations and/or plans element of an organization or report directly to the commander. For those organizations with no traditional operations or plans element, the commander must decide the most logical area to place management and coordination of the organization s OPSEC program while focusing on operations and the mission of the organization. Figure 1.2 illustrates the AF OPSEC functional structure. Figure 1.1. OPSEC Functional Structure