The following Joint Publication is unavailable from the Defense Technical Information Center (DTIC) website. Though it does not have any markings indicating a distribution restriction, the DTIC website lists the document as being available through the Joint Doctrine, Education, & Training Electronic Information System (JDEIS) which is restricted to U.S. military personnel.
Joint Publication 3-13.3 Operations Security
- 75 pages
- January 4, 2012
Joint forces often display personnel, organizations, assets, and actions to public view and to a variety of adversary intelligence collection activities, including sensors and systems. Joint forces can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed to the field conducting actual operations. In addition, the adversary could compile and correlate enough information to facilitate predicting and countering US operations.
The purpose of operations security (OPSEC) is to reduce the vulnerability of US and multinational forces from successful adversary exploitation of critical information. OPSEC applies to all activities that prepare, sustain, or employ forces. The OPSEC process is a systematic method used to identify, control, and protect critical information and subsequently analyze friendly actions associated with military operations.
Tailored to the OPSEC process, joint intelligence preparation of the operational environment is a useful methodology for intelligence professionals to support the OPSEC planner. The intelligence professional will perform mission analysis on friendly operations. This provides great insight into potential areas where the adversary could collect information and the identity of essential elements of friendly information (EEFIs). Identification of EEFIs will assist the OPSEC planner in ensuring all OPSEC-related critical unclassified information is included in the critical information list.
OPSEC’s most important characteristic is that it is a process. It is an analytical process that can be applied to any operation or activity for the purpose of denying critical information to an adversary. Unlike security programs that seek to protect classified information and controlled unclassified information, OPSEC is concerned with identifying, controlling, and protecting unclassified information that is associated with specific military operations and activities.
3. Purpose of Operations Security
a. The purpose of OPSEC is to reduce the vulnerability of US and multinational forces from successful adversary exploitation of critical information. OPSEC applies to all activities that prepare, sustain, or employ forces.
b. The OPSEC process is a systematic method used to identify, control, and protect critical information and subsequently analyze friendly actions associated with military operations and other activities to:
(1) Identify those actions that may be observed by adversary intelligence systems.
(2) Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.
(3) Select countermeasures that eliminate or reduce vulnerability or indicators to observation and exploitation.
(4) Avoid patterns of behavior, whenever feasible, and thus preclude the possibility of adversary intelligence constructing an accurate model.
(5) Prevent the display or collection of critical information, especially during preparation for and execution of actual operations.
(6) Avoid drastic changes as OPSEC countermeasures are implemented. Changes in procedures alone will indicate to the adversary that there is an operation or exercise starting.
6. Operations Security and Information Operations
OPSEC as a capability of information operations (IO) denies the adversary the information needed to correctly assess friendly capabilities and intentions. It is also a tool, hampering the adversary’s use of its own information systems and processes and providing the necessary support to all friendly IO capabilities. In particular, OPSEC complements military deception (MILDEC) by denying an adversary information required to both assess a real plan and to disprove a deception plan. OPSEC and MILDEC have the same ultimate goal—affecting the adversary’s decision-making process and leading it to an erroneous decision. OPSEC does it by concealing important information, and MILDEC does it by putting misleading information into the environment. These are two related processes. For IO capabilities that exploit new opportunities and vulnerabilities, such as electronic warfare and computer network attack, OPSEC is essential to ensure friendly capabilities that might be easily countered are not compromised. The process of identifying critical information and applying measures to mask them from disclosure to adversaries is only one part of a defense in-depth approach to securing friendly information. To be effective, other types of security must complement OPSEC. Examples of other types of security include physical security, programs in IA, computer network defense, and personnel programs that screen personnel and limit authorized access. In particular, COMSEC plays a vital role in OPSEC. While COMSEC’s primary purpose is to protect classified materials, it can assist with identifying vulnerabilities to loss of critical information through monitoring communications within legal constraints.
5. Risk Assessment
a. This action has three components. First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC countermeasures for each vulnerability. Second, the commander and staff estimate the impact to operations such as cost in time, resources, personnel or interference with other operations associated with implementing each possible OPSEC countermeasure versus the potential harmful effects on mission accomplishment resulting from an adversary’s exploitation of a particular vulnerability. Third, the commander and staff select specific OPSEC countermeasures for execution based upon a risk assessment done by the commander and staff.
b. OPSEC countermeasures reduce the probability of the adversary either observing indicators or exploiting vulnerabilities, being able to correctly analyze the information obtained, and being able to act on this information in a timely manner.
(1) OPSEC countermeasures can be used to prevent the adversary from detecting an indicator or exploiting a vulnerability, provide an alternative analysis of a vulnerability or an indicator (prevent the adversary from correctly interpreting the indicator), and/or attack the adversary’s collection system.
(2) OPSEC countermeasures include, among other actions, cover, concealment, camouflage, deception, intentional deviations from normal patterns, and direct strikes against the adversary’s intelligence system.
(3) More than one possible measure may be identified for each vulnerability. Conversely, a single measure may be used for more than one vulnerability. The most desirable OPSEC countermeasures are those that combine the highest possible protection with the least adverse effect on operational effectiveness. Chapter III, “Operations Security Planning,” provides a detailed discussion of OPSEC countermeasures.