DOE Handbook Operations Security (OPSEC)


DOE-HDBK-1233-2019
June 2019

DOE HANDBOOK
OPERATIONS SECURITY (OPSEC)

U.S. Department of Energy
AREA SANS
Washington, DC 20585

DISTRIBUTION STATEMENT A: Approved for public release; distribution is unlimited.

FOREWORD

The protection of classified information, projects, and missions is of paramount importance in fulfilling security responsibilities in connection with the Department of Energy (DOE). Operations Security (OPSEC) involves a process of determining unclassified or controlled critical information that may be an indicator or pathway to classified or sensitive activities requiring protection, whether for a limited or prolonged time. To ensure protection, employees should know and follow the applicable procedures and processes outlined in national and departmental policies.

This handbook does not establish new requirements and any existing requirements are explicitly referenced from national policy or a DOE Order using the terms “must” or “shall.” It is not intended to replace DOE Order 471.6, Information Security, other departmental rules, or national directives. This handbook describes one way to fulfill requirements for OPSEC within DOE.

Section 1 identifies the purpose, history and basic understanding of OPSEC. Section 2 describes the general OPSEC Program and the specific OPSEC Program Plan and its components. Section 3 discusses the OPSEC five-step process. It provides methods to identify critical information, the potential threat, vulnerabilities, and types of countermeasures that may be used. Section 4 describes the on-going activities that keep the critical information and related information and threats up to date. Trainings, briefing and awareness activities are provided.

Appendix A is a copy of National Security Decision Directive 298, National Operations Security Program. Appendix B contains a sample OPSEC plan. Appendix C provides a sample OPSEC assessment report. Appendix D provides a sample threat statement. Appendix E contains a sample website review template. Appendix F provides the IOSS OPSEC program implementation tiers.

In addition to the sample plans, reports and posters described above, additional resources and information may be found under Security Policy Guidance Documents on DOE Powerpedia at https://powerpedia.energy.gov/wiki/Office_of_Security_Policy. Samples may also be submitted for consideration and inclusion, as appropriate.

Beneficial comments (recommendations, additions, and deletions), as well as any pertinent data that may be of use in improving this document, should be emailed to [email protected] or addressed to:

Office of Security Policy (AU-51)
Office of Environment, Health, Safety and Security (AU)
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585

TABLE OF CONTENTS

FOREWORD
ACRONYMS
1.0 INTRODUCTION
    1.1 Purpose
    1.2 Understanding OPSEC
        1.2.1 History
        1.2.2 Current Application
2.0 ESTABLISH AN OPSEC PROGRAM
    2.1 OPSEC Program Plan
    2.2 Identification of Roles and Responsibilities
        2.2.1 Site – Federal, Contractor, and Tenant Organizations
    2.3 Establish an OPSEC Working Group
    2.4 Coordination and Communication
        2.4.1 Office of Intelligence/Counterintelligence
        2.4.2 Internal and External Organizations
        2.4.3 Foreign Visits and Assignments
3.0 APPLY THE OPSEC FIVE-STEP PROCESS
    3.1 Step 1 – Identification of Critical Information
        3.1.1 Development and Prioritization of Critical Information List
        3.1.2 Elements of Critical Information
        3.1.3 Indicators and Pathways
        3.1.4 OPSEC Reviews
        3.1.5 Public Release Review
    3.2 Step 2 – Analysis of Threats
        3.2.1 Intelligence Cycle
        3.2.2 National Threats
        3.2.3 Site-Specific Threats
        3.2.4 Collection Techniques
    3.3 Step 3 – Analysis of Vulnerabilities
        3.3.1 OPSEC Assessments
        3.3.2 Phase 1 – Planning and Preparation
        3.3.3 Phase 2 – Team Orientation
        3.3.4 Phase 3 – Introductory Briefing
        3.3.5 Phase 4 – Field Data Collection
        3.3.6 Phase 5 – Data Analysis
        3.3.7 Phase 6 – Draft Report
        3.3.8 Phase 7 – Exit Briefing
        3.3.9 Phase 8 – Final Report
        3.3.10 Phase 9 – Follow-on Tasks
        3.3.11 Summary
    3.4 Step 4 – Assessment of Risks
        3.4.1 NSDD 298
        3.4.2 Risk Determination
    3.5 Step 5 - Application of Countermeasures
4.0 MAINTAIN THE PROGRAM
    4.1 Management Updates
    4.2 Recordkeeping
    4.3 Annual Review/Verification of Critical Information Lists
    4.4 OPSEC Awareness
        4.4.1 Briefings
        4.4.2 Learning Styles
        4.4.3 Activities
        4.4.4 Concerns
        4.4.5 Delivering the OPSEC Message
    4.5 OPSEC Training
