Army Releases New OPSEC Regulation
April 19, 2007
WASHINGTON (Army News Service, April 20, 2007) - Changes to the Army's operations security regulation address accountability, new technology and the inclusion of all Army personnel in OPSEC practices.
The revised Army Regulation 530-1, "Operations Security," provides updated definitions; aligns the Army's policies, terms and doctrine with the Defense Department; and brings Army Contractors into the fold while addressing the role Army Family Members have in OPSEC.
"The change includes Army Civilians and Contractors, who are not subject to the Uniform Code of Military Justice," said Maj. Ray Ceralde, the Army OPSEC program manager and author of the revision. "The reason we included Contractors in the regulation is they're more involved in operations today than ever before. If you have all your Soldiers and DA Civilians practicing OPSEC and your Contractors - who are an integral part of your operations - aren't ... well, you have a gaping hole in security that could affect everyone's lives."
Maj. Ceralde said OPSEC is a "total Army concept" and includes Families and friends though he acknowledged they aren't subject to a commander's orders.
"We felt it necessary to actively encourage those demographics," he said. "Much of the practice of OPSEC will be conveyed from the commander down to the Soldier who we hope will pass on the importance that what a Family Member or friend puts up on the Web can unwittingly be used against us."
Regulation changes also address how technology, specifically the Internet, has changed the face of OPSEC since the last major revision to the regulations in 1995. A 2005 revision addressed new technology, but the new revision addresses technological concerns not covered in the 2005 revision.
"The Internet, personal Web sites, blogs (Web logs) - those are examples of where our adversaries are looking for open-source information about us," said Maj. Ceralde. "Open-source information isn't classified and may look like nothing more than innocuous bits of information, a piece here, a piece there, like pieces of a puzzle. But when you put enough of the pieces together you begin to realize the bigger picture and that something could be going on."
Outside of technology, Maj. Ceralde cited an example of how "innocuous" bits of information can give a snapshot of a bigger picture. He described how the Pentagon parking lot had more parked cars than usual on the evening of Jan. 16, 1991, and how pizza parlors noticed a significant increase of pizza to the Pentagon and other government agencies. These observations are indicators, unclassified information available to all, Maj. Ceralde said. That was the same night that Operation Desert Storm began.
While Army personnel may maintain their own Web sites or post information on blogs, Maj. Ceralde said they have to be careful about what they write and what they post because even unclassified information can provide significant information to adversaries.
"For example, photos of deployed Soldiers to share with Family and friends are acceptable. However, when the photo includes a background of the inside of their camp with force protection measures in plain view, an adversary who is planning to attack their camp and sees a photo like this on the Internet now knows how to counter their force-protection measures," Maj. Ceralde said.
The regulation also puts a greater emphasis on commanders' responsibilities to implement OPSEC.
"We tell commanders what they must to do to get their people to understand what's critical and sensitive information and how to protect it, but commanders have to make that perfectly clear in the form of orders and directives," Maj. Ceralde said. "The other part of this tells Soldiers that if they fail to comply they may be punished under article 92 of the Uniform Code of Military Justice for disobeying a lawful order."
Other key changes to the regulations include the addition of punitive measures for violations of specific directives, the designation of "For Official Use Only" as a standard marking on all unclassified products that meet at least one exemption of the Freedom of Information Act, directing encryption of e-mail messages that contain sensitive information on unclassified networks, and emphasizing operations security in contracts and acquisitions.
"OPSEC is not traditional security, such as information security like marking, handling and classifying information; it's not the physical security of actually protecting classified information though they're all related and part of OPSEC," Maj. Ceralde said. "OPSEC is different from traditional security in that we want to eliminate, reduce and conceal indicators, unclassified and open-source observations of friendly activity that can give away critical information."