January is OPSEC month: protect critical information

By Chad MenegayJanuary 18, 2023

January is OPSEC month: protect critical information
In 2021, the National Operations Security Program office and the Under Secretary of Defense for Intelligence and Security designated January as “National Operations Security Awareness Month." The purpose of this designation is to bring attention to the importance of protecting sensitive data and other information critical to the mission of the Army. (U.S. Army photo by Chad Menegay) (Photo Credit: Chad Menegay) VIEW ORIGINAL

Each new year fosters renewed interest in the cultivation of good habits and best practices.

While Operations Security (OPSEC) may not be at the top of most peoples’ list of resolutions, Fort Lee officials encourage you to prioritize it appropriately— which is to make it a primary concern.

January’s National OPSEC Awareness Month, as set forth in the 2021 National Security Presidential Memorandum (NSPM)-28, is in its second year recognizing government requirements that support the establishment, implementation and standardization of OPSEC programs.

“OPSEC is important enough that it should be celebrated every month,” said Bryan Hunlock, garrison OPSEC officer and operations specialist for the Fort Lee Directorate of Plans, Training, Mobilization and Security. “However, that is a little unrealistic. Having January be the focus month and coinciding with the new year gives everyone a chance to reflect and refocus the effort on protecting that information that is unclassified but sensitive in nature and reacquaint themselves with the Critical Information List (CIL).”

The awareness month focuses on policy and procedures governing the protection of sensitive and unclassified information, an opportunity for government agencies, public and private-sector entities, and individuals to reflect on ways to mitigate the various vulnerabilities, risks, and threats to their organizations.

The theme this year is ‘protect what’s ours’ or ‘protect critical information,’ which is the heart of OPSEC, as all OPSEC measures are implemented to protect critical information.

To protect critical information, local OPSEC orders, directives and policies identify what needs protecting, how to protect it and expressly note that the release of critical or sensitive information is punitive.

To identify critical information and know what to protect, it is key to consult your organization’s CIL, which catalogs info in such categories as capabilities, activities, limitations and intentions. Critical Information can also include personal items such as Personal Identifiable Information (PII), health information and travel plans.

Much of today’s intelligence comes from the collection and analysis of open source data, while a smaller percentage comes from clandestine collection efforts, such as human spies, intercepted communications, etc.

So, maintaining security on devices like computers and cell phones is foremost with considerations like network defense and information assurance software and hardware.

Common sense is another key mitigation defense.

“Be aware of your surroundings and maintain your situational awareness, especially with cell phones, whether it’s government or personal,” Hunlock said.

Cell phone conversations in public may be overheard, providing indicators that point to critical information about missions.

Alongside eavesdropping, other issues of concern with cell phones include geolocation and ease of interception.

Mobile device best practices include disabling Bluetooth® when not using, not connecting to public Wi-Fi networks and using strong lock-screen pins/passwords.

Protecting passwords by only sharing them on a need-to-know basis also is an advisable mitigation practice. One obvious, but often not practiced, mitigation would be to not store passwords on, say, a sticky note under a laptop on your desk.

“Passwords and personally identifiable information need to be protected,” Hunlock said.

One should use unique passwords for all of one’s social media accounts and use the highest privacy setting available.

Other things to consider in protecting social media accounts include:

- Being selective with fiend/connection requests

- Turning off location settings features

- Avoiding clicking on suspicious messages or links

- Reporting any scam posts or messages

- Not posting personal details that can give too much information to the wrong people

“Social media is a big way to leak information and let it slip out,” Hunlock said. “Be wary of what you're posting and where you're posting it to.”

Using countermeasures will help you to protect your critical information while using social media.

As always, practice good OPSEC to minimize risk to you, your family and the people in your organization. Place people first at the top of your list of resolutions.