Operations Security or OPSEC is an analytical process used to deny or delay our adversaries of Sandia National Laboratories’ (Sandia) critical information. Using OPSEC enhances mission success. OPSEC is not just a program—it supplements Sandia’s security disciplines by using the five-step process.

Goals of OPSEC

  • Identify vulnerabilities in programs and activities
  • Determine the impact on the loss of critical information
  • Where appropriate, provide OPSEC measures to protect the information from inadvertent release or intentional disclosure
  • To raise operations security awareness
  • Make intelligence or information gathering more difficult
  • To attempt to stop adversaries from obtaining classified or unclassified sensitive and critical information
  • Determine overall risk associated to the loss of critical information and assist managers making risk-management-based decisions

The OPSEC Process

  • Determine critical information
  • Analyze the threat
  • Determine vulnerabilities
  • Analyze the risk
  • Develop and implement countermeasures

OPSEC Good Practices

  • Have an OPSEC Plan
  • Properly handle and destroy sensitive and critical unclassified information
  • Be aware that phones, faxes, radios, and mobile devices (smart phones, tablet, watches, fitness devices, etc.) are subject to interception or other exploitation
  • Be security-minded when doing activities
  • Use the most secure means of communicating
  • Guard against unsolicited inquiries to obtain unclassified sensitive and critical information (by person, phone, email, or social sites)
  • Ensure unclassified sensitive and critical information is not put in recycling or trash but properly destroyed as soon as possible
  • When off of SNL premises, secure your badge and keep it out of sight
  • Don’t reveal unclassified sensitive and critical info on Internet social networking sites and other apps
  • Avoid listing your SNL association
  • Observe the need-to-know principle
  • Be careful of applications you install on mobile devices
  • Be adversary aware, the threat is real

OPSEC Simplified

Three Steps: Think. Assess. Protect.

  • Think about the information you need to protect and the adversaries who want it
  • Assess the ways they can acquire the information and risk if it is lost
  • Protect the information by implementing appropriate OPSEC Measures