Agencies are on the hook to increase ‘operations security’ training, education

Officials are concerned about adversaries targeting unclassified data and the employees who work with it.

Agencies across government face new requirements to develop “operations security” programs to help reduce the risk of employees inadvertently exposing sensitive but unclassified information.

“OPSEC” activities have traditionally been linked with military and intelligence agencies. But in a national security presidential memorandum signed in January 2021, outgoing President Donald Trump directed all executive branch departments and agencies to implement OPSEC programs, according to Rebecca Morgan, deputy assistant director for insider threat at the National Counterintelligence and Security Center.

“We know that adversaries, whether that’s foreign intelligence entities or criminal enterprises, are targeting U.S. government information,” Morgan said in an interview. “And they don’t always go after the classified.”

The NCSC defines OPSEC as the “systematic and proven security discipline for denying adversaries the ability to collect, analyze, and exploit information, including capabilities and intentions.”

Examples of unclassified information officials are concerned about, Morgan said, include pre-decisional regulatory decisions that could allow someone to manipulate markets. It could also be information about a federal data system that could leave it susceptible to a ransomware attack.

Officials are also concerned about personally identifiable information and the potential for adversaries to build “targeting packages” on government employees that could make phishing emails and other scams more effective, Morgan said.

Trump’s memorandum, which isn’t public, shifted responsibility for leading the whole-of-government OPSEC program from the National Security Agency to the NCSC, Morgan said. The center already oversees the implementation of insider threat programs across agencies.

Requirements for agencies “range from everything from specific training and awareness for the workforce . . . to actually conducting OPSEC assessments within the departments and agencies; the ability to identify critical information; to assess threats and vulnerabilities to the organization, analyze the risk, and then deploy appropriate countermeasures,” Morgan said.

And like insider threat activities, OPSEC is “multidisciplinary,” she added.

“You can’t effectively do an OPSEC assessment, meaning understand your threats and vulnerabilities, if you don’t talk to your cyber people, your insider threat people,” Morgan said. “So we really have promoted that multidisciplinary aspect.”

The NCSC is raising warnings about ways in which employees could be targeted, ranging from unsolicited calls and emails to listening in on public conversations. Much of the guidance centers on the use of social media and mobile applications, with employees being urged to pay attention to privacy settings, such as turning off location services on a mobile phone.

And while there are more security rules around classified information, Morgan also said the response shouldn’t be to classify more government information.

“Not only does over-classifying materials impede the ability to complete the mission and make it harder to get our jobs done, but we really take seriously that balance between transparency and secrecy,” she said. “There are certainly materials that are classified for good reason, and they remain so. But we have to go through a process to do that, we can’t just arbitrarily classify.”

The NCSC has distributed multiple bulletins this month describing OPSEC and associated best practices. The center is focused on providing training and resources, Morgan said, since OPSEC requirements are largely unfunded, with agencies often financing their programs through other security-related budgets.

Morgan said the NCSC is advocating for the National Security Council and the Office of Management and Budget to request a specific OPSEC appropriations line from Congress.

“I couldn’t say what dollar amount would be right because it’s different in every department and agency, but we really want to impress upon leadership, as well as individual leadership at departments and agencies, how crucial these programs are,” she said.

And requirements vary across agencies depending on their missions, the size and layout of their respective workforces, and the types of information they need to protect.

“We had just recently a progress report due from departments and agencies,” Morgan said. “Some are flying down the road and doing great. Some are still trying to get the training wheels on the bike. But that’s OK. People were starting at really different places. And we will continue to work with them.”


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
