relevant data in the form of communications or noncommunications monitoring reports, or computer-based
analysis of particular elements of the operation. Whether the data is provided to the team in the form of
finished reports, or in a less formal format, is irrelevant. The data, however, may contribute to a further
refinement of individual functional outlines; more importantly, it can serve to verify vulnerabilities which
would otherwise be speculative or tenuous. In incorporating the data into the final report, the team should be
selective and use only that data that is relevant to the operation or activity being relevant to the operation or
activity being surveyed, rather than attributed to the individual commands. Across-the-board security
evaluations of a given command are the function of other security disciplines. OPSEC focuses upon an entire
operation or activity.
IDENTIFICATION OF VULNERABILITIES. The chronological portrayal of events which occur in the
surveyed operation or activity provide a basis for analysis to identify vulnerabilities. Actual sources of
adversary exploitation may also be identified. The vulnerabilities and actual sources will relate to information--
CLASSIFIED or UNCLASSIFIED--that could be used to degrade the effectiveness of the particular operation
or activity, now or in the future, rather than information per se. This relates directly to the essential elements of
friendly information--in the truest sense the critical information that must be denied to the adversary--that were
identified prior to or in the course of the survey.
The vulnerabilities are identified by assuming the adversary's view-point to figuratively look through the
adversary's eyes at the detectable events that occur in the chronological time-phased unfolding of the operation
or activity. In this respect, the OPSEC team must recognize that there is usually more than one adversary and
that detection alone does not necessarily indicate a vulnerability. Rather, detection must be accompanied by an
ability to process and react to the information in sufficient time and manner to degrade the effectiveness or
contribute to a data base which will ultimately enable such degradation. The basic criterion for identifying a
vulnerability is that there is a threat, and that the derivable information is truly an essential element of friendly
OPSEC SURVEY REPORTS
The report of the OPSEC Survey is addressed to the commander(s) of the surveyed operations or activity.
Lengthy reports should be accompanied by an executive summary.
There is no set format for OPSEC Survey reports; however, a suggested format does follow this discussion.
Whatever the format, it is important that vulnerabilities are clearly explained and substantiated. Although a
primary objective of any OPSEC report is to provide a basis for corrective actions, some vulnerabilities are
virtually impossible to eliminate or reduce. They should, however, be included in the report, since they will
enable a commander to more realistically assess his own operation.
A threat statement should be included in each report. The length and classification of the statement need only
be adequate to substantiate the vulnerabilities (or actual sources of adversary information) described in the
report. This statement may be included in the main body of the report or in an annex to the report. Portions of
the threat that are applicable to a particular vulnerability "finding" may be concisely stated in a paragraph
preceding or following the explanation of the finding. The threat statement should be concise and need only be
adequate to substantiate the finding. In those cases where the threat statement is classified to the extent that it
will impede the desired distribution and handling, the threat statement, or portions thereof, should be affixed as
an annex that can be included only in copies of the survey report provided to recipients with adequate clearance.
A concise description of the operation or activity may also be included in the report. Because of the scope of an
OPSEC survey, an OPSEC team can often describe the total evolution in a manner that will be of considerable
interest to commands whose activities comprise but a part of the overall operation. Such a description will