The section of the report which describes the team's findings of vulnerabilities or actual sources is the crux of
the report and should be adequately explained so that the reader comprehends the underlying logic. The
vulnerabilities may be presented in several ways. They can, for example, be presented in a sequence which
correlates with their significance; they can be presented in an order which coincides with their appearance in the
chronological unfolding of the surveyed operation; or they can be grouped according to functional area. A
particular vulnerability can be introduced by a headline, followed by an adequate description of the finding.
This can be accomplished by a description of the portion of the operation which includes the vulnerability, and
may include a reference to the relevant threat.
Corrective actions are the prerogative of the command or commands associated with the surveyed operation or
activity. OPSEC teams may include recommendations for corrective actions in the report in conjunction with
the vulnerability findings. The team should not, however, feel impelled to accompany each vulnerability
finding with a recommendation. In some instances, the team may not be qualified to devise the corrective
action. In others, they may be limited in resources and options of a particular command. In some cases, the
team may be more effective by presenting the recommendation informally, rather than including it in the survey
report. Recommendations of the OPSEC team may, however, be particularly valuable in those instances where
a vulnerability crosses command lines and cannot be attended by a single command. Corrective action
recommendations of this type should be included in the survey report. Identified vulnerabilities are subject to
exploitation by foreign intelligence services. The commander must assess this threat against the effectiveness
of his operation. He must then decide whether to implement corrective actions or whether he can accept the risk
the vulnerability poses.
Annexes and appendices to OPSEC survey reports will generally be comprised of items which support the
vulnerability findings and the conclusion. For example, a threat annex may be included if it is not incorporated
into the actual text. Also, reports or portions of any empirical studies may also be affixed as annexes. Maps,
diagrams, and other illustrative materials may also be affixed to the report.
The report may end with a conclusion or summation of the survey and its findings. In writing this, the team
should avoid using evaluative phraseology vis-a-vis the commands and organizations involved in the surveyed
operation or activity. This is the purview of other security disciplines.
Distribution of the survey team's report should be limited to the principal commands responsible for the conduct
of the surveyed operation or activity. In due course, after the commands have had a reasonable amount of time
to assess the report and devise and implement corrective actions, consideration may be given to requests for
additional distribution. Abstracts from the report may be provided for lessons-learned documents on a
nonattribution basis.
Figure 1-2 on the following page shows a suggested OPSEC survey sequence and checklist, while Figure 1-3
shows an outline for a suggested report format.