A new report from the National Research Council of the National Academies concludes that, while the Department of Homeland Security has established a framework for risk analysis, the Department in most respects continues to lack analytical tools to appropriately support decision-making. Moreover, the report found that "it is not yet clear that DHS is on a trajectory for development of methods and capability that is sufficient to ensure reliable risk analysis other than for natural disasters."

The report, which was commissioned by Congress in 2008, examined six risk analysis models and processes, including risk analysis of natural hazards, for critical infrastructure protection and for allocation of homeland security grants; the Terrorism Risk Assessment and Management (TRAM) and Biological Threat Risk Assessment (BTRA) models; and DHS's Integrated Risk Management Framework. The committee was composed of experienced engineers from academia and the public and private sectors, and led by John F. Ahearne, the former chair of the Nuclear Regulatory Commission.

The report can be found here, and there will be several presentations on the report both from the National Academies and from DHS at our annual conference next week.

Dear Colleagues,

As many of you may be aware, in May 2010 the Secretary for Homeland Security, Janet Napolitano, signed a policy statement establishing integrated risk management (IRM) as a fundamental concept for the operation of the Department of Homeland Security. The adoption and implementation of IRM at DHS is a major advancement toward unifying efforts among all homeland security partners to ensure that strategies and actions are informed by a common understanding of the homeland security risk landscape. Based on my previous conversation with SARMA in June on the topic of IRM, I wanted to provide an update that details the steps the Office of Risk Management and Analysis (RMA) has taken to implement the DHS Policy for IRM.

RMA is working with the Department's Risk Steering Committee (RSC) and all homeland security partners to execute the IRM Policy. Since the policy was signed, the RSC has provided guidance and technical assistance, including an updated DHS Risk Lexicon. Additionally, the RSC and RMA are in the process of developing a Directive for Integrated Risk Management for DHS, a Risk Management Fundamentals document, and other governance documents for improving and integrating risk management capabilities. These developments highlight the Department's dedication to incorporate IRM into the strategic framework of DHS, thereby strengthening the entire homeland security enterprise.

I would like to thank SARMA for its unwavering commitment to security risk management and providing a forum by which to keep our homeland security partners aware of recent developments and progress related to IRM. For more information regarding IRM or to share your thoughts, please visit our website or contact RMA at risk_management@hq.dhs.gov.

Respectfully,

Bob Kolasky
Assistant Director, Risk Governance and Support Division
Office of Risk Management and Analysis
U.S. Department of Homeland Security

by Arion (Pat) Pattakos

National Security Decision Directive (NSDD) 298 made it official: "...Application of the operations security (OPSEC) process promotes operational effectiveness...." The NSDD advised that "OPSEC ...is a systematic and proved process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive Government activities." The process disclosed in the NSDD "...involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures."

The NSDD provides one of the earliest national-level risk management paradigms and promotes an analytical approach to security. Yet it also helped create some definitional confusion. All too often we hear the term "operational security" when clearly the reference is to "operations security." Some of us old-timers shudder when this happens because many of us believe that they are not the same thing. Every profession has its professional lexicon, and it's incumbent upon professionals to use standard terminology to ensure effective communication and comprehension.

According to the NSDD, OPSEC is best understood as dealing with protecting critical information involving specific facts about friendly intentions, capabilities and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment.

The DoD Dictionary takes a slightly different approach and defines OPSEC as the process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: a) identify those actions that can be observed by adversary intelligence systems; b) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and c) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Note that OPSEC has a particular point of view; it deals with what can be observed by adversary intelligence systems. The five-step OPSEC process is a risk management process directed toward reducing to an acceptable level adversary exploitation of those indicators and hence determining our critical information. After all, the DoD Dictionary advises that risk management is the process of identifying, assessing and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits.

Because one set of the operational factors one should consider are the observable actions taken by an activity, using OPSEC as a vulnerability analysis tool makes sense. However, there are more operational factors of concern to an activity and this is where the idea of operational security comes into play. But since there is much confusion over the use of the term, we need a stronger and stricter definition for operational security.

Here are some ideas. To paraphrase the DoD Dictionary, an operation is an action (or actions) taken to carry out a mission. Both the word 'operation' and the word 'mission' are used in their broad contextual framework as the things one does to achieve specific objectives that may range from protecting a facility to eliminating terrorists. When conducting any type of operation or activity, it is common sense for the person in charge to protect the operation from adversary interference. To paraphrase again from the Dictionary, we must take the measures necessary to protect ourselves against acts designed to, or which may impair our effectiveness in accomplishing a mission.

The meaning of operational security that flows from these ideas suggests the operational security is bigger than OPSEC and that OPSEC is but one component of operational security. Operational security is an aggregation of security processes used to protect all critical assets associated with an operation such people, facilities, logistics, information/communication systems, equipment, technology and so forth. Putting out flanking forces for protection in a movement to contact is implementing operational security measures, as is controlling access to a facility.

As noted above, OPSEC looks at how an asset (the operation or its components) may be vulnerable to enemy exploitation from what is revealed by the asset. It is thus observable and thereby risks reduced operational effectiveness when an adversary makes those observations. Are you posting guards to protect a facility? Are there patterns that you establish when doing so that may be exploitable by an attacker? When do shifts change and how? How do guards communicate? Do the guards sleep on duty? Do they fail to patrol? The guards are a component of operational security while OPSEC is a vulnerability assessment tool that reveals how that security may be defeated.

In conclusion, here is a working definition of operational security paraphrased from the definition for security provided by the DoD Dictionary:

1. Measures taken by an organization, activity, facility or installation to protect itself against all acts designed to, or which may, impair its mission effectiveness.
2. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Dictionaries may not be fun to read but sometime it's necessary to promote comprehension and professionalism. We are after all, SARMA professionals.  

Pat Pattakos is a founding member and past president of the OPSEC Professionals Society as well as a SARMA founding member. He is certified as an OPSEC Professional and a Certified Protection Professional.

Editor's Note: Help us to better define operations and operational security by contributing your definitions of each term to our SARMApedia Common Lexicon.