Saturday, June 22, 2019

FSO's, OPSEC, and Protecting Sensitive Information

In our latest DoD Secure Pod Cast we continued our discussion the owners of The Management Analysis Network. This discussion is about apply Operations Security in the form of a Communication Strategy or Comms Strategy. 

The need to communicate
They explain that a comms strategy is vital to being able to communicate information about the work a cleared defense contractor is executing without giving away too much information. When developing a significant capability others may be able to observe the work and become inquisitive. Whether they are neighbors, businesses, news media or others, what people are naturally going to do is inquire about it.

Additionally, it may be necessary to present information at conferences, award ceremonies, promotions, advertisements and etc.  So the question is, how do we talk about the program to meet the requirements, to convey information to Congress, to oversight to others and to tell the good news story to the American people about how their tax dollars are being spent. At the same time it may be necessary to withhold information that is very beneficial and could help an adversary or competitor figure out what the work is and how its being executed. 

Tool to communicate
So the communication strategy is something that sets expectations for how to deal with the media or contracting or other elements. It provides left and right limits of things you want to emphasize, things you don't want to emphasize, and talking points and messages that to reiterate over and over again and areas that you want to avoid. 

The next step is to put it all together and get buy in and conduct training on the strategy. Once done, coordination with the program office, public affairs, and other partners should be incorporated. This will enable employees to go forward and talk about their program, but at the same time feel comfortable that they're not going to disclose any information that may not be classified or otherwise sensitive.

This strategy is a great tool for employees who need the guidance to feel comfortable on how to speak about their projects. Many times employees are given little guidance in the form of bumper sticker communications; "its classified", "think OPSEC", and etc. 

This strategy provides the employee with no way to communicate and therefore they may be nervous or unable to discern what to speak about or when. However, an employee with a training on the communication strategy can intellectually discuss their work while understanding what is sensitive and what is not. Additionally, business development, contracting, graphics and other departments will be able to do their jobs as well.

Building the tool
The best way to discuss a communication strategy is to begin with:

Describe what the program or project is or mission
Determine the work streams necessary to accomplish the mission.
For each work stream, determine what information is sensitive using a classification guide, OPSEC plan, DD Form 254, ITAR, or organizational documentation describing sensitive information.
Determine how to talk about the work without revealing the sensitive information
Train employees on the strategy-This may be incorporated into security awareness training or insider threat training
Develop processes to review communication to determine whether or not sensitive information is being released-review presentations, bids, emails, etc.

Not every aspect of sensitive work is sensitive. There are ways to communicate awards, accomplishments, contract wins, or share with the friends and family without revealing sensitive information. 

Listen to the pod cast for more details:

No comments: