New DoD OpSec Training Impacts Contractors
Following a series of leaks caused by operational security mishaps, Secretary of Defense Mark Esper issued a memo on July 20th detailing new operational security training requirements. Secretary Esper stated that “poor OPSEC practices within DoD in the past have resulted in the unauthorized disclosure or ‘leaks’ of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information.” The new training consists of four web modules and a video message from Secretary Esper.

However, the rollout of the new requirements has led to some confusion about which contractors and non-service member personnel are required to complete the training. This confusion has been compounded by the large uptick in working from home among defense personnel who previously worked from secure DoD facilities. For example, there has been uncertainty about who is considered an “on-site contractor,” because contractors who would typically be working on-site are now working from home. Several Facility Security Officers at contractors have reported that they have not received news of the training from their government security representatives but have instead been told that the implementation of the training will be handled by Cognizant Security Officers and will be mandatory only for personnel currently working at DoD facilities. This leaves it unclear whether personnel who would normally be on-site are still required to complete the trainings under the guidance of a CSO.
The relatively quick rollout of the training modules has also led to some unexpected issues. The first training, “OPSEC Awareness for Military Members, DoD Employees, and Contractors,” initially referred to members of the press as “adversaries,” when the intended terminology had been “unauthorized recipients.” Because the trainings are publicly available, critics quickly noticed this terminology before it could be corrected. One module is also still unavailable. These initial issues have led some critics to opine that the quick timeline of the trainings may impede their ultimate goal, with security consultant and CIA veteran Christopher Burgess stating, “To ram these four training courses down every civilian and military personnel within the next 60 days will in essence create a situation where folks are being asked to get their boxes checked on their ‘accountability card’ and not based on the intent of retaining the knowledge.” Still, nothing about the pandemic has been straightforward, and the uptick in working from home makes understanding OpSec best practices as important as ever. Hopefully, these initial rollout issues can be fixed so that the trainings are as effective as possible in promoting OpSec hygiene going forward.