FORT BELVOIR, Va. –
Lax operations security habits across the Defense Department have resulted in unauthorized disclosures of sensitive, non-public information, putting employee safety at risk and degrading mission success, said Defense Secretary Mark Esper in a July 20 memorandum. (Common Access Card required)
Defense Logistics Agency Intelligence officials are reinforcing that everyone has a role in safeguarding critical, sensitive and personally identifiable information by requiring military, civilian and on-site contract employees to complete operations security training in the agency’s Learning Management System by Aug. 31.
The annual security and counterintelligence awareness course has always been mandatory for agency employees, but DOD is requiring defense agencies to report compliance status in regular intervals during its 120-day OPSEC and unauthorized disclosure campaign.
DLA Intelligence will also assess how well DLA programs protect critical unclassified information and will promote OPSEC in September with Security and Insider Threat Awareness Week, said DLA Operations Security Program Manager Erica Quinley.
Quinley said when COVID-19 precipitated mass telework in March, DLA Intelligence reinforced the importance of OPSEC by informing employees about potential incidences of unauthorized disclosures, including ways to prevent them.
“We got to work right away putting out articles via the director’s blog (DLA CAC required) and we asked DLA’s chief of staff, Ms. [Kristin] French, to sign a memo to increase awareness about information security in a telework environment,” she said, adding that DLA Intelligence also published an article outlining teleworking do’s and don’ts. (CAC required)
“We increased our awareness campaign ahead of DOD’s, knowing that telework was going to introduce some confusion,” she added.
Many employees may be unaware that digital assistants like Alexa and Echo Dots should be disabled while they’re teleworking, for example.
“Those devices are always listening, even when you don’t use the ‘wake up’ words,” Quinley said.
Other common mistakes include improperly disposing of controlled unclassified materials in recycling bins or regular trash cans, failing to shred or destroy sensitive documents, and sending unencrypted emails that contain critical information.
Employees who can’t encrypt emails should use the DOD Safe website to securely transfer sensitive, unclassified files to those who don’t have the proper certificates for encryption, Quinley said. After employees upload a file, the recipient receives an email informing them they have documents available in DOD Safe with instructions on retrieving them.
Increased need for online communications and virtual meetings during telework also raise potential OPSEC issues, she continued.
“We’ve had a lot of questions about approved teleconference resources. A lot people try to use Zoom and other applications that may have security vulnerabilities,” Quinley said.
Skype and Web RTC are approved for DOD use, she added. Although DLA Information Operations is currently building the agency’s Microsoft Teams capability, it hasn’t yet replaced Skype.
Employees can help promote good OPSEC by continually checking security hygiene habits and ensuring that information released has been approved through proper security channels, Quinley said.
“Always err on the side of caution, always be aware of the information you’re putting out and always be aware of your surroundings,” Quinley said. “We can’t ensure mission effectiveness without proper OPSEC.”