RAAUZFH1 RUEOCSA8002 0142335-UUUU--RUEASRB.
ZNR UUUUU
ZOV RUEOCSA0144 RELAY OF RUHHCSA8002 0142205
ZUI RHHMMCA1514 0142329
ZFH1 ALL DIRECTLY CONNECTED RUHH SUBSCRIBERS
R 141553Z JAN 03
FM SECDEF WASHINGTON DC
TO ALDODACT
INFO RUEKJCS/SECDEF WASHINGTON DC//DASD SIO//SECURITY//
BT
UNCLAS
ALDODACT 02/03
ADDRESSEES PASS TO ALL SUBORDINATE COMMANDS
SUBJECT: WEB SITE OPSEC DISCREPANCIES

1. AN AL QAEDA TRAINING MANUAL RECOVERED IN AFGHANISTAN STATES: "USING PUBLIC SOURCES OPENLY AND WITHOUT RESORTING TO ILLEGAL MEANS, IT IS POSSIBLE TO GATHER AT LEAST 80% OF INFORMATION ABOUT THE ENEMY." AT MORE THAN 700 GIGABYTES, THE DOD WEB-BASED DATA MAKES A VAST, READILY AVAILABLE SOURCE OF INFORMATION ON DOD PLANS, PROGRAMS, AND ACTIVITIES. ONE MUST CONCLUDE OUR ENEMIES ACCESS DOD WEB SITES ON A REGULAR BASIS.

2. THE FACT THAT FOR OFFICIAL USE ONLY (FOUO) AND OTHER SENSITIVE UNCLASSIFIED INFORMATION (E.G., CONOPS, OPLANS, SOP) CONTINUES TO BE FOUND ON PUBLIC WEB SITES INDICATES THAT TOO OFTEN DATA POSTED ARE INSUFFICIENTLY REVIEWED FOR SENSITIVITY AND/OR INADEQUATELY PROTECTED. OVER 1500 DISCREPANCIES WERE FOUND DURING THE PAST YEAR. THIS CONTINUING TREND MUST BE REVERSED.

3. THE DOD WEB SITE ADMINISTRATION POLICY (LINK AT WWW.DEFENSELINK.MIL/WEBMASTERS) REQUIRES THAT INFORMATION BE REVIEWED FOR DATA SENSITIVITY PRIOR TO WEB POSTING AND PROTECTED ACCORDINGLY. THIS REVIEW IS TO BE ACCOMPLISHED IN ACCORDANCE WITH DOD DIRECTIVE 5230.9, CLEARANCE OF DOD INFORMATION FOR PUBLIC RELEASE, AND DOD INSTRUCTION 5230.29, SECURITY AND POLICY REVIEW OF DOD INFORMATION FOR PUBLIC RELEASE, AND MUST INCLUDE OPERATIONS SECURITY (OPSEC) CONSIDERATIONS AS DEFINED BY DOD DIRECTIVE 5205.2, DOD OPERATIONS SECURITY (OPSEC) PROGRAM.

4. USING THE OPSEC PROCESS IN A SYSTEMATIC WAY AND THINKING ABOUT WHAT MAY BE HELPFUL TO AN ADVERSARY PRIOR TO POSTING ANY INFORMATION TO THE WEB COULD ELIMINATE MANY VULNERABILITIES. THE INTERAGENCY OPSEC SUPPORT STAFF (IOSS) CAN PROVIDE PROFESSIONAL ASSISTANCE WITH THE OPSEC PROCESS (SEE WWW.IOSS.GOV). LIMITING DETAILS IS AN EASILY APPLIED COUNTERMEASURE THAT CAN DECREASE VULNERABILITIES WHILE STILL CONVEYING THE ESSENTIAL INFORMATION. SECURITY AND ACCESS PROTECTIONS MUST BE APPLIED ACCORDING TO THE SENSITIVITY OF DATA FOR BOTH WEB PAGES AND WEB-ENABLED APPLICATIONS. UNPUBLISHED ADDRESSES (URLS) AND UNLINKED WEB PAGES DO NOT PROVIDE SECURITY. SEE PART V, TABLE 1 OF THE WEB SITE ADMINISTRATION POLICY FOR FURTHER GUIDANCE.

5. HEADS OF COMPONENTS ARE RESPONSIBLE FOR MANAGEMENT OF INFORMATION PLACED ON COMPONENT WEBSITES. THEY MUST ENSURE THAT WEBSITE OWNERS TAKE RESPONSIBILITY FOR ALL CONTENT POSTED TO THEIR WEBSITES. WEBSITE OWNERS MUST REDOUBLE THEIR EFFORTS TO:
A. VERIFY THAT THERE IS A VALID MISSION NEED TO DISSEMINATE THE INFORMATION TO BE POSTED,
B. APPLY THE OPSEC REVIEW PROCESS,
C. LIMIT DETAILS,
D. USE THE REQUIRED PROCESS FOR CLEARING INFORMATION FOR PUBLIC DISSEMINATION,
E. PROTECT INFORMATION ACCORDING TO ITS SENSITIVITY, AND
F. ENSURE REVIEWING OFFICIALS AND WEBMASTERS ARE SELECTED AND HAVE RECEIVED APPROPRIATE TRAINING IN SECURITY AND RELEASE REQUIREMENTS IN SUPPORT OF DOD WEB POLICY.

6. IT IS A TEAM EFFORT AMONG THE INFORMATION ORIGINATOR, THE WEBMASTER AND THE READER(S) TO ENSURE ONLY THE INFORMATION NECESSARY TO ACCOMPLISH THE MISSION IS POSTED. THESE STEPS WILL HELP ENSURE WE ARE NOT AIDING OUR ENEMIES BY POSTING CONTENT THAT COULD PUT THE LIVES AND MISSIONS OF AMERICAN FORCES AND THOSE OF OUR FRIENDS AND ALLIES AT RISK.
BT
#8002