← Back to catalog
SC-38

Operations Security

System and Communications Protection (SC)
Baselines
Low · Not includedModerate · Not includedHigh · Not included
Description

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [assignment].

Discussion

Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.

Implementation guidance

No content available.

CSF 2.0 crosswalk

No CSF mappings exist for this control.