Strategics | Studies, Essays, Thesises » Digital Generation Subsystem Development and Integration, Radio Frequency Generation Subsystem Development and Integration

Attachment 9 DIGITAL GENERATION (DGEN)SUBSYSTEM DEVELOPMENT and INTEGRATION (SDI)/ RADIO FREQUENCY GENERATION (RFGEN) SUBSYSTEM DEVELOPMENT and INTEGRATION (SDI) NAVAIR OPERATIONS SECURITY (OPSEC) REQUIREMENTS 1. All work is to be performed in accordance with Department of Defense (DoD) and Department of Navy (DON) Operations Security (OPSEC) requirements, per the following: a) National Security Decision Directive 298 b) DoDD 5205.02, DoD Operations Security (OPSEC) Program c) DoD 5205.02-M, DoD Operations Security (OPSEC) Program Manual d) OPNAVINST 3432.1A, DON Operations Security 2. The contractor shall accomplish the following minimum requirements in support of the Naval Air Systems Command (NAVAIR) OPSEC Program: a) Determine Critical Information (CI) in accordance with DoD 5205.02-M (Appendix 1 through Encl 3). CI includes those facts, which individually, or in the aggregate, reveal sensitive details about NAVAIR or the contractor’s security or operations related to the support

or performance of this Statement of Work (SOW), and thus require a level of protection from adversarial collection or exploitation not normally afforded to unclassified information. b) Practice OPSEC and implement countermeasures to protect CI and other sensitive unclassified information and activities, especially those activities or information which could compromise classified information or operations, or degrade the planning and execution of military operations performed or supported by the contractor in support of the mission. Protection of CI will include the adherence to and execution of countermeasures which the contractor initiates or provided by NAVAIR, for CI on or related to the SOW. c) Sensitive unclassified information is that information marked FOR OFFICIAL USE ONLY (or FOUO), Controlled Unclassified Information (CUI), Privacy Act of 1974, COMPANY PROPRIETARY, and also information as identified by NAVAIR or NAVAIR Contracting Officer Security Representative (COSR). d)

NAVAIR has identified the following baseline CI: DAILY ACTIVITIES 1) Details regarding military operations, missions and exercises 2) Details of U.S systems supporting combat operations (numbers, timelines, locations effectiveness, unique capabilities, etc.) 3) Operational characteristics for new or modified weapon systems (Probability of Kill (PK), Countermeasures, Survivability, etc.) 4) Required performance characteristics of U.S systems using leading edge or greater technology (new, modified or existing) 5) Test or evaluation information pertaining to schedules of events during which CI may be captured 6) Details of NAVAIR unique Test or Evaluation capabilities (disclosure of unique capabilities) 7) Any material designated at Controlled Unclassified Information (CUI) such as FOUO and other distribution statement-controlled documents as well as Proprietary, or Business Sensitive Information (to include Source Selection Information or other sensitive competitive

information) 8) Known or probable vulnerabilities to any U.S system and their direct support systems SECURITY RESPONSIBILITIES 1) Government personnel information that would reveal force structure and readiness 2) Detailed facility maps or installation overhead photography (photo with annotation of Command areas or greater resolution than commercially available) 3) Force Protection specific capabilities or response protocols 4) Vulnerabilities in Command processes, disclosure of which could allow circumvention of security, financial, personnel safety, or operations procedures 5) Details of COOP, NAVAIR emergency evacuation or emergency recall procedures 6) Network User ID’s and Passwords and access codes to restricted/controlled spaces 7) Existence and/or details of intrusions into or attacks against DoD Networks or Information Systems, including, but not limited to, tactics, techniques and procedures used, network vulnerabilities exploited, and data targeted for exploitation 8)

Compilations of information that directly disclose Command CI 9) Command leadership and VIP agendas, reservations, plans/routes, etc. 3. All CI developed by the contractor and/or NAVAIR, in electronic or hardcopy form, shall be protected by a minimum of the following countermeasures: All emails containing CI must be DoD Public Key Infrastructure (PKI) signed and PKI encrypted b) CI may not be sent via unclassified fax when practical c) CI may not be discussed via non-secure phones when practical a) d) CI may not be provided to individuals that do not have a need to know it in order to complete e) f) g) h) i) their assigned duties CI may not be disposed of in recycle bins or trash containers unless made unusable (i.e shredded) CI may not be left unattended in uncontrolled areas CI in general should be treated with the same care as CUI/FOUO or Proprietary information CI must be destroyed in the same manner as CUI/FOUO CI must be destroyed at contract termination or returned to the

government at the government’s discretion 4. The contractor shall document items of CI that are applicable to contractor operations involving information on or related to the SOW. Such determinations of CI will be completed using the DoD OPSEC Five-Step process as described in National Security Decision Directive (NSDD) 298 and DoDMAN 5205.02 (App 1 to Encl 3) 5. Per DoDM 520502M (Encl 6), OPSEC training must be included as part of the contractors ongoing security awareness program. Basic OPSEC training, produced by the Interagency OPSEC Support Staff (IOSS), can be found here - OPSE1301 OPSEC Fundamentals If this link does not work, please request a CD copy via NAVAIR Operations Security Program Manager. 6. If contractor cannot resolve an issue concerning OPSEC they will contact the COR (who will consult with the appropriate OPSEC Manager or TPOC). 8. All above requirements shall be passed to all Sub-contractors