NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-38 — Operations Security
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: {{ insert: param, sc-38_odp }}.
Supplemental Guidance
Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.
Practitioner Notes
Operations security (OPSEC) means protecting information about your security posture, capabilities, and operations from adversaries. Do not reveal what defenses you have or how they work.
Example 1: Do not discuss specific security tools, versions, or configurations on public channels, social media, or in job postings. A job posting for a "Splunk administrator with CrowdStrike experience" tells attackers exactly what SIEM and EDR you use.
Example 2: Redact internal hostnames, IP addresses, and security tool names from any documents shared externally — incident reports, compliance submissions, vendor communications. Use generic terms like "our SIEM" or "our endpoint protection" instead of product names.