U.S. Department of the Treasury

DATE: January 10, 2023

SUBJECT: Delegation of Authorities Concerning the Treasury Operations Security Program

1. PURPOSE.  This Order establishes the delegation of authorities related to and the responsibility for directing and implementing the Treasury Operations Security Program (OPSEC).
2. SCOPE.  This Order applies to all bureaus, offices, and organizations within the Department of the Treasury, including the Offices of Inspector General. The provisions of this Order shall not be construed to interfere with or impede the authorities or independence of the Department’s Inspectors General.
3. DELEGATION.  By virtue of the authority vested in me as Secretary of the Treasury, including the authority in National Security Presidential Memorandum-28, The National Operations Security Program, I hereby delegate to the Assistant Secretary for Intelligence and Analysis (A/S I&A) the authority of the Secretary to exercise and perform all duties, rights, powers, and obligations under the above-referenced authority.
   1. a. This delegation includes making all determinations and appointments and issuing any regulations required to implement the Department's operations security program, except for any matter in which, by law, executive order, or regulation the personal decision of the head of the agency or principal deputy is required.
   2. b. The authority delegated by this Order may be redelegated.
4. RESPONSIBILITIES.
   1. Assistant Secretary of Intelligence and Analysis (A/S I&A). The A/S I&A is designated as the senior official with authority to provide management, accountability, and oversight of Treasury’s OPSEC program, and shall:
      1. 1) Establish and oversee the implementation of policies and procedures for the conduct of Department OPSEC.
      2. 2) Report annually to the Secretary of the Treasury on the status of the Treasury OPSEC Program.
      3. 3) Coordinate and synchronize OPSEC matters and policies affecting more than one Treasury bureau and involving other Federal agencies.
      4. 4) Develop guidance for conducting OPSEC assessments and surveys.
      5. 5) In coordination with applicable procurement officials, develop standards and procedures for the evaluation and protection, when necessary, of unclassified and classified contract efforts.
      6. 6) In coordination with the Treasury Chief Information Officer and applicable senior information system managers, develop procedures and guidelines to be implemented by the Departmental Offices and bureaus for OPSEC reviews of Treasury information shared via Internet-based capabilities.
      7. 7) In coordination with the Assistant Secretary of Management, oversee the establishment and maintenance of a professionally trained and educated OPSEC workforce as part of Information Operations (IO) staff development.
      8. 8) As the Principal Staff Assistant for IO, serve as the principal policy development, oversight, and coordinating authority for the integration of OPSEC as an operations enabler.
      9. 9) Designate agency representatives to coordinate with the National Counterintelligence and Security Center’s (NCSC) National Operations Security Program (NOP) as appropriate to support OPSEC activities.
      10. 10) Direct the performance of a self-assessment of the Department’s OPSEC posture and provide the results for NOP Office staff review.
      11. 11) Develop and implement information-sharing policies and procedures to ensure NOP-relevant information, risks, or mitigation strategies are shared with the NCSC and other authorized partners.
   2. Assistant Secretary for Public Affairs (A/S PA). The A/S PA, in addition to the responsibilities in section 4d of this Order, shall develop policy and guidance to ensure OPSEC is incorporated into the public affairs release of information process.
   3. Department of the Treasury Chief Information Officer (Treasury CIO).
      1. 1) The Treasury CIO, in addition to the responsibilities in section 4d of this Order, shall address OPSEC and classification through compilation of data when developing policies and initiatives regarding information sharing capabilities that are accessible across the Department and shall also develop procedures to mitigate risks; and
      2. 2) Conduct ongoing OPSEC assessments of DO and bureau websites.
   4. Heads of Treasury Bureaus and Offices. The heads of the Treasury bureaus and offices shall establish OPSEC programs with OPSEC program managers and coordinators to promote an understanding and practice of OPSEC among all employees. The heads of the Treasury bureaus and offices shall direct that:
      1. 1) Guidance is established for identifying and updating critical information as missions change.
      2. 2) A process is in place to report to appropriate channels within the bureau and office disclosures of critical information so that mitigating actions can be implemented.
      3. 3) Dedicated manpower, funding, and resources are available to implement the OPSEC program.
      4. 4) Annual OPSEC assessments are conducted.
      5. 5) An annual review and validation of bureau and office OPSEC programs is submitted to the A/S I&A in accordance with section 4a(1) implementing guidance.
      6. 6) Threat-based comprehensive OPSEC surveys are conducted, at a minimum, every three years.
         1. a) Activities that warrant OPSEC surveys include, but are not limited to, research, development, test, and evaluation; acquisitions; treaty verification; nonproliferation protocols; international agreements; and personnel protection operations.
         2. b) The bureaus and offices shall identify and prioritize OPSEC survey requirements and outline procedures for requesting OPSEC survey support from the appropriate organizations.
      7. 7) OPSEC support capabilities are used for program development and review, planning, training, surveys, assessments, and related support, as required.
      8. 8) OPSEC is coordinated and integrated with other U.S. Government agencies, allies, and coalition partner programs, operations, and activities, as appropriate.
      9. 9) OPSEC is integrated with counterintelligence; insider threat; CUI; cybersecurity; and international, physical, industrial, and information security programs.
      10. 10) Directives, regulations, policies, and procedures are established for the review of unclassified information for OPSEC considerations and data aggregation prior to public release.
      11. 11) The risk of exposure to critical or classified information, alone or through compilation, is mitigated by providing OPSEC awareness training and guidance to the bureau personnel who use Treasury Internet services, other Internet-based capabilities, emerging technologies, or information sharing environments that are accessible across the enterprise.
      12. 12) OPSEC program managers, coordinators, IO professionals, public affairs personnel, contracting specialists, and personnel responsible for the review and approval of information intended for public release receive specialized OPSEC training for their duties in accordance with section 4a(1) implementing guidance. All such personnel shall receive OPSEC awareness training upon initial entry to duty (to include new hires, contractors, consultants, detailees, and interns) and annually thereafter.
      13. 13) Guidance is issued to ensure that Department unclassified and classified contract requirements properly reflect OPSEC responsibilities and that those responsibilities are included in contracts, when applicable.
5. OFFICE OF PRIMARY INTEREST.  Office of Assistant Secretary for Intelligence and Analysis.