During this phase, the OPSEC team correlates the data acquired by individual members with information from any empirical studies conducted in conjunction with the survey.

1. Correlation of Data

   (1) Correlation of Functional Outlines. When the separate chronology outlines for each functional area are correlated, the chronology of events for the operation or activity as a whole will emerge. During the field survey or analytic phases, conflicts of data must be clarified.

   (2) Functional Outlines. The purpose of constructing the functional outlines is to describe the time-phased unfolding of the operation or activity; to depict the manner in which separate commands, organizations, and activities interact and perform their roles in the operation or activity; and to trace the flow of information through electrical and nonelectrical communications media from its origin to its ultimate recipients. It is important that the team members present the information in a manner that facilitates analysis. The net result of the correlation will be a portrayal of the entire operation or activity.

   (3) Correlation of Empirical Data. In addition to correlating data acquired from the observations of individual team members, the survey team may also use relevant, empirically derived data to refine individual functional outlines. More importantly, these data can also verify vulnerabilities that would otherwise be exceedingly speculative or tenuous. Empirical data are extremely important to a comprehensive survey.

2. Identification of Vulnerabilities
   (1) The correlation and analysis of data help the team to refine the previously identified preliminary vulnerabilities or isolate new ones. This analysis is accomplished in a manner similar to the way adversaries would process information through their intelligence systems.

   (2) Indicators that are potentially observable are identified as vulnerabilities. Vulnerabilities point out situations that an adversary may be able to exploit. The key factors of a vulnerability are observable indicators and an intelligence collection threat to those indicators.

   (3) The degree of risk to the friendly mission depends on the adversary's ability to react to the situation in sufficient time to degrade friendly mission or task effectiveness.

3. OPSEC Survey Report. The report of the OPSEC survey is addressed to the commander of the surveyed operation or activity. Lengthy reports (more than 15 pages) should be accompanied by an executive summary.
   (1) There is no special format for OPSEC survey reports; a suggested format is at the Tab. Whatever the format, the report should provide a discussion of identified critical information, indicators, adversaries and their intelligence capabilities, OPSEC vulnerabilities, risk analysis, and recommended OPSEC measures to eliminate or reduce the vulnerabilities. Although some vulnerabilities may be virtually impossible to eliminate or reduce, they should be included in the report to enable commanders to assess their operation or activity more realistically.

   (2) Each report should contain a threat statement. Its length and classification need only be adequate to substantiate the vulnerabilities (or actual sources of adversary information) described in the report. The statement may be included in the main body of the report or as an annex to it. Portions of the threat that apply to a particular vulnerability finding may be concisely stated as substantiation in a paragraph preceding or following the explanation of the observation. If the threat statement is so classified that it will impede the desired distribution and handling, the statement, or parts of it, should be affixed as an annex that can be included only in copies of the survey report provided to appropriately cleared recipients.

   (3) The section that delineates vulnerabilities can be presented in a sequence that correlates with their significance, in an order that coincides with their appearance in the chronological unfolding of the surveyed operation or activity, or grouped together according to functional area (logistics, communications, personnel, etc.). A particular vulnerability can be introduced by a headline followed by an adequate description of the finding and accompanied by identification of that portion of the operation or activity that includes the vulnerability. As stated earlier, a vulnerability observation may also include relevant threat references.

   (4) If possible, OPSEC teams should include recommendations for corrective actions in the report. However, the team is not compelled to accompany each vulnerability finding with a recommendation. In some situations, the team may not be qualified to devise the corrective action; in others, it may not have an appreciation of the limitations in resources and options of a particular command. It may sometimes be more effective for the team to present the recommendation informally rather than including it in the survey report. Recommendations of the OPSEC team may be particularly valuable in situations in which a vulnerability crosses command lines. Ultimately, commanders or the responsible officials must assess the effect of possible adversary exploitation of vulnerabilities on the effectiveness of their operation or activity. They must then decide between implementing corrective actions or accepting the risk posed by the vulnerability.

   (5) Appendixes and annexes to OPSEC survey reports may be added to support the vulnerability findings and conclusions. Sections, such as a threat annex, may include empirical studies (or parts of them). Maps, diagrams, and other illustrative materials are some ways to substantiate OPSEC vulnerabilities.

   (6) The report may end with a conclusion or summary of the survey and its findings. The summary should not include judgments about compliance with standing security practices of the organizations. Such judgments are the purview of security disciplines.

   (7) Distribution of the survey team's report should be limited to the principal commands responsible for the surveyed operation or activity. After the commands have had time to assess the report and take corrective actions, they can consider additional distribution. Abstracts from the report may be provided for lessons-learned documents or data bases on a nonattribution basis.

   (8) Because they contain vulnerability information, OPSEC survey reports must be controlled from release to unauthorized persons or agencies. Affected portions of the report must be controlled in accordance with applicable security classification guides. For those portions of the report not controlled by security classification guides, administrative control of the release of survey report information must be considered. Likewise, the notes, interviews, raw data, etc., used to build a survey report must be subject to the same controls as the finished report.

1. Overview

1. Background. Address the purpose and scope of the survey as well as the results of the threat and vulnerability assessments.

2. Conduct of Survey. Brief discussion of methodology, team composition, major commands visited, and timeframe of survey.

3. Critical Information

4. Threat

3. Analysis, Conclusions, and Findings. This is the body of the report. Discussions and findings may be listed chronologically, by command, or chronologically within commands.

4. Suggested Format for Each Finding

1. Observation

2. Analysis and discussion

3. Conclusion or recommendation