NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-12(9) Operations Security

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Apply operations security (OPSEC) to your supply chain processes. Information about your security infrastructure, deployment schedules, and vendor relationships should not be publicly available.

Example 1: Do not publicly disclose specific security products and versions in use (e.g., on job postings, social media, or website metadata). Attackers use this information to tailor their attacks to your specific technology stack. Keep infrastructure details internal.

Example 2: When communicating with vendors about security requirements, use secure channels (encrypted email, secure portals) rather than standard email. Sensitive procurement details, security architecture information, and vulnerability data should never travel over unprotected channels.