
SEC-02-03
Building Your Critical Information List
What you are actually protecting — and how to define it precisely
A Critical Information List is a short, specific, prioritized list of facts that would give an adversary operational advantage if they obtained them. Building it requires you to think like the adversary first — asking what information they need, not what information you value. Most people overload their CIL, which defeats its purpose. An effective CIL is short enough to actually protect.
What Critical Information Is
Definition and Scope
Critical information is defined as specific facts about your intentions, capabilities, activities, or limitations that, if obtained by an adversary in time to act on them, would allow that adversary to interfere with your plans or cause you harm. The DoD definition is precise on two points: the information must be specific (not categories) and the adversary must be able to act on it in time to matter.
This is distinct from sensitive information, which is information you prefer to keep private for general reasons. Sensitive information becomes critical information only when it fits the definition above — specific, actionable by an adversary, time-relevant. Your home address is sensitive information. It becomes critical information when your threat model includes an adversary who would benefit from knowing your location and has both the intent and capability to act on that knowledge.
The distinction matters because protecting everything is operationally impossible. The CIL exists to tell you where to concentrate resources.
The Adversary-First Method
How to Build the List
The standard military method for building a CIL is to adopt the adversary’s perspective first. Ask: “If I were my adversary, trying to harm or disrupt this person or group, what specific information would I need to execute that effort?” This is called identifying your Essential Elements of Friendly Information (EEFI) — the questions your adversary is trying to answer about you. Your CIL is the list of answers you do not want them to have.
Work through these categories of adversary interest when building your list. What are your plans and intentions — where you are going, what you are preparing for, when you will act? What are your capabilities and resources — what equipment you have, how many people you can field, what your logistical situation is? What are your limitations and vulnerabilities — what you cannot do, where you are exposed, what would stop you? What are your locations and patterns — where you are, where you go, at what intervals?
From those categories, your CIL entries should be specific facts, not categories. “Location” is not a CIL entry. “The location of our primary cache site” is a CIL entry. “Personnel” is not a CIL entry. “The identities of the three members with medical training” is a CIL entry.
The most common CIL error is treating it as a general privacy list and populating it with categories — “communications,” “finances,” “locations,” “schedules.” This is a list of areas, not a list of specific critical information. A CIL with 25 vague categories provides no guidance on where to concentrate protection. A good CIL has 8 to 12 specific entries, each describing a concrete fact that would give your adversary operational advantage. If you cannot say specifically what information, why an adversary needs it, and what they would do with it — it does not belong on your CIL yet.
Prioritizing the List
Once you have your candidate entries, rank them by impact. If this adversary obtained this information, how severely would it affect your operations or safety? High-impact items go to the top. Items where the adversary could obtain them but cannot actually act on them in time — or where the impact is minor — go toward the bottom or off the list entirely.
Your CIL is a living document. It should be revisited when your operations change, when your threat environment changes, or on a set schedule — quarterly is a reasonable starting point for most preparedness contexts. An OPSEC CIL that is never updated is slowly becoming inaccurate and therefore protecting the wrong things.
CIL construction: before and after
Before (category list, unusable): Locations. Communications. Finances. Personnel. Equipment. Schedule. Plans. Security measures.
After (specific CIL, actionable): 1. The location of our secondary resupply cache at the northeast property line. 2. The identities of our two members with current medical certifications. 3. The date and route of our next resupply run. 4. That our comms primary is a Baofeng on 462.625 with a CTCSS tone of 100.0. 5. The fact that our access road is impassable in wet conditions above a certain point.
The second list tells you exactly what to protect and why each entry matters. The first list tells you nothing you did not already know.
Draft a preliminary CIL for your household or group. Start with this question: “If someone wanted to disrupt my household’s safety or plans, what five specific facts would give them the most advantage?” Write those five facts down as specific statements — not categories.
You will refine this list in Lessons 4 and 5 as you assess your threat environment and identify which entries are actually vulnerable to collection.
Which of the following is a properly constructed CIL entry?
I understand the difference between sensitive information and critical information.
I can explain the adversary-first method for building a CIL.
I understand why CIL entries must be specific facts, not categories.
I have drafted a preliminary CIL for my household or group.
I know that a CIL requires periodic review and updating.
Next →Lesson 4 of 7: Threat Analysis — Who Is Watching