13.8. Horizontal Protection

DEFENSE ACQUISITION GUIDEBOOK
Chapter 13 – Program Protection

13.8. Horizontal Protection

13.8.1. Acquisition Security Database (ASDB)

13.8.2. Horizontal Protection Process

13.9. Foreign Involvement

13.9.1. Programs with Foreign Participation

13.9.2. Defense Exportability Features (DEF)

13.8. Horizontal Protection

Horizontal protection analysis is the process that determines if critical defense technologies, to include Critical Program Information (CPI), associated with more than one Research, Development, and Acquisition (RDA) program, are protected to the same degree by all involved DoD activities (DoDI 5200.39). DoD horizontal protection requires that all those who develop, process or store the same or similar Critical Program Information (CPI) use the same or equally effective:

• Classification standards
• Export Control guidelines
• Foreign disclosure arrangements
• Anti-tamper protections
• Information Assurance standards
• Physical Security Standards

Horizontal protection is necessary to ensure that an investment made by one program to protect Critical Program Information (CPI) is not diminished due to another program exposing the same Critical Program Information (CPI) or a similar technology with great risk. The goal of the adjudication process is an agreement on a common risk mitigation level among affected programs for the same Critical Program Information (CPI) or similar technologies, not a common protection requirement. The adjudication step in the horizontal protection process will only be necessary in rare cases.

13.8.1. Acquisition Security Database (ASDB)

The Acquisition Security Database (ASDB) is designed to support PMs, Research and Technology Protection (RTP), Anti Tamper (AT), Counterintelligence, Operations Security (OPSEC), and Security personnel supporting Acquisition Programs. It provides automated tools and functionality to enable efficient and cost-effective identification and protection of Critical Technologies (CT) and Critical Program Information (CPI). It offers a federated search capability and facilitates a standardized identification, implementation, and tracking of Critical Program Information (CPI) countermeasures.

The Acquisition Security Database (ASDB) supports program protection and specifically the horizontal protection process by providing a repository for Critical Program Information (CPI) and Countermeasures and offering a collaboration environment for programs, counterintelligence, security Subject Matter Experts (SMEs), and enterprise individuals supporting the program protection planning effort. The use of the Acquisition Security Database (ASDB) by DoD Components was directed by an Acquisition, Technology, and Logistics (AT&L) memo on July 22, 2010 which directed “DoDI 5200.39 establishes policy to conduct comparative analysis of defense systems' technologies and align Critical Program Information (CPI) protection activities horizontally throughout the DoD.”

The Acquisition Security Database (ASDB) supports the horizontal protection process in three ways. First, the Acquisition Security Database (ASDB) features a federated search that will allow enterprise individuals to search for similar Critical Program Information (CPI) based on name, Military Critical Technology List (MCTL), or technology type. The search results include the names of Program Protection Plans (PPPs) that match the search criteria. The Critical Program Information (CPI) description within the Program Protection Plan (PPP) can be reviewed and the assessment made as to whether or not the two Critical Program Information (CPI) are similar enough to require similar risk mitigation levels. Second, after the same or similar Critical Program Information (CPI) have been identified and determined to require equivalent risk mitigation, the protections lists in the Program Protection Plans (PPPs) can be analyzed for applicability. Third, the Acquisition Security Database (ASDB) provides the collaboration environment for discussions about the comparison of Critical Program Information (CPI), counterintelligence threats, and planned protections.

The program Acquisition Security Database (ASDB) record should be created as soon as Critical Program Information (CPI) is identified and updated periodically, as changes occur, and at each subsequent milestone. Critical Functions/Components are not identified in the Acquisition Security Database (ASDB).

To request access to the Acquisition Security Database (ASDB), please do the following from a SIPRNET Terminal:

0. Navigate to the Acquisition Security Database (ASDB) Public Site: https://asdb.strikenet.navy.smil.mil/default.aspx.
0. Select "Register" (on left menu).
0. Fill out User Information.
0. Click "Submit Information".

Your access request will be placed into the workflow process for approval. Once approved you will receive a SIPR and NIPR email from the Acquisition Security Database (ASDB) Technical Team.

If you need assistance, please contact the Acquisition Security Database (ASDB) Technical Team at (252) 464-5914 or DSN 451-5914.

13.8.2. Horizontal Protection Process

Programs should be continuously doing horizontal protection as soon as Critical Program Information (CPI) is identified. Below is the high-level horizontal protection process that shows how to protect Critical Program Information (CPI) to the same degree across the Services and programs.

Figure 13.8.2.F1. Horizontal Protection Process

The process for doing horizontal protection during Program Protection Plan (PPP) creation, update, or review is outlined below:

0. Request Acquisition Security Database (ASDB) access at https://asdb.strikenet.navy.smil.mil/default.aspx.
0. Create a record and fill out appropriate fields.
0. Use the search capabilities in the Acquisition Security Database (ASDB) to identify other programs with potentially similar Critical Program Information (CPI). Consider threat and vulnerability differences between programs.
0. Compare planned countermeasure protection against the similar Critical Program Information (CPI) and consider threat and vulnerability differences between programs.
0. If there are perceived discrepancies or concerns, adjudicate the differences at the lowest organizational level.
0. If the discrepancies are not resolved, escalate to an executive decision making organization as determined by Acquisition, Technology, and Logistics (AT&L).
0. Incorporate the results of adjudication into the Program Protection Plan (PPP).

If you have any questions or need assistance, please contact the Acquisition Security Database (ASDB) Technical Team.

Phone: (252) 464-5914 or DSN 451-5914

NIPR E-Mail: W_SPAWAR_CHRL_SSCLANT_ChPt_TEAM_US@navy.mil

SIPR E-Mail: webmaster@strikenet.navy.smil.mil

13.9. Foreign Involvement

13.9.1. Programs with Foreign Participation

The Department of Defense, by law, is to consider cooperative opportunities with the North Atlantic Treaty Organization (NATO), NATO member nations, NATO organizations, non-NATO major allies, and other friendly countries for major defense acquisition programs. In general, DoD policy encourages foreign participation in DoD acquisition programs. Foreign participation ranges for cooperative research and development through production (i.e. foreign industrial participation), acquisition of the system through direct commercial sales (DCS) or foreign military sales (FMS), and other follow-on support.

When it is likely that there will be foreign involvement or access to the resulting system or related information, the Program Manager must plan for this foreign involvement to assist in identifying vulnerabilities to foreign exposure and developing technology security and foreign disclosure guidance to ensure that foreign access is limited to the intended purpose for that involvement while protecting critical program information and mission-critical functions and components and other sensitive information.

Some considerations to forecast potential foreign involvement includes:

• Cooperative research and development with allied or friendly foreign countries
• An allied system may be adopted
• System will replace/upgrade a system that had been previously sold to allies and friends
• System interoperability will be needed for use in future coalition operations

The Program Manager should consult with their international programs organization and technology security and foreign disclosure offices (i.e. National Disclosure Policy, Low Observable/Counter Low Observable (LO/CLO), Defensive Security Systems (DSS), Anti-Tamper (AT), Communication Security (COMSEC), Intelligence, etc.) to obtain assistance in addressing this matter. An integrated product team might be established for this purpose. International considerations to be addressed include the following, many of which should be available from the analysis used in developing the International Cooperation section of the Technology Development Strategy:

• Summarize any plans for cooperative development with foreign governments or cognizant organizations.
• Summarize plans to increase the opportunity for coalition interoperability as part of the developing DoD program.
• Assess the feasibility from a foreign disclosure and technology security perspective.
• Prepare guidance for negotiating the transfer of classified information and critical technologies involved in international agreements.
• Identify security arrangements for international programs.
• Coordinate with the disclosure authority on development of Delegation of Disclosure Authority Letter (DDL).
• Assist with development of Program Security Instruction (PSI) for a cooperative development program in support of program.
• Support decisions on the extent and timing of foreign involvement in the program,
• Foreign sales, and access to program information by foreign interests.
• Specify the potential or plans for Foreign Military Sales (FMS) and/or Direct Commercial Sales (DCS) and the impact upon program cost due to program protection and exportability features.
• Identify/nominate for consideration as a Defense Exportability Features (DEF) candidate.

13.9.2. Defense Exportability Features (DEF)

Defense Exportability Features (DEF) was established in the fiscal year 2011 National Defense Authorization Act to develop and incorporate technology protection features into a system or subsystem during its research and development phase. By doing this, exportable versions of a system or subsystem could be sold earlier in the Production and Development phase, thereby (1) enabling capability to be available to allies and friendly companies more rapidly and (2) lowering the unit cost of DoD procurements. Prior to the Engineering and Manufacturing Development Phase, programs should investigate the necessity and feasibility (from cost, engineering, and exportability perspectives) of the design and development of differential capability and enhanced protection of exportable versions of the system or subsystem. See Chapter 11.2.1.2. International Considerations within the Acquisition Management Framework for summary of Defense Exportability Features (DEF) nomination and feasibility assessment.

Top of page