The DAG does not reflect the changes in the DoDI5000.02. Work is in progress to update the content and will be completed as soon as possible.
 
DEFENSE ACQUISITION GUIDEBOOK
Chapter 4 -- Systems Engineering

4.3.18.24. System Security Engineering

System Security Engineering (SSE) activities allow for identification and incorporation of security design and process requirements into risk identification and management in the requirements trade space.

SSE is the integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability or supply chain exploit/insertion, battlefield loss, and unauthorized or inadvertent disclosure throughout the acquisition life cycle. The SSE process captures SSE analysis in the system requirements and design documents, and SSE verification in the test plans, procedures, and results documents. The Program Protection Plan (see DAG Chapter 13 Program Protection) documents the comprehensive approach to system security engineering analysis and the associated results.

SSE is the functional discipline within systems engineering that ensures security requirements are included in the engineering analysis with the results being captured in the Program Protection Plan (PPP), provided at each Systems Engineering (SE) technical review (SETR) event (see DAG Chapter 13 Program Protection) and incorporated into the SETR-related SE requirements and the functional, allocated, and product baselines. The PPP is approved by the Milestone Decision Authority (MDA) at each milestone decision review and at the Full-Rate Production/Full-Deployment (FRP/FD) decision, with an approvable draft at the pre–Engineering and Manufacturing Development (EMD) review. The analysis should be used to update the SE baselines prior to each SETR and key knowledge point throughout the life cycle.

The Program Manager is responsible for developing a PPP that ensures the program complies with program protection policy and system requirements. The Systems Engineer and/or System Security Engineer is responsible for ensuring that a balanced set of security requirements, designs, testing, and risk management is incorporated and addressed in their respective trade spaces.

The Systems Engineer and/or System Security Engineer is responsible for facilitating cross-discipline system security working groups and is typically responsible for leading the SSE analysis necessary for development of the PPP. The cross-discipline interactions reach beyond the SSE community to the test and logistics communities. The Test Lead is responsible for incorporating sufficient system security test requirements into the Test and Evaluation Strategy (TES) and Test and Evaluation Master Plan (TEMP). The logistics community is responsible for continuing the protections and risk management activities initiated in acquisition throughout the Operations and Support (O&S) phase.

SSE processes inform the development and release of each Request for Proposal (RFP) (see DAG Chapter 13 Program Protection) by incorporating SSE process requirements into the Statement of Work (SOW) and the system security requirements into the RFP requirements document. Contractor responsibilities include developing plans to ensure that the system security protections are implemented in the development environments, system designs, and supply chains. The early and frequent consideration of SSE principles reduces rework and expense resulting from late-to-need security requirements (e.g., anti-tamper, exportability features, supply chain risk management, secure design, defense-in-depth, and information assurance implementation).
