13.0. Overview
Program Protection is the integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability, or supply chain exploitation/insertion, battlefield loss, and unauthorized or inadvertent disclosure throughout the acquisition lifecycle.
At its core, Program Protection protects technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities. In a simple sense, Program Protection seeks to defend warfighting capability by “keeping secret things from getting out” and “keeping malicious things from getting in.” Where the capability is derived from advanced or leading-edge technology, Program Protection mitigates the risk that the technology will be lost to an adversary; where the capability is derived from integration of commercially available or developed components, Program Protection mitigates the risk that design vulnerabilities or supply chains will be exploited to degrade system performance. The Program Protection Plan (PPP) is the milestone acquisition document that describes the plan, responsibilities, and decisions for all Program Protection activities.
13.0.1. Purpose
This chapter provides guidance and expectations for the major activities associated with Program Protection.
13.0.2. Contents
Chapter 13 addresses the following topics:
The Program Protection Process
The Program Protection Plan (PPP)
Critical Program Information (CPI) and Mission-Critical Functions and Components
Intelligence and Counterintelligence (CI) Support
Vulnerability Assessment
Risk Assessment
Countermeasures
Horizontal Protection
Foreign Involvement
Managing and Implementing Program Protection Plans (PPP)
Compromises
Costs
Contracting
Detailed Systems Security Engineering (SSE)
Program Protection Plan (PPP) Review/Approval
Program Protection Plan (PPP) Classification Guidance
13.1. The Program Protection Process
Program Protection is an iterative risk management process within system design and acquisition, composed of the following activities:
Additional considerations (Defense Exportability Features, Program Protection Plan (PPP) Approval, etc.) are covered in subsequent sections.
Commanders, Program Executive Officers, S&T Project Site Directors, Program Managers (PMs) (used throughout this chapter to include program/project leaders prior to official PM designation), systems engineering, system security, information assurance, Test and Evaluation (T&E), and acquisition personnel should be aware of the Program Protection process and should be engaged in supporting it. Program Managers are responsible with complying with this process holistically such that protection decisions are made in the context and trade space of other cost, schedule, and performance considerations. It is important to implement this process across the full acquisition lifecycle in order to build security into the system. The process is repeated at each of the following points in the lifecycle, building on the growing system maturity:
- Systems Engineering Technical Reviews (SETR) (see Section 13.10.2 for further elaboration on specific Systems Engineering Technical Reviews event expectations), starting Pre-Milestone A with the Alternative Systems Review (ASR)
- Systems Engineering (SE) analyses that support preparation for each Acquisition Milestone (see Sections 13.7.6 and 13.14 for further elaboration on how this process is tied to lifecycle phase-related Systems Security Engineering (SSE)
- Development and release of each Request for Proposal (RFP) (see Section 13.13.1 for further details on what should be incorporated in the Request for Proposal (RFP) package)
At each of these points, the process is iterated several times to achieve comprehensive results that are integrated into the system design and acquisition. This process applies to all programs and projects regardless of acquisition category (ACAT) or status (i.e., all acquisition categories (ACATs), Quick Reaction Capability (QRC), Request for Information (RFI), Joint Capability Technology Demonstration (JCTD), Science and Technology (S&T) or Authority to Operate (ATO)), or whether the technology is meant for Government and or military use.
13.2. The Program Protection Plan (PPP)
Program Protection is the Department's holistic approach for delivering trusted systems and ensures that programs adequately protect their technology, components, and information. The purpose of the Program Protection Plan (PPP) is to ensure that programs adequately protect their technology, components, and information throughout the acquisition process during design, development, delivery and sustainment. The scope of information includes information that alone might not be damaging and might be unclassified, but that in combination with other information could allow an adversary to clone, counter, compromise or defeat warfighting capability.
The process of preparing a PPP is intended to help program offices consciously think through what needs to be protected and to develop a plan to provide that protection. Once a PPP is in place, it should guide program office security measures and be updated as threats and vulnerabilities change or are better understood.
It is important that an end-to-end system view be taken when developing and executing the PPP. External, interdependent, or government furnished components that may be outside a program managers' control must be considered.
The PPP is the focal point for documentation of the program protection analysis, plans and implementation within the program for understanding and managing the full spectrum of the program throughout the acquisition lifecycle. The PPP is a plan, not a treatise; it should contain the information someone working on the program needs to carry out his or her Program Protection responsibilities and it should be generated as part of the program planning process.
The Program Protection Plan Outline and Guidance, established as expected business practice through a July 18, 2011 Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) policy memo, can be found at: http://www.acq.osd.mil/se/docs/PDUSD-ATLMemo-Expected-Bus-Practice-PPP-18Ju....