Program Protection Implementation Plans (PPIP)

Presented at the 41st NCMS Annual Training Seminar.



1
Program Protection Implementation Plans (PPIP)
  • George Quin CPP, ISP
  • Lockheed Martin Aeronautics

2
UNCLE SAM WANTS YOUR
PROTECTION PLAN !
3
Agenda
  • Why PPIP?
  • DoD Acquisition Management and You
  • The Acronym Game PPDP-PPP-PPIP
  • Crafting a security partnership PPDP
  • Creating a core security document PPP
  • Walking the security talk PPIP
  • The pitfalls of managing your PPIP
  • Questions

4
Why Program Protection Planning?
  • DEPSECDEF Memo of 6 June 2003:
  • Make OPSEC a priority.
  • Integrate OPSEC into your training & awareness
    programs.
  • Recognize the risks associated with compromising
    critical information & the countermeasures needed
    to mitigate them.
  • Continually assess your ability to apply OPSEC
    practices daily.
  • Obvious implication for the defense industry:
  • If you want to do business with a
    defense customer, then you must help them meet
    these security requirements.

5
Program Protection & OPSEC
  • DoDD 5205.2, DoD Operations Security (OPSEC)
    Program:
  • Extraordinary protection of DoD acquisition
    programs and their attendant costs for
    maintaining essential secrecy are balanced
    against the potential loss to mission
    effectiveness.
  • Ensure compliance with OPSEC requirements
    incorporated into classified contracts during
    scheduled reviews performed under the NISP.
  • DoD Components shall protect critical or sensitive
    information.
  • DoD Components shall provide management, annual
    review, and evaluation of their OPSEC programs.
  • DoD Components shall ensure that OPSEC requirements
    are included in contracts when applicable.

6
OPSEC 101 Refresher
  • 1. Identify critical information that needs
    protection.
  • 2. Analyze the threat.
  • 3. Analyze the vulnerabilities.
  • 4. Assess the risk.
  • 5. Apply the appropriate countermeasures.

7
We've Been Down This Road Before
  • DoDD 5000.2, Defense Acquisition Management
    Policies & Procedures, made the first reference
    to a Program Protection Plan (PPP) on February
    23, 1991.
  • A comprehensive protection of technology program
    shall be established for each defense acquisition
    program.
  • A program protection plan will be developed
    prior to Milestone I and updated for subsequent
    milestones.
  • Areas to be addressed will be (1) System
    Description and protected elements, (2)
    Protection Threats and Vulnerabilities, (3)
    Countermeasures, (4) Protection Costs, and (5)
    Other Considerations.

8
DoD Acquisitions Your Company
9
Key Acquisition Security References
  • DoDD 5000.1, The Defense Acquisition System
  • Overview document defining DoD acquisition
    policies & terms.
  • DoDD 5000.2, Operation of the Defense Acquisition
    System
  • Cancelled DoD 5000.2-R, the basis for major defense
    acquisitions and equivalent acquisition category
    (ACAT) programs prior to May 2003.
  • Describes a weapons program's lifecycle and
    milestones.
  • DoDD 5200.1 DoD Information Security Program
  • Core security policy document for all DoD
    components.

10
More Acquisition Security References
  • DoDD 5200.39 Security, Intelligence, and
    Counterintelligence Support to Acquisition
    Program Protection
  • Establishes policy & assigns responsibilities to
    various activities to protect previously
    identified critical program information (CPI).
  • DoD 5200.39-R (Draft), Mandatory Procedures for
    Research and Technology Protection within the
    DoD
  • Proposed requirements for protecting critical
    research & technology, dual-use technology, leading
    edge military technology, and critical program
    information throughout DoD.
  • DoD 5200.1-M Acquisition Systems Protection
    Program
  • The security bible for DoD acquisition managers.

11
Acquisition Systems Protection Program
  • DoD 5200.1 ASPP Manual
  • Provides protection standards for preventing
    foreign intelligence collection & unauthorized
    disclosure of essential program information,
    technologies, and systems during the DoD acquisition
    lifecycle.
  • Mandatory use for DoD Components.
  • Referenced in DoD contracts where required.
  • Program Goals
  • Selectively & effectively apply security
    countermeasures to protect essential program
    information, technologies, and/or systems
    (EPITS).
  • Reduce costs and administrative burden of
    security.
  • EPITS in the 1990s became CPI in the 2000s.

12
Protecting the "Crown Jewels"
  • Critical Program Information (CPI)
  • Engineering, design, or manufacturing processes,
    technologies, system capabilities and
    vulnerabilities, and other information that give
    your system its distinctive operational
    capability.
  • CPI Criteria
  • Gives an adversary the capability to counter,
    kill, or reduce the effective combat life of
    your system.
  • Provides information sufficient to "clone" a
    like system or rapidly skip ahead to develop a
    superior system.
  • Adversary exploitation would necessitate further
    R&D funding to replace a unique system capability
    lost to the war fighter.
  • If the Program Manager determines your program
    doesn't have any CPI, then your Protection Plan
    can be very short!

13
Acquisition Systems Protection Planning
  • Applies to collateral programs only, but SAP must
    meet standards before transitioning to a
    collateral arena.
  • Protect during the lifecycle from compromise &
    inadvertent loss, from establishment of a
    Mission Needs Statement (MNS) to final system
    demilitarization.
  • Chapter 3 outlines required program protection
    planning & defines the existence of a collection
    threat when:
  • A foreign entity is assessed with a requirement
    for your controlled program information;
  • Has the capability to acquire this program
    information;
  • And the acquisition of such information would be
    detrimental to U.S. interests.

14
Acquisition Philosophies & Acronyms
  • PPDP Program Protection Development Plan
    (Gathering for plan.)
  • PPP Program Protection Plan (Creating the
    plan.)
  • PPIP Program Protection Implementation Plan
    (Working the plan.)

15
PPDP Crafting a Security Partnership
  • Program Protection Development Plan (PPDP)
  • Created by DoD Program Office with significant
    contractor input for government products.
  • Purpose
  • Provide road map for development of Program
    Protection Plan.
  • Identify measures to protect combat effectiveness
    of system throughout life cycle in most cost
    effective manner.
  • Serve as baseline for development & evaluation of
    security products.
  • Provide common methodology for planning,
    budgeting & tracking security-related
    expenditures.

16
PPDP Crafting a Security Partnership
  • Organization
  • Section I Philosophy of program security.
  • Section II Methodology of integrating security
    into program.
  • Section III Security products to be developed
    during SDD phase by both contractors and
    government, with description and supporting
    tables.
  • Annex Program Protection Integrated Product
    Team (P2IPT) Charter.
  • Classification From FOUO to Secret / NOFORN.

17
PPDP Government Security Products
  • Critical Program Information (CPI) Provides
    basis for classification decisions & controlling
    cost.
  • Security Classification Guide (SCG) Provides
    consistent classification guidance.
  • Program Security Directive (PSD) Provides
    directions for special access information.
  • Technology Targeting Assessment (TTA)
    Identifies foreign entities with the interest,
    motivation, and capability to pursue the program,
    and their information-gathering strategy.
  • Security Cost Estimation and Tracking Guide
    Provides framework for tracking program costs.
  • Technology Assessment Control Plan (TA/CP)
    Identifies information sensitive to foreign
    access and the plan to control that access.

18
PPDP Government Security Products
  • Threat Assessment Describes potential system
    security threats and vulnerabilities during the
    program lifecycle.
  • Preliminary System Security Concept (PSSC)
    Provides security concept of operations for
    utilization of the system from a war fighter's
    perspective.
  • Open Source Analysis Assesses quantity and
    quality of open source information on the
    program.
  • Program Wide Assessment (PWA) Assesses trends
    of potential threat, vulnerability, cost, and
    contractor issues to assist Program Office in
    determining most cost effective means to protect
    data.
  • Multi-Disciplined Counter Intelligence Threat
    Assessment (MDCI) Assesses threat data on
    collection efforts usually listed by
    methodology and country.

19
PPDP Government Security Products
  • Anti-Tamper (AT) Provides guidance for
    incorporation of AT measures in program.
  • System Security Authorization Agreement (SSAA)
    Provides information for making appropriate
    security accreditation decisions.
  • Key Description Document Provides guidance on
    use of cryptographic systems in program.
  • Program Protection Plan (PPP) Comprehensive
    integrated management oversight plan
    consolidating all program security related
    requirements.
  • System Security Policy Provides set of
    practices and rules regulating how program will
    manage, protect, and distribute both unclassified
    and classified information.

20
PPDP Contractor Security Products
  • Program Protection Implementation Plan (PPIP)
    Comprehensive integrated plan derived from PPDP &
    PPP. Describes how the contractor will implement the
    protections.
  • Program Protection Integrated Product Team
    (P2IPT) Outlines contractor participation in
    P2IPT and various supporting working group
    meetings.
  • Certification & Accreditation (C&A) Evidence
    Provides information to support the DoD Information
    Technology Security Certification and
    Accreditation Process (DITSCAP) of program
    systems.
  • Anti-Tamper (AT) Provides description of
    approach and cost-benefit analysis.
  • Critical Program Information (CPI) Provides
    recommended CPI to Program Office.

21
PPDP Contractor Security Products
  • Security Costs Provides tool for making
    security risk management decisions.
  • TEMPEST Provides a program control plan and
    system emissions profiles.
  • Key Management Systems Describes unique
    system cryptographic interfaces.
  • Foreign Disclosure Describes information
    release procedures to foreign entities.
  • System/ Security Engineering Environment (S/SEE)
    Certification Describes how system is meeting
    NISPOM Chapter 8 requirements to process national
    security information.
  • Communications Security (COMSEC) Certification &
    Endorsement Provides COMSEC information for
    NSA certification & endorsement of the system.

22
P2IPT Working the Partnership
  • Program Protection Integrated Product Team
    (P2IPT) Composed of security representatives
    from various government and contractor
    organizations.
  • Functions
  • Provide a forum for identifying and resolving
    protection issues.
  • Integrate operational users into the requirements
    generation process.
  • Standardize interpretations of security policy.
  • Serve as vehicle for an informed decision-making
    process.
  • Structure
  • Comprised of multiple functional area working
    groups tied to common contractor-government
    security products.
  • P2IPT Lead is usually the Program Security
    Director.

23
PPP Creating a Core Security Document
  • Program Protection Plan Required under the
    authority & guidance of DoDD 5200.1, The Defense
    Acquisition System.
  • Government is responsible for issuing and
    updating the PPP. Identifies CPI and provides for
    integrated security management to protect system
    combat effectiveness.
  • PPP focuses on protecting CPI through:
  • The acquisition process.
  • Countering changing intelligence collection
    threats.
  • Controlling technology transfers.
  • Building security into operational systems.
  • Classification as appropriate: FOUO to Secret /
    NOFORN.
  • Refer to your SAF/AAZ Program Planning
    Handbook handout for a better understanding of
    the program protection process.

24
PPP Typical Contents
  • Introduction
  • System Description
  • CPI
  • Program Technology Threat Assessment
  • Countermeasures
  • Technology Assessment/Control Plan
  • System Security Engineering
  • Program Protection Costs
  • Annexes
  • P2IPT
  • PPDP
  • Security Classification Guide
  • Technology Targeting/Threat Assessments
  • Program Wide Assessment
  • Preliminary System Security Concept
  • Anti-Tamper
  • System Security Authorization Agreements
  • Program Key Description Document

25
PPIP Walking the Security Talk
  • Program Protection Implementation Plan (PPIP)
  • Prime Contractor responsible for PPIP creation
    and revision.
  • Basis for all contractor program security plans
    and procedures.
  • Prime Contractor is responsible for flow down of
    contractual security responsibilities and
    coordinating program security efforts across the
    entire contract team.
  • Prime Contractor responsible for coordinating
    annual PPIP review, revision, and submission to
    the Program Security Director in fulfillment of the
    Contract Data Requirements List (CDRL).
  • Inputs are included from principal partners to
    ensure all aspects of program security are
    addressed, including unique partner capabilities.

26
PPIP Walking the Security Talk
  • PPIP includes two critical elements of security:
  • Program Security Providing protection measures
    for personnel, data, equipment, and facilities
    involved in the program.
  • System Security Engineering Developing the
    security features that implement DoD requirements
    in the delivered system.
  • Classification can vary: FOUO to Secret / NOFORN.

27
PPIP Typical Contents
  • Introduction
  • Program Protection Implementation Plan sections
  • Program Protection Integrated Product Team
    sections
  • DoD Information Technology Security Certification
    and Accreditation Process sections
  • Anti-Tamper sections
  • Security Costs
  • TEMPEST sections
  • Crypto Key Management sections
  • Foreign Disclosure sections
  • System/Software Engineering Environment sections
  • Communication Security Certification and
    Endorsement sections
  • Annexes CPI and AIS Connectivity Matrices

28
Avoiding the Pitfalls of a PPIP
  • Create a separate PPIP to edit during your review
    cycle. Keep the original version pristine until the
    final approved update is posted.
  • Establish a PPIP editing team with
    representatives from key PPIP ownership groups
    within your organization and partner companies.
    Then identify the specific chapter and section
    responsibilities for each participating group to
    review. Keep it the same from year to year.
  • Create a shared access file folder on-line, with
    the viewing rights restricted to editing team
    members only.
  • Ensure you allow a long lead time for the review
    process. Clearly establish and promulgate your
    PPIP editing milestones.

29
Avoiding the Pitfalls of a PPIP
  • Use your organization's Proposal Development
    Center for edit work. You provide the changes
    and they incorporate them. Then repost the
    updated PPIP with proposed changes to your team
    folder. (Freeze this folder during each off-line
    editing session.)
  • Keep careful track of all proposed text changes
    and diagram changes on summary spreadsheets.
    Include these sheets when posting final version
    of PPIP.
  • If Prime Contractor, your program security
    manager should be given final edit approval.
    Signoff on the PPIP coversheet should include your
    principal partners' program security managers.
  • Identify beforehand your own organization's
    internal document review protocols. Know who must
    approve the PPIP's formal release to government.

30
Additional Training Resources
  • Defense Acquisition University (DAU) Guidebook
    with on-line tutorial.
  • http://akss.dau.mil/DAG/
  • Marine Corps Systems Command Program Protection
    Plans Course.
  • http://www.marcorsyscom.usmc.mil/sites/security/education
  • Your DoD Program Security Office.

31
Our Moral Obligation as Security Professionals
Delivering an uncompromised weapon system to
our customers.
32
The Price of Our Failure
33
Questions?