Does ASA/ALT have authority to waive the DoD PPP requirement for ICT if no CPI is identified? There seems to be conflicting guidance or a misunderstanding from some PMs in the Army.
DODI 5000.02 was updated and signed January 7, 2015. There were significant changes in the area of Program Protection Planning and Cybersecurity from the prior signed version of DODI 5000.02, dated December 8, 2008. I point this out because some acquisition programs may still reference or use the prior document within their program protection strategy. In addition, there may be program managers who have only this prior knowledge and a limited focus on program protection. The 2008 version of DODI 5000.02 had only four references to program protection and stated, "CPI shall be identified and shall inform the preparation of the Program Protection Plan (PPP)." This earlier version focused PPPs primarily on Critical Program Information (CPI); Enclosure 4 stated "Program Protection Plan (PPP) (for programs with critical program information)." There were no references to cybersecurity.
The signed January 2015 version of DODI 5000.02 places much greater emphasis on program protection, with 12 references. In addition, the recent DODI 5000.02 also references new policy on cybersecurity and the Risk Management Framework (RMF) in DODI 8500.01 (March 14, 2014) and DODI 8510.01 (March 12, 2014). All three of these DODIs provide increased acquisition focus on program protection and cybersecurity, and they also changed the focus of PPPs to cover more than just CPI. Enclosure 3, Paragraph 11, states, "Software assurance vulnerabilities and risk based remediation strategies will be assessed, planned for, and included in the Program Protection Plan (PPP)." Enclosure 3, Paragraph 13, states, "Where a DoD capability advantage derives from the integration of commercially available or custom-developed components, program protection manages the risk that design vulnerabilities or supply chains will be exploited to destroy, modify, or exfiltrate critical data, degrade system performance, or decrease confidence in a system." Also in Enclosure 3, Paragraph 13, it states, "Program managers will employ system security engineering practices and prepare a PPP to guide their efforts and the actions of others to manage the risks to critical program information and mission-critical functions and components associated with the program. The PPP will be submitted for MDA approval at each milestone review, beginning with Milestone A." In Enclosure 11, Paragraph 6, the key aspect of cybersecurity is added: "All acquisitions of systems containing IT, including NSS, will have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP) that satisfies the statutory requirement in section 811 of P.L. 106-398 for mission essential and mission critical IT systems. Beginning at Milestone A, the Program Manager will submit the Cybersecurity Strategy to the cognizant Component CIO for review and approval prior to milestone decisions or contract awards." A Trusted Systems and Networks (TSN) analysis is also required. Enclosure 11, Paragraph 7, states, "TRUSTED SYSTEMS AND NETWORKS (TSN). Program managers of NSS; systems that have a high impact level for any of the three security objectives, Confidentiality, Integrity, or Availability; or other DoD information systems that the Component Acquisition Executive or Component CIO determines to be critical to the direct fulfillment of military or intelligence missions must identify and protect mission critical functions and components as required by DoD Instruction 5200.44. TSN plans and implementation activities are documented in PPPs and relevant cybersecurity plans and documentation." In the recent DODI 5000.02, there is more for us to include in PPPs.
Lastly, the question mentioned Information and Communications Technology (ICT) programs/projects for space satellite and missile defense capabilities. While I have no specifics on these acquisitions, my general assessment would be that ICT, satellite, and missile defense capabilities should involve both program protection and cybersecurity.