Who determines Critical Program Information, and is there a role that Criticality Analysis has for determining CPI? Are these findings captured in any place besides the PPP?
Also, who are the service leads for both determining CPI and conducting criticality analysis?
Just FYI - I teach Systems Security Engineering (SSE) and cybersecurity for DAU, was involved with development of ACQ160 and ENG260, and I had direct work experience within Program Protection (PP) for many years prior to being a DAU professor.
1. Question: Who determines Critical Program Information, and is there a role that Criticality Analysis has for determining CPI?
Answer: In an older Oct 2019 version of DODI 5000.02, Operation of the Defense Acquisition System, this was covered in the section on Design for Cyber Threat Environments. Here it stated, "Program Managers will... Identify and protect CPI, capabilities that contribute to the warfighters' technical advantage, throughout the life cycle in accordance with DoDI 5200.39." I'm not able to find the transition of this requirement within the more recent DODI 5000.02T or other DoD guidance. While your training should state that CPI, TSN analysis and cybersecurity are each major areas/elements (stovepipes) of PP and SSE, there is some overlap among these areas/elements. Having said that, CPI identification can and should occur first in the PP/SSE process and does not necessarily require assistance of the prime contractor. The PM and PP/SSE staff should understand the critical requirements and technologies and/or processes involved and document CPI; they should understand what needs to be protected as CPI, determine what/if countermeasures are required, and have these in the contract. The Government usually informs the prime contractor of what we have designated CPI, either with the list of CPI or a draft Program Protection Plan (PPP). The PM and PP/SSE should then manage risk associated with CPI, and of course the contractor can add to the CPI once on contract. In my experience, CPI does not have to be tied directly to a system's architecture products.
For the TSN analysis and cybersecurity (the criticality analysis [CA] plays a part here), the prime is absolutely needed and required. In my experience, TSN and cybersecurity DO need to be tied to a system's architecture products, and thus the prime contractor also needs to be engaged. Architecture products are usually presented by the contractor at the Preliminary Design Review (PDR).
So while the criticality analysis is directly tied to program protection, it is not necessarily or directly tied to the development or documentation of CPI within the PPP. Regarding who leads the CA, DOD INSTRUCTION 5000.82, ACQUISITION OF INFORMATION TECHNOLOGY (IT), just released on April 21, 2020, has this answer. In paragraph 3.7, this instruction states: "Program Managers (PMs) will manage TSN risk by...conducting a criticality analysis (CA) to identify mission critical functions and critical components and reducing the vulnerability of such functions and components through secure system design." The contractor should be involved with the CA, TSN analysis, supply chain risk management, and cybersecurity, as well as the vulnerability assessment. The CA is an important feeder to all of these activities.
2. Question: Are these findings captured in any place besides the PPP?
Answer: Yes. CPI and the CA should also influence the program's Cybersecurity Strategy (CSS), Risk Management Framework Security Plan (RMF SP) and risk management slides/mitigations. A related note on this: The program's Milestone Decision Authority (MDA) signs and approves almost everything and is the approval authority for the PPP. However, two other "sheriffs" (if you will) have been added and are now involved with the cybersecurity, TSN and CA aspects. The Service or DoD Chief Information Officer (CIO) will approve the program's CSS, and the appropriate cybersecurity Service Authorizing Official (AO) will sign the program's RMF SP. So when considering the flow down of CPI and information from the CA, these two documents may be affected as well. As you know, these PPP/SSE/CPI/TSN/Cyber risks need to be managed and mitigated by the program office as part of the risk management process throughout the lifecycle.
3. Question: Who are the service leads for both determining CPI and conducting criticality analysis?
Answer: There are two service leads identified in DOD INSTRUCTION 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E). DODI 5200.39, updated November 17, 2017, provides the following information on leads:
- The "UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE (USD(I))... establishes policy and provides oversight for counterintelligence (CI), intelligence, and security support to CPI identification and protection. USD(I) also serves as the DoD focal point and OSD Principal Staff Assistant to the Secretary and Deputy Secretary of Defense on all CPI matters in coordination with the USD(AT&L) [now divided into A&S and R&E] and in coordination with the Under Secretary of Defense for Policy (USD(P)) on matters pertaining to CPI protection in international programs. USD(I) also oversees and directs the Defense Intelligence Components in the production of threat assessments to help mitigate the risk of CPI compromise."
- In addition, USD(AT&L) [now divided into A&S and R&E] "Establishes policy and guidance, in coordination with the USD(I) and the DoD Component heads, for the identification, protection, and reassessment of CPI. Develops training for RDT&E personnel required to identify and protect CPI, in coordination with the USD(I) and DoD Component heads."