Two key points and references.  First, the Adaptive Acquisition Framework (AAF) shows the Program Protection Plan (PPP) as required for all ACAT-level programs -regardless of size.  Please see AAFDID, https://www.dau.edu/aafdid/Pages/Milestone-and-Phase-Information-Requirements.aspx, this is the authoritative table for documentation requirements for Acquisition Category (ACAT)  programs for Major Capability Acquisition, as well as all the other acquisition pathways of DoDI 5000.02, Operation of the  AAF.  Regardless of the project's or program's size or complexity or pathway, the AAF shows Cybersecurity as a requirement to be considered as an arrow to the left of the AAF pathways.  This arrow implies that cybersecurity (a key aspect of program protection) must be considered for all AAF pathways.

Second, DoDI 5000.83 TECHNOLOGY AND PROGRAM PROTECTION TO MAINTAIN TECHNOLOGICAL ADVANTAGE dated July 2020, addresses the key aspects that drive needing a PPP: Critical Program Information (CPI), Mission-Critical Functions and Components (CF/CC) and Cybersecurity.  While we addressed cybersecurity above, these other two aspects (CPI and CF/CC) aspects should also be considered, as I expect that COTS equipment or even very slightly modified COTS may have aspects that need to be protected or CF/CC electronics.  The DODI also discusses the requirements for submittal and approval of the PPP in paragraph 3.4: "The PPP will be submitted for approval, in accordance with Major Capability Acquisition, Operation of Middle Tier Acquisition, Urgent Operation Needs, and Software Acquisition at each acquisition pathway decision points. The cybersecurity strategy will be submitted as an appendix, in accordance with DoDI 5000.82." 

https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500083p.pdf?ver=fmz4Sx5tYVXnJZNKIoPoUQ%3d%3d 

Hope this information helps - two DAU professors collaborated on this AAP reply.  Please feel free to reach out if you have any additional questions.