The IA&E Aspects of the New DoDI 5000.83 (Technology and Program Protection)
Bottom Line Up Front (BLUF)
The new DoDI 5000.83 establishes policy, assigns responsibilities, and provides procedures for Science and Technology (S&T) managers and lead systems engineers to manage system security and cybersecurity technical risks resulting from various types of omnidirectional threats in order to develop and implement measures to protect:
- DoD-sponsored research and technology that is in the interest of national security.
- DoD warfighting capabilities.
This new DoDI also illustrates the substantive impact of the separation of the previous UnderSecDef (Acquisition, Technology & Logistics) organization with respect to the program protection area:
- USD (Acquisition & Sustainment (A&S)), who is responsible for Defense Acquisition System (DAS) oversight and management.
- USD (Research & Engineering (R&E)), who is responsible for oversight and management of defense acquisition science, research, and technology development efforts.
Overview
For those readers unfamiliar with the broad areas involved in DoD acquisition and its International Acquisition and Exportability (IA&E) aspects, here’s an admittedly simplistic (but hopefully helpful) description of how the new DoDI 5000.83 will impact overall DoD acquisition program protection activities across the DoD acquisition life-cycle at the “30,000 foot” level:
DoD Program Protection Efforts | S&T and RDT&E Activities (1) | ATD RDT&E Activities (2) |
Acquisition Program RDT&E Activities (3) |
Who Leads | S&T Managers | Mix of S&T Mgrs, Lab Engineers, and System Engineers | Lead System Engineers supporting Program Managers (PMs) |
Primary Focus | Establish S&T Tech Area Program Protection Plans (TAPPs) | Establish/implement S&T Projection Plans for specific projects | Establish/implement Program Protection Plans (PPPs) for specific programs.(4) |
Desired Outcome | Ensure existing and emerging new/evolving tech is protected | Ensure transitioning new/evolving tech is protected at the project level | Ensure fielded new/evolving tech is protected in fielded and deployed systems |
- DoD Science & Technology (S&T) activities – which are aligned with the RDT&E Budget Activities (BAs) 6.1. and 6.2 per the DoD Financial Management Regulations, Volume 2B, Chapter 5, para 050105) – are conducted independent of DoD acquisition program RDT&E efforts.
- DoD Advanced Technology Development (ATD) activities – which are aligned with RDT&E BAs 6.3 and 6.4 – focus on transition of new technology into DoD acquisition programs.
- DoD Acquisition RDT&E activities – which are aligned with RDT&E BAs 6.4, 6.5, and 6.7 -- focus on integration of new technology into new or existing DoD systems and equipment that is fielded and used by DoD operational forces.
- DoD acquisition programs include the entire range of DoD AAF acquisition efforts, including Urgent Capability Acquisition (DoDI 5000.81), Middle Tier of Acquisition (DoDI 5000.80), and Major Capability Acquisition (DoDI 5000.85) efforts.
Comparative Analysis
Part I -- The Old Approach
The DoDI 5000.02 approach (circa 2015) made the Program Manager (PM) responsible for program protection in DoD acquisition programs – including Program Protection Plan (PPP) preparation -- while S&T managers were assigned the responsibility for S&T-related technology protection in DoD S&T technology base and RDT&E project efforts. The ASD(R&E) staff element of the previous USD(AT&L) organization worked with DoD Component HQ acquisition organizations to assist S&T managers, RDT&E personnel in labs and warfare centers, and the systems engineers supporting PMs to achieve these objectives.
Beginning in 2015, ASD(R&E) began promoting use of a “Three Pillars” program protection approach by PMs and their Integrated Product Team (IPT) – including the IPT’s system’s engineering and systems security engineering functions -- in the areas of Cyber and Information Security, Critical Program Information (CPI) projection using Anti-Tamper (AT), and Trusted Systems and Networks (TSN) protective measures. This ‘Three Pillars’ program protection approach was included as an integral part of OUSD(AT&L)’s Defense Exportability Integration efforts during this time period.
Part II -- The New Approach
The new DoDI 5000.83 focuses on establishing S&T manager and lead systems engineering responsibilities in the program protection area as well as providing the DoD acquisition workforce with a new approach to S&T project and acquisition program protection planning.
With respect to DoD Acquisition Category (ACAT) ID programs – which are the responsibility of the USD(A&S) acting as the Defense Acquisition Executive --USD(R&E) is now the PPP approval authority at DAS milestone decisions. However, there are very few ACAT ID programs remaining as a result of the delegation of Milestone Decision Authority (MDA) to the DoD Components for all other ACAT/AAF acquisition programs. For all the rest of these DoD Component-managed programs, “the PPP will be submitted for approval [to the MDA], in accordance with Major Capability Acquisition, Operation of Middle Tier Acquisition, Urgent Operation Needs, and Software Acquisition [DoD 5000 series policies] at each acquisition pathway decision point.”
Another major change is that PPPs developed for acquisition programs from this point onward are supposed to be based on any relevant Technology Area Protection Plans (TAPPs) implemented through corresponding S&T Protection Plans.
TAPPs
A TAPP will be established and maintained by USD(R&E) for each S&T modernization priority area. They will inform S&T research at the appropriate BA level, or at Technology Readiness Levels 1-6 and PPPs. They will be designed to reduce compromise or loss of critical technologies and protect against unwanted technology transfer and used to guide DoD acquisition efforts in: S&T; export controls; international agreements; security; counterintelligence; and U.S. law enforcement activities.
S&T Protection Plans
S&T managers in the DoD Components will prepare S&T Protection Plans as a management tool to guide S&T protection activities at the S&T and RDT&E project level. Such projects, when associated with critical technology or modernization priority areas, will need to develop an S&T Protection Plan that includes: critical technology elements and enabling technologies; threats to, and vulnerabilities of, these items; and, selected countermeasures to mitigate associated risks. These S&T Protection Plans are supposed to be developed and submitted prior to each S&T/RDT&E project’s approval – and updated, as appropriate -- based on procedures defined by each DoD Component.
Impact on Program Protection Training
DoDI 5000.83 makes USD(A&S) – in coordination with the USD(R&E) – responsible for incorporating technology and program protection activities in Defense Acquisition University (DAU) education and training.
DAU’s existing courses in this area – which focus on the Three Pillars program protection approach, including its relationship to defense exportability planning and implementation -- include ACQ 160 (Program Protection Planning Awareness), ENG 260 (Program Protection for Practitioners), and DAU’s Program Protection Credential (which requires completion of ACQ 160, ENG 260, and a Summation Exam).
These will presumably have to be modified to reflect the new DoDI 5000.83 policy guidance, including the new emphasis on TAPPs and S&T Protection Plans serving as the basis for AAF acquisition program PPPs from this point onward.
Potential Implementation Challenges
In my experience, sweeping new DoD policy issuances like DoDI 5000.83 take time to implement throughout the Department. This new DoDI calls for several substantive changes to the status quo regarding how program protection measures will be identified, developed, and fielded throughout the DoD acquisition program lifecycle. Here are a few areas that could prove challenging, particularly at the DoD Component project and program level.
Development and Update of TAPPs: TAPPs are a new concept which will provide top level DoD foundational ‘building blocks’ for development of S&T Protection Plans for each specific DoD Component S&T and RDT&E project that requires program protection measures. Until TAPPs are developed and issued, implementation of DoDI 5000.83 principles and processes at the DoD Component S&T and RDT&E project level will likely be impacted due to lack of overarching TAPP guidance across the entire DoD S&T/RDT&E domain.
DoD Component S&T Protection Plans: The scale, scope, and diversity of S&T and RDT&E project efforts across the DoD acquisition enterprise is immense. As a result, the breadth and depth of the number of S&T Protection Plans that will have to be developed and approved has yet to be defined, and DoD Component approval processes for such plans have yet to be developed.
Role of the Program Manager: DoDI 5000.83 essentially shifts the responsibility for acquisition program PPPs from the PM to the program’s lead systems engineer. Notably, the term “program manager” is used only once in the new DoDI 5000.83, “After the full-rate production or full-deployment decision, the PPP will transition to the program manager [PM] responsible for system sustainment and disposal.” However, during a system’s development phases PMs will remain responsible for making AAF program-level recommendations to MDAs regarding cost, schedule, and performance design trades -- including cost/benefit choices in the program protection area -- based on advice provided by the lead systems engineer and other IPT members.
DoD Component MDA Approval Process for PPPs: Under the new set of AAF DoD 5000 series policies, DoD Components have been delegated the responsibility for almost all program level milestone decision making. As a result, almost all of the program-level PPP approvals required by the new DoDI 5000.83 will be made by DoD Component MDAs at various organizational levels. Many of these decisions will be made at the Program Executive Officer (PEO) level for smaller AAF programs. Who will provide PEOs (and their supporting staff organizations) with training and decision support to help them evaluate and approve PM recommendations regarding investment in and implementation of program protection measures on a program-by-program basis?
Impact on IA&E: The recently published DoDI 5000.85 makes IA&E planning and implementation mandatory for DoD Major Capability Acquisition (MCA) programs. As outlined in a recent blog on this subject, DoD’s new MCA acquisition policy places particular emphasis on the importance of “building in exportability” in DoD’s new and modified systems, and makes DoD Component MDAs responsible for implementing this guidance. Experience has shown that the best way to build exportability into new and modified DoD systems is to include ‘one size fits all’ program protection – including cybersecurity, anti-tamper, and trusted systems & networks measures – to the maximum extent possible during the early stages of development. The ‘one size fits all’ program protection concept provides a robust foundation for future domestic and exportable system versions. As a result, it’s essential that proposed DoDI 5000.83-based program protection measures are aligned with proposed DoDI 5000.85-based defense exportability features in future AAF program milestone decisions (or equivalent).
Summary
There are many ‘greater goods’ that PMs must address in their programs in areas such as regulatory compliance, interoperability, and program protection. These areas are often referred to as ‘unfunded mandates’ since compliance is required but no additional funding beyond the program’s authorization and appropriations is typically provided. Moreover, it can be quite challenging to define and decide ‘how much’ of one of these ‘greater goods’ is enough since absolute compliance in each area -- if there is such a thing -- is often neither achievable nor affordable. The need to make difficult decisions during a program’s development phases regarding system-level cost/benefit tradeoffs – even for ‘greater good’ areas such as program protection – frequently occurs.
This reminds me of an earlier blog I published concerning Lashly’s Laws of DoD system program management which explain why:
- You can have anything you want [but] …
- You cannot have everything you want [since] …
- You decide what you [really] want by what you are willing to give up to get it [and, most importantly] …
- If you are unwilling to give up anything, what you will get is nothing that anyone would want.
The new DoDI 5000.83 establishes high standards regarding the implementation of program protection measures in DoD S&T/RDT&E projects and acquisition programs for the greater good. The new DoDI 5000.85 establishes high standards regarding building exportability into new and modified DoD systems as well. While we can all appreciate the overall DoD benefits that will result from the implementation of both these DoDIs, it appears that evaluating and making program protection and building exportability cost/benefit tradeoff decisions at the deckplate level during the development phase of AAF programs will pose even greater challenges for the DoD acquisition workforce in the future. We are already working on new DAU learning content to support such efforts.
Until next time, Prof K
P.S. – If you’re interested in additional insights on this important subject, please consider participating in an upcoming DAU webinar “Adaptive Acquisition Framework: DoDI 5000.83 Technology and Program Protection to Maintain Technological Advantage” on September 15, 2020 from 1200 – 1330.