U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

System Security Engineering

System Security Engineering 

System Security Engineering (SSE) is an element of systems engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities. SSE activities allow for identification and incorporation of security design and process requirements into risk identification and management in the requirements trade space. The SSE process should ensure that cybersecurity system attributes are included in the requirements documents. Program Protection is the Department’s integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability or supply chain exploit/insertion (see Technology and Program Protection (T&PP) Guidebook, Section 3.8), battlefield loss and unauthorized or inadvertent disclosure throughout the acquisition life cycle. The Program Protection processes capture SSE analysis in the system requirements and design documents and SSE verification in the test plans, procedures and results documents. The PPP (see T&PP Guidebook, Sections 3.4 and 3.5) documents the comprehensive approach to SSE analysis and the associated results.  


SSE analysis results should be captured in the PPP, provided at each technical review and audit (see T&PP Guidebook, Section 3.4) and incorporated into the technical review assessment criteria as well as the functional, allocated and product baselines. For programs in the Major Capability Acquisition pathway, the PPP is approved by the MDA at each milestone decision review and at the FRP/FD decision, with a draft PPP (as defined in the AAFDIT and DoDI 5000.83, Section 3.4.c.) due at the Development RFP Release Decision Point. For other programs, PPPs are developed and submitted as directed by components for Operation of Middle Tier Acquisition, Urgent Capability Acquisition, and Software Acquisition programs The analysis should be used to update the technical baselines before each technical review and key knowledge point throughout the life cycle. It should also inform the development and release of each RFP (see T&PP Guidebook, Section 5) by incorporating SSE process requirements and the system security requirements into the appropriate solicitation documentation. 


For more information on System Security Engineering as a design consideration, see the Systems Engineering Guidebook, Section 5.24.  Also, see DoDI 5000.83 for more information on SSE and Program Protection in Defense acquisition. 

Community