| 2.3.12-16-1 Ensure that the process for identifying Critical Program Information and Critical Components conforms with guiding government instructions |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D2 |
Phase D3 |
|
Ensure identification of current best practices and Government guidance to address Critical Program Information (CPI) and Critical Components (CC). The process should be in accordance with DoDI 5200.39 "Critical Program Information (CPI) Protection Within the Department of Defense" and with DoDI 5200.44 "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)" and should follow the process documented in Aerospace TOR-2013-00825 "Program Protection Plan Content Rich Template". Analysis should be performed for the end-to-end system, including considerations for inherited CPI. Also refer to AFMAN 63-113.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; Critical Program Information (CPI) Protection Within the Department of Defense, DoDI 5200.39; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-16-2 Ensure that a multi-disciplinary team participates in Critical Program Information identification and Critical Components (CC) criticality analysis |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D2 |
Phase D3 |
|
This government team should include engineers from multiple specialties including systems, software, hardware, and cyber security, as well as program management. All stakeholders should be represented.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; Critical Program Information (CPI) Protection Within the Department of Defense, DoDI 5200.39; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-16-3 Ensure that Critical Program Information (CPI) inherited from other programs are identified as such and that the program implements sufficient countermeasures for inherited CPI |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D2 |
Phase D3 |
|
Ensure programs are identified from which CPI is inherited (and to which CPI is conveyed). Ensure countermeasure implementation review is conducted to address implementation strategies and potential issues. The program office should have an approach for implementing the originating program's countermeasures or else have an alternate approach for countermeasure implementation. For countermeasure implementation variances, the program should address the impact and resolve issues internally and/or with other programs.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; Critical Program Information (CPI) Protection Within the Department of Defense, DoDI 5200.39; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-16-4 Ensure that all Critical Program Information and Critical Components are identified and that a proper analysis of consequence and system impact is performed |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D2 |
Phase D3 |
|
Each Critical Program Information (CPI) consequence is determined based on the impact caused by loss/compromise of the CPI. Each Critical Components (CC) system impact is determined by the mission impact if the CC is compromised by a threat and caused to fail. The CC failure impacts the supported critical function and overall mission. This failure impact is not mitigated by CC redundancy because the redundant component would have the same failure.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; Critical Program Information (CPI) Protection Within the Department of Defense, DoDI 5200.39; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-16-5 Ensure that the identification of organic (not inherited) Critical Program Information (CPI) common with other programs is performed and determine how horizontal protection of this CPI is accomplished |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D2 |
Phase D3 |
|
The program office should have a process for identifying Critical Program Information (CPI) which has been shared outside of the program, for example CPI that a contractor has implemented across multiple programs. The program office should also have a process that describes how horizontal protection of CPI across programs is accomplished. Horizontal protection of CPI ensures that an investment made by one program to mitigate the risk of CPI compromise is not diminished or wasted due to another program exposing the same or similar CPI to much greater risk.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, T1211TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; Critical Program Information (CPI) Protection Within the Department of Defense, DoDI 5200.39; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|