| 2.3.12-18-1 Ensure that the process for selecting and implementing countermeasures is sufficiently rigorous and is followed |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure that the Program Protection Plan (PPP) process for selecting and implementing countermeasures is sufficiently rigorous and is followed. Countermeasures are defined as an action, procedure, or technique that reduces a threat, vulnerability, or risk.
|
AFMAN 63-119 A12.1.7
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013; AFMAN 63-119 or equivalent
|
| 2.3.12-18-2 Ensure that countermeasures are directed to the contractor(s) |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure full identification and allocation of countermeasures to contractor(s) and traceability down to lowest component and/or subcomponent level as required. Countermeasures require action by the contractor to implement them in order to protect CPI and CCs. Normally this is specified in the RFP by requiring a specific Contract Line Item Number (CLIN) or DID to document how the contractor has implemented countermeasures.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013
|
| 2.3.12-18-3 Ensure that the process for development of the Anti-Tamper plan is sufficient and is followed |
Phase 0 |
Phase A |
Phase C |
|
Anti-Tamper (AT) analysis should begin prior to MS A and an AT Concept Plan should be completed by MS A. The initial AT plan should be completed before the PDR and MS B. The final AT plan should be completed before MS C and the AT V&V Report should be complete by MS C. The AT plan should include a description of coordination with the SMC PEO AT Lead, the SAF/AQ AT Lead, and the AT Executive Agent. The government's AT analysis examines whether CPI exists in the operational environment. If so, the CPI is deemed to be Resident CPI (R-CPI). Each R-CPI must be examined for potential for loss or compromise and then an impact analysis must be performed to determine the consequence of loss. Based on the exposure and consequence, an AT Protection Level is determined. The AT Protection Level determines whether AT measures are necessary. For necessary AT protection, an AT architecture must be developed and implemented. See "Resident-Critical Program Information (R-CPI) Anti-Tamper Cost Effectiveness Considerations", SMC/ENP Memorandum for SMC Program Managers.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013
|
| 2.3.12-18-4 Ensure that the process for implementing the Anti-Tamper plan is sufficiently defined and is followed |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure Anti-Tamper (AT) plan fully addresses requirements and performance expectations, to include implementation requirements and schedule. Ensure contents of AT plan are consistent with best practices and current Government guidance. The SOW or other contract language should communicate AT requirements to the contractor and subcontractors. Assess that the requirements are adequately communicated and implemented. Assess the program office's coordination efforts with the SMC PEO AT Lead, the SAF/AQ AT Lead, and the AT Executive Agent. Determine whether the contractor and subcontractors have sufficient expertise to execute the AT plan and that the AT solutions are integrated with the system architecture and design.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Program Protection Plan - Outline & Guidance, v1.0, 18 July 2011, DASD(SE); Defense Acquisition Guidebook, Program Protection (Chapter 13), 15 May 2013
|
| 2.3.12-18-5 Ensure that the process for development of the Information Assurance Strategy is sufficiently defined |
Phase 0 |
Phase A |
Phase B |
Phase C |
|
Ensure Information Assurance Strategy (IAS) fully addresses requirements and performance expectations, to include implementation requirements and schedule. Ensure contents of IAS are consistent with best practices and current Government guidance. The government's IAS process should leverage existing documentation to the maximum extent possible in order to minimize duplication of effort. References to existing documentation may be used, though references to draft documents are not sufficient for IAS approval. While much of the programmatic information for the IAS can be provided through references, the IAS should list the baseline IA control sets to be implemented from DoDI 8500.01, list specific cybersecurity requirements, describe how the program adequately funds cybersecurity activities, describe the cybersecurity technical approach, describe how cybersecurity capabilities and support are acquired, describe how cybersecurity risk management is achieved and verified, and describe how cybersecurity shortfalls are handled.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Cybersecurity, 8500.01; Guide for Applying the Risk Management Framework to Federal Information Systems, National Institute of Standards and Technology (NIST) 800-37
|
| 2.3.12-18-6 Ensure that the Information Assurance Strategy is implemented |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Determine that Assurance Strategy (IAS) milestones are being met, that cybersecurity activities are being worked as part of the program's schedules (including test schedules), and that any cybersecurity shortfalls are being worked through approved mitigation plans.
|
AFMAN 63-119 A9.1.3.3
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Cybersecurity, 8500.01; Guide for Applying the Risk Management Framework to Federal Information Systems, National Institute of Standards and Technology (NIST) 800-37; AFMAN 63-119 or equivalent
|
| 2.3.12-18-7 Ensure that the process for development of Software Assurance countermeasures is sufficiently defined and is comprehensive |
Phase 0 |
Phase A |
Phase B |
Phase C |
|
Many of the contractor's activities in planning for and implementing Software Assurance (SwA) are documented in earlier MA IA & Cyber tasks, especially tasks 2.3.12-6 and 2.3.12-9. Determine that the government has required in the contract and in government program documents (such as the TEMP, SWAMP, SEP, etc.) that the contractor perform the necessary SwA tasks.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; National Institute of Standards and Technology (NIST) SP-800-64 Security Considerations in the System Development Life Cycle, Software Assurance Maturity Model A guide to building security into software development Version - 1.0; Secure Software Assurance Coding Guidance, TOR-2013-00742
|
| 2.3.12-18-8 Ensure that the Software Assurance countermeasures are implemented |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure required Software Assurance (SwA) Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) and CNSSI 1253 controls and protection mechanisms are identified, implemented, and tested. Ensure automated vulnerability analysis tools and techniques are used, and appropriate remediation strategies are identified for all vulnerabilities. Determine that the government tracks satisfactory performance of these tasks.
|
AFMAN 63-119 A15.11; AFMAN 63-119 A15.11.1
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; National Institute of Standards and Technology (NIST) SP-800-64 Security Considerations in the System Development Life Cycle, Software Assurance Maturity Model A guide to building security into software development Version - 1.0; Secure Software Assurance Coding Guidance, TOR-2013-00742; AFMAN 63-119 or equivalent
|
| 2.3.12-18-9 Ensure the sufficiency of the Supply Chain Risk Management process |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
The government must perform Supply Chain Risk Management (SCRM) for Critical Components (CC) and for components that contain or implement Information Communications Technologies (ICT). The government must require the contractor to provide CC supplier information and to notify the government if changes are made to suppliers. The government must perform SCRM prior to MS A and through operations and sustainment. The government must check for CC supplier changes at each Systems Engineering Technical Reviews (SETR). Supplier information is used by the government to submit TAC RFIs. Assess the government's process for obtaining CC supplier information, for mitigating supply chain risks, for ensuring that CCs will continue to be available to the program, and that information regarding the supply chain is sufficiently protected.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-18-10 Ensure government analysis of the need for Trusted suppliers is sufficient and government usage of Trusted Suppliers as required |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D3 |
|
If integrated circuit products and services are custom-designed, custom-manufactured, or tailored for a specific DoD military end use then they must be procured from a Trusted Supplier accredited by the Defense Micro Electronics Activity. Assess the analysis performed on whether a Trusted Supplier is required and, if so, the government's process for selecting a supplier and directing the supplier to the contractor.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-18-11 Ensure that sufficient counterfeit prevention countermeasures are implemented |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Assess the government process for determining counterfeit countermeasures to be implemented. The government should direct counterfeit countermeasures to contractors and subcontractors. Assess the adequacy of test methods used by the contractors and vendors to detect counterfeits. Determine whether Critical Components (CC) are procured from an OEM, Original Component Manufacturer, or authorized vendor and, if not, whether the contractor's counterfeit mitigations are adequate.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825; Protection of Mission Control Functions to Achieve Trusted Systems and Networks (TSN), DoDI 5200.44
|
| 2.3.12-18-12 Ensure that the government System Security Engineering process is sufficient as applied to Program Protection |
Phase 0 |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
The primary objective of System Security Engineering (SSE) is to minimize or contain system vulnerabilities to known or expected security threats. Scientific and engineering principles are applied during design and development to identify and reduce these vulnerabilities. The basic premise of SSE is that an initial investment in "engineering out" security vulnerabilities and "designing in" countermeasures is a long-term cost saving measure. If SSE is integrated into the overall Systems Engineering program, as defined in the SEP, it should reduce risk of finding and having to fix security vulnerabilities later.
|
NA
|
NA
|
Program Protection Plan Content Rich Template, TOR-2013-00825
|
| 2.3.12-18-13 Ensure that general countermeasure implementation is comprehensive and complete |
Phase A |
Phase B |
Phase C |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure that the Program Protection Plan (PPP) process for general countermeasure implementation is comprehensive and complete. Table 5.3.6-1 of the PPP lists general countermeasures for any program. This assessment determines the level of risk throughout the program's life cycle based on how well the countermeasures are applied to the program.
|
NA
|
NA
|
TOR-2013-00825 Program Protection Plan Content Rich Template; AFI 10-701 Operations Security or equivalent; AFI 16-201 Air Force Foreign Disclosure and Technology Transfer Program or equivalent; AFI 31-401 Managing the Information Security Program or equivalent; AFI 31-501 Personnel Security Program Management or equivalent; AFI 31-601 Industrial Security Program Management or equivalent; AFI 33-200 Information Assurance Management or equivalent; AFI 33-201 Management of Manual Cryptosystems or equivalent; AFJI 31-102 Physical Security or equivalent; DoD 5200.2-R Personnel Security Program; DoD 5200.08-R Physical Security Program; DoD 5205.02-M Operations Security Program Manual; DoDM 5200.01 Information Security Program; DoDD 5230.11 Disclosure of Classified Military Information to Foreign Governments and International Organizations; DoDI 5200.39 Critical Program Information (CPI) Protection Within the Department of Defense; DoDI 8500.01 Cybersecurity; DoDI 8523.01 Communications Security (COMSEC); DoDI 5200.44 Protection of Mission Control Functions to Achieve Trusted Systems and Networks
|