2.3.12 - Cyber Security

2.3.12-21 Level 2 Tasks

| Tasks | Applicable Mission Phases | Description | SFWC | Artifacts | References |
|---|---|---|---|---|---|
| 2.3.12-21-1 Ensure that Program Protection Plan information is properly controlled | Phase 0, Phase A, Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Program Protection Plan (PPP) information is to be controlled per DoDM 5200.01, Volume 4, "DoD Information Security Program: Controlled Unclassified Information (CUI)", February 24, 2012. | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825; DoDM 5200.01 Information Security Program |
| 2.3.12-21-2 Ensure that the Program Protection Plan is reviewed and updated, as necessary, on a scheduled basis not to exceed every five years | Phase A, Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Review the Program Protection Plan (PPP) publication timing/sequence (e.g. prior to milestone, prior to export decision, prior to Systems Engineering Technical Reviews (SETRs)). | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825 |
| 2.3.12-21-3 Ensure that the execution of Program Protection Surveys is performed as required | Phase A, Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Program Protection (PP) Surveys should occur in the frequency documented in the Program Protection Plan (PPP). They should follow the methodology documented in the PPP. PP Surveys should be led by the government. Determine that the survey team is adequately trained. The PPP should describe what is required during the PP Survey in order to demonstrate compliance with the PPP. Determine if the PP Survey demonstrates that both government and contractors are complying with the PPP. Determine whether CPI and CCs continue to be adequately protected. Assess how well findings of the PP Survey are resolved. | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825; DoDI 5200.39 Critical Program Information (CPI) Protection Within the Department of Defense; DoDM 5200.01 Information Security Program |
| 2.3.12-21-4 Ensure that Program Protection Plan V&V is documented and that the V&V process is followed | Phase A, Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Determine that Program Protection (PP) specific testing occurs throughout the system lifecycle (including sustainment), that it covers the PP items in the program's test documentation such as the TEMP, and that findings are effectively processed and closed. | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825 |
| 2.3.12-21-5 Ensure that Program Protection responsibilities are transitioned from development to sustainment | Phase C, Phase D2, Phase D3 | Aspects of the transition to sustainment should be documented in the Life Cycle Sustainment Plan (LCSP). Transition to sustainment should include any plans for transitioning to a sustainment contractor. If the program plans to use a depot for maintenance during sustainment, plans for addressing SCRM countermeasures should be documented. Program plans should describe how Critical Program Information (CPI) and Critical Components (CC) identification and updates, threat assessments, vulnerability assessments, and risk assessments will continue to be performed during sustainment. | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825 |
| 2.3.12-21-6 Ensure that the process for monitoring and reporting compromises is sufficient and that it is followed | Phase 0, Phase A, Phase B, Phase C, Phase D1, Phase D2, Phase D3 | Determine that the process for reporting Critical Program Information (CPI) compromise and Critical Components (CC) supply chain exploits is sufficient and that the proper personnel are informed per procedures in DoDM 5200.01 and/or DoDI 5200.39. Also determine that the process for resolving such compromises is sufficient and is followed if a compromise occurs. | NA | NA | Program Protection Plan Content Rich Template, TOR-2013-00825; DoDM 5200.01 Information Security Program; DoDI 5200.39 Critical Program Information (CPI) Protection Within the Department of Defense |