Security support to acquisition of weapons systems: vital to success on the battlefield - Security & Critical Program Information

Program Manager, March-April, 2003 by Arion N. Pattakos

Arion N. "Pat" Pattakos

The word security is not synonymous to a bad four-letter word. For some it may seem so if it adds further requirements, or seems to impede progress during research and development activities or the formal weapons systems acquisition process. The fact is that security, intelligence, and counterintelligence support to the acquisition of weapons systems is necessary for achieving success on the battlefield.

People in the protection business are not there to impede progress and yes, they are sensitive to the imperatives placed on program personnel dictated by cost, schedule, and performance. They are driven by the mandate to help field systems that have not been compromised, but nevertheless are open to exploitation by those not so friendly to our nation's interests. If you tend to equate security with a bad four-letter word, make it a good one such as help--a way to help field successful systems.

Program Protection Plan

DOD has now rescinded the outdated DOD 5000-series documents, and issued interim guidance pending the development and coordination of policies that are flexible and designed to more rapidly respond to warfighter needs. Such concepts as evolutionary acquisition and spiral development are now important acquisition strategies, but the essentials of the various phases associated with the Milestone (MS) A through C decision points are the same in the interim guidance.

Concept and Technology Development are based on user needs and technology opportunities. When an affordable, militarily useful capability has been identified and demonstrated in a relevant environment (and can be developed for production in normally less than five years), the System Development and Demonstration Phase is entered with a Milestone B decision. Milestone B is the point at which an acquisition program is initiated. Prior to this decision, the guidance states, is when the identification and protection of Critical Program Information (CPI) must be ensured. It is at Milestone B that a Program Protection Plan (PPP) is required once the OPI is identified (Figure 1).

Protecting CPI

When determining CPI, the term "crown jewels" should come to mind. CPI literally means that information, technology, or systems would cause significant harm if exploited by an entity inimical to our nations interests. Among the criteria for determining such harm to a weapons system are our adversaries' ability to kill it, to counter it, to copy it, to shorten its expected combat life, or to cause a significant redesign of the system and hence expenditure of more research and development dollars.

If adversaries can do one or more of these damaging actions, an acquisition program must take steps to protect the identified CPI. In the case where programs do not have CPI, program managers must so certify in writing to the Milestone Decision Authority (MDA). If CPI does not exist, a PPP is not required.

Scientists, engineers, and other program personnel are schooled in applying various analytical processes to determine and achieve goals. Increasingly, so are Security and Counterintelligence (S/CI) personnel. This community of professionals recognizes that no longer is it acceptable to impose security requirements based strictly on book specifications or regulations. Rather, it is more effective to examine security needs in their specific environments. Just as program personnel are familiar with Risk Management techniques, so too are S/CI professionals.

The analytical process for protecting CPI is embodied in the requirement that program managers or their representatives prepare a PPP (as stated in Attachment 2 to DoD's 5000-series interim guidance). The PPP is required by MS B (if CPI exists) and thus logically must be prepared during the phases associated with pre-systems acquisition following the Milestone A decision. S/Cl personnel counsel that developing the PPP as early as possible during MS A phases will avoid future security problems that might impact those project-sensitive areas of cost, schedule, and performance. The goal: our fielding of an effective system that is protected and secure from exploitation by the bad guys during combat.

PPP uses a Risk Management approach to identify recommend, and implement security countermeasures designed to reduce risk to an acceptable level at an acceptable cost. When we use the term acceptable, we mean the person responsible for the system--the one who makes the resource decisions--usually the project manager or, in some cases, the MDA. A PPP describes what must be protected and why against whom, what vulnerabilities might be exploited, and the necessary countermeasures for protecting the identified CPI.

A key step of the PPP process is the identification of what needs protection--the CPI--and why it needs protection. The "why" question is answered by establishing the adverse impact if an individual CPI is exploited based on the criteria cited (kill, counter, clone, etc). If more than one CPI is identified, metrics can be developed that establish the relative order of CPI importance. Such metrics give a clearer picture of the security risk when viewed in relationship to threat and vulnerability.