Program Protection and System Security Engineering
Systems engineering (SE) is a methodical and disciplined approach for the specification, design, development, realization, technical management, operations, and retirement of a system. SE integrates and balances contributions from engineering disciplines. One of these disciplines is Program Protection/System Security Engineering.
DoD systems have become increasingly networked, software-intensive, and dependent on a complicated global supply chain, which has increased the importance of security as a systems engineering design consideration. In response to this new reality, the DoD has established Program Protection/System Security Engineering as a key discipline to protect technology, components, and information from compromise through the cost-effective application of countermeasures to mitigate risks posed by threats and vulnerabilities. The analysis, decisions, and plans of Acquisition Programs are documented in a Program Protection Plan, which is updated prior to every Milestone decision.
Program Protection is the Department's "integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability, or supply chain exploitation/insertion, battlefield loss, and unauthorized or inadvertent disclosure throughout the acquisition lifecycle" (DAG Chapter 13).
System Security Engineering is "an element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities." (DoD Instruction 5200.44).
- DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), November 5, 2012
- DoD Instruction 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), May 28, 2015
- DoD Directive 5200.47E, Anti-Tamper (AT), September 4, 2015
- USD(AT&L) Memorandum, Document Streamlining – Program Protection Plan (PPP), July 18, 2011
- Deputy Secretary of Defense Policy Memorandum (PM) 15-001–Joint Federated Assurance Center (JFAC) Charter, February 9, 2015
- Cybersecurity in the Defense Acquisition System. Enclosure 14 of Department of Defense Instruction (DoDI) 5000.02, Operation of the Defense Acquisition System, pp. 171-187, February 2, 2017
- Program Protection Plan Outline and Guidance: Word | PDF
- Program Protection Plan Evaluation Criteria, Version 1.1, February 2014
- Defense Acquisition Guidebook Chapter 9, Program Protection | PDF Version
- Software Assurance Countermeasures in Program Protection Planning, March 2014
- Trusted Systems and Networks (TSN) Analysis, June 2014
- Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals, January 2014
- Suggested Language to Incorporate Software Assurance Requirements into Department of Defense Contracts. Working papers, February 2016.
- Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information), Version 2.0, August 2015
- Program Protection Tutorial (current as of October 2013): Presentation | Exercises | Notional Architecture Handout
- Engineering for System Assurance, Version 1.0, October 2008
- DFARS Clause 252.204-7012, "Safeguarding Unclassified Controlled Technical Information": Rule Text
Papers and Presentations
- Baldwin, Kristen, Jonathan Goodnight, John Miller, and Paul Popick, "The United States Department of Defense Revitalization of System Security Engineering Through Program Protection." Paper presented at the 6th Annual IEEE International Systems Conference, Vancouver, Canada, March 2012.
- Popick, Paul, and Melinda Reed, "Requirements Challenges in Addressing Malicious Supply Chain Threats," INCOSE Insight, July 2013.
- Reed, Melinda, "Comprehensive Program Protection Planning for the Materiel Solution Analysis (MSA) Phase." Presented at the 15th Annual NDIA Systems Engineering Conference, San Diego, CA, October 2012.
- Reed, Melinda, "System Security Engineering and Comprehensive Program Protection." Presented at the 16th Annual NDIA Systems Engineering Conference, Arlington, VA, October 2013 (Revised 4/17/2014).
- Hurt, Thomas, "DoD Software Assurance (SwA) Overview" Presented at the NDIA Program Protection Summit / Workshop, McLean, VA, May 19, 2014.
- Baldwin, Kristen, "DoD Program Protection" Presented at the NDIA Program Protection Summit / Workshop, McLean, VA, May 20, 2014.
- Reed, Melinda, "Program Protection Implementation Considerations." Presented at the NDIA Program Protection Summit / Workshop, McLean, VA, May 21, 2014.
- Reed, Melinda, "System Security Engineering and Program Protection Integration into SE." Presented at the 17th Annual NDIA Systems Engineering Conference, Springfield, VA, October 29, 2014.
- Reed, Melinda, "Vulnerability Analysis Techniques to Support Trusted Systems and Networks (TSN) Analysis." Presented at the 17th Annual NDIA Systems Engineering Conference, Springfield, VA, October 29, 2014.
- Baldwin, Kristen, "Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview." Presented at the 17th Annual NDIA Systems Engineering Conference, Springfield, VA, October 29, 2014.
- Hurt, Thomas, "DoD Software Assurance (SwA) Overview." Presented at the 17th Annual NDIA Systems Engineering Conference, Springfield, VA, October 29, 2014.
- Shanahan, Raymond, "Department of Defense (DoD) Trusted Microelectronics." Presented at the 17th Annual NDIA Systems Engineering Conference, Springfield, VA, October 29, 2014.
- Reed, Melinda, John F. Miller, and Paul Popick, "Supply Chain Attack Patterns: Framework and Catalog," Office of the Deputy Assistant Secretary of Defense for Systems Engineering, August 2014.
- Wheeler, David A., and Rama S. Moorthy, "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation," Institute for Defense Analyses Report P-5061(July 2014): Report | Appendix E (Software State-of-the-Art Resources (SOAR) Matrix) (.xlsx format)
Collaboration with Industry
DoD has teamed with the NDIA Systems Security Engineering Committee, the NDIA Cyber Division, and the INCOSE Systems Security Engineering Working Group to grow the SSE community and advance the practice of SSE across the DoD. For additional information about the DoD SSE Initiative, contact us.
Papers and briefings are reprinted with permission from: IEEE Systems Council | International Council on Systems Engineering (INCOSE) | National Defense Industrial Association (NDIA).