Defense Manual on RTP Procedures DoD 5200.39-R
DEPARTMENT OF DEFENSE
MANDATORY PROCEDURES FOR RESEARCH AND TECHNOLOGY PROTECTION WITHIN THE DOD
- Draft -
MARCH 2002
ASSISTANT SECRETARY OF DEFENSE
FOR
COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE
ASD (C3I)
Draft - December 20, 2001
March 2002
FOREWORD
This Regulation is issued under the authority of Department of Defense (DoD) Directive 5200.39, “Research and Technology Protection (RTP) within the Department of Defense” (reference (a)) and is effective immediately. This Regulation establishes mandatory procedures for protecting specified critical research technology (CRT) and critical program information (CPI) throughout the DoD as well as for dual-use and leading edge military technology being developed under the auspices of the DoD. In some cases, RTP may begin at a DoD Research, Development, Test and Evaluation (RDT&E) facility and extend into and throughout the life cycle of the acquisition effort, deployment, and use until demilitarization.
Application of procedures to protect research and technology as described within this Regulation achieves several goals:
- Provides increased leverage for an effective and informative measured sharing of intelligence and defense systems/technology with foreign countries during negotiations to obtain base rights agreements for a U.S. response to terrorist actions.
- Allows sharing developmental costs and production investments with other countriesľyet protects U.S. end-items throughout their life cycle by incorporating system security engineering (SSE) and anti-tamper (AT) techniques.
- Maintains U.S. dual-use and leading-edge military technology superiority.
- Optimizes capital investments in the U.S. military / U.S. industrial complex.
- Increases U.S. and corporate strength during routine business negotiations abroad.
- Leverages U.S. advantage during treaty negotiations (i.e., anti- or counter-terrorism).
- Avoids lead-time for research, and the need for additional RDT&E appropriations, to replace compromised technology.
- Establishes the U.S. warfighter advantage for success, superiority, and safety in the battlespace and during exigent coalition operations.
This Regulation applies to the Office of the Secretary of Defense, the Military Departments , the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense, the Defense Agencies, and DoD Field Activities (hereafter referred to collectively as “the DoD Components”).
This Regulation is for use by all DoD Components. The Heads of DoD Components should issue supplementary instructions, when necessary, and provide examples of their plans or implementation procedures. These supplementary instructions and examples should be included in the Defense Acquisition Deskbook (DAD)and the Specialized C3I Operating Reference (SCOR).
The Defense RTP Council (DRTPC) shall receive and consider proposals for, and, as necessary, generate changes to this Regulation. The DRTPC shall submit proposed changes to the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD(C3I)); the Under Secretary of Defense (Acquisition, Technology, and Logistics) (USD(AT&L)); and, the Director of Operational Test and Evaluation (DOT&E), who have sole authority to change this Regulation. All three officials shall jointly sign changes. The Director of Security, Office of the Deputy Assistance Secretary of Defense (Security and Information Operations) (ODASD(S&IO))/OASD(C3I), shall maintain administrative control of this Regulation and shall publish all signed changes.
Send recommended changes to this Regulation to:
Deputy Director for Research and Technology Protection
Security Directorate
Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, ASD(C3I)
6000 Defense Pentagon
Washington, DC 20301-6000
__________________ ________________ ____________
E. C. Aldridge Jr. John P. Stenbit Thomas P. Christie
Under Secretary Assistant Secretary Director of
of Defense of Defense Operational Test
(Acquisition, Technology, (Command, Control, and Evaluation
& Logistics) Communications, and Intelligence)
TABLE OF CONTENTS
Page
Foreword 1
Table of Contents 3
References 9
DL1. Definitions 11
AL1. Abbreviations and Acronyms 17
PART I - GENERAL
C1. CHAPTER 1 - GENERAL INFORMATION 23
C1.1. Purpose 23
C1.2. General 23
C1.3. Application 24
C1.4. Defense Research and Technology Protection Council 25
C1.5. RTP Protection Planning 25
C1.6. Marking, Dissemination, and Destruction of CRT and CPI 26
C1.7. Overview – Protection of CRT at RDT&E Activities 29
C1.8. Overview – Protection of CPI in Acquisition 29
C1.9. Overview - Security Support Plan (SSP) 31
C1.10. Overview - Counterintelligence Support Plan (CISP) 31
C1.11. Anti-Tamper 31
C1.12. Defense Acquisition Deskbook (DAD) 31
C1.13. Specialized C3I Operating Reference (SCOR) 32
C1.14. Economic Espionage 32
C1.15. Information Reporting Requirements 33
C1.16. Technology Protection Resource Directory 33
C1.17. Regulation Overview 33
PART II - PROTECTION OF RESEARCH TECHNOLOGY AT RDT&E ACTIVITIES
C2. CHAPTER 2 - RDT&E ACTIVITY PROTECTION STRATEGY 37
C2.1. General 37
C2.2. Protection Approaches 37
C3. CHAPTER 3 - PROTECTION PLANNING FOR RDT&E ACTIVITIES 39
C3.1. General 39
C3.2. Identification of Critical Research Technology (CRT) 39
C3.3. Protection Training and Awareness 39
C3.4. Application of Safeguards 39
C3.5. Security Support Plan 42
C3.6. Counterintelligence (CI) Support Plan 42
C3.7. Information Assurance 42
C4. CHAPTER 4 - COUNTERINTELLIGENCE SUPPORT TO RDT&E ACTIVITIES
C4.1. CI Support at DoD RDT&E Activities 43
PART III - PROTECTION OF CPI IN ACQUISITION PROGRAMS
C5. CHAPTER 5 - PROGRAM PROTECTION STRATEGY 45
C5.1. General 47
C5.2. Program Protection Strategy 47
C6. CHAPTER 6 - PROGRAM PROTECTION PLANNING 49
C6.1. General 49
C6.2. Critical Program Information (CPI) 50
C6.3. Coordination 52
C6.4. Program Protection Plan (PPP) 53
C6.5. System and Program Descriptions 55
C6.6. Foreign Collection Threat 55
C6.7. Vulnerabilities 56
C6.8. RTP Countermeasures 57
C6.9. Security Classification Guides 59
C6.10. Protection Costs 59
C7. CHAPTER 7 – MULTIDISCIPLINE CI THREAT ASSESSMENT 61
C7.1. General 61
C7.2. Threat Analysis 61
C8. CHAPTER 8 - TECHNOLOGY ASSESSMENT/CONTROL PLAN (TA/CP) 63
C8.1. General 63
C8.2. Purpose 63
C8.3. Content 64
C9. CHAPTER 9 - CONTRACTING AND RESOURCES 67
C9.1. Early Coordination 67
C9.2. Pre-contract Award 67
C9.3. Post Contract Award 68
C9.4. Contractor Performance Monitoring 68
C9.5. Contractor Costs 69
C9.6. Providing Documentation to Contractors 69
C9.7. Support from Cognizant Government Industrial Security Offices 69
C10. CHAPTER 10 – RTP COSTING AND BUDGETING 71
C10.1. General 71
C10.2. RTP Costing 71
C10.4. RTP Budgeting 71
C11. CHAPTER 11 - EXECUTION OF THE PPP 73
C11.1. General 73
C11.2. Distribution of the PPP 73
C11.3. Assessment of PPP Effectiveness 73
C12. CHAPTER 12 – SYSTEMS SECURITY ENGINEERING 75
C12.1. General 75
C12.2. Purpose 75
C12.3. System Security Engineering Planning 75
C12.4. System Security Engineering Process 76
C12.5. Military Handbook 1785 76
C12.6. Security Engineering for International Programs 76
PART IV – PROTECTION ACTIVITIES
C13. CHAPTER 13 - SECURITY SUPPORT PLAN 79
C13.1. General 79
C13.2. Purpose 79
C13.3. Process 79
C14. CHAPTER 14 - COUNTERINTELLIGENCE SUPPORT PLAN 81
C14.1. General 81
C14.2. CI Actions at RDT&E Activities 81
C14.3. CI Support Plan 82
C15. CHAPTER 15 - ANTI-TAMPER TECHNIQUES 83
C15.1. General 83
C15.2. Application of AT 83
C15.3. AT Implementation 84
C15.4. AT Verification and Validation 85
C15.5. Sustainment of AT 86
C15.6. Guidelines for AT Disclosure 86
C15.7. Review of AT 87
C16. CHAPTER 16 - HORIZONTAL ASSESSMENT AND PROTECTION 88
C16.1. General 88
C16.2. Horizontal Assessments 88
C16.3. Horizontal Protection 89
C16.4. Reporting Requirements 89
C17. CHAPTER 17 - RTP ASSESSMENT AND INSPECTION 91
C17.1. General 91
C17.2. Assessments 91
C17.3. Inspections 91
C18. CHAPTER 18 – INFORMATION ASSURANCE 93
C18.1. General 93
C18.2. System Security Authorization Agreement 94
APPENDIX
AP1. Export Control Decision Guide 95
FIGURE
Figure Title Page
C5.F1. Acquisition Program Schedule 48
REFERENCES
(a) DoD Directive 5200.39, “Research and Technology Protection within the Department of Defense,” March XX, 2002 (being prepared)
(b) DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” January 4, 2001, authorized by DoD Directive 5000.1, October 23, 2000
(c) DoD 5200.1-R, “Information Security Program,” January 1997, authorized by DoD Directive 5200.1, December 13, 1996
(d) DoD Directive 5240.2, “DoD Counterintelligence (CI),” May 22, 1997
(e) 22CFR Part 120.11 of the International Traffic in Arms Regulations (ITAR)
(f) Section 2778 of title 22 United States Code, Arms Export Control Act
(g) Executive Order 12958, “Classified National Security Information,” April 17, 1995, as amended
(h) National Security Decision Directives 189, “National Policy on the Transfer of Scientific, Technical, and Engineering Information,” September 21, 1985
(i) Sections 271 et seq. of title 15, United States Code, “Computer Security Act of 1987”
(j) DoD Directive 2040.2, “International Transfers of Technology, Goods, Services, and Munitions,” January 17, 1984
(k) DoD Directive 5230.11, “Disclosure of Classified Military Information to Foreign Governments and International Organizations,” June 16, 1992
(l) DoD Directive 5230.20, “Visits, Assignments, and Exchanges of Foreign Nationals,” August 12, 1998
(m) DoD Directive 5530.3, “International Agreements,” June 11, 1987
(n) DoD Directive 5000.1, “The Defense Acquisition System, October 23, 2000
(o) DoD 5000.2-R, “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs,” January 4, 2001, authorized by DoD Directive 5000.1, October 23, 2000
(p) DoD 5400.7-R, “DoD Freedom of Information Act Program,” September 1998, authorized by DoD Directive 5400.7, September 29, 1997
(q) DoD Directive 5240.1, “DoD Intelligence Activities,” April 25, 1988
(r) DoD 5240.1-R, “Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons,” December 1982, authorized by DoD Directive 5240.1, April 25, 1988
(s) DoD Directive O-5205.7, “Special Access Program (SAP) Policy,” January 13, 1997
(t) DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM),” January 1995
(u) Chapter 21 of title 44, United States Code, “National Archives And Records Administration”
(v) Chapter 31 of title 44, United States Code, “Records Management by Federal Agencies”
(w) Chapter 33 of title 44, United States Code, “Disposal of Records”
(x) DoD 7000.14-R, Volume IIB, Department of Defense Financial Management Regulation (Budget Presentation and Formulation), July 1998, authorized by DoD Instruction 7000.14, November 15, 1992
(y) Chairman of the Joint Chiefs of Staff Instruction 3170.01B, “Requirements Generation System,” April 15, 2001
(z) Section 1831 et seq. of title 18, United States Code
(aa) DoD Instruction 5240.4, “Reporting of Counterintelligence and Criminal Violations,” September 22, 1992
(bb) DoD Directive 5200.1, “DoD Information Security Program,” December 13, 1996
(cc) DoD Directive 5230.24, “Distribution Statements on Technical Documents,” March 18, 1987
(dd) DoD Directive 5230.25, “Withholding of Unclassified Technical Data from Public Disclosure,” November 6, 1984
(ee) Export Administration Regulation (EAR), 50 U.S.C. app 2410
(ff) Militarily Critical Technologies List (MCTL), June 1996
(gg) National Disclosure Policy-1, “National Policy and Procedures for the Disclosure of Classified Military Information to Foreign Governments and International Organizations” (short title: National Disclosure Policy (NDP-1)), October 1, 1988, as amended
(hh) Federal Information Processing Standard 140-2, “Security Requirements for Cryptographic Modules,” May 25, 2001
(ii) DoD Directive 5200.27, “Acquisition of Information Concerning Persons and Organizations not Affiliated with the Department of Defense,” January 7, 1980
(jj) Director of Central Intelligence Directive 1/7, “Security Controls on the Dissemination of Intelligence Information, (FOUO),”June 30, 1998
(kk) Director of Central Intelligence Directive 5/6, “Release of Intelligence and Intelligence-Related Information,” June 30, 1998
(ll) National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 8, “National Policy Governing the Release of INFOSEC Products or Associated INFOSEC Information to Foreign Governments (U) (FOUO),” February 13, 1997
(mm) Section 2011 et seq. of title 42, United States Code, “Atomic Energy Act of August 30, 1954,” as amended
(nn) DoD Instruction S-5230.28, “Low Observable (LO) and Counter Low Observable (CLO) Programs (U),” May 12, 1997
(oo) National Information Disclosure Policy Committee Policy Statement, “Foreign Release of Low Observable and Counter Low Observable Information and Capabilities (U),” PS-1/96, August 22, 1996
(pp) Defense Federal Acquisition Regulation (DFAR) Supplement, current edition
(qq) Military Handbook 1785, “System Security Engineering Program Management Requirements,” August 1, 1995
(rr) DoD O-5200.1-I, “Index of Security Classification Guides,” September 1996, authorized by DoD Directive 5200.1, December 13, 1996
(ss) OMB Circular A-130, “Management of Federal Information Resources,” February 1996
(tt) DoD Global Information Grid Information Assurance Policy Memorandum No. 6-8510, June 16, 2001
(uu) DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997
(vv) DoD 8510.1-M, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 2000
(ww) Section 1401 et seq. of title 40, United States Code, “Clinger-Cohen Act of 1996”
DL1. DEFINITIONS
DL1.1. The terms used in this Regulation are defined below:
DL1.1.1. Acquisition Program. A directed, funded effort designed to provide a new, improved, or continuing materiel, weapon, or information system or service capability in response to a validated operational or business need. Acquisition programs are divided into different categories that are established to facilitate decentralized decision-making, execution, and compliance with statutory requirements. Technology projects are not acquisition programs. (DoD Instruction 5000.2, reference (b))
DL1.1.2. Adversary. A foreign interest (see DL1.1.15) or U.S. insider that conducts, or has the intent and/or capability to conduct, activities to collect Critical Research Technology and/or Critical Program Information.
DL1.1.3. Anti-Tamper (AT). The system engineering activities intended to prevent and/or delay exploitation of critical technologies in U.S. systems. These activities involve the entire life cycle of systems acquisition, including research, design, development, testing, implementation, and validation of anti-tamper measures. Properly employed, anti-tamper measures will add longevity to a critical technology by deterring efforts to reverse-engineer, exploit, or develop countermeasures against a system or system component. (DoD Instruction 5000.2, reference (b))
DL1.1.4. Automated Information System (AIS). An acquisition program that acquires
Information Technology (IT), except IT that:
DL1.1.4.1. Involves equipment that is an integral part of a weapon or weapons system; or
DL1.1.4.2. Is a tactical communication system
(DoD Instruction 5000.2, reference (b)).
DL1.1.5. Compromise. The unauthorized or inadvertent disclosure, destruction, transfer, alteration, or loss of critical research technology, critical program information, or classified information or material.
DL1.1.6. Controlled Unclassified Information. Any information, the loss, misuse, or unauthorized access to which would or could adversely affect the organizational and/or national interest, but which does not meet classification criteria specified in DoD 5200.1-R (reference (c)).
DL1.1.7. Counterintelligence (CI). Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities (DoD Directive 5240.2, reference (d)).
DL1.1.8. Counterintelligence Support Plan (CISP). A formally coordinated action plan that outlines CI support for protecting research and technology at specific DoD RDT&E facilities, DoD acquisition programs with critical program information, or organizations that fund work efforts external to DoD (e.g., Defense Advanced Research Projects Agency, Office of Naval Research, Air Force Office of Scientific Research).
DL1.1.9. Critical Program Information (CPI). Research, science, technology, or program information, technologies, processes, applications, or end items that, if compromised, would: degrade system combat effectiveness; compromise the program or system capabilities; shorten the expected combat-effective life of the system; significantly alter program direction; or, require additional research, development, test, and evaluation resources to counter the impact of a CPI compromise. This includes classified military information or controlled unclassified information about such programs, research, technologies, processes, applications or end items. CPI may also be unclassified information restricted by statutes (e.g., export controlled data, intellectual property, trade secrets). (DoD Directive 5200.39, reference (a))
DL1.1.10. Critical Research Technology (CRT). RDT&E information identified, marked, and prioritized by site directors and managers that may be important to maintaining the U.S. warfighters’ operational advantage when the resulting capability becomes part of a future DoD acquisition program or system. CRT may be included in technology projects and may also be unclassified information restricted by statutes (e.g., export controlled data, intellectual property, trade secrets). (DoD Directive 5200.39, reference (a))
DL1.1.11. Defense Acquisition Deskbook. An automated repository of information that consists of an electronic desk reference set, a tool catalog, and a forum for the exchange of information. The reference set organizes information into two main categories: mandatory guidance and discretionary information. (Hereafter referred to as the “Deskbook”).
DL1.1.12. Defense system. A combination of elements that function together to produce the capabilities required to fulfill a DoD mission need, whether strategic or tactical, offensive or defensive, to include hardware, software, equipment, or any combination thereof.
DL1.1.13. Delegation of Disclosure Authority Letter (DDL). A letter issued by the appropriate designated disclosure authority describing classification levels, categories, scope, and limitations related to information under a DoD Component’s disclosure jurisdiction that may be disclosed to specific foreign governments or their nationals for a specific purpose.
DL1.1.14. Foreign Collection Threat. The potential of a foreign interest to overtly or covertly collect information about U.S. research, technologies, acquisition program and systems, capabilities, and methods of employment that may be used to develop a similar defense system or countermeasures to the U.S. system or related operations.
DL1.1.15. Foreign Interest. Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered or incorporated under the law of any country other than the United States or its possessions and trust territories, and any person who is not a citizen or national of the United States.
DL1.1.16. Fundamental Research. Defined by 22 CFR Part 120.11 of the International Traffic in Arms Regulations (ITAR) (reference (e)), which implements the Arms Export Control Act (AECA) (reference (f)), as: “basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls.” 22 CFR 120.11 places fundamental research in the public domain. However, research is not considered fundamental research if “it is funded by the U.S. Government and specific access and dissemination controls protecting information resulting from the research are applicable.” [Note: Executive Order 12958, (reference (g)), states in Sec 1.8 (b) that “basic scientific research information not clearly related to the national security may not be classified.” See also NSDD 189 (reference (h)) for additional related information.]
DL1.1.17. Horizontal Assessment and Protection. The process that ensures research and technology associated with CPI in more than one acquisition program, or CRT associated with more than one DoD RDT&E activity, is protected to the same degree by all involved DoD Components. (DoD Directive 5200.39, reference (a))
DL1.1.18. Information. Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government. “Control” means the authority of the agency that originates information, or its successor in function, to regulate access to the information (DoD 5200.1-R, reference (c)).
DL1.1.19. Milestone Decision Authority (MDA). The individual designated in accordance with criteria established by the USD(AT&L), or by the ASD(C3I) for AIS acquisition programs, to approve entry of an acquisition program into the next phase of the acquisition process. (DoD Instruction 5000.2, reference (b)).
DL1.1.20. Militarily Critical Technologies List (MCTL). A detailed and structured compendium of the technologies DoD assesses as critical to maintaining superior U.S. military capabilities. It is a documented snapshot in time of the continuous MCTL process. The DoD develops the MCTL with participation from other U. S. Government agencies, U.S. industry, and academia, and updates it on an ongoing basis.
DL1.1.21. Multidiscipline CI (MDCI) Threat Assessment. An assessment made by the cognizant DoD Component that describes those foreign interests that have the intent and capability to collect information about research and technology and/or a system under development.
DL1.1.22. Operations Security (OPSEC). A process of analyzing friendly actions attendant to military operations and other activities to do the following:
DL1.1.22.1. Identify those actions that can be observed by adversary intelligence systems.
DL1.1.22.2. Determine the indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.
DL1.1.22.3. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.
DL1.1.23. Program Protection Plan (PPP). A comprehensive plan to safeguard CPI that is associated with a defense acquisition program. The level of detail and complexity of the PPP will vary based on the criticality of the program or system, the CPI, and the phase of the acquisition process being addressed. (DoD Directive 5200.39, reference (a)).
DL1.1.24. Program Security Instruction (PSI). A set of procedures to rationalize and standardize security requirements for multinational cooperative programs.
DL1.1.25. RDT&E Site. An installation or facility housing one or more DoD research, development, test, and evaluation (RDT&E) organizations involved with CRT and/or CPI.
DL1.1.26. Research and Technology Protection (RTP). The safeguarding of selected DoD research and technology anywhere in RDT&E and the acquisition process, to include the support systems for that research and technology (e.g., test and simulation equipment). This protection activity involves integrating all security disciplines, counterintelligence, and other defensive methods to protect CRT and CPI from intelligence collection and unauthorized disclosure.
DL1.1.27. RTP Countermeasures. The employment of devices and/or techniques that negate an adversary’s ability to exploit vulnerabilities or impair the effectiveness of foreign interests or related activities.
DL1.1.28. Risk Assessment. An organized, analytical process of identifying vulnerabilities, quantifying and assessing associated risks, and implementing and/or controlling the appropriate approach for preventing or handling each risk identified.
DL1.1.29. Security Support Plan (SSP). A formally coordinated action plan that outlines security support for protecting CRT and CPI at specific DoD RDT&E sites and organizations that fund work efforts external to DoD, and/or within acquisition programs.
DL1.1.30. Sensitive Information. Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. (Computer Security Act of 1987, reference (i)).
DL1.1.31. Special Access Program (SAP). A DoD program or activity (as authorized in E. O. 12958 (reference (g)), employing enhanced security measures (e.g., safeguarding, access requirements) exceeding those normally required for collateral information at the same level of classification. (DoD 5200.1-R, reference (c)).
DL1.1.32. System Security Engineering (SSE). An essential element of system engineering that applies scientific and engineering principles to identify and reduce system susceptibility to damage, compromise, or destruction; the identification, evaluation, and elimination or containment of system vulnerabilities to known or postulated security threats in the operational environment.
DL1.1.33. System Security Management Plan (SSMP). A formal document that fully describes the planned security tasks required to meet system security engineering requirements, including organizational responsibilities, methods of accomplishment, milestones, depth of effort, and integration with other program engineering, design and management activities, and related systems.
DL1.1.34. System Threat Assessment. An assessment of the potential foreign threat expected to be encountered by the U.S. defense system once it is deployed in its operational environment.
DL1.1.35. Technology.
DL1.1.35.1. The information and know-how (whether in tangible form (e.g., models, prototypes, drawings, sketches, diagrams, blueprints, manuals) or in intangible form (e.g., training or technical services)) that can be used to design, produce, manufacture, utilize, or reconstruct goods, including computer software and technical data, but not the goods themselves (50 U.S.C. 2401 et seq., reference (XX)).
DL1.1.35.2. The technical information and know-how that can be used to design, produce, manufacture, use, or reconstruct goods, including technical data and computer software. The term does not include the goods themselves (DoD Directive 2040.2, reference (j)).
DL1.1.36. Technology Assessment/Control Plan (TA/CP). This document identifies and describes sensitive program information; the risks involved in foreign access to the information; the participation in the program or foreign sales of the resulting system; and the development of access controls and measures necessary to protect the U.S. technological or operational advantage of the system, as prescribed in DoD Directive 5230.11, DoD Directive 5230.20, and DoD Directive 5530.3 (references (k), (l), and (m)).
DL1.1.37. Technology Transfer. The intentional communication or sharing of knowledge, expertise, facilities, equipment, and other resources whether for application to military or non-military systems. Technology transfer activities shall include, but is not limited to, the following:
DL1.1.37.1. Activities that demonstrate DoD technology; e.g., commercial, viability of technologies already developed or being developed for U.S. national security purposes. The primary purpose of those activities, which encompass technology transfer, is to promote and make available existing DoD-owned or -developed technologies and technical infrastructure to a broad spectrum of non-DoD applications.
DL1.1.37.2. Dual-use science and technology and other related activities that develop technologies with both DoD and non-DoD applications.
DL1.1.37.3. Activities that demonstrate the U.S. national security application of technologies developed outside of the Department of Defense. The goal is to incorporate the innovative technology into military systems to meet mission needs.
DL1.1.38. Vulnerability. The susceptibility of being open to exploitation, attack, or damage.
AL1. ABBREVIATIONS AND ACRONYMS
AL1.1. The following abbreviations and acronyms are used in this Regulation:
AL1.1.1. AECA Arms Export Control Act.
AL1.1.2. AIS Automated Information System.
AL1.1.3. APB Acquisition Program Baseline.
AL1.1.4. ASD(C3I) Assistant Secretary of Defense for Command, Control, Communications, and Intelligence.
AL1.1.5. AT Anti-Tamper.
AL1.1.6. CA Certification Authority.
AL1.1.7. CAC Common Access Card.
AL1.1.8. CARD Cost Analysis Requirements Document
AL1.1.9. CDRL Contract Data Requirements List.
AL1.1.10. CFR Code of Federal Regulations.
AL1.1.11. CI Counterintelligence.
AL1.1.12. CMI Classified Military Information.
AL1.1.13. CIO Chief Information Officer.
AL1.1.14. CISP Counterintelligence Support Plan.
AL1.1.15. CO Contracting Officer.
AL1.1.16. COD Cooperative Opportunities Document.
AL1.1.17. COR Contracting Officer’s Representative.
AL1.1.18. CPI Critical Program Information.
AL1.1.19. CRD Critical Requirements Document or Capstone Requirement Document.
AL1.1.20. CRT Critical Research Technology.
AL1.1.21. CUI Controlled Unclassified Information
AL1.1.22. DAA Designated Approval Authority.
AL1.1.23. DCID Director of Central Intelligence Directive.
AL1.1.24. DDL Delegation of Disclosure Authority Letter.
AL1.1.25. DFARS Defense Federal Acquisition Regulation Supplement.
AL1.1.26. DIA Defense Intelligence Agency.
AL1.1.27. DID Data Item Description.
AL1.1.28. DITSCAP DoD Information Technology Security Certification and Accreditation Process.
AL1.1.29. DoD Department of Defense.
AL1.1.30. DOT&E Director of Operational Test and Evaluation.
AL1.1.31. DRTPC Defense Research and Technology Protection Council.
AL1.1.32. DSS Defense Security Service.
AL1.1.33. DT&E Developmental Test and Evaluation.
AL1.1.34. EAA Export Administration Act.
AL1.1.35. EAR Export Administration Regulation.
AL1.1.36. E.O. Executive Order.
AL1.1.37. FAR Federal Acquisition Regulation.
AL1.1.38. FOUO For Official Use Only.
AL1.1.39. GIG Global Information Grid.
AL1.1.40. IA Information Assurance.
AL1.1.41. IG Inspector General.
AL1.1.42. IPT Integrated Product Team.
AL1.1.43. IT Information Technology.
AL1.1.44. ITAR International Traffic in Arms Regulations.
AL1.1.45. JCAG Joint Counterintelligence Assessment Group.
AL1.1.46. JROC Joint Requirements Oversight Council.
AL1.1.47. MAIS Major Automated Information System.
AL1.1.48. MCTL Militarily Critical Technologies List.
AL1.1.49. MDA Milestone Decision Authority.
AL1.1.50. MDAP Major Defense Acquisition Program.
AL1.1.51. MDCI Multidiscipline Counterintelligence.
AL1.1.52. MNS Mission Needs Statement.
AL1.1.53. NSDD National Security Decision Directive.
AL1.1.54. NSTISSP National Security Telecommunications and Information Systems Security Policy.
AL1.1.55. OASD(C3I) Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence.
AL1.1.56. OCA Original Classification Authority
AL1.1.57. ODASD(S&IO) Office of the Deputy Assistant Secretary of Defense for Security and Information Operations.
AL1.1.58. OIPT Overarching Integrated Product Team or Overarching Integrated Process Team.
AL1.1.59. OMB Office of Management and Budget.
AL1.1.60. OPSEC Operations Security.
AL1.1.61. ORD Operational Requirements Document.
AL1.1.62. OT&E Operational Test and Evaluation.
AL1.1.63. OUSD(AT&L) Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.
AL1.1.64. P3I Preplanned Product Improvement.
AL1.1.65. PEO Program Executive Officer.
AL1.1.66. PM Program Manager (also Project or Product Manager).
AL1.1.67. POC Point of Contact.
AL1.1.68. PPIP Program Protection Implementation Plan.
AL1.1.69. PPP Program Protection Plan.
AL1.1.70. PSI Program Security Instruction.
AL1.1.71. R&D Research and Development.
AL1.1.72. RDT&E Research, Development, Test, and Evaluation.
AL1.1.73. RFP Request for Proposal.
AL1.1.74. RTP Research and Technology Protection.
AL1.1.75. S&T Science and Technology.
AL1.1.76. SAE Service Acquisition Executives.
AL1.1.77. SAF/AQL Director, Special Programs, Office of the Secretary of the Air Force.
AL1.1.78. SAP Special Access Program.
AL1.1.79. SCG Security Classification Guide.
AL1.1.80. SEMP System Engineering Management Plan.
AL1.1.81. SCG Security Classification Guide
AL1.1.82. SCOR Specialized C3I Operating Reference.
AL1.1.83. SOW Statement of Work.
AL1.1.84. SSAA System Security Authorization Agreement.
AL1.1.85. SSE System Security Engineering.
AL1.1.86. SSEM System Security Engineering Manager.
AL1.1.87. SSEWG System Security Engineering Working Group.
AL1.1.88. SSMP System Security Management Plan.
AL1.1.89. SSP Security Support Plan.
AL1.1.90. STA System Threat Assessment.
AL1.1.91. ST&S Director of Strategic and Tactical Systems, OUSD(AT&L).
AL1.1.92. TA/CP Technology Assessment / Control Plan.
AL1.1.93. U.S.C. United States Code.
AL1.1.94. USD(AT&L) Under Secretary of Defense for Acquisition, Technology, and Logistics.
AL1.1.95. USD(P) Under Secretary of Defense for Policy.
AL1.1.96. WBS Work Breakdown Structure.
AL1.1.97. WIPT Working-level Integrated Product Team.
PART I
GENERAL
C1. CHAPTER 1
GENERAL INFORMATION
C1.1. PURPOSE
This Regulation prescribes procedures for identifying, marking, and protecting Department of Defense (DoD) research and technologies, to include critical research technology (CRT) and critical program information (CPI), in accordance with DoD Directive 5200.39, DoD Directive 5000.1, DoD Instruction 5000.2, DoD 5000.2-R, and DoD 5400.7-R (references (a), (n) (b), (o), and (p)).
C1.1.1. CRT and CPI may include classified military information and/or controlled unclassified information.
C1.1.2. Both CRT and CPI require protection to prevent unauthorized or inadvertent disclosure, destruction, transfer, alteration, or loss (hereafter referred to as “compromise”).
C1.1.3. CRT must be safeguarded in order to sustain or advance the DoD technological lead in the warfighter’s battlespace or joint operational arena.
C1.1.4. The CPI, if compromised, will significantly alter program direction; unauthorized or inadvertent disclosure of the program or system capabilities; shorten the combat effective life of the system; or require additional research, development, test, and evaluation (RDT&E) resources to counter the impact of its loss. See DL1.1.9 for CPI definition.
C1.2. GENERAL
C1.2.1. The DoD actively seeks to include foreign allies and friendly foreign countries as partners in the development, acquisition, and life-cycle management of defense systems. Early involvement with foreign partners is encouraged by DoD, and such cooperative foreign government partnerships should begin at the requirements definition phase whenever possible. Successful execution of cooperative programs will promote the desirable objectives of standardization, commonality, and interoperability. The U.S. Government and its foreign government partners in these endeavors will benefit from shared development costs, reduced production, procurement costs realized from economies of scale, and strengthened domestic industrial bases. Similarly, the DoD plays a key role in the execution of security cooperation programs that ultimately support national security objectives and foreign policy goals. U.S. defense system sales are a major aspect of security cooperation.
C1.2.2. Increasingly, the U.S. Government relies on sophisticated technology in its defense systems for effectiveness in combat. Technology is today’s and will be tomorrow’s force multiplier, and technology improves the warfighter’s survivability. It is prudent and practical to protect technologies deemed so critical that their exploitation will diminish or neutralize a U.S. defense system’s effectiveness. Protecting critical technologies preserves the U.S. Government’s resources in research and development as an investment, rather than as an expense, and enhances U.S. industrial base competitiveness in the international marketplace.
C1.2.3. Procedures and guidance in this Regulation are designed to protect CRT and CPI against compromise throughout RDT&E life cycle at all involved locations or facilities.
C1.2.4. The ultimate goal is to selectively and effectively apply RTP countermeasures and counterintelligence (CI) support activities that are cost effective and consistent with risk management principles to protect CRT and CPI.
C1.2.5. Anti-Tamper (AT) techniques and application of system security engineering (SSE) measures allow the United States to meet foreign customer needs for advanced systems and capabilities while ensuring the protection of U.S. technological investment and equities. AT techniques and SSE measures are examples of protection methodologies that DoD programs use to protect critical system technologies.
C1.2.6. Each DoD Component will establish RTP working groups at all RDT&E sites and appropriate headquarters to ensure comprehensive, integrated RTP programs.
C1.3. APPLICATION
C1.3.1. This Regulation applies to all the DoD Components that:
C1.3.1.1 Manage RDT&E activities,
C1.3.1.2. Are involved in requirements generation and the acquisition of DoD systems, in accordance with DoD Directive 5000.1 (reference (n)), or
C1.3.1.3. Are involved in providing security, intelligence, or CI support to DoD acquisition activities, DoD RDT&E activities, or DoD contractors in accordance with DoD Directive 5200.39 (reference (a)). All intelligence and CI support must comply with DoD Directive 5240.1 and DoD Regulation 5240.1-R (references (q) and (r)).
C1.3.2. This Regulation does not apply to acquisitions by the DoD Components that involve SAPs created under the authority of E. O. 12958 (reference (g)). The unique nature of SAPs requires compliance with special security procedures of DoD Directive O-5205.7 (reference (s)). If the program or system contains CPI, the SAP PM will prepare and implement a PPP prior to transitioning to collateral or unclassified status. Security, intelligence, and CI organizations should assist the SAP PM in developing the PPP. The PPP will be provided to the offices responsible for implementing protection requirements before beginning the transition.
C1.3.3. This Regulation should be applied at all locations (to include contractor locations) where CRT and CPI are developed, produced, analyzed, maintained, employed, transported, stored, or used in training, as well as during its disposal.
C1.4. DEFENSE RESEARCH AND TECHNOLOGY PROTECTION COUNCIL
C1.4.1. The Defense Research and Technology Protection Council (DRTPC) will provide oversight for continued protection of CRT and CPI within DoD from research through acquisition and operation to disposal.
C1.4.2. The DRTPC will be chaired by an Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) representative and consist of representatives from Under Secretary of Defense for Policy (USD(P)), Director of Defense Research and Engineering (DDR&E), ASD(C3I), Director of Operational Test and Evaluation (DOT&E), and appropriate DoD Components.
C1.4.3. The DRTPC will have the following responsibilities.
C1.4.3.1. Ensure that DoD-funded critical research, technologies, and development activities are appropriately protected as outlined in DoD Directive 5200.39 (reference (a)) and this regulation.
C1.4.3.2. Approve DoD RTP training within all DoD Components.
C1.4.3.3. Ensure that Defense Service Management College and DoD Components consistently incorporate mandatory training on DoD RTP in updated course curriculum.
C1.4.3.4. Provide recommendations on RTP policy, procedures, and processes, as appropriate.
C1.4.3.5. When the same CRT or CPI exists under two or more managers, in two or more acquisition programs, or is associated with two or more DoD RDT&E activities, and the managers cannot reach agreement on a consistent protection measure, the issue will be raised to the DRTPC for adjudication. This will ensure that all involved DoD Components protect similar CRT or CPI to the same degree.
C1.5. RTP PROTECTION PLANNING
C1.5.1. Protection planning begins with the identification of dual use and military application of research and technology and extends through to demilitarization. Therefore, CRT and CPI will be protected from their point of identification through their life cycle to property disposal.
C1.5.2. Research technology will be continuously reviewed and CRT identified within each of the seven subcategories of RDT&E. A Security Classification Guide (SCG) will be developed for all classified CRT and related information requiring controls as specified in the references in enclosure 3. Initial foreign disclosure guidance will be prepared, when appropriate. This information shall be updated when CRT moves between the subcategories of Science and Technology. CRT shall be updated, validated, and forwarded to the PM when incorporated into an acquisition.
C1.5.3. Identification of CPI shall begin with preparation of the Mission Needs Statement (MNS). A SCG will be developed for all classified CPI and related information requiring controls as specified in the references in enclosure 3. Initial foreign disclosure guidance will be prepared, when appropriate. This information shall be updated for the initial and subsequent Capstone Requirement Document (CRD) (if required) and the Operational Requirements Document (ORD). CPI shall be updated, validated, and forwarded for evaluation or comment prior to approval at each milestone review.
C1.5.4. Protection of CRT and CPI will range from providing threat awareness education to scientists and engineers performing fundamental research, to the implementation of a program protection plan (PPP).
C1.5.5. While CRT and/or CPI may be individually unclassified, the compilation and aggregation of CRT and CPI within information technology (IT) systems or databases may reveal classified information. SCGs must address this possibility. RDT&E Site Directors and PMs shall review all databases and IT systems processing, storing, communicating, or analyzing multiple CRT and/or CPI, which are individually unclassified, for compilation of information becoming classified as stated in their SCG. In those cases where the compilation of information reveals classified information, that IT system or database shall be appropriately marked, operated and protected as classified information in accordance with DoD 5200.1-R (reference (c)) or DoD 5220.22-M (reference (t)), as appropriate. When the review reveals no existing security classification guidance on the compilation of CRT and/or CPI that should be classified, the cognizant Original Classification Authority (OCA) shall be notified immediately for a formal security classification determination. The IT system or database will be protected as classified information until the OCA completes the formal security classification determination. All web sites containing CRT and CPI are included within the compilation review requirement.
C1.6. MARKING, DISSEMINATION AND DESTRUCTION OF CRT AND CPI.
C1.6.1. General Provisions for Marking of CRT and CPI.
C1.6.1.1. All CRT and CPI will be clearly identified by electronic labeling, marking, or similar designation. If physically marking the medium containing CRT or CPI is not possible, identification of CRT and CPI will be accomplished by other means. CRT and CPI markings must be conspicuous. The term "marking" includes other concepts of identification and is the principal means of informing holders of CRT or CPI about specific protection requirements for that information. Marking or otherwise designating CRT or CPI is the specific responsibility of the original determining or derivative authorities. CRT and/or CPI markings will be in addition to any classification markings in accordance with DoD 5200.1-R (reference (c)). Marking and designations serve these purposes:
C1.6.1.2. Alert holders to the presence of CRT and CPI.
C1.6.1.3. Identify the exact information needing protection as specifically as practicable.
C1.6.1.4. Warn holders of special control or safeguarding requirements.
C1.6.2. Exceptions. No information that is within the public domain, as defined by the ITAR (reference (e)), shall be marked as CRT or CPI. The appearance of CRT or CPI in a newspaper, magazine, or other public media is not justification for the removal of CRT or CPI markings.
C1.6.3. Marking CRT or CPI documents and other material. Material other than ordinary paper documents must have the same information either marked on it or appears on all printed copies of the CRT and CPI. CRT and CPI documents must bear the following markings:
C1.6.3.1. Any classification markings as required by DoD 5200.1-R (reference (c)).
C1.6.3.2. The agency, office of origin, and date of the determination.
C1.6.3.3. Control notice or other marking that may apply to the CRT or CPI.
C1.6.3.4. Holders of improperly marked CRT or CPI should contact the document originator to obtain the correct determination and appropriate marking.
C1.6.4. Overall CRT and/or CPI Markings. Each CRT or CPI document must be clearly marked and conspicuous to alert persons handling the document that it contains CRT or CPI. The CRT and/or CPI designation will be marked, stamped, or affixed (with a sticker, tape, etc.) on the front cover or first page at the bottom and the outside of the back cover or last page.
C1.6.5. Removal Instructions. Information designated as CRT or CPI will be protected until the original authority determines protection is no longer required. The marking shall be removed from the document and annotated by the original determination authority with the date of the determination. The original authority may issue a letter of determination to remove science, research, and technologies information from the CRT or CPI designation.
C1.6.6. CRT Markings.
C1.6.6.1. Each page of a document containing CRT shall be conspicuously marked at the bottom. These markings must stand out from the balance of the information and thus a particular size is not specified. Pages containing only CRT shall be marked, “CRITICAL RESEARCH TECHNOLOGY.” Blank interior pages will not be marked.
C1.6.6.2. Parenthetical portion markings will be (CRT). The marking “CRT” will be used in conjunction with other classification marking as specified in DoD 5200.1-R (reference (c)).
C1.6.6.3. Unless another Directive or statute prescribes different additional markings, these control notices shall be placed on the face of the document.
CRITICAL RESEARCH TECHNOLOGY
This material contains critical research technology as defined by DoDD 5200.39. Unauthorized disclosure subject to administrative and/or criminal sanctions. Requires specific formal authorization for foreign dissemination.
C1.6.7. CPI Markings.
C1.6.7.1. Each page of a document containing CPI shall be conspicuously marked at the bottom. These markings must stand out from the balance of the information and thus a particular size is not specified. Pages containing only CPI shall be marked, “CRITICAL PROGRAM INFORMATION.” Blank interior pages will not be marked.
C1.6.7.2. Parenthetical portion markings will be (CPI). The marking "CPI" will be used in conjunction with other classification marking as specified in DoD 5200.1-R (reference (c)).
C1.6.7.3. Unless another Directive or statute prescribes different additional markings, these control notices shall be placed on the face of the document.
CRITICAL PROGRAM INFORMATION
This material contains critical research technology as defined by DoDD 5200.39. Unauthorized disclosure subject to administrative and/or criminal sanctions. Requires specific formal authorization for foreign dissemination.
5 U.S.C. 552 (b)(3), (b)(4), or (b)(5) exemption applies.
C1.6.8. Military Components may develop CRT or CPI document cover sheets.
C1.6.9. CRT or CPI documents and information may be stored in lockable containers unless it is classified information, which will be in accordance with DoD 5200.1-R (reference (c)). CRT and/or CPI documents are not authorized for public disclosure nor disclosure to any foreign entity without formal review by the original determination or higher authority.
C1.6.10. DoD 5200.1-R (reference (c)) shall be revised to include these provisions upon next revision.
C1.6.11. Disposition and Destruction of CRT and CPI.
C1.6.11.1. CRT or CPI documents and other material will be retained within DoD organizations and RDT&E sites only if they are required for effective and efficient operation of the organization or if law or regulation requires their retention. Documents that are no longer required for operational purposes shall be disposed of in accordance with the provisions of the Federal Records Action (Chapters 21, 31, and 33 of 44 U.S.C.) (references (u), (v), and (w)) and appropriate implementing directives and records schedules.
C1.6.11.2. Material that has been identified for destruction shall continue to be protected, as appropriate, until it is actually destroyed.
C1.6.11.3. Destruction of CRT or CPI documents and material will be accomplished by means that eliminate risk of reconstruction of the CRT and CPI. CRT or CPI identified for destruction shall be destroyed completely to preclude recognition or reconstruction of the CRT or CPI in accordance with procedures and methods prescribed by the Head of the DoD Component or their designee. At a minimum, for unclassified information, CRT and/or CPI will be destroyed using the same standards as For Official Use Only.
C1.7. OVERVIEW - PROTECTION OF CRT AT RDT&E ACTIVITIES
C1.7.1. Protection can apply to all seven subcategories of RDT&E (see DoD 7000.14-R, Volume IIB (reference (x))). DoD Directive 5200.39 (reference (a)) recognizes the normally unrestricted nature of fundamental research, as identified in National Security Decision Directive (NSDD) 189 (reference (h)), and as further stipulated for Basic Research in Executive Order 12958 (reference (g)). The term “fundamental research” refers generally to Basic Research (6.1) and Applied Research (6.2), and is defined in the International Traffic in Arms Regulations (ITAR) (reference (e)).
C1.7.2. A site-specific CI Support Plan (CISP) and a site-specific Security Support Plan (SSP) shall be prepared for each RDT&E site.
C1.7.3. RDT&E commanding officers, site directors, or their designees (hereafter referred to as “site directors”) shall identify and prioritize their CRT, and communicate the results to CI, security, foreign disclosure, operations security (OPSEC), and intelligence organizations.
C1.7.4. Intelligence organizations shall provide information on technical capabilities of adversaries in specific RDT&E programs or projects.
C1.7.5. Working together, RDT&E, CI, security, foreign disclosure, OPSEC, and intelligence organizations shall use an interactive process to safeguard CRT from compromise in order to sustain or advance the DoD technological lead in the future battlespace.
C1.7.6. Site directors, in coordination with security, intelligence, and CI specialists, will ensure that assigned personnel receive tailored threat briefings.
C1.8. OVERVIEW - PROTECTION OF CPI IN ACQUISITION
C1.8.1. Program protection planning must begin with requirements generation as described in Chairman of the Joint Chiefs of Staff Instruction 3170.01B (reference (y)). It is an integral part of the overall acquisition strategy, which is typically developed prior to formal designation of an acquisition program. Any acquisition effort must, at a minimum, be evaluated in terms of the need to protect its CPI. The resources (e.g., personnel, fiscal, AISs) needed to accomplish that evaluation must be identified as early as possible, but not later than entry into Milestone B.
C1.8.2. Each program will be reviewed by the PM (or the responsible commander/manager if a PM has not been appointed) to determine if the program contains CPI. This examination will also consider CRT previously identified by DoD laboratories, as well as CPI inherited from another program, or as a result of non-traditional acquisition techniques (e.g., Advanced Concept Technology Demonstration, flexible technology insertion).
C1.8.3. The PM (or the responsible commander/manager if a PM has not been appointed), with the assistance of a working-level IPT (WIPT), makes the determination as to the existence of CPI that need protection. The need for research and technology protection is based on identifying critical technologies, systems, and/or information that are designated as the program’s CPI.
C1.8.3.1. If it is determined there is no CPI associated with the program (neither integral to the program nor inherited from a supporting program), a program protection plan (PPP) is not required. The PM shall make this determination in writing. The Program Executive Officer, Service Acquisition Executive, or MDA will approve this determination.
C1.8.3.2. If a program contains CPI, program protection planning (see C6. Chapter 6) will be followed. The PM (or other official as noted above), with the assistance of a WIPT and appropriate support activities, is responsible for developing and implementing a PPP. The PPP will be developed, as required, beginning in the Component Advanced Development, Pre-Systems Acquisition phase and be available to the MDA at Milestone B and at all subsequent milestones during the life cycle of the program. The PPP will be revised and updated once every three years or as required by changes to acquisition program status or the projected threat.
C1.8.4. When a program contains CPI, a multidisciplinary CI threat assessment (by Service CI organization), CPI vulnerability assessment (by supporting security organization), and technology risk assessment (by supporting intelligence organization) shall be prepared to determine the threat against the CPI. At the time of the initial evaluation to determine the program’s CPI, a determination of whether there will be foreign involvement or access to the program, system, or system information, should be made by a Joint Mission Analysis Work Group organized pursuant to Chairman of the Joint Chiefs of Staff Instruction 3170.01B (reference (y)). These assessments shall provide the basis for risk management decisions and for identification of appropriate cost-effective RTP countermeasures required to negate or minimize the threat.
C1.8.5. At any time in the requirements generation or acquisition process, when it is determined that foreign participation in system development is possible or an allied system will be used, the system to be developed is a candidate for foreign sales or direct commercial sale, the system will be used in multinational operations or other cooperative programs, a Technology Assessment/Control Plan (TA/CP) and Delegation of Disclosure Authority Letter (DDL) shall be prepared as annexes to the PPP. If foreign involvement is initiated prior to the appointment of a PM, the DoD Component that generates the system requirement shall initially prepare this documentation for validation by the Joint Requirements Oversight Council (JROC) and approval by the MDA. These requirements and the preparation of the PPP, TA/CP, DDL, and supporting documentation shall be assumed by the PM, at the time of the appointment of the PM.
C1.8.6. Regardless of the extent of protection efforts required to support an acquisition program, personnel and fiscal resource requirements should be identified early in acquisition program developments as an integral part of the overall acquisition strategy and planning.
C1.9. OVERVIEW – SECURITY SUPPORT PLAN (SSP)
C1.9.1. The SSP will identify the tailored security support for the site directors who have CRT or CPI provided by PMs.
C1.9.2. Each site, base, or installation that hosts CRT and CPI will have a SSP.
C1.9.3. The SSP will be reviewed annually and updated as necessary.
C1.10. OVERVIEW - COUNTERINTELLIGENCE SUPPORT PLAN (CISP)
C1.10.1. The CISP will identify the tailored CI support for RDT&E facilities with CRT and PMs of acquisition programs with CPI.
C1.10.2. Each individual RDT&E site with CRT and each acquisition program with CPI will have a CISP.
C1.10.3. The CISP will be signed by the customer organization and the servicing CI organization. The CISP will specify which of the CI activities will be conducted in support of the facility or program, and will provide the CI personnel with information about the program or facility to help focus the CI activities.
C1.10.4. The CISP will be reviewed annually, or as required by events, and used as the baseline for any evaluation of the program or facility and its supporting CI program.
C1.11. ANTI-TAMPER
C1.11.1. Anti-Tamper (AT) measures are to be developed and implemented by acquisition PMs to protect CRT and/or CPI in U.S. systems that may be developed with or sold to foreign governments, or that may no longer be within U.S. control (e.g., theft, battlefield loss). AT guidelines apply to system performance, materials, hardware, software, algorithms, design and production methods, maintenance and logistical support, and other facets as determined by competent acquisition authority. Although protective in nature, AT is not a substitute for appropriate program protection or other security measures.
C1.11.2. Properly employed, AT will add longevity to a critical technology by deterring efforts to reverse-engineer, exploit, or develop countermeasures against a system or system component. AT is not intended to completely defeat such hostile attempts, but it should discourage exploitation or reverse-engineering, or make such efforts so time-consuming, difficult, and expensive that even if successful, a critical technology will have been replaced by its next-generation version.
C1.11.3. AT is intended to buy time for the U.S. and its allies to further develop critical technologies so that successful exploitation of earlier generations does not constitute a threat to their military forces and capabilities.
C1.12. DEFENSE ACQUISITION DESKBOOK
Guidance on the application of program protection is included the Defense Acquisition Deskbook (DAD). The DAD is an automated reference tool that provides acquisition information for all the DoD Components across all functional disciplines. The DAD will contain DoD Directive 5200.39 (reference (a)) and this Regulation. The DoD Components may also include their local implementing guidance, with examples, in their section of the DAD.
C1.13. SPECIALIZED C3I OPERATING REFERENCE (SCOR)
SCOR is an automated reference tool similar to the DAD that provides information on security and CI areas for all the DoD Components across all related disciplines. Additional guidance for RTP and background information on protective measures is contained in the SCOR.
C1.14. ECONOMIC ESPIONAGE
C1.14.1. The Economic Espionage Act of 1996, Section 1831 et seq. of 18 U.S.C. (reference (z)) highlighted the concerns of the U.S. Government and U.S. industry on foreign economic collection and economic espionage. In an effort to reduce the loss of industrial, technical, financial, and proprietary commercial and U.S. Government information, reference (z) makes the theft or misappropriation of trade secrets a Federal criminal offense. Trade secrets include business, scientific, technical, engineering, and economic information (e.g., patterns, compilations, programs, methods, processes, and codes whether tangible or intangible).
C1.14.2. Reference (z) imposes up to a 15-year prison term and/or $500,000 fine for any person, or $10 million fine on any organization that steals or destroys a trade secret with the intent to benefit a foreign power. Penalties may also be imposed on an individual or corporation if the theft of the information is intended to economically benefit anyone other than the owner of the trade secret, or injure the owner of the trade secret. Reference (z) also requires courts to endeavor to minimize further disclosure of the trade secret during the pendency of the prosecution in order to encourage victims to report theft.
C1.14.3. The theft or misappropriation of U.S. proprietary information or trade secrets, especially to foreign governments and their agents, directly threatens the economic competitiveness of the U.S. economy. Increasingly, foreign governments through a variety of means, actively target U.S. businesses, academic centers, and scientific development to obtain critical technologies and thereby provide their own economies with an advantage. Industrial espionage, by both traditionally friendly nations and recognized adversaries, proliferated throughout the 1990s.
C1.15. INFORMATION REPORTING REQUIREMENTS
Incidents of loss, compromise, or theft of proprietary information or trade secrets involving CRT and CPI, shall be immediately reported, in accordance with DoD Instruction 5240.4, DoD Directive 5200.1, and Section 1831 et seq. of 18 U.S.C. (references (aa), (bb), and (z)). Such incidents shall be immediately reported to the Defense Security Service (DSS), the Federal Bureau of Investigation, or the applicable DoD Component CI and law enforcement organizations. If the theft of trade secrets or proprietary information might reasonably be expected to affect DoD contracting, DSS should notify the local office of the Federal Bureau of Investigation.
C1.16. TECHNOLOGY PROTECTION RESOURCE DIRECTORY
Individuals who prepare requirements documents, the JROC, IPTs, PMs, site directors, and supporting security, foreign disclosure, intelligence, and CI activities should refer to the Specialized C3I Operating Reference to identify subject matter experts from whom assistance may be obtained.
C1.17. REGULATION OVERVIEW
This Regulation is divided into four parts as follows.
C1.17.1. Part I includes general information on the purpose and scope of DoD’s RTP effort.
C1.17.2. Part II contains the procedures for RTP at RDT&E facilities.
C1.17.3. Part III contains the procedures that are to be followed to protect acquisition program technologies and information.
C1.17.4. Part IV discusses the procedures in security, CI, anti-tamper, horizontal assessment and protection, RTP assessment and inspection, and information assurance that apply to RTP activities, both at RDT&E sites and within acquisition programs.
PART II
PROTECTION OF RESEARCH AND TECHNOLOGY
AT RDT&E ACTIVITIES
C2. CHAPTER 2
RDT&E ACTIVITY PROTECTION STRATEGY
C2.1. GENERAL
The purpose of RDT&E activity protection is to safeguard DoD RDT&E information from unauthorized disclosure to foreign interests. CI and security specialists will provide a wide range of services to ensure personnel assigned to the RDT&E sites are aware of the threat from foreign intelligence services, other foreign interests, or anyone involved in the unauthorized acquisition of DoD information.
C2.2 PROTECTION APPROACHES
C2.2.1. RDT&E conducted within the DoD and by DoD contractors is covered by the following policies:
C2.2.1.1. Disclosure of both classified military information and unclassified technical data (DoD Directive 5230.11, “Disclosure of Classified Military Information (CMI) to Foreign Governments and International Organizations,” (reference (k)); DoD Directive 5230.24, “Distribution Statements on Technical Documents,” (reference (cc)); DoD Directive 5230.25, “Withholding of Unclassified Technical Data from Public Disclosure” (reference (dd)), International Traffic in Arms Regulation (reference (e)), and Export Administration Regulations, (reference (ee)).
C2.2.1.2. Control of foreign visitors (DoD Directive 5230.20, “Visits, Assignments, and Exchanges of Foreign Nationals,” (reference (l)).
C2.2.1.3. Export control (DoD Directive 2040.2, “International Transfers of Technology, Goods, Services, and Munitions,” (reference (j)).
C2.2.2. Making these policies effective within the RDT&E environment requires training and awareness of the policies, and the required procedures to be followed, as well as an integration of these efforts to ensure the identification of CRT, the identification of the applicable safeguard, and the effective application of that safeguard.
C2.2.3. To aid in the formulation of an effective protection program at each RDT&E site, a SSP and a CISP will be prepared (see C12 and C13. Chapters 12 and 13). These documents will be developed by the RDT&E site directors in concert with the support organizations (CI, security, foreign disclosure, OPSEC, and intelligence).
C3. CHAPTER 3
PROTECTION PLANNING FOR RDT&E ACTIVITIES
C3.1. GENERAL
Effective RTP planning depends on a process of identifying CRT and applying the appropriate awareness and safeguarding actions. The process consists of:
C3.1.1. Identifying, and prioritizing, whenever possible, the CRT.
C3.1.2. Conducting an awareness program to ensure that RDT&E site personnel understand the threat to U.S. research and technologies and the existing programs to counter the identified threat.
C3.1.3. Selecting appropriate countermeasures to protect the CRT.
C3.1.4. Identifying CI support to be provided at each RDT&E site.
C3.1.5. Preparing a SSP that will consolidate security actions at the RDT&E site.
C3.1.6. Preparing a CISP that will serve as the “contract” between the individual RDT&E site director and the responsible CI support activity.
C3.2. IDENTIFICATION OF CRITICAL RESEARCH TECHNOLOGY (CRT)
C3.2.1. RDT&E site directors shall identify and prioritize their CRT, and communicate them to CI, security, foreign disclosure, OPSEC, and intelligence organizations, as appropriate.
C3.2.2. The CRT will be identified in the applicable CISP.
C3.3. PROTECTION TRAINING AND AWARENESS
C3.3.1. Training is an essential part of the protection strategy for RDT&E activities. Personnel engaged in all categories of DoD RDT&E, including those involved solely in fundamental (Basic and Applied) research, should receive tailored threat awareness briefings.
C3.3.2. RDT&E, intelligence, CI, and security personnel must be knowledgeable of DoD directives that govern disclosure of both classified military information and unclassified technical data to foreign entities and into the public domain. These include DoD Directives 5230.11 (reference (k)), DoD Directive 5230.20 (reference (l)), DoD Directive 5230.24 (reference (cc)), and DoD Directive 5230.25 (reference (dd)).
C3.3.3. RDT&E, intelligence, CI, and security personnel should also be familiar with the Export Administration Regulation (EAR), 15 Code of Federal Regulations (CFR), part 730, implementing the Export Administration Act (EAA) (reference (ee)) which pertains to dual-use commodities; the International Traffic in Arms Regulation (ITAR), 22 CFR 120, (reference (e)) which implements the Arms Export Control Act (AECA), which controls the export of defense articles and services; and DoD Directive 2040.2, “International Transfers of Technology, Goods, Services, and Munitions,” (reference (j)) which implements relevant portions of the EAA and the AECA.
C3.3.4. RDT&E, intelligence, CI, and security personnel must understand restrictions on the export of munitions list items as specified in the ITAR (reference (e)) and commodities list items as outlined in the EAR (reference (ee)).
C3.3.5. It is imperative that RDT&E, intelligence, CI, and security personnel understand that dissemination of technical data related to munitions or commodities list items constitutes an export. They must know when the oral, visual, or written disclosure of technical data to a foreign national may require a “deemed” export license. Ensuring that RDT&E personnel understand and follow the guidance contained in the directives and regulations cited in paragraphs C3.3.2 through C3.3.4, will contribute significantly to the protection of research and technology in RDT&E facilities.
C3.4. APPLICATION OF SAFEGUARDS
C3.4.1. Site directors are responsible for determining the applicability of safeguards to all elements of the site’s RDT&E program. Site directors, or their designees, will:
C3.4.1.1. Review the site RDT&E program periodically and/or whenever there is a significant change.
C3.4.1.2. Identify RDT&E information within the program that has already been identified for safeguarding (e.g., export control, distribution statements, special handling caveats).
C3.4.1.3. Identify additional RDT&E information that deserves increased RTP awareness and/or training based on the potential military application, significance of the technological advances, or other factors.
C3.4.1.4. Prepare, with supporting organizations (CI, security, foreign disclosure, OPSEC, and intelligence), a CISP and a SSP that are tailored to focus the limited protection resources on the identified CRT.
C3.4.1.5. Ensure RDT&E information identified as CRT is appropriately marked and disseminated (e.g. export control, distribution statements, special handling caveats).
C3.4.2. Unclassified Technical Data . The site director will:
C3.4.2.1. Establish a process whereby RDT&E personnel determine dissemination restrictions on technical data generated in the facility. This process will apply to new RDT&E work, work in progress, completed work, and to reports and documentation resulting from completed work.
C3.4.2.2. Ensure that personnel understand the requirements to obtain approval for all public releases.
C3.4.2.3. Provide training for RDT&E personnel on DoD Directive 5230.24 (reference (cc)) and DoD Directive 5230.25 (reference (dd)).
C3.4.2.4. Ensure personnel understand the security requirements for transmitting Controlled Unclassified Information (CUI), CRT, and CPI via telephone, facsimile, and/or e-mail systems.
C3.4.3. Assignments, Visits, and Exchanges of Foreign Representatives. The site director will:
C3.4.3.1. Establish a process for approving visits by foreign nationals that will include dissemination of appropriate disclosure rules and restrictions to RDT&E personnel being visited.
C3.4.3.2. Establish a process for archiving information about foreign national visits including but not limited to, information about the visitor, reason for visit, information disclosed, and any anomaly that occurs during the visit.
C3.4.3.3. Ensure that foreign visitors are visually identifiable as required by DoD Directive 5230.20 (reference (l)). Foreign nationals will be issued and wear facility access control or physical security badges when in DoD RDT&E facilities. When DoD Identification Cards or DoD Common Access Card (CAC) for foreign nationals are employed, ensure that foreign nationals are properly trained on their usage while at DoD RDT&E sites.
C3.4.3.4. Mandate training in the handling of foreign visitors, representatives and exchange officers (DoD Directive 5230.20 (reference (l))). Ensure that a contact officer has been appointed for each foreign national and they are informed of the disclosures authorized for each visitor by category of information/data.
C3.4.3.5. Ensure that foreign nationals are appropriately connected to and identified on IT networks and systems, to include e-mail systems, in accordance DoD Directive 5230.20 (reference (l)).
C3.4.3.6. Ensure that foreign nationals identify themselves as foreign nationals when using the telephone and conducting business with DoD and other Federal agencies (DoD Directive 5230.20 (reference (l))).
C3.4.3.7. Ensure that CRT releases under the provision of a Data Exchange Agreements or Master Exchange Agreements are reviewed and approved prior to release.
C3.4.4. Export Control. The site director will:
C3.4.4.1. Establish a process whereby RDT&E personnel determine whether technical data or commodities at RDT&E facilities can be exported to foreign countries.
C3.4.4.2. Establish a focal point at each RDT&E site to determine whether a deemed export license is required when a foreign national visits the facility.
C3.4.4.3. Mandate training requirements for personnel at DoD research facilities on the deemed export licensing requirements of the EAR (reference (ee)) and the ITAR (reference (e)) and on other mechanisms, such as international agreements, whereby data may be legally exported.
C3.4.4.4. Ensure personnel understand the security requirements for transmitting export controlled technical data, CRT, and CPI via telephone, facsimile, and/or e-mail systems.
C3.5. SECURITY SUPPORT PLAN
Analogous to a PPP for acquisition programs, an SSP will be developed for each RDT&E site as described in C13. Chapter 13. This plan will serve as the consolidated plan for integrating all security, foreign disclosure, intelligence, CI, and OPSEC activities at the site.
C3.6. COUNTERINTELLIGENCE (CI) SUPPORT PLAN (CISP)
The CI support for each RDT&E site will be tailored as described in C4. Chapter 4. A CISP will be developed for each RDT&E site as described in C14. Chapter 14. This plan will serve as the “contract” between the individual RDT&E site director and the responsible CI support activity.
C3.7. INFORMATION ASSURANCE
All IT network and systems storing, processing, or transmitting CRT will be accredited in accordance with Defense Information Technology Systems Certification and Accreditation Program as described in C18. Chapter 18.
C4. CHAPTER 4
COUNTERINTELLIGENCE SUPPORT TO RDT&E ACTIVITIES
C4.1. CI SUPPORT AT DoD RDT&E ACTIVITIES
C4.1.1. DoD Component CI agencies will assign CI specialists to support DoD RDT&E activities on or off military installations.
C4.1.2. These CI specialists will:
C4.1.2.1. Provide full-time, tailored, protection support to major DoD RDT&E sites and “on-call” support to any DoD RDT&E sites not requiring the full-time presence of CI specialists.
C4.1.2.2. Provide CI support to DoD contractors and academic institutions working with DoD CRT in coordination with the Defense Security Service (DSS).
C4.1.3. DoD Component CI agencies will:
C4.1.3.1. Assign a CI specialist to the DoD Component headquarters or major command acquisition and technology element to provide CI support to DoD Component research projects and acquisition programs.
C4.1.3.2. Ensure all field CI personnel involved in RTP receive specialized CI training from the Joint CI Training Academy.
C4.1.3.3. Ensure that appropriate security, research management, foreign disclosure, OPSEC, and acquisition program personnel are continuously apprised of foreign intelligence or other threat information relating to their RDT&E site or research projects.
C4.1.3.4. Disseminate CI information and products to contractor facilities under DSS cognizance and to locations and officials DSS may designate.
C4.1.3.5. Keep DSS informed of any threat to CRT and/or CPI that involve contractors under the cognizance of DSS. The provision of classified threat information to contractors shall be coordinated with DSS.
C4.1.3.6. Provide requested threat information to assist defense contractors in developing and updating their Technology Control Plans and protection of DoD CRT.
C4.1.4. The DoD Joint CI Assessment Group (JCAG) provides a centralized CI assessment capability supporting horizontal assessment and protection, threat analysis, and other RTP activities.
PART III
PROTECTION OF CPI IN ACQUISITION PROGRAMS
C5. CHAPTER 5
PROGRAM PROTECTION STRATEGY
C5.1. GENERAL
C5.1.1. The initial steps for planning program protection must be taken early in the acquisition cycle to ensure protection of CPI. This effort will be a major factor in avoiding additional and unforeseen program costs. Protection planning begins before a program or system is designated as an acquisition program. Early planning will ensure that necessary personnel and fiscal resource requirements are identified for applicable funding consideration.
C5.1.2. Program protection planning may be outsourced and included in a contract. That contract activity may include initial program and system evaluation as well as program protection planning that leads to specific RTP countermeasures. Early planning is necessary to ensure that funds are programmed and budgeted to provide the required contract support.
C5.1.3. Program protection activities must begin prior to contract award. Delaying the process may result in safeguards being difficult to accomplish or being omitted from contracts. The program’s underpinning CRT and inherited or determined CPI must be factored into the program’s overall acquisition strategy. PMs who are responsible for this planning must budget for all security costs within the Planning, Programming, and Budget System and the program’s Acquisition Program Baseline.
C5.2. PROGRAM PROTECTION STRATEGY.
C5.2.1. Each agency must apply procedures early in its acquisition cycle to ensure program protection requirements are properly addressed (see figure C5.F1.). The generic procedures must be tailored for the specific acquisition program or system being addressed.
C5.2.1.1. Acquisition planning must consider program protection an integral part of the acquisition strategy early in the planning cycle. This includes ensuring that the program management staff (whether or not a PM has been officially designated) has a representative who does the following:
C5.2.1.1.1. Understands program protection planning.
C5.2.1.1.2. Is able to identify requirements that must be programmed and budgeted.
C5.2.1.1.3. Is tasked with including program protection expertise on the program management staff.
C5.2.2. The first step is to identify resources and assign program protection staff. This should be accomplished during the early requirements reviews, but not later than the beginning of the Components Advanced Development phase. When program protection is outsourced, program protection requirements must be included in appropriate portions of solicitations and resulting contracts (e.g., statement of work (SOW), Contract Data Requirements List (CDRL), DD Form 254).
C5.2.3. The next step is to assist the program management staff in translating protection requirements into a program protection plan (PPP). This should be accomplished during a working-level IPT (WIPT) process. Acquisition strategy reviews may require an acquisition plan, depending on the size and complexity of the acquisition. This plan should detail the program protection requirements, funding, and methodology to meet these requirements.
C5.2.4. The final step is strategy implementation. This will result in an event-based schedule to execute the acquisition strategy and include actions that address program protection. After this foundation is laid, the program will proceed through the milestones and phases shown in Figure C5.F1. The program protection activities, described in C6. Chapter 6 through C11. Chapter 11, are tailored and performed prior to each milestone to provide the required countermeasures during each acquisition phase.
Figure C5.F1. Acquisition Program Schedule
C6. CHAPTER 6
PROGRAM PROTECTION PLANNING
C6.1. GENERAL
C6.1.1. Effective program protection planning is the process of identifying CPI and determining necessary countermeasures to safeguard the CPI throughout the acquisition process. CPI includes defense technologies and their support systems as defined in DoD Directive 5200.39 (reference (a)). To accomplish program protection objectives, each DoD acquisition program will be reviewed by the PM (or the responsible commander/manager if a PM has not been appointed) to determine if the program contains CPI. Not all acquisition programs will contain CPI. When the PM decides that there is no CPI, this determination shall be put in writing for concurrence by the appropriate level Program Executive Officer, Service Acquisition Executive, or MDA. If the acquisition program does contain CPI, the program protection planning process should address the following:
C6.1.1.1. Identify and set priorities on those operational or design characteristics of the system that result in the system providing unique mission capabilities.
C6.1.1.2. Identify and prioritize, in terms of importance to the program or to the system being developed, CPI related to these distinctive system characteristics.
C6.1.1.3. Identify specific program locations where CPI is developed, produced, analyzed, tested, maintained, transported, stored, or used in training.
C6.1.1.4. Identify the foreign collection threat to the program. (MDCI CI Threat Assessments are discussed in C7. Chapter 7.)
C6.1.1.5. Identify program vulnerabilities to specific threats at specific times and locations during all phases of the acquisition cycle.
C6.1.1.6. Identify time- or event-phased RTP countermeasures to be employed by the PM to reduce, control, or eliminate specific vulnerabilities to the program to ensure a minimum level of protection for CPI.
C6.1.1.7. Identify anti-tamper (AT) techniques (see C15. Chapter 15) and system security engineering (SSE) techniques (see C12. Chapter 12) required to protect CPI. Ensure these AT and SSE techniques are placed into the system’s design specifications, subsequent technical drawings, test plans, and other program documentation.
C6.1.1.8. Identify elements that require classification and determine the duration of such controls. The resulting program Security Classification Guide shall be issued by the program’s Original Classification Authority (OCA).
C6.1.1.9. Identify protection costs associated with personnel, products, services, equipment, contracts, facilities, or other areas that are part of program protection planning, countermeasures, or program security surveys. These costs shall be reflected in the Planning, Programming and Budget System.
C6.1.1.10. Identify the risks and benefits of developing, producing, or selling the system to a foreign interest, as well as the methods used to protect CRT and/or CPI if such an arrangement is authorized, and whether an export variant is necessary (see C8. Chapter 8).
C6.1.1.11. Identify contractual actions required to ensure that planned systems security engineering, AT techniques, information assurance, information superiority, and/or RTP countermeasures are appropriately applied by defense contractors at contractor locations (see C9 and 17. Chapter 9 and 17).
C6.1.1.12. Coordinate with PMs of supporting programs to ensure that measures taken to protect CRT and/or CPI are maintained at an equivalent level throughout DoD.
C6.1.2. After completing the protection planning process, the PM must, with the assistance of applicable CI and security support activities, ensure implementation of countermeasures to protect the CRT and/or CPI at each location and activity identified in the protection planning process.
C6.1.3. Protection planning process is continuous and amenable to revision as appropriate.
C6.2. CRITICAL PROGRAM INFORMATION (CPI)
C6.2.1. CPI is the foundation upon which all protection planning for the program is based, and the reason all countermeasures are implemented. As an example, the system characteristic might be the small radar cross section. The CPI are those unique program elements that make the system radar cross-section possible.
C6.2.2. CPI may include components; engineering, design, or manufacturing processes; technologies; system capabilities and vulnerabilities; and other information that give the system its distinctive operational capability.
C6.2.3. To develop the list of CPI, a WIPT will perform a “functional decomposition” of the program or system, as follows:
C6.2.3.1. Analyze the program or system description and those specific components or attributes that give the system its unique operational capability.
C6.2.3.2. Perform the analysis on each subcomponent until a specific element is associated with each system capability.
C6.2.3.3. When a component is isolated, evaluate its potential as CPI by applying the following questions:
C6.2.3.3.1. If a foreign interest obtained this item or information, could a method be developed to degrade system combat effectiveness?
C6.2.3.3.2. If a foreign interest obtained this item or information, could it compromise the U.S. program or system capabilities?
C6.2.3.3.3. If a foreign interest obtained this item or information, would it shorten the expected combat-effective life of the system or significantly alter program direction?
C6.2.3.3.4. If a foreign interest obtained this item or information, would additional RDT&E resources be required to develop a new generation of the U.S. system that was compromised?
C6.2.3.4. When CRT are inherited from a technology project and incorporated into an acquisition program, the CRT will be identified as program CPI.
C6.2.3.5. An affirmative answer to any of those questions will qualify the item as CPI.
C6.2.4. In addition to the elements organic to the system, the PM should consider any engineering process, fabrication technique, diagnostic equipment, simulator, or other support equipment associated with the system for identification as a possible CPI. Special emphasis should be placed on any process that is unique to the system being developed. The PM and program engineer should evaluate each area and identify any activity distinctive to the U. S. industrial and technological base that limits the ability of a foreign interest to reproduce or counter the system.
C6.2.5. Once all system CPI has been identified, additional refinement may be necessary. Key considerations in this refinement are as follows:
C6.2.5.1. Describe CPI in terms understandable by those not in the scientific or engineering field (e.g., use terms from the MCTL (reference (ff)) or National Disclosure Policy (reference (gg))). The fact that a particular technology is on a technology control list does not mean that technology is a CPI.
C6.2.5.2. Provide specific criteria for determining whether CPI has been compromised.
C6.2.5.3. Indicate any CPI related to a treaty-limited item.
C6.2.5.4. Indicate if this CPI is being or may be used by any other acquisition program or system.
C6.2.5.5. Prioritize CPI to ensure that the most important information is emphasized during protection cost analysis. That process addresses the following two questions:
C6.2.5.5.1. What is the extent to which the CPI could benefit a foreign interest?
C6.2.5.5.2. How difficult is it for a foreign interest to exploit the information?
C6.2.6. CI and security support activities and program protection staff elements will assist the PM in completing this task.
C6.3. COORDINATION
C6.3.1. The PM is responsible for developing, approving, and implementing a program protection plan (PPP), which is normally accomplished through a WIPT. The PM may establish a security WIPT or include the appropriate personnel on an existing WIPT to assist in the preparation of the PPP and supporting documentation.
C6.3.1.1. The following personnel or organizational representatives will be represented in the WIPT:
C6.3.1.1.1. Program office engineering and/or technical staff
C6.3.1.1.2. Organizational or command security
