Counterintelligence organizations need information that describes the CPI and its projected
What is CPI?
CPI is defined as U.S. capability elements that contribute to the warfighters' technical advantage, which if compromised, undermine U.S. military preeminence. U.S. capability elements may include, but are not limited to, software algorithms and specific hardware residing on the system, the system's training equipment, or the system's maintenance support equipment.
General guidance suggests that an element may be CPI if:
Consequences of CPI compromise may include:
What is NOT CPI?
Examples of types of information that are not CPI:
Ref: DoDI 5200.39 for more information, *(defined in Committee on National Security Systems Instruction (CNSSI) Number 4009)

CPI Analysis Process
The CPI analysis process consists of three steps:
1. Identify CPI
The purpose of CPI Identification is to identify critical program information that requires protection to prevent reverse engineering. Note that CPI is not a category of information and not all programs will have CPI. CPI are normally DoD-unique capabilities, those that are developed and owned by the U.S., that are necessary for U.S. technological superiority.

CPI identification frequently involves use of many different toolsets, which include:
- Counterintelligence, intelligence, and security assessments and support
- International Cooperative Program/Export Control considerations
- CPI Protection List
- Horizontal identification
- Security Classification Guidance
- Complete OSD CPI Survey form and submit to your organization's Research and Technology Protection office

The methodology to identify CPI, the identified inherited and organic CPI, protection measures, and consequence if compromised are documented in Section 3 of the Program Protection Plan (PPP).

Output
The output of CPI identification is an approved list of CPI (initial or updated) or a decision stating that the operational, deployed system does not or will not contain CPI. These should be captured within the PPP.

Identify CPI: Step 1
Use DoD resources to identify technology areas and thresholds that provide an advanced, new, or unique warfighting capability that apply to the system.
Identify CPI: Step 2
Identify system attributes that fall within an established technology area or within a new technology area that exceed a threshold, i.e., CPI. A threshold is a boundary associated with a capability or level of performance.
Identify CPI: Step 3
Review and approve the CPI.
Take Note: The CPI Identification Process (its steps, tools, resources, and reviews), if followed by all programs, helps achieve consistency across program CPI determinations to achieve horizontal identification. Per DoDI 5200.39, Component heads must ensure horizontal identification and MDAs must oversee horizontal identification.

2. Assess CPI Risk
How do we determine which protection measures are adequate for the identified CPI? We make this determination by assessing the risk associated with each CPI and protecting the CPI commensurate with the risk. The risk associated with each identified CPI is determined by analyzing and combining three factors:
Output

Three Factors of CPI Risk Assessment

1. Consequence
Detailed information on the consequence of CPI compromise can be found in the AT Guidelines v2.1, which can be requested via the DoD AT website.

2. Exposure
For detailed information on exposure analysis, refer to the AT Guidelines v2.1. Per the AT Guidelines v2.1, programs should assume export-level exposure by default, the highest level of exposure.

3. Threat
Programs should confirm foreign adversary interest and skill in obtaining CPI through requesting and receiving a counterintelligence report such as the Multi-Discipline Counterintelligence Threat Assessment or the Technology Targeting Risk Assessment (TTRA). The TTRA is required at Milestone A (per Milestone Document Identification (MDID) tool). To initiate and coordinate counterintelligence activities supporting your program, follow the instructions in DoDI O-5240.24, Enclosure 4, Counterintelligence (CI) Activities Supporting Research, Development, and Acquisition (RDA), June 8, 2011. (This is a controlled document.) The results of this coordination should be documented in a formal and living plan describing activities to be conducted by a Defense Counterintelligence Component in support of your program. This plan is known as the Counterintelligence Support Plan (CISP) and is an appendix to the PPP. The CISP should be reviewed and updated annually.

Organic vs. Inherited CPI

Organic CPI
As previously discussed, this is done by analyzing and combining three factors:
Inherited CPI
For inherited CPI, the inheriting program office should determine the appropriate system exposure and also reassess the consequence of compromise determined originally by the originating program office.

CPI Risk Assessment/Mitigation Example
For CPI Risk Assessment, the Likelihood scale represents the Exposure assessment for the CPI, with the operational environment as the primary factor in making this determination. Consequence of CPI compromise refers to the impact, if the CPI is compromised, on U.S. tactical or strategic military advantage in conjunction with the time and resources required for the U.S. to regain that tactical or strategic military advantage. The Likelihood scale can also be used to represent the Threat assessment of foreign adversary interest and skill in obtaining CPI. The Anti-Tamper, Defense Exportability Features, and Foreign Disclosure/Agreement countermeasures counter the Exposure in the operational environment while the other countermeasures counter the Threat based on foreign adversary interest and skill.
3. Protect CPI
Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected. CPI protections, at a minimum, will include anti-tamper, exportability features, security (cybersecurity, industrial security, information security, operations security, personnel security, and physical security), or equivalent countermeasures.

SSE Specialties Applicable to CPI Protection
System Security Engineering (SSE) specialties* that are considered to be primarily associated with mitigating risks to CPI are:
While AT and DEF are triggered by the identification of CPI and applied based on the CPI risk assessment, cybersecurity and the security specialties are considered, identified, and applied based on the types of information on the weapons system.

Take Note: Supply chain risk management (SCRM), software assurance, and hardware assurance protection measures applied as part of the trusted systems and network (TSN) analysis, though not triggered by the identification of CPI, can contribute to the protection of CPI and are considered when selecting protection measures for CPI.

Protecting CPI - System Context

CPI Protection Measures Incorporated into Trade-off Analyses
Systems engineers recognize that threats and vulnerabilities will continue to be identified during system development and operation and that the system security requirements will need to be reassessed and updated as system requirements and design decisions are made. As part of CPI analysis, the system security engineer and relevant SSE specialists identify protection measures that address risks discovered through CPI analysis. These protection measures, however, must be integrated with other SSE protection measures selected through information analysis and trusted systems and network (TSN) analysis. The total set of protection measures must also be balanced with other system attributes as part of the overall solution. The two levels of trade-off analysis are listed below.
The resulting requirements are placed in the System Requirements Document (SRD), the Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254), early in the program.

CPI Horizontal Protection Concept & Policy
In this context, horizontal refers to consistently and efficiently identifying and protecting CPI across programs. DoDI 5200.39, CPI Identification and Protection Within RDT&E, requires that:
How to Horizontally Protect CPI
To make sure CPI protection resources are consistently and efficiently applied across all programs, programs must:
For inherited CPI, the program inheriting the CPI must:
For similar organic CPI, the affected programs must discuss, negotiate, and agree upon the protection level(s). The goal is an agreement on a common risk mitigation level among affected programs, not a common protection requirement.

Take Note: The horizontal protection analysis that is performed should be documented in the Program Protection Plan (PPP) in Section 4, Horizontal Protection.

Acquisition Security Database (ASDB) in Support of Horizontal Protection
The ASDB is a useful resource for horizontal CPI identification and protection under the control of the Office of the Under Secretary of Defense for Research and Engineering -- OUSD(R&E). This DoD database provides online storage, retrieval, and tracking of CPI and supporting program protection documents. Programs are required to populate the ASDB with program CPI and consult the ASDB to help identify same or similar CPI in other programs. The ASDB facilitates comparative analysis of defense systems' technology and the alignment of CPI protection activities across the DoD. The Under Secretary of Defense for Acquisition and Sustainment controls, oversees, and manages the ASDB.

Take Note: Programs are required to use the ASDB to support horizontal identification and protection analysis and to input and validate program information, including inherited and organic CPI. ASDB resides on the Secret Internet Protocol Router Network (SIPRNet) and access is granted on a strict need-to-know basis.

CPI Protection Measures Approval
Approval of the selected CPI protections occurs as part of the PPP and Anti-Tamper Plan concurrence and approval process. Additionally, appropriate protection measures are incorporated into the System Requirements Document (SRD), Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254). This means that CPI protections are approved as part of the SRD and SOW approval processes as well.
CPI Risk Management - Monitoring
Monitoring is the fifth step of the Risk Management Process and it applies to CPI Risk Management, too. Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected. The CPI identified for the program should be re-assessed throughout the life of the system to determine if it is still CPI, and if any new CPI can be identified, especially during technology insertion and refresh efforts. Also, the countermeasures employed to mitigate previously identified CPI exposures, threats, and consequences should be periodically evaluated for effectiveness. In addition, new exposures, threats, and consequences should be examined. The threats should be reviewed and updated annually in the Counterintelligence Support Plan appendix to the Program Protection Plan. So, CPI should be periodically reviewed and assessed for the life of the system during reviews of the Program Protection Plan and its associated annexes.
Which organization provides signals intelligence in support of CI activities?
The National Security Agency/Central Security Service is the nation's cryptologic organization that coordinates, directs, and performs highly specialized activities to protect U.S. information systems and to produce foreign signals intelligence information.
Which organization serves as the Defense Counterintelligence CI Manager to provide for centralized management of DoD CI activities?
DIRECTOR, DIA. Under the authority, direction, and control of the USD(I) and in addition to the responsibilities in section 6 of this enclosure, the Director, DIA: a. Serves as the Defense CI Manager to provide for centralized management of DoD CI activities.
Which of the following organizations provides signals intelligence?
The National Security Agency (NSA) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations in order to gain a decision advantage for the nation and our allies under all circumstances.