System Security Engineering

Overview

System Security Engineering (SSE) activities allow for identification and incorporation of security design and process requirements into risk identification and management in the requirements trade space.

SSE is an element of system engineering (SE) that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities. Program Protection is the Department’s integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability or supply chain exploit/insertion (see Technology & Program Protection (T&PP) Guidebook, battlefield loss and unauthorized or inadvertent disclosure throughout the acquisition life cycle. The Program Protection processes capture SSE analysis in the system requirements and design documents and SSE verification in the test plans, procedures and results documents. The Program Protection Plan (PPP) (see T&PP Guidebook documents the comprehensive approach to system security engineering analysis and the associated results.

SSE analysis results should be captured in the PPP, provided at each technical review and audit (see T&PP Guidebook and incorporated into the technical review assessment criteria as well as the functional, allocated and product baselines. The PPP is approved by the Milestone Decision Authority (MDA) at each milestone decision review and at the Full-Rate Production/Full-Deployment (FRP/FD) decision, with a draft PPP (as defined in Adaptive Acquisition Framework Document Identification (AAFDID) tool and DoDI 5000.83, Section 3.4.c.) due at the Development Request for Proposals (RFP) Release Decision Point. For other programs, PPPs are developed and submitted as directed by components for Operation of Middle Tier Acquisition, Urgent Capability Acquisition, and Software Acquisition programs. The analysis should be used to update the technical baselines prior to each technical review and key knowledge point throughout the life cycle. It should also inform the development and release of each RFP by incorporating SSE process requirements and the system security requirements into the appropriate solicitation documentation.

Role of the PM and SE

The Program Manager (PM) is responsible for employing SSE practices and preparing a PPP to guide the program’s efforts and the actions of others. The Systems Engineer and/or System Security Engineer is responsible for ensuring a balanced set of security requirements, designs, testing and risk management are incorporated and addressed in the their respective trade spaces. The Systems Engineer and/or System Security Engineer is responsible for leading and facilitating cross-discipline teams to conduct the SSE analysis necessary for development of the PPP. The cross-discipline interactions reach beyond the SSE community to the test and logistics communities. The T&TP Guidebook (forthcoming) further details the program protection roles and responsibilities.

To address SSE as a design consideration, the Systems Engineering and Systems Security Engineer should ensure the system architecture and design addresses how the system:

• Manages access to, and use of, the system and system resources.
• Is configured to minimize exposure of vulnerabilities that could impact the mission through techniques such as design choice, component choice, security technical implementation guides and patch management in the development environment (including integration and T&E), in production and throughout sustainment.
• Is structured to protect and preserve system functions or resources, e.g., through segmentation, separation, isolation or partitioning.
• Monitors, detects and responds to security anomalies.
• Maintains priority system functions under adverse conditions.
• Interfaces with DoD Information Network or other external security services.
• Prevents, mitigates and recovers from cyberspace attacks and events, based on current cyberspace threats validated by the intelligence community.
• Is designed to be operationally resilient, as per the DoDI 8500.01

The early and frequent consideration of SSE principles reduces re-work and expense resulting from late-to-need security requirements (e.g., anti-tamper, exportability features, supply chain risk management, secure design, defense-in-depth and cybersecurity implementation). A best practice is to perform Mission-Based Cyber Risk Assessments early, and to update the assessments periodically as cyberspace threats and system design evolves. These assessments should be collaborative and include operational users, developers, engineers, and cyberspace threat emulation (testers).

Products and Tasks

Product	Tasks
10-24-1: Develop a program protection plan (PPP)	Provide a program protection assessment of requirements documents to program management. Identify critical program information (CPI) including inherited designated science and technology information. Determine the threat to CPI. Identify personnel required to fulfill all pertinent program protection roles to engineering and program management. Identify vulnerabilities to CPI. Perform risk analysis. Recommend appropriate security controls for an acquisition program. Provide technical support to register an acquisition program with the applicable component(s) cybersecurity program. Document program protection planning in the systems engineering plan (SEP), PPP and system security plan (SSP).
10-24-2: Execute the program protection during development	Analyze and assist engineering and program management with program protection requirements analysis. Identify the security architecture boundary and characterize the attack surface. Translate security controls and requirements into system specification requirements. Update program protection actions and strategies in the systems engineering plan (SEP), program protection plan (PPP) and system security plan (SSP). Implement system security solutions consistent with approved system security architectures. Obtain interim approval to test or approval to operate as appropriate for test. Coordinate and conduct system security and cybersecurity developmental test and evaluation (DT&E). Coordinate the cybersecurity vulnerability and operational resiliency evaluations with operational test. Update cybersecurity actions and strategies in the SEP, PPP and SSP as applicable.
10-24-3: Execute program protection during production and sustainment	Based on the systems engineering plan review, test results, threat assessment and vulnerability analysis, update program protection actions and strategies in the program protection plan (PPP) and system security plan (SSP). Report findings of the operational cybersecurity vulnerability evaluation to engineering and program management. Implement control solutions consistent with approved system security architectures. Report findings of the operational cybersecurity resiliency evaluation to engineering and program management. Assess selected controls annually and report status to engineering and program management. Update program protection planning actions and strategies in the SEP, PPP and SSP as applicable.

Source: AWQI eWorkbook

---

Resources

Key Terms

• Anti-Tamper (AT)
• Communications Security (COMSEC)
• Computer Security and Privacy
• Cybersecurity
• Cybersecurity Maturity Model Certification (CMMC)
• Cybersecurity Strategy
• Defense Counterintelligence and Security Agency (DCSA)
• DoD Information Network (DODIN)
• Facility Security Clearance
• Global Information Grid
• National Industrial Security Program (NISP)
• Operations Security (OPSEC)
• Program Protection
• Program Protection Plan
• Science and Technology Protection Plan
• Supply Chain Risk Management (SCRM) - Overview
• System Security Engineering
• Technology Area Protection Plan (TAPP)
• Technology Security and Foreign Disclosure (TSFD)

Source:
DAU ACQuipedia
DAU Glossary

Policy and Guidance

• DoDI 5000.83 Technology and Program Protection to Maintain Technological Advantage
• DoDI 5000.90 Cybersecurity for Acquisition Decision Authorities and Program Managers
• DoDI 8500.01, Cybersecurity
• DoDI 8510.01 Risk Management Framework RMF for DoD Information Technology
• Systems Engineering (SE) Guidebook, 5.24 System Security Engineering
• AAFDID tool, Major Capability Acquisition pathway Milestone and Phase Information Requirements, Program Protection Plan (PPP)
• Technology and Program Protection Guidebook

DAU Training Courses

• ETM 1050: Design Considerations Fundamentals Lesson 24 System Security Engineering
• ACQ 1300: Fundamentals of Technology Security/Transfer
• ACQ 160: Program Protection Planning Awareness
• CLE 022: Program Manager Introduction to Anti-Tamper
• CLE 074: Cybersecurity Throughout DoD Acquisition
• CLE 080: SCRM for Information and Communications Technology (ICT)
• ENG 260: Program Protection for Practitioners
• ISA 220: Risk Management Framework (RMF) for the Practitioner
• CCYB 001: Program Protection Credential
• CCYB 00: Cybersecurity for Program Managers Credential
• WSS 001: Cybersecurity and Acquisition Integration Workshop
• WSS 003: Information System Security Manager (ISSM) Workshop
• WSS 004: Strengths, Weaknesses, Opportunities and Risks Workshop
• WSS 005: Program Protection Workshop
• WSS 008: Protecting Controlled Unclassified Information (CUI) Workshop
• WSS 011: Cyber Training Range - Intermediate Workshop
• WSS 012: Defensive Cyber Operations (DCO) Workshop
• Cybersecurity Training at DAU

DAU Tools

• DoD Developer’s Guidebook for Software Assurance
• Program Manager’s Guidebook for Software Assurance
• Cyber Resilient Weapon Systems Body of Knowledge (CRWS-BoK) tool
• DoD Cybersecurity Test and Evaluation Guidebook

Media

• A New Approach to Cyber Software Assurance
• Adaptive Acquisition Framework: DoDI 5000.83, Technology and Program Protection to Maintain Technological Advantage
• Adaptive Acquisition Framework: DoDI 5000.90, Cybersecurity for Acquisition Decision Authorities and Program Managers
• DAU Cybersecurity media channel
• Cybersecurity Implementation
• Cybersecurity in Program Acquisition
• Cybersecurity/Risk Management Framework
• ISA201 Lesson 8 Cybersecurity
• NAVAIR's Cyber Controls
• Program Protection Plan DAU blog
• Protecting DoD's Unclassified Information (1 of 3)
• Protecting DoD's Unclassified Information (2 of 3)
• Protecting DoD's Unclassified Information (3 of 3)
• Protecting DoD's Unclassified Information - Defining the Landscape

DAU Communities of Practice

• Information Technology/Software