System Security Engineering

Overview

System Security Engineering (SSE) activities allow for identification and incorporation of security design and process requirements into risk identification and management in the requirements trade space.

SSE is an element of systems engineering (SE) that applies scientific and engineering principles to identify security vulnerabilities and to minimize or contain the risks associated with them. Program Protection is the Department's integrating process for mitigating and managing risks to advanced technology and mission-critical system functionality from foreign collection, design vulnerability or supply chain exploit/insertion (see the Technology & Program Protection (T&PP) Guidebook), battlefield loss, and unauthorized or inadvertent disclosure throughout the acquisition life cycle. The Program Protection processes capture SSE analysis in the system requirements and design documents, and SSE verification in the test plans, procedures and results documents. The Program Protection Plan (PPP) (see T&PP Guidebook) documents the comprehensive approach to system security engineering analysis and the associated results.

SSE analysis results should be captured in the PPP, provided at each technical review and audit (see T&PP Guidebook), and incorporated into the technical review assessment criteria as well as the functional, allocated and product baselines. The PPP is approved by the Milestone Decision Authority (MDA) at each milestone decision review and at the Full-Rate Production/Full-Deployment (FRP/FD) decision, with a draft PPP (as defined in the Adaptive Acquisition Framework Document Identification (AAFDID) tool and DoDI 5000.83, Section 3.4.c.) due at the Development Request for Proposals (RFP) Release Decision Point. For Middle Tier Acquisition, Urgent Capability Acquisition and Software Acquisition programs, PPPs are developed and submitted as directed by the components. The analysis should be used to update the technical baselines prior to each technical review and key knowledge point throughout the life cycle. It should also inform the development and release of each RFP by incorporating the SSE process requirements and the system security requirements into the appropriate solicitation documentation.

Role of the PM and SE

The Program Manager (PM) is responsible for employing SSE practices and preparing a PPP to guide the program's efforts and the actions of others. The Systems Engineer and/or System Security Engineer is responsible for ensuring that a balanced set of security requirements, designs, testing and risk management is incorporated and addressed in their respective trade spaces. The Systems Engineer and/or System Security Engineer is responsible for leading and facilitating cross-discipline teams to conduct the SSE analysis necessary for development of the PPP. The cross-discipline interactions reach beyond the SSE community to the test and logistics communities. The T&PP Guidebook (forthcoming) further details the program protection roles and responsibilities.

To address SSE as a design consideration, the Systems Engineer and System Security Engineer should ensure the system architecture and design addresses how the system:

The early and frequent consideration of SSE principles reduces the rework and expense resulting from late-to-need security requirements (e.g., anti-tamper, exportability features, supply chain risk management, secure design, defense-in-depth and cybersecurity implementation). A best practice is to perform Mission-Based Cyber Risk Assessments early, and to update the assessments periodically as cyberspace threats and the system design evolve. These assessments should be collaborative and include operational users, developers, engineers, and cyberspace threat emulation (testers).

Products and Tasks

Product | Tasks
10-24-1: Develop a program protection plan (PPP)
  1. Provide a program protection assessment of requirements documents to program management.
  2. Identify critical program information (CPI) including inherited designated science and technology information.
  3. Determine the threat to CPI.
  4. Identify personnel required to fulfill all pertinent program protection roles to engineering and program management.
  5. Identify vulnerabilities to CPI.
  6. Perform risk analysis.
  7. Recommend appropriate security controls for an acquisition program.
  8. Provide technical support to register an acquisition program with the applicable component(s) cybersecurity program.
  9. Document program protection planning in the systems engineering plan (SEP), PPP and system security plan (SSP).
10-24-2: Execute the program protection during development
  1. Analyze and assist engineering and program management with program protection requirements analysis.
  2. Identify the security architecture boundary and characterize the attack surface.
  3. Translate security controls and requirements into system specification requirements.
  4. Update program protection actions and strategies in the systems engineering plan (SEP), program protection plan (PPP) and system security plan (SSP).
  5. Implement system security solutions consistent with approved system security architectures.
  6. Obtain interim approval to test or approval to operate as appropriate for test.
  7. Coordinate and conduct system security and cybersecurity developmental test and evaluation (DT&E).
  8. Coordinate the cybersecurity vulnerability and operational resiliency evaluations with operational test.
  9. Update cybersecurity actions and strategies in the SEP, PPP and SSP as applicable.
10-24-3: Execute program protection during production and sustainment
  1. Based on the systems engineering plan review, test results, threat assessment and vulnerability analysis, update program protection actions and strategies in the program protection plan (PPP) and system security plan (SSP).
  2. Report findings of the operational cybersecurity vulnerability evaluation to engineering and program management.
  3. Implement control solutions consistent with approved system security architectures.
  4. Report findings of the operational cybersecurity resiliency evaluation to engineering and program management.
  5. Assess selected controls annually and report status to engineering and program management.
  6. Update program protection planning actions and strategies in the SEP, PPP and SSP as applicable.

Source: AWQI eWorkbook

Resources

Key Terms

Source:
DAU ACQuipedia
DAU Glossary