??? Critical Program Information Risk Assessment

Critical Program Information Risk Assessment

What is CPI?

CPI is defined as U.S. capability elements that contribute to the warfighters' technical advantage, which if compromised, undermine U.S. military preeminence. U.S. capability elements may include, but are not limited to, software algorithms and specific hardware residing on the system, the system's training equipment, or the system's maintenance support equipment.

General guidance suggests that an element may be CPI if:

Consequences of CPI compromise may include:

What is NOT CPI?

Examples of types of information that are not CPI:

Ref: DoDI 5200.39 for more information, *(defined in Committee on National Security Systems Instruction (CNSSI) Number 4009)

CPI Analysis Process

The CPI analysis process consists of three steps:

  1. Identify CPI
  2. Assess CPI Risk
  3. Protect CPI

1. Identify CPI

The purpose of CPI Identification is to identify critical program information that requires protection to prevent reverse engineering. Note that CPI is not a category of information and not all programs will have CPI. CPI are normally DoD-unique capabilities, those that are developed and owned by the U.S., that are necessary for U.S. technological superiority.

CPI identification frequently involves use of many different toolsets, which include:

The methodology to identify CPI, the identified inherited and organic CPI, protection measures, and consequence if compromised are documented in Section 3 of the Program Protection Plan (PPP).

Output
The output of CPI identification is an approved list of CPI (initial or updated) or a decision stating that the operational, deployed system does not or will not contain CPI. These should be captured within the PPP.

Identify CPI: Step 1

Use DoD resources to identify technology areas and thresholds that provide an advanced, new, or unique warfighting capability that apply to the system.

Identify CPI: Step 2

Identify system attributes that fall within an established technology area or within a new technology area that exceed a threshold, i.e., CPI. A threshold is a boundary associated with a capability or level of performance.

Identify CPI: Step 3

Review and approve the CPI.

Take Note: The CPI Identification Process ??? its steps, tools, resources, and reviews ??? if followed by all programs, helps achieve consistency across program CPI determinations to achieve horizontal identification. Per DoDI 5200.39, Component heads must ensure horizontal identification and MDAs must oversee horizontal identification.

2. Assess CPI Risk

How do we determine which protection measures are adequate for the identified CPI? We make this determination by assessing the risk associated with each CPI and protecting the CPI commensurate with the risk.

The risk associated with each identified CPI is determined by analyzing and combining three factors:

Output
The output of CPI Risk Assessment is the level of risk associated with each CPI, which is documented in the Anti-Tamper (AT) Plan.

Three Factors of CPI Risk Assessment

1. Consequence
Consequence of CPI compromise refers to the impact, if the CPI is compromised, on U.S. tactical or strategic military advantage in conjunction with the time and resources required for the U.S. to regain that tactical or strategic military advantage.

Detailed information on the consequence of CPI compromise can be found in the AT Guidelines v2.1, which can be requested via the DoD AT website.

2. Exposure
Exposure is the likelihood that an adversary will be able to obtain the end-item through battlefield loss or export. This is a key factor in determining CPI protection requirements. The operational environmental is a primary factor in making this determination.

For detailed information on exposure analysis, refer to the AT Guidelines v2.1. Per the AT Guidelines v2.1, programs should assume export-level exposure by default ??? the highest level of exposure.

3. Threat
Threat is an assessment of foreign adversary interest and skill in obtaining CPI. The threat assessment to the CPI is provided by the Defense Intelligence Agency (DIA).

Programs should confirm foreign adversary interest and skill in obtaining CPI through requesting and receiving a counterintelligence report such as the Multi-Discipline Counterintelligence Threat Assessment or the Technology Targeting Risk Assessment (TTRA). The TTRA is required at Milestone A (per Adaptive Acquisition Framework Document Identification (AAFDID) tool).

To initiate and coordinate counterintelligence activities supporting your program, follow the instructions in DoDI O-5240.24, Enclosure 4, Counterintelligence (Cl) Activities Supporting Research, Development, and Acquisition (RDA), June 8, 2011. (This is a controlled document.)

The results of this coordination should be documented in a formal and living plan describing activities to be conducted by a Defense Counterintelligence Component in support of your program. This plan is known as the Counterintelligence Support Plan (CISP) and is an appendix to the PPP. The CISP should be reviewed and updated annually.

Organic vs. Inherited CPI

Organic CPI
Organic CPI is unique CPI that is owned and generated by the RDT&E program. Programs need to assess the risk associated with each organic CPI associated with the program.

As previously discussed, this is done by analyzing and combining three factors:

Inherited CPI
Inherited CPI is CPI that is owned and generated by one RDT&E program, subsystem, or project, and then incorporated into and used by another RDT&E program. This includes CPI from an existing weapon system incorporated into a new program, subsystem, or project.

For inherited CPI, the inheriting program office should determine the appropriate system exposure and also reassess the consequence of compromise determined originally by the originating program office.

CPI Risk Assessment/Mitigation Example

For CPI Risk Assessment, the Likelihood scale represents the Exposure assessment for the CPI, with the operational environment as the primary factor in making this determination. Consequence of CPI compromise refers to the impact, if the CPI is compromised, on U.S. tactical or strategic military advantage in conjunction with the time and resources required for the U.S. to regain that tactical or strategic military advantage. The Likelihood scale can also be used to represent the Threat assessment of foreign adversary interest and skill in obtaining CPI.

initial risk assessment matrix with likelihood on y axis and corresponding boxes from very low to very high. X axis labeled consequence with boxes from very low to very high. Box VH likelihood and Medium consequence labled #1, box medium likelihood high consequence labled #2
down arrow

The Anti-Tamper, Defense Exportability Features, and Foreign Disclosure/Agreement countermeasures counter the Exposure in the operational environment while the other countermeasures counter the Threat based on foreign adversary interest and skill.

Countermeasure
Required Anti-Tamper
Communications Security
Exports only Defense Exportability Features (DEF)
Exports only Foreign Disclosure / Agreement
Information Assurance
Operations Security
Personnel Security
Physical Security
Software Assurance
Transportation Management
down arrow
initial risk assessment matrix from above with box for #1 moving from very high likelihood / medium consequence to low lokelihood medium consequence, box #2 moving from medium likelihood high consequence to very low likelihood high consequence.

3. Protect CPI

Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected.

CPI protections, at a minimum, will include anti-tamper, exportability features, security (cybersecurity, industrial security, information security, operations security, personnel security, and physical security), or equivalent countermeasures.

SSE Specialties Applicable to CPI Protection

System Security Engineering (SSE) specialties* that are considered to be primarily associated with mitigating risks to CPI are:

While AT and DEF are triggered by the identification of CPI and applied based on the CPI risk assessment, cybersecurity and the security specialties are considered, identified, and applied based on the types of information on the weapons system.

Take Note: Supply chain risk management (SCRM), software assurance, and hardware assurance protection measures applied as part of the trusted systems and network (TSN) analysis, though not triggered by the identification of CPI, can contribute to the protection of CPI and are considered when selecting protection measures for CPI.

flowchart showing the system context of protecting CPI. protection measures triggered by che classification of system information or unclassified controlled technical information. Build the capability using this technical information. Protetion measures triggered by the classificaiton of system information. Image of computer with hardware and software labeled. Dashed line box underneath with proteciton measures triggered by the identification of CPI/ identification of mission-critical functions. Computer labeled with hardware software, CPI.

Protecting CPI - System Context

CPI Protection Measures Incorporated into Trade-off Analyses

Systems engineers recognize that threats and vulnerabilities will continue to be identified during system development and operation and that the system security requirements will need to be reassessed and updated as system requirements and design decisions are made.

As part of CPI analysis, the system security engineer and relevant SSE specialists identify protection measures that address risks discovered through CPI analysis. These protection measures, however, must be integrated with other SSE protection measures selected through information analysis and trusted systems and network (TSN) analysis.

The total set of protection measures must also be balanced with other system attributes as part of the overall solution. The two levels of trade-off analysis are listed below.

The resulting requirements are placed in the System Requirements Document (SRD), the Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254), early in the program.

CPI Horizontal Protection Concept & Policy

In this context, horizontal refers to consistently and efficiently identifying and protecting CPI across programs.

DoDI 5200.39, CPI Identification and Protection Within RDT&E, requires that:

How to Horizontally Protect CPI

To make sure CPI protection resources are consistently and efficiently applied across all programs, programs must:

For inherited CPI, the program inheriting the CPI must:

For similar organic CPI, the affected programs must discuss, negotiate, and agree upon the protection level(s). The goal is an agreement on a common risk mitigation level among affected programs, not a common protection requirement.

Take Note: The horizontal protection analysis that is performed should be documented in the Program Protection Plan (PPP) in Section 4, Horizontal Protection.

Acquisition Security Database (ASDB) in Support of Horizontal Protection

The ASDB is a useful resource for horizontal CPI identification and protection under the control of the Office of the Under Secretary of Defense for Research and Engineering -- OUSD(R&E). This DoD database provides online storage, retrieval, and tracking of CPI and supporting program protection documents.

Programs are required to populate the ASDB with program CPI and consult the ASDB to help identify same or similar CPI in other programs. The ASDB facilitates comparative analysis of defense systems' technology and the alignment of CPI protection activities across the DoD.

Take Note: Programs are required to use the ASDB to support horizontal identification and protection analysis and to input and validate program information, including inherited and organic CPI. ASDB resides on the Secret Internet Protocol Router Network (SIPRNet) and access is granted on a strict need-to-know basis.

CPI Protection Measures Approval

Approval of the selected CPI protections occurs as part of the PPP and Anti-Tamper Plan concurrence and approval process. Additionally, appropriate protection measures are incorporated into the System Requirements Document (SRD), Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254). This means that CPI protections are approved as part of the SRD and SOW approval processes as well.

CPI Risk Management - Monitoring

Monitoring is the fifth step of the Risk Management Process and it applies to CPI Risk Management, too. Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected. The CPI identified for the program should be re-assessed throughout the life of the system to determine if it is still CPI, and if any new CPI can be identified, especially during technology insertion and refresh efforts. Also, the countermeasures employed to mitigate previously identified CPI exposures, threats, and consequences should be periodically evaluated for effectiveness. In addition, new exposures, threats, and consequences should be examined. The threats should be reviewed and updated annually in the Counterintelligence Support Plan appendix to the Program Protection Plan. So, CPI should be periodically reviewed and assessed for the life of the system during reviews of the Program Protection Plan and its associated annexes.


References

On this page

  1. What is CPI?
  2. What is NOT CPI?
  3. CPI Analysis Process
  4. Monitoring
  5. References

Related Topics

Back to top