Critical Program Information Risk Assessment

What is CPI?

CPI is defined as U.S. capability elements that contribute to the warfighters' technical advantage, which if compromised, undermine U.S. military preeminence. U.S. capability elements may include, but are not limited to, software algorithms and specific hardware residing on the system, the system's training equipment, or the system's maintenance support equipment.

General guidance suggests that an element may be CPI if:

• It provides a clear warfighting technological advantage.
• It was identified as CPI previously by another program (horizontal identification).
• It involves a method, technique, application, or production process that:
• Is unique to the U.S. Government and/or industry, and
• Cannot be achieved using alternate methods and techniques, and
• Is critical to system capability and performance.

Consequences of CPI compromise may include:

• A reduction in U.S. technological advantage on the battlefield
• The need for additional resources to counter the impact of the compromise
• A reduction in the combat effective life of the system
• The need for a significant alteration in the system design

What is NOT CPI?

Examples of types of information that are not CPI:

• Personally Identifiable Information
• Individually Identifiable Health Information
• Financial, Logistics Information
• Operational Information (i.e., waypoints and target location data)
• Vulnerabilities and Weaknesses
• Unmodified Commercial-Off-The-Shelf (COTS)
• Multi-Level Security, Cryptographic, and Cross Domain Solutions*

Ref: DoDI 5200.39 for more information, *(defined in Committee on National Security Systems Instruction (CNSSI) Number 4009)

CPI Analysis Process

The CPI analysis process consists of three steps:

1. Identify CPI
2. Assess CPI Risk
3. Protect CPI

1. Identify CPI

The purpose of CPI Identification is to identify critical program information that requires protection to prevent reverse engineering. Note that CPI is not a category of information and not all programs will have CPI. CPI are normally DoD-unique capabilities, those that are developed and owned by the U.S., that are necessary for U.S. technological superiority.

CPI identification frequently involves use of many different toolsets, which include:

• Counterintelligence, intelligence, and security assessments and support
• International Cooperative Program/Export Control considerations
• CPI Protection List
• Horizontal identification
• Security Classification Guidance
• Complete OSD CPI Survey form and submit to your organization's Research and Technology Protection office

The methodology to identify CPI, the identified inherited and organic CPI, protection measures, and consequence if compromised are documented in Section 3 of the Program Protection Plan (PPP).

Output
The output of CPI identification is an approved list of CPI (initial or updated) or a decision stating that the operational, deployed system does not or will not contain CPI. These should be captured within the PPP.

Identify CPI: Step 1

Use DoD resources to identify technology areas and thresholds that provide an advanced, new, or unique warfighting capability that apply to the system.

• Assess the current state of U.S. and foreign technology and identify those areas where the U.S. has a significant technological advantage (Sources)
• Review applicable Security Classification Guides (SCGs), if available, to identify classified system functional and performance requirements and the enabling technologies as potential sources of CPI
• Search the Acquisition Security Database (ASDB) for technologies that have been identified as CPI by other programs and are the same or similar to those within the team's program
• More information on the ASDB may be found on the Secret Internet Protocol Router Network (SIPRNET) at https://www.dodtechipedia.smil.mil/ASDB
• Review the International Transfer Guide to identify technology thresholds that, if exceeded, may indicate CPI
• For foreign military sales and direct commercial sales, review provisos within license agreements and consider the identified technologies requiring protection as potential sources of CPI.

Identify CPI: Step 2

Identify system attributes that fall within an established technology area or within a new technology area that exceed a threshold, i.e., CPI. A threshold is a boundary associated with a capability or level of performance.

• Early in the program, the identified attributes will be capability objectives, performance parameters, system performance requirements, and system functional requirements.
• Later, as the system matures, the identified attributes will be system elements and enabling system elements.
• To identify CPI:
• Decompose the system to the lowest level possible in its life cycle phase, in order to identify CPI with sufficient granularity.
• Investigate other sources to identify CPI (e.g., analyze mission packages and subsystems incorporated from other research, development, test, and evaluation (RDT&E) programs and search the ASDB).
• Use OSD or DoD-Component-specific CPI tools and decision aids as directed by DoD Component policy and guidance.
• Take Note: Each DoD Component may have a more granular process and/or additional tools for identifying CPI.

Identify CPI: Step 3

Review and approve the CPI.

• Obtain program manager approval of the identified CPI.
• Incorporate the CPI into the PPP and the Anti-Tamper Plan.
• Obtain Milestone Decision Authority (MDA) approval of the identified CPI as part of the PPP and Anti-Tamper Plan submittal. The Anti-Tamper Plan is an appendix in the PPP. The format for the Anti-Tamper Plan can be requested from the CAC-enabled DoD Anti-Tamper Executive Agent (ATEA) at AT Related Document Support.
• Update the ASDB.

Take Note: The CPI Identification Process – its steps, tools, resources, and reviews – if followed by all programs, helps achieve consistency across program CPI determinations to achieve horizontal identification. Per DoDI 5200.39, Component heads must ensure horizontal identification and MDAs must oversee horizontal identification.

2. Assess CPI Risk

How do we determine which protection measures are adequate for the identified CPI? We make this determination by assessing the risk associated with each CPI and protecting the CPI commensurate with the risk.

The risk associated with each identified CPI is determined by analyzing and combining three factors:

• Consequence of CPI compromise
• Exposure
• Threat

Output
The output of CPI Risk Assessment is the level of risk associated with each CPI, which is documented in the Anti-Tamper (AT) Plan.

Three Factors of CPI Risk Assessment

1. Consequence
Consequence of CPI compromise refers to the impact, if the CPI is compromised, on U.S. tactical or strategic military advantage in conjunction with the time and resources required for the U.S. to regain that tactical or strategic military advantage.

Detailed information on the consequence of CPI compromise can be found in the AT Guidelines v2.1, which can be requested via the DoD AT website.

2. Exposure
Exposure is the likelihood that an adversary will be able to obtain the end-item through battlefield loss or export. This is a key factor in determining CPI protection requirements. The operational environmental is a primary factor in making this determination.

For detailed information on exposure analysis, refer to the AT Guidelines v2.1. Per the AT Guidelines v2.1, programs should assume export-level exposure by default – the highest level of exposure.

3. Threat
Threat is an assessment of foreign adversary interest and skill in obtaining CPI. The threat assessment to the CPI is provided by the Defense Intelligence Agency (DIA).

Programs should confirm foreign adversary interest and skill in obtaining CPI through requesting and receiving a counterintelligence report such as the Multi-Discipline Counterintelligence Threat Assessment or the Technology Targeting Risk Assessment (TTRA). The TTRA is required at Milestone A (per Adaptive Acquisition Framework Document Identification (AAFDID) tool).

To initiate and coordinate counterintelligence activities supporting your program, follow the instructions in DoDI O-5240.24, Enclosure 4, Counterintelligence (Cl) Activities Supporting Research, Development, and Acquisition (RDA), June 8, 2011. (This is a controlled document.)

The results of this coordination should be documented in a formal and living plan describing activities to be conducted by a Defense Counterintelligence Component in support of your program. This plan is known as the Counterintelligence Support Plan (CISP) and is an appendix to the PPP. The CISP should be reviewed and updated annually.

Organic vs. Inherited CPI

Organic CPI
Organic CPI is unique CPI that is owned and generated by the RDT&E program. Programs need to assess the risk associated with each organic CPI associated with the program.

As previously discussed, this is done by analyzing and combining three factors:

• Consequence of CPI compromise
• Exposure
• Threat

Inherited CPI
Inherited CPI is CPI that is owned and generated by one RDT&E program, subsystem, or project, and then incorporated into and used by another RDT&E program. This includes CPI from an existing weapon system incorporated into a new program, subsystem, or project.

For inherited CPI, the inheriting program office should determine the appropriate system exposure and also reassess the consequence of compromise determined originally by the originating program office.

CPI Risk Assessment/Mitigation Example

For CPI Risk Assessment, the Likelihood scale represents the Exposure assessment for the CPI, with the operational environment as the primary factor in making this determination. Consequence of CPI compromise refers to the impact, if the CPI is compromised, on U.S. tactical or strategic military advantage in conjunction with the time and resources required for the U.S. to regain that tactical or strategic military advantage. The Likelihood scale can also be used to represent the Threat assessment of foreign adversary interest and skill in obtaining CPI.

The Anti-Tamper, Defense Exportability Features, and Foreign Disclosure/Agreement countermeasures counter the Exposure in the operational environment while the other countermeasures counter the Threat based on foreign adversary interest and skill.

Countermeasure
Required	Anti-Tamper
	Communications Security
Exports only	Defense Exportability Features (DEF)
Exports only	Foreign Disclosure / Agreement
	Information Assurance
	Operations Security
	Personnel Security
	Physical Security
	Software Assurance
	Transportation Management

3. Protect CPI

Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected.

CPI protections, at a minimum, will include anti-tamper, exportability features, security (cybersecurity, industrial security, information security, operations security, personnel security, and physical security), or equivalent countermeasures.

SSE Specialties Applicable to CPI Protection

System Security Engineering (SSE) specialties* that are considered to be primarily associated with mitigating risks to CPI are:

• Anti-Tamper (AT)
• Defense Exportability Features (DEF)
• Cybersecurity
• Security Specialties (industrial, information, operations, personnel, and physical)

While AT and DEF are triggered by the identification of CPI and applied based on the CPI risk assessment, cybersecurity and the security specialties are considered, identified, and applied based on the types of information on the weapons system.

Take Note: Supply chain risk management (SCRM), software assurance, and hardware assurance protection measures applied as part of the trusted systems and network (TSN) analysis, though not triggered by the identification of CPI, can contribute to the protection of CPI and are considered when selecting protection measures for CPI.

Protecting CPI - System Context

CPI Protection Measures Incorporated into Trade-off Analyses

Systems engineers recognize that threats and vulnerabilities will continue to be identified during system development and operation and that the system security requirements will need to be reassessed and updated as system requirements and design decisions are made.

As part of CPI analysis, the system security engineer and relevant SSE specialists identify protection measures that address risks discovered through CPI analysis. These protection measures, however, must be integrated with other SSE protection measures selected through information analysis and trusted systems and network (TSN) analysis.

The total set of protection measures must also be balanced with other system attributes as part of the overall solution. The two levels of trade-off analysis are listed below.

• SSE Trade-Off Analysis
• Systems Engineering Trade-Off Analysis

The resulting requirements are placed in the System Requirements Document (SRD), the Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254), early in the program.

CPI Horizontal Protection Concept & Policy

In this context, horizontal refers to consistently and efficiently identifying and protecting CPI across programs.

DoDI 5200.39, CPI Identification and Protection Within RDT&E, requires that:

• CPI will be horizontally identified and protected to ensure equivalent protections are consistently and efficiently applied across programs based on exposure of the system, consequence of CPI compromise, and assessed threats.
• DoD Component heads ensure horizontal identification and protection of CPI, utilizing the Acquisition Security Database (ASDB) when conducting horizontal identification and protection analysis. They input and validate program information, including inherited and organic CPI, into the ASDB.

How to Horizontally Protect CPI

To make sure CPI protection resources are consistently and efficiently applied across all programs, programs must:

• Identify CPI that is inherited into their program
• Identify CPI from other programs that is similar to the organic CPI in their program

For inherited CPI, the program inheriting the CPI must:

• Reconduct and validate the CPI assessment
• Confirm that the inherited protections are applied at a level consistent with the current system exposure and consequence of compromise
• Adjust or add protections as needed

For similar organic CPI, the affected programs must discuss, negotiate, and agree upon the protection level(s). The goal is an agreement on a common risk mitigation level among affected programs, not a common protection requirement.

Take Note: The horizontal protection analysis that is performed should be documented in the Program Protection Plan (PPP) in Section 4, Horizontal Protection.

Acquisition Security Database (ASDB) in Support of Horizontal Protection

The ASDB is a useful resource for horizontal CPI identification and protection under the control of the Office of the Under Secretary of Defense for Research and Engineering -- OUSD(R&E). This DoD database provides online storage, retrieval, and tracking of CPI and supporting program protection documents.

Programs are required to populate the ASDB with program CPI and consult the ASDB to help identify same or similar CPI in other programs. The ASDB facilitates comparative analysis of defense systems' technology and the alignment of CPI protection activities across the DoD.

Take Note: Programs are required to use the ASDB to support horizontal identification and protection analysis and to input and validate program information, including inherited and organic CPI. ASDB resides on the Secret Internet Protocol Router Network (SIPRNet) and access is granted on a strict need-to-know basis.

CPI Protection Measures Approval

Approval of the selected CPI protections occurs as part of the PPP and Anti-Tamper Plan concurrence and approval process. Additionally, appropriate protection measures are incorporated into the System Requirements Document (SRD), Statement of Work (SOW), and the Department of Defense Contract Security Classification Specification (DD Form 254). This means that CPI protections are approved as part of the SRD and SOW approval processes as well.

CPI Risk Management - Monitoring

Monitoring is the fifth step of the Risk Management Process and it applies to CPI Risk Management, too. Programs should assess and reassess their systems throughout the life cycle to identify CPI and ensure it is adequately protected. The CPI identified for the program should be re-assessed throughout the life of the system to determine if it is still CPI, and if any new CPI can be identified, especially during technology insertion and refresh efforts. Also, the countermeasures employed to mitigate previously identified CPI exposures, threats, and consequences should be periodically evaluated for effectiveness. In addition, new exposures, threats, and consequences should be examined. The threats should be reviewed and updated annually in the Counterintelligence Support Plan appendix to the Program Protection Plan. So, CPI should be periodically reviewed and assessed for the life of the system during reviews of the Program Protection Plan and its associated annexes.

---

References

• DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E)
• DoDD 5200.47E, Anti-Tamper (AT)"
• DoDI 5000.83, Technology and Program Protection to Maintain Technological Advantage
• DoDI O-5240.24 Counterintelligence (CI) Activities Support Research, Development, and Acquisition (RDA) [controlled document]
• Program Protection Plan (PPP)
• Systems Engineering (SE) Guidebook, Section 5.24 System Security Engineering, Program Protection
• SE Brainbook - Design Considerations: System Security Engineering