Distribution Statement A: Approved for public release. DOPSR case #20-S-2038 applies. Distribution is unlimited.
Technology and Program Protection to Maintain Technological Advantage
Ms. Melinda Reed
Director, Resilient Systems
Strategic Technology Protection & Exploitation
Office of the Under Secretary of Defense for Research and Engineering
Defense Acquisition University
September 15, 2020
• Ensure Technological Superiority for the U.S. Military
- Set the technical direction for the Department of Defense (DoD)
- Champion and pursue new capabilities, concepts, and prototyping activities throughout DoD research and development enterprise
• Bolster Modernization
- Pilot new acquisition pathways and concepts of operation
- Accelerate capabilities to the Warfighter
Office of the Under Secretary of Defense for Research and Engineering (OUSD(R&E)) Mission
Strategic Technology Protection & Exploitation (STP&E) Organization and Mission
Acting Deputy Director, STP&E: Dr. Robert Irie
D, Resilient Systems: Ms. Melinda Reed
Maintain Leadership in Critical Technology Modernization Areas
D, Maintaining Technology Advantage: Dr. Robert Irie
D, Technology and Manufacturing Industrial Base: Mr. Robert Gold
Advance Domestic Innovation Base to Deliver Modernization Goals
Foster Assured Resilient Missions, Systems and Components
STP&E MISSION: Promote and protect technology advantage and counter unwanted technology transfer to ensure Warfighter dominance through superior, assured, and resilient systems, and a healthy, viable national security innovation base.
STP&E Integrated Lines of Effort: Priorities
Maintain Leadership in Critical Technology Modernization Areas
• Implement new procedures for Technology Area Protection and Science and Technology (S&T) Protection
• Update DoD and Govt-wide procedures to strengthen U.S. research enterprise
• Mitigate exploitation in academia, labs, Federally funded research and development centers (FFRDCs), and University Affiliated Research Centers (UARCs)
• Focus security, counterintelligence, and law enforcement actions to deter adversaries
Foster Assured Resilient Missions, Systems and Components
• Set the technical and policy direction for technology and program protection
• Grow DoD capability/capacity to evaluate and mitigate software component vulnerabilities; partner with D, Microelectronics who is spearheading hardware assurance
• Establish secure cyber resilient weapons, engineering methods and workforce competency
Ensure Competitive, Advanced Innovation Base to Deliver Modernization Goals
• Assess and monitor emerging technology, workforce, engineering, test, & infrastructure base
• Facilitate U.S. Government mechanisms and tools to close gaps, foster enabling domestic technology development and manufacturing capability, and counter strategic competitor actions
• Manage the OSD Manufacturing Technology Program and Manufacturing Innovation Institutes
Department of Defense Instruction 5000.83
• Establishes policy, assigns responsibilities, and provides procedures for DoD S&T managers and engineers to mitigate risks and protect critical U.S. research, military technologies, and programs
• Contributes to a National Defense Strategy (NDS) line of effort (increasing lethality) through promotion and implementation of enhanced technology protection across the DoD enterprise
• The Department of Defense Instruction (DoDI) recommends activities for DoD S&T managers and engineers to mitigate threats to U.S. technology and programs, including:
- Safeguarding classified and unclassified Controlled Technical Information
- Supervising DoD-sponsored research involving joint ventures, academic collaborations, and cooperative research partnerships
- Designing systems for security and cyber resiliency
- Protecting against cyberattacks
- Protecting fielded systems from changing threat environments
- Enhancing protection for critical programs and technologies through Technology Area Protection Plans (TAPPs), S&T protection plans, and Program Protection Plans (PPPs)
• Released 20 July 2020; available on https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500083p.pdf?ver=2020-07-20-150345-930/
Transforming Acquisition Policy*
*https://www.acq.osd.mil/ae/assets/docs/Transforming%20Defense%20Acq%20Policy%20(15Jan2020).pdf
Technology and Program Protection Planning Across the Lifecycle
Program Protection
S&T Protection
Technology Area Protection Plans for DoD Modernization Priorities
Technology Modernization Priorities:
• 5G Network Technology
• Autonomy
• Biotechnology
• Cyber
• Directed Energy
• Fully Networked Command, Control, and Communications
• Hypersonics
• Machine Learning / Artificial Intelligence
• Microelectronics
• Quantum Science
• Space
Alignment to National Defense Strategy
Technology and Program Protection
Activities to Mitigate Adversary Threats
Technology Modernization Priorities
Tailored Program Protection for Acquisition Pathways
• Assigns responsibilities for S&T managers and engineers
• OUSD(R&E) monitors process, delegates responsibility to greatest extent practicable; approves acquisition categories (ACAT) 1D Program Protection Plans
• Links to Pathways, Engineering, Cybersecurity in the Acquisition System, Test and Evaluation, and Sustainment
• Includes responsibilities for DoD-sponsored research, prior to Materiel Development Decision (MDD)
• Reinforces best practices for risk informed technical and engineering mitigations
• Implements technical information, hardware assurance, software assurance, anti tamper, and cyber resilient security engineering methods and level of assurance to achieve protection and cyber objectives
• Refreshed periodically throughout the program lifecycle
• Establishes TAPP for modernization priorities
• Establishes S&T Protection activities
• Enhanced protection for critical programs and technologies
• Enables tailoring to pathway focus areas
• Determine protection planning and implementation risks as part of the design and technical risk assessment process
• Ensure operator is informed of operational risks when system is fielded
Technology, S&T and Program Protection Planning
S&T Protection Plan
Technology Area Protection Plan (TAPP)
Manage risk of adversarial exploitation and compromise, beginning with early S&T and continuing through the Acquisition lifecycle
Program Protection Plan (PPP)
Main Content
• Safeguard information
• Control DoD-sponsored research
• Design for security and cyber resiliency
• Protect the system against cyber attacks from enabling and supporting systems
• Protect fielded systems
• Enhance protection for critical programs and technologies
DoD S&T (Budget Activities 6.1 - 6.4)
DoD RDT&E Programs (Budget Activities 6.4+)
- OUSD(R&E) identifies broad technology elements to protect that are central to accelerating Warfighter capabilities in key technology areas across the Department
- Set boundaries on what should be communicated by stakeholder groups for protection purposes
- Management tool to guide protection activities for S&T Investments at DoD Component-level
- Implement risk-based protection measures to reduce compromise or loss to competitor nations through transition to acquisition
- Acquisition management tool to guide the systems security engineering, to include cyber resilient engineering, activities across the life cycle
- Informed by TAPP and S&T Protection Plans
Technology Area Protection Plans (TAPPs)
PPP
• DoD policy requires a TAPP for each Modernization Priority
• Modernization Derived from National Defense priorities
• Provides stakeholder key areas for protection activities
• Informs S&T Protection Plans and Program Protection Plans
TAPP
S&T Protection Plan
Outline and Guidance under development
Technology Area Protection Plan Stakeholders
• Established by USD(R&E) to provide horizontal protection guidance for technology modernization priorities
- Documents department-wide messaging guidance
- Identifies and informs international engagement opportunities
- Provides focus for counterintelligence, security and law enforcement activities
- Creates opportunities for open research and collaboration by identifying what requires protection
- Provides provenance for protecting technologies in acquisition programs
• Shared with Federal Interagency partners to inform federal guidelines and consistent implementation
DoD S&T Offices
DoD Contracting and Program Offices
International Community
Stakeholders
Security, CI, and Law Enforcement
Customers & Stakeholders
R&E Principal Directors
CFIUS
DTSA
Federal LE and CI Task Forces
Provides consistent protection priorities and messaging across diverse stakeholders
Section 1, Section 2, Section 3, Section 4, Section 5, Section 6
Science & Technology Protection Plan Outline and Guidance
IDENTIFY
- What is important to protect
- Who is responsible
ASSESS
- How important it is
- What inherent vulnerabilities it has
- Who and what are threats to it
- The risk level and risk tolerance
MITIGATE
- Known risks to critical elements
- By documenting countermeasures
- By establishing a plan of action
Initial draft planned to be released Dec 2020
• S&T managers prepare protection plans as a management tool to guide S&T protection activities.
• The S&T protection plan is submitted for approval before project approval and at intervals as defined by the DoD Component.
• S&T managers transition the S&T protection plan to inform the Program Protection Plan (PPP) when a technology transition decision is made. (ref. DoDI 5000.83)
DoDI 5000.83 Activities
1. GENERAL ISSUANCE INFORMATION
2. RESPONSIBILITIES
USD(R&E), USD(A&S), USD(I&S), DoD CIO, USD(P), DoD Component Heads
3. PROCEDURES
3.1. General
3.2. TECHNOLOGY AND PROGRAM PROTECTION
a. Adversary Impact on Technology and Programs
b. Technologists and Lead Systems Engineers Responsibilities
3.3. ACTIVITIES TO MITIGATE ADVERSARY THREATS TO TECHNOLOGY AND PROGRAMS
a. Safeguard Information
b. Control DoD-sponsored Research
c. Design for Security and Cyber Resiliency
d. Protect the System Against Cyber Attacks from Enabling and Supporting Systems
e. Protect Fielded Systems
f. Enhanced Protections for Critical Programs and Technologies
3.4 TECHNOLOGY AND PROGRAM PROTECTION MANAGEMENT
a. TAPP
b. S&T Protection Plan
c. PPP
d. Independent Technical Risk Assessment
e. System Engineering Plan
f. Test and Evaluation Master Plan
g. Life-cycle Sustainment Plan
3.5 TAILORED PROGRAM PROTECTION FOR SELECTED ACQUISITION PATHWAYS
a. Major Capability Acquisition
b. Urgent Operational Needs
c. Operation of the Middle Tier of Acquisition
d. Software Acquisition
S&T manager and engineering activities are informed by:
• Intelligence, counterintelligence and security activities
Technology and Program Protection & Cybersecurity Policies and Initiatives
Key Protection Activities:
• Export Control
• Anti-Tamper
• Defense Exportability Features
• DoD Horizontal Protection Guide
• Acquisition Security Database
Key Protection Activities:
• Software Assurance
• Hardware Assurance
• Supply Chain Risk Management
• Anti-counterfeits
• Joint Federated Assurance Center
Key Protection Activities:
• Classification
• Information Security
• Cybersecurity Protections and Technology Solutions
• Joint Acquisition Protection & Exploitation Cell (JAPEC)
• Damage Assessment Management
Information
Mission Components
Goal: Prevent compromise or loss of critical technology transfer
Goal: Protect mission-critical components (hardware, software) from malicious exploitation
Goal: Safeguard system and technical data from adversary collection and disruption
Technology
• DoDI 5200.44 Trusted Systems & Networks
• PL 113-66 Sec 937 (FY14 NDAA) JFAC
• DFARS 239.73 Requirements for information relating to supply chain risk
• NDAA FY11 Sec 806; Requirements for Information Relating to Supply Chain Risk
• NDAA FY18 Sec 1659. Supply Chain Risk Management of Critical Missions
• NDAA FY20 Sec 224, Trusted Supply Chain Standards
• NDAA FY17 Sec 231 DoDI Microelectronics
• DoDI 5230.24 Distribution Statements on Technical Information
• DoDI 5200.48 Controlled Unclassified Information
• DFARS 252.204-7012 Safeguarding covered defense information and cyber incident reporting (includes requirement to implement NIST SP 800-171)
• DCMA NIST SP 800-171 Strategic Assessments
• 32 CFR 2002: Controlled Unclassified Information
• DoDI 5200.39 Critical Program Information
• DoDD 5200.47E Anti-Tamper
• DFARS 225.7901 Export-controlled items
Goal: Ensure Warfighter dominance through superior, assured, and resilient systems
Program Protection Planning, Includes Cyber Activities
Contractor Program Protection Implementation Plan
System Performance Specification
Solicitation/Contract
PM Program Protection Plan
• Consistent implementation will provide balanced and seamless protections
My Goal
Increase consistency and repeatability of system assurance, system security, and cybersecurity methods and technologies
Improve expectations across Government, industry, academia and operational stakeholders
Section I FAR/DFAR Contract Clauses
Section C Statement of Work
Government Furnished Information
Program Protection Planning Update
Collaboration with stakeholders is forthcoming
Modernize the PPP Outline and Guidance
- Policy Updates
- Acquisition Regulations
- Standards
- Lessons Learned
Concerted effort to enable consistent tailored implementation
• Scheduling virtual roadshows to provide training on implementation of DoDI 5000.83
• Updates to Defense Acquisition University (DAU) S&T managers and engineering education and training for technology and program protection will be informed by R&E-led Engineering Workforce Task Force
The Fundamentals of the FAR and DFARS
• The Federal Acquisition Regulation (FAR) provides uniform Government procurement policies and procedures to all Executive agencies
• The Defense FAR Supplement (DFARS) provides DoD-specific procurement policies and procedures
• FAR and DFARS rules consist of:
‒ Prescription: Conditions, requirements, and instructions for using the provision or clause (i.e., when/where it must be included in contracts)
‒ Procurement Policy: Directions to the Government (i.e., contracting officers)
‒ Solicitation Provisions: Notices and direction to offerors
‒ Contract Clauses: Terms and conditions of doing business with the Government
• Any regulation that has a significant effect beyond the internal operating procedures of the Federal Government or has a significant cost or administrative impact on contractors or offerors must be published for public comment
‒ The ‘rulemaking process’ is the mechanism used to obtain public comment and codify a procurement policy or procedure in the FAR or DFARS
Cybersecurity in the FAR and DFARS
For Federal System - Requirements in NIST SP 800-53 apply; For DoD System - Requirements in CNSSI 1253, based on NIST SP 800-53 apply
Nonfederal/Contractor Internal System Federal/DoD Information System
DoD Cloud Computing SRG applies when cloud services are provided by DoD
Requirements from NIST SP 800-171 apply
External CSP: Equivalent to FedRAMP Moderate
Internal Cloud: NIST SP 800-171
System Operated on Behalf of the DoD
DoD Owned and/or Operated Information System
(e.g., what we buy; systems embedded in weapon systems developed for DoD)
FAR Clause 52.204-21 applies when contractor processes/stores/transmits Federal contract information
DFARS Clause 252.204-7012 applies when contractor processes/stores/transmits CUI
DFARS Clause 252.239-7010 (DoD Cloud Computing SRG) applies when cloud services are used to process data on the DoD's behalf
DFARS Case 2019-D041, Strategic Assessment and Cybersecurity Certification Requirements (Open Case for Proposed Rule)
Cloud Service Provider
FAR Case 2017-016, Controlled Unclassified Information (Open Case for Proposed Rule)
Cloud Service Provider
FAR Case 2017-013, Breaches of Personally Identifiable Information (Open Case for Proposed Rule)
Protecting the DoD’s Unclassified Information
System Operated on Behalf of Federal Agency/DoD
Nonfederal/Contractor’s Internal Information System
Federal/DoD Information System
Federal/DoD Owned and/or Operated Information System
(e.g., what we buy; systems embedded in weapon systems developed for DoD)
Cloud services provided by Federal Agency/DoD
Cloud Service Provider – Service operated on behalf of the Government
Cloud Service Provider – Service operated on behalf of the Nonfederal/Contractor Organization in performance of contract with the Government
Cloud services provided by the Nonfederal/Contractor Organization in performance of contract with the Government
External CSP
Internal Cloud
Where is the information processed/stored?
External CSP
Internal Cloud
How Are Cybersecurity and Supply Chain Requirements Communicated?
Systems/Equipment Operated on Behalf of Federal Agency/DoD
Nonfederal/Contractor Systems/Equipment Federal/DoD Systems/Equipment
Where to find requirements in the contract ‒
• Section C – Description/Specifications/Statement of Work (SOW)
• Section H – Special Contract Requirements
• Section I – Contract Clauses
• Section K – Representations and Certifications
Section L and M are NOT intended to convey system/equipment requirements
• Section L is intended to guide offerors or respondents in preparing proposals or responding to RFIs
• Section M identifies evaluation factors
Requirements for Nonfederal/Contractor Systems/Equipment AND for Systems/Equipment Operated on Behalf of Federal Agency/DoD will be contractually implemented and derived from Federal/DoD policy and issuances
Requirements for Federal/DoD Owned and/or Operated Systems/ Equipment will be conveyed via Federal/DoD policy and issuances
Federal/DoD Owned and/or Operated System/Equipment
Standardize: Secure Cyber Resilience Engineering (SCRE) Standardization Area
• SCRE Definition
‒ This Area covers the integration of life cycle security and protection considerations in the requirements, design, test, demonstration, operations, maintenance, sustainment, and disposal of military systems that operate in physical and cyberspace operational domains.
‒ This Area specifically encompasses the standards, specifications, methods, practices, techniques, and data requirements for the security aspects of systems engineering activities executed and artifacts produced, with explicit consideration of malicious and non-malicious adversity.
Defense Standardization Program Established Secure Cyber Resilient Engineering Standardization Area in March 2019
Joint Federated Assurance Center (JFAC) Capabilities
https://jfac.navy.mil
Protecting force lethality and increasing resilience through software and hardware assurance
• Federated laboratory capability of expertise and tools for vulnerability detection and analysis
• Support program offices with software and hardware assurance expertise and capabilities
• Stakeholders - Army, Navy, Air Force, National Security Agency (NSA), Defense Microelectronics Activity (DMEA), OUSD(R&E), DoD CIO, Defense Information Systems Agency (DISA), National Reconnaissance Office (NRO), Missile Defense Agency (MDA), OUSD(A&S)
PROTECT
PARTNER
PROMOTE
• Assured Design Methods
• Binary Software Analysis
• Physical/Functional Verification
• IC Component Markers
• Source Code Analysis
• Supply Chain Assessments
• Technology/Prototype Development and Transitions
Summary
• DoDI 5000.83 establishes roles and responsibilities for the S&T manager and the engineering workforce
• Updates to guidance, standards, education and training are pending to make implementation more consistent
• Collaboration and partnerships are critical for success
Customer-Focused: Outcome-Based
Questions?
Wrap-Up