Technology and Program Protection to Maintain ... 5000-83 9.14.20.pdfSpace Technology Modernization...

Distribution Statement A: Approved for public release. DOPSR case #20-S-2038 applies. Distribution is unlimited.

Technology and Program Protection to Maintain Technological Advantage

Ms. Melinda ReedDirector, Resilient SystemsStrategic Technology Protection & Exploitation Office of the Under Secretary of Defensefor Research and Engineering

Defense Acquisition UniversitySeptember 15, 2020

1Distribution Statement A: Approved for public release. DOPSR case #20-S-2038 applies. Distribution is unlimited.

• Ensure Technological Superiority for the U.S. Military

- Set the technical direction for the Department of Defense (DoD)

- Champion and pursue new capabilities, concepts, and prototyping activities throughout DoD research and development enterprise

• Bolster Modernization - Pilot new acquisition pathways and

concepts of operation- Accelerate capabilities to the Warfighter

Office of the Under Secretary of Defense for Research and Engineering (OUSD(R&E)) Mission


Strategic Technology Protection & Exploitation (STP&E) Organization and Mission

Acting Deputy DirectorSTP&EDr. Robert Irie

D, Resilient SystemsMs. Melinda Reed

Maintain Leadership in Critical Technology Modernization Areas

D, Maintaining TechnologyAdvantageDr. Robert Irie

D, Technology and Manufacturing Industrial BaseMr. Robert Gold

Advance Domestic Innovation Base to Deliver Modernization Goals

Foster Assured Resilient Missions, Systems and Components

STP&E MISSION: Promote and protect technology advantage and counter unwanted

technology transfer to ensure Warfighter dominance through superior, assured, and resilient systems, and

a healthy, viable national security innovation base.


STP&E Integrated Lines of Effort: Priorities

Maintain Leadership in Critical Technology Modernization Areas

• Implement new procedures for Technology Area Protection and Science and Technology (S&T) Protection

• Update DoD and Govt-wide procedures to strengthen U.S. research enterprise

• Mitigate exploitation in academia, labs, Federally funded research and development centers (FFRDCs), and University Affiliated Research Centers (UARCs) Focus security, counterintelligence, and law enforcement actions to deter adversaries

Foster Assured Resilient Missions, Systems and Components

• Set the technical and policy direction for technology and program protection

• Grow DoD capability/capacity to evaluate and mitigate software component vulnerabilities; partner with D, Microelectronics who is spearheading hardware assurance

• Establish secure cyber resilient weapons, engineering methods and workforce competency

Ensure Competitive, Advanced Innovation Base to Deliver Modernization Goals• Assess and monitor emerging technology, workforce, engineering, test, & infrastructure base • Facilitate U.S. Government mechanisms and tools to close gaps, foster enabling domestic technology development

and manufacturing capability, and counter strategic competitor actions• Manage the OSD Manufacturing Technology Program and Manufacturing Innovation Institutes


Department of Defense Instruction 5000.83

• Establishes policy, assigns responsibilities, and provides procedures for DoD S&T managers and engineers to mitigate risks and protect critical U.S. research, military technologies, and programs

• Contributes to a National Defense Strategy (NDS) line of effort (increasing lethality) through promotion and implementation of enhanced technology protection across the DoD enterprise

• The Department of Defense Instruction (DoDI) recommends activities for DoD S&T managers and engineers to mitigate threats to U.S. technology and programs, including:

• Released 20 July 2020; available on https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500083p.pdf?ver=2020-07-20-150345-930/

Safeguarding classified and unclassified Controlled Technical Information

Supervising DoD-sponsored research involving joint ventures, academic collaborations, and cooperative research partnerships

Designing systems for security and cyber resiliency

Protecting against cyberattacks Protecting fielded systems from changing

threat environments Enhancing protection for critical programs

and technologies through Technology Area Protection Plans (TAPPs), S&T protection plans, and Program Protection Plans (PPPs)


Transforming Acquisition Policy*

*https://www.acq.osd.mil/ae/assets/docs/Transforming%20Defense%20Acq%20Policy%20(15Jan2020).pdf


Technology and Program Protection Planning Across the Lifecycle

Program Protection S&T Protection

Technology Area Protection Plans for DoD Modernization Priorities

5G Network Technology

Autonomy Biotechnology Cyber Directed Energy Fully Networked

Command, Control, and Communications

Hypersonics Machine Learning /

Artificial Intelligence Microelectronics Quantum Science Space

Technology Modernization Priorities


Alignment to National Defense Strategy

Technology and Program Protection

Activities to Mitigate Adversary Threats

Technology Modernization Priorities

Tailored Program Protection for Acquisition Pathways

• Assigns responsibilities for S&T managers and engineers • OUSD(R&E) monitors process, delegates responsibility to greatest extent

practicable; approves acquisition categories (ACAT) 1D Program Protection Plans

• Links to Pathways, Engineering, Cybersecurity in the Acquisition System, Test and Evaluation, and Sustainment

• Includes responsibilities for DoD-sponsored research, prior to Materiel Development Decision (MDD)

• Reinforces best practices for risk informed technical and engineering mitigations

• Implements technical information, hardware assurance, software assurance, anti tamper, and cyber resilient security engineering methods and level of assurance to achieve protection and cyber objectives

• Refreshed periodically throughout the program lifecycle

• Establishes TAPP for modernization priorities• Establishes S&T Protection activities• Enhanced protection for critical programs and technologies

• Enables tailoring to pathway focus areas• Determine protection planning and implementation risks as part of the

design and technical risk assessment process• Ensure operator is informed of operational risks when system is fielded


Technology, S&T and ProgramProtection Planning

S&TProtection

Plan

Technology Area

Protection Plan (TAPP)

Manage risk of adversarial exploitation and compromise beginning with early S&T and continues through the Acquisition lifecycle

Program Protection

Plan(PPP)

Main Content• Safeguard information• Control DoD-sponsored research• Design for security and cyber

resiliency• Protect the system against cyber

attacks from enabling and supporting systems

• Protect fielded systems• Enhance protection for critical

programs and technologies

DoD S&T (Budget Activities 6.1 - 6.4)

DoD RDT&E Programs (Budget Activities 6.4+)

- OUSD(R&E) identifies broad technology elements to protect that are central to accelerating Warfighter capabilities in key technology areas across the Department

- Set boundaries on what should be communicated by stakeholder groups for protection purposes

- Management tool to guide protection activities for S&T Investments at DoD Component-level

- Implement risk-based protection measures to reduce compromise or loss to competitor nations through transition to acquisition

- Acquisition management tool to guide the systems security engineering, to include cyber resilient engineering, activities across the life cycle

- Informed by TAPP and S&T Protection Plans


Technology Area Protection Plans (TAPPs)

PPP

• DoD policy requires a TAPP for each Modernization Priority• Modernization Derived from National Defense priorities• Provides stakeholder key areas for protection activities• Informs S&T Protection Plans and Program Protection Plans

TAPP

S&T Protection

PlanOutline and Guidance

under development


Technology Area ProtectionPlan Stakeholders

• Established by USD(R&E) to provide horizontal protection guidance for technology modernization priorities

- Documents department-wide messaging guidance- Identifies and informs international engagement opportunities- Provides focus for counterintelligence, security and law

enforcement activities- Creates opportunities for open research and collaboration by

identifying what requires protection- Provides provenance for protecting technologies in acquisition

programs

• Shared with Federal Interagency partners to inform federal guidelines and consistent implementation

DoD S&T Offices

DoD Contracting

and Program Offices

International Community

Stakeholders

Security, CI, and Law

Enforcement

Customers & Stakeholders

R&EPrincipalDirectors

CFIUS

DTSA

Federal LE and CI Task

ForcesProvides consistent protection priorities and messaging across diverse stakeholders


Section 1

Section 2

Section 3

Section 4

Section 5

Section 6

Science & Technology ProtectionPlan Outline and Guidance

IDENTIFY

What is important to protectWho is responsible

ASSESS

How important it isWhat inherent vulnerabilities it has

Who and what are threats to itThe risk level and risk tolerance

MITIGATE

Known risks to critical elementsBy documenting countermeasures

By establishing a plan of action

Initial draft planned to be released Dec 2020

• S&T managers prepare protection plans as a management tool to guide S&T protection activities.

• The S&T protection plan is submitted for approval before project approval and at intervals as defined by the DoD Component.

• S&T managers transition the S&T protection plan to inform the Program Protection Plan (PPP) when a technology transition decision is made. (ref. DoDI 5000.83)


1. GENERAL ISSUANCE INFORMATION

2. RESPONSIBILITIESUSD(R&E), USD(A&S), USD(I&S), DoD CIO, USD(P), DoD Component Heads

3. PROCEDURES3.1. General

3.2. TECHNOLOGY AND PROGRAM PROTECTIONa. Adversary Impact on Technology and

Programsb. Technologists and Lead Systems Engineers

Responsibilities

3.3. ACTIVITIES TO MITIGATE ADVERSARY THREATS TO TECHNOLOGY AND PROGRAMSa. Safeguard Informationb. Control DoD-sponsored Researchc. Design for Security and Cyber Resiliencyd. Protect the System Against Cyber Attacks

from Enabling and Supporting Systemse. Protect Fielded Systemsf. Enhanced Protections for Critical

Programs and Technologies

DoDI 5000.83 Activities

3.4 TECHNOLOGY AND PROGRAM PROTECTION MANAGEMENTa. TAPPb. S&T Protection Planc. PPPd. Independent Technical Risk Assessment e. System Engineering Plan f. Test and Evaluation Master Plan g. Life-cycle Sustainment Plan

3.5 TAILORED PROGRAM PROTECTION FOR SELECTED ACQUISITION PATHWAYSa. Major Capability Acquisitionb. Urgent Operational Needsc. Operation of the Middle Tier of Acquisitiond. Software Acquisition

S&T manager and engineering activities are informed by:

• Intelligence, counterintelligence and security activities


Technology and Program Protection & Cybersecurity Policies and Initiatives

Key Protection Activities: • Export Control• Anti-Tamper• Defense Exportability Features• DoD Horizontal Protection Guide• Acquisition Security Database

Key Protection Activities:• Software Assurance• Hardware Assurance• Supply Chain Risk Management• Anti-counterfeits• Joint Federated Assurance

Center

Key Protection Activities:• Classification• Information Security• Cybersecurity Protections and

Technology Solutions• Joint Acquisition Protection &

Exploitation Cell (JAPEC)• Damage Assessment

Management

InformationMission Components

Goal: Prevent compromise or loss of critical technology transfer

Goal: Protect mission-critical components (hardware, software) from malicious exploitation

Goal: Safeguard system and technical data from adversary collection and disruption

Technology

• DoDI 5200.44 Trusted Systems & Networks• PL 113-66 Sec 937 (FY14 NDAA) JFAC• DFARS 239.73 Requirements for information

relating to supply chain risk• NDAA FY11 Sec 806; Requirements for Information

Relating to Supply Chain Risk• NDAA FY18 Sec 1659. Supply Chain Risk

Management of Critical Missions• NDAA FY20 Sec 224, Trusted Supply Chain

Standards• NDAA FY17 Sec 231 DoDI Microelectronics

• DoDI 5230.24 Distribution Statements on Technical Information

• DoDI 5200.48 Controlled Unclassified Information• DFARS 252.204-7012 Safeguarding covered

defense information and cyber incident reporting (includes requirement to implement NIST SP800-171)

• DCMA NIST SP 800-171 Strategic Assessments• 32 CFR 2002: Controlled Unclassified Information

• DoDI 5200.39 Critical Program Information• DoDD 5200.47E Anti-Tamper• DFARS 225.7901 Export-controlled items

Goal: Ensure Warfighter dominance through superior, assured, and resilient systems


Program Protection Planning,Includes Cyber Activities

Contractor Program Protection

Implementation Plan

SystemPerformance Specification

Solicitation/Contract

PM Program Protection Plan

• Consistent implementation will provide balanced and seamless protections

My Goal

Increase consistency and repeatability of system assurance, system security, and cybersecurity methods and technologies

Improve expectations across Government, industry, academia and operational stakeholders

Section I FAR/DFAR Contract Clauses

Section C Statement of Work

Government Furnished

Information

Government Furnished

Information


Program Protection Planning Update

Collaboration with stakeholders is forthcoming

Modernize the PPP Outline and Guidance

- Policy Updates- Acquisition Regulations- Standards- Lessons Learned Concerted effort to enable

consistent tailored implementation

• Scheduling virtual roadshows to provide training on implementation of DoDI 5000.83

• Updates to Defense Acquisition University (DAU) S&T managers and engineering education and training for technology and program protection will be informed by R&E-led Engineering Workforce Task Force


The Fundamentals of the FAR and DFARS

• The Federal Acquisition Regulation (FAR), provides uniform Government procurement policies and procedures to all Executive agencies

• The Defense FAR Supplement (DFARS), provides DoD-specific procurement policies and procedures

• FAR and DFARS rules consist of:‒ Prescription: Conditions, requirements, and instructions for using the provision or

clause (i.e., when/where it must be included in contracts)‒ Procurement Policy: Directions to the Government (i.e., contracting officers)‒ Solicitation Provisions: Notices and direction to offerors‒ Contract Clauses: Terms and conditions of doing business with the Government

• Any regulation that has a significant effect beyond the internal operating procedures of the Federal Government or has a significant cost or administrative impact on contractors or offerors must be published for public comment ‒ The ‘rulemaking process’ is the mechanism used to obtain public comment and

codify a procurement policy or procedure in the FAR or DFARS


Cybersecurity in the FAR and DFARS

For Federal System - Requirements in NIST SP 800-53 apply; For DoD System - Requirements in CNSSI 1253, based on NIST SP 800-53 apply

Nonfederal/Contractor Internal System Federal/DoD Information System

DoD Cloud Computing SRG applies when cloud services are provided by DoD

Requirements from NIST SP 800-171 apply

External CSPEquivalent to FedRAMP

Moderate

CSP

Internal CloudNIST SP 800-171

CSP

System Operated on Behalf of the DoD

DoD Owned and/or Operated Information System

(e.g., what we buy; systems embedded in weapon systems developed for DoD)

FAR Clause 52.204-21 applies when contractor processes/stores/transmits Federal contract information

DFARS Clause 252.204-7012 applies when contractor processes/stores/transmits CUI

DFARS Clause 252.239-7010 (DoD Cloud Computing SRG) apply when cloud services are used to process data on the DoD's behalf

DFARS Case 2019-D041, Strategic Assessment and Cybersecurity Certification Requirements (Open Case for Proposed Rule)

Cloud Service Provider

FAR Case 2017-016, Controlled Unclassified Information (Open Case for Proposed Rule)

Cloud Service Provider

FAR Case 2017-013, Breaches of Personally Identifiable Information (Open Case for Proposed Rule)


Protecting the DoD’s Unclassified Information

System Operated on Behalf of Federal Agency/DoD

Nonfederal/Contractor’s Internal Information System

Federal/DoD Information System

Federal/DoD Owned and/or Operated Information System

(e.g., what we buy; systems embedded in weapon systems developed for DoD)

Cloud services provided by Federal

Agency/DoD

Cloud Service Provider –Service operated on

behalf of the GovernmentCloud Service Provider –Service operated on

behalf of the Nonfederal/ Contractor Organization

in performance of contract with the Government

Cloud services provided by the Nonfederal/Contractor

Organization in performance of contract

with the GovernmentExternal

CSP

External CSP

Internal Cloud

Internal Cloud

Where is the information processed/stored?


ExternalCSP

External CSP

Internal Cloud

Internal Cloud

How Are Cybersecurity and Supply Chain Requirements Communicated?

Systems/Equipment Operated on Behalf of Federal Agency/DoD

Nonfederal/Contractor Systems/Equipment Federal/DoD Systems/Equipment

Where to find requirements in the contract ‒• Section C – Description/Specifications/ Statement

of Work (SOW)• Section H – Special Contract Requirements• Section I – Contract Clauses• Section K – Representations and Certifications

Section L and M are NOT intended to convey system/equipment

requirements• Section L is intended to guide offerors or

respondents in preparing proposals or responding to RFIs

• Section M identifies evaluation factors

Requirements for Nonfederal/Contractor Systems/Equipment AND for Systems/Equipment Operated on Behalf of Federal Agency/DoD will be

contractually implemented and derived from Federal/DoD policy and issuances

Requirements for Federal/DoD Owned and/or Operated Systems/ Equipment will be conveyed via Federal/DoD policy and issuances

Federal/DoD Owned and/or Operated System/Equipment


Standardize: Secure Cyber Resilience Engineering (SCRE) Standardization Area

• SCRE Definition‒ This Area covers the integration of life cycle

security and protection considerations in the requirements, design, test, demonstration, operations, maintenance, sustainment, and disposal of military systems that operate in physical and cyberspace operational domains.

‒ This Area specifically encompasses the standards, specifications, methods, practices, techniques, and data requirements for the security aspects of systems engineering activities executed and artifacts produced, with explicit consideration of malicious and non-malicious adversity.

Defense Standardization Program Established Secure Cyber Resilient Engineering Standardization Area in March 2019


Joint Federated AssuranceCenter (JFAC) Capabilities

https://jfac.navy.mil

Protecting force lethality and increasing resiliencethrough software and hardware assurance

• Federated laboratory capability of expertise and tools for vulnerability detection and analysis• Support program offices with software and hardware assurance expertise and capabilities• Stakeholders - Army, Navy, Air Force, National Security Agency (NSA), Defense Microelectronics Activity (DMEA), OUSD(R&E), DoD CIO,

Defense Information Systems Agency (DISA), National Reconnaissance Office (NRO), Missile Defense Agency (MDA), OUSD(A&S)

PROTECT

PARTNER

PROMOTE • Assured Design Methods• Binary Software Analysis• Physical/Functional

Verification• IC Component Markers• Source Code Analysis• Supply Chain Assessments• Technology/Prototype

Development and Transitions


Summary

• DoDI 5000.83 establishes roles and responsibilities for the S&T manager and the engineering workforce

• Updates to guidance, standards, education and training are pending to make more consistent implementation

• Collaboration and partnerships are critical for success

Customer-Focused: Outcome-Based


Questions?

Wrap-Up

Technology and Program Protection to Maintain ... 5000-83 9.14.20.pdfSpace Technology Modernization...

Documents

Transcript of Technology and Program Protection to Maintain ... 5000-83 9.14.20.pdfSpace Technology Modernization...