Acquisition and Technology Overview: System Assurance and Cyber Security

Acquisition and Technology Overview: System Assurance and Cyber Security. Kristen Baldwin Deputy Director, Strategic Initiatives Office of the Deputy Under Secretary of Defense (Acquisition and Technology) March 2009. Agenda. Increased priority for program protection Threats


Acquisition and Technology Overview: System Assurance and Cyber Security

Kristen Baldwin

Deputy Director, Strategic Initiatives

Office of the Deputy Under Secretary of Defense

(Acquisition and Technology)

March 2009

Agenda

  • Increased priority for program protection

    • Threats

    • Vision of Success

  • A plan for improving DoD Program Protection

    • Policy

    • Designing for Security

    • Program Protection Plans

    • Tools

    • Outcomes

  • Defense Industrial Base Cyber Security

    • Call to attention

    • Acquisition and contracting actions

Increased Priority for Program Protection

  • Threats: Nation-state, terrorist, criminal, rogue developer who:

    • Gain control of IT/NSS/Weapons through supply chain opportunities

    • Exploit vulnerabilities remotely

  • Vulnerabilities: All IT/NSS/Weapons (incl. systems, networks, applications)

    • Intentionally implanted logic (e.g., back doors, logic bombs, spyware)

    • Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)

  • Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality

System Assurance is the confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted during the lifecycle


Vision of Success

The requirement for assurance is allocated among the right systems and their critical components

DoD understands its supply chain risks

DoD systems are designed and sustained at a known level of assurance

Commercial sector shares ownership and builds assured products

Technology investment transforms the ability to detect and mitigate system vulnerabilities










Assured Systems


Improving DoD Program Protection

Increase Efficiency of Program Personnel

Coordinating Security Disciplines

Reduce Program Documentation

Improved Protection of DoD Weapon Systems

Cost of Implementing Protection

Early ID, Designed-In Protection

Program Level of Effort

Program Protection Tools


Program Protection Policy

  • DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD”

    • Provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI

    • CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness;

      • Includes information about applications, capabilities, processes, and end-items.

      • Includes elements or components critical to a military system or network mission effectiveness.

      • Includes technology that would reduce the US technological advantage if it came under foreign control

    • To minimize the chance that the Department’s warfighting capability will be impaired due to the compromise of elements or components being integrated into DoD systems by foreign intelligence, foreign terrorist, or other hostile elements through the supply chain or system design.

  • DoD 5000.02

    • CPI shall be identified at MS A in the Technology Development Strategy

    • Program Protection Plan shall be developed and approved by MS B; updated and approved at MS C

DoD 5000.02: Early, Designed-In Program Protection

Production & Deployment

  • Acquisition Strategy, TDS, RFP, SEP, and TEMP revised to include PPP relevant information

  • Milestone Decision Authority approves Program Protection Plan (PPP)

  • Streamlined Program Protection Plan

  • One-stop shopping for documentation of acquisition program security (ISP, IAS, AT appendices)

  • Living document, easy to update, maintain

  • Improve over time based on feedback

  • Identify draft CPI, estimated protection duration and S&T Lab countermeasures

Full Rate Prod DR

Engineering & Manufacturing Development & Demonstration

  • Assess supplier risks

  • Develop design strategy for CPI protection

  • Enhance countermeasure information PPP

  • Evaluate that CPI Protection RFP requirements have been met

  • Update PPP with lifecycle sustainment planning

  • Update PPP, with contractor additions

  • Preliminary verification and validation that design meets assurance plans


Systems Security Engineering: Integration of Security Resources


Engineering for System Assurance

  • “Engineering for System Assurance” V1.0 Guidebook signed out at NDIA October 1, 2008

  • Posted on SSE Web site at:


  • Provides guidance on how to address System Assurance through Systems Engineering processes

    • Aligns to DoD acquisition lifecycle processes with actionable criteria

    • Adds emphasis to ISO/IEC 15288 SE processes

  • Enhanced IA focus and alignment with current processes

    • Focus on hardware, software and operational environment

    • Dovetails with Program Protection Planning (PPP) processes

    • Supports identification of trusted foundry resources

    • Informs Anti-tamper considerations

New PPP: Data Driven Format

Pithy, Dynamic, Modular

Verbose, Static, Essay

Example Format


PPP Process Desired Outcome

Program Benefit

  • Coherent direction and integrated policy framework to respond to security requirements

  • Risk-based approach to implementing security

  • Provision of expert engineering and intelligence support to our programs

  • Streamline process to remove redundancy; focus on protection countermeasures

DoD Benefit

  • Reduced risk exposure to gaps/seams in policy and protection activity

  • Improved oversight and focus on system assurance throughout the lifecycle

  • Ability to capitalize on common methods, instruction and technology transition opportunities

  • Cost effective approach to “building security in” where most appropriate

Defense Industrial Base Cyber Security

  • DEPSECDEF Call to action: “Stop the Bleeding”

    • July 10, 2007: DSD, DNI, VCJCS meeting with CEOs of 16 DIB partners

    • DIB Cyber Security Task Force formed:

      • Developing strategies for information sharing;

      • Incident reporting;

      • Benchmarking information security practices;

      • Acquisition and contracting procedures

      • Damage assessment

  • SSE/Strategic Initiatives leads the Acquisition and Contracting efforts for DIB CS Task Force

DIB CS – Activities for Acquisition and Contracting

  • AT&L Policy Memo –

    • Directs Acquisition Executives to engage their Program Executive Offices and Program Managers to take immediate steps to:

      • Ensure that CUI is identified and appropriately protected in DoD acquisition programs.

      • Report incidences and exfiltrations

  • Evaluating information security standards

  • Developing DFAR Language

  • Piloting with Services to learn and refine policy and guidance

  • Working with industry partners to “raise the bar”

    • NDIA System Assurance Committee

    • AIA, ITAA, other interactions

  • Developing Education and Training materials

    • Program Managers

    • Contracting Officers

    • Small Business Mentors