[Back] |
[Index] |
[Next] |
CHAPTER 8
PROGRAM SECURITY DOCUMENTS
A. INTRODUCTION
1. DoD acquisition policies and procedures dictate the need for the documents discussed in this chapter. They are reviewed at the various milestone decision reviews that occur at critical program junctures in the acquisition process. See DoD Directive 5000.1 and DoD Instruction 5000.2 (references ppp and ii) for additional information on the structure of the acquisition process. The Technology Assessment/Control Plan (TA/CP) and the Delegation of Disclosure Authority Letter (DDL) are also required in support of other programs (e.g., sales and coproduction) involving the release of classified information to foreign governments.
2. DoD Directive 5000.1 establishes a hierarchy of potential alternatives to be considered prior to committing to a new start acquisition program. The first is the use or modification of an existing U.S. military system. The second priority is the use or modification of an existing commercial or allied system that would permit the bypassing of the development stage. Third on the list is a cooperative development program with one or more allied nations. A new Service-unique development program is the last alternative, following behind a joint-Service development program.
3. The DoD policy on cooperative development is based on law and necessity. In 1989, the Congress amended Title 10 (Armed Forces) of the U.S. Code by requiring that the Department of Defense conduct an analysis of cooperative opportunities at early decision points in the defense acquisition process for major defense acquisition programs (Pub. L. No. 101-189) (reference hh). The Department of Defense has implemented this by requiring a program proponent to consider potential foreign participation at Milestone I and subsequent milestones for all major defense programs and to include similar analyses as part of the acquisition strategy for all other programs. The reduction in defense spending creates the necessity of considering cooperation in the development of defense systems. Between the high water mark in 1985, and the drastic budget reductions of 1993, the DoD budget has been dropping in real terms each year while the cost of weapons systems and other things the Department of Defense buys have been rising.
4. Past practice and the economic picture suggest that some involvement by allied nations may occur in all but the most sensitive acquisition programs, be it in the form of cooperative R&D, use of foreign contractors and subcontractors, FMS, or direct commercial sales. Realistically, there are very few defense articles that the United States will not sell or share with an ally sometime during the life-cycle of the article. Therefore, consideration and planning for some form of foreign participation must start at the earliest point in the acquisition process. A key aspect of this planning involves decisions on access to technical data and protection of system capabilities and vulnerabilities, which are based on the underlying technology.
5. The four documents that are the subject of this chapter all deal with access to program information and its protection. However, the TA/CP contains requirements that support and form the basis for the decisions that must be made from all three documents. Therefore, it should be prepared first. The preparation of all four documents must be the result of a team effort involving program management, technical, intelligence, security, and foreign disclosure staffs.
B. TECHNOLOGY ASSESSMENT/CONTROL PLAN
1. The Deputy Secretary of Defense, in June 1990, directed that the TA/CP requirement be implemented to accelerate the planning process for decisions on the foreign release of sensitive information involved in cooperative programs and sales of military equipment. He directed that the foreign disclosure and security planning should start at the beginning of the weapon system acquisition process. As a result, DoD Directives were changed to incorporate the TA/CP requirement. DoD Instruction 5000.2 requires a TA/CP to support the Program Protection Plan (PPP) for all acquisition programs. DoD Directive 5530.3 (reference ee) requires a TA/CP as part of the package requesting authority to negotiate (RAN) an international agreement. As a practical matter, all programs will eventually have some foreign involvement. Program managers will likely be involved in NATO and other bilateral data exchanges. Foreign sales or coproduction of the resulting systems, more often than not, will occur. The TA/CP prepared for new-start acquisition programs will support subsequent decisions on these issues. Program managers, together with the team that developed it, must therefore review and update the TA/CP before each acquisition milestone, at each phase of cooperative programs, and when there are significant system improvements. A TA/CP also should be prepared for programs that are already in development to support sales decisions. When a TA/CP is prepared to support sales or coproduction, the U.S. prime contractor may provide assistance in technical aspects of the TA/CP. The TA/CP consists of the following four parts.
a. Program Concept. This section requires a concise description of the program concept. It must describe in as few words as possible the purpose of the program and the threat or military or technical requirement that created the need for the program. When applied to R&D cooperative programs not related to specific systems, it should define the technical objectives and limits of the cooperative effort and the need for this effort. This section must be consistent with other supporting program documentation. In short, this section describes briefly "what" is to be done and "why." The program manager and technical staff are primarily responsible for this section.
b. Nature And Scope Of The Effort Or Objectives. This section also should be concise and to the point. It describes "how" the technical and/or military operational objectives will be satisfied; "how" the program will be organized or phased, and "how" the effort will benefit the U.S. It also describes "who" is responsible, including program management. The program manager and technical staff also have primary responsibility for its preparation. It can be brief when prepared initially to support a coproduction program since the participants and program parameters are known in advance. When the TA/CP is prepared to support a cooperative R&D program, this section will necessitate a more detailed discussion on courses of action and phasing. For a TA/CP prepared in support of a new-start acquisition program, this section also will involve a detailed discussion of the courses of action and phasing. This information will be used later to determine the extent and timing of possible foreign involvement. Foreign involvement is not a consideration for a new-start program at this point in the TA/CP. However, as a result of the analysis discussed in paragraph c., below, Technology Assessment, conclusions can drawn on potential foreign involvement. Actual details on the extent and type of foreign involvement will be set forth in the Cooperative Opportunities Document (COD) (see section D, below). Factors to be covered in this section are:
(1) Type of program (e.g., cooperative R&D, coproduction, system acquisition).
(2) For coproduction and cooperative R&D programs, describe the country(ies) participating, extent of participation foreign commercial participants if known, and extent of commitment.
(3) Program phases, in terms of development, production, and testing.
(4) Summary of projected benefits to the U.S. and to other participants, if applicable, in terms of technology, production base, and military capability.
(5) Points of contact, including program management and security/foreign disclosure officials that are involved in the preparation of the TA/CP.
(6) Major milestones or dates when the assessment will require review or revision.
c. Technology Assessment. This is the most important part of the TA/CP. Its preparation will require a joint effort involving experts from program management, technical staff, security, intelligence and foreign disclosure.
(1) For a cooperative R&D or coproduction program or foreign sale, this assessment requires the preparer to identify U.S. technologies involved, place a value on the U.S. technical contributions to the program, fully assess the benefits to accrue to the United States and perform a risk versus gain analysis. The preparer must also assess the value of any foreign government contributions. In all cases this analysis must result in clearly defined operational or technological benefits to the United States. These benefits must clearly outweigh any damage that might occur if there should be a compromise or unauthorized transfer. The benefits must be described fully in layman's terms.
(2) The analysis must identify any critical military capability and information or technology that requires protection. It may reveal that an adjustment to program phasing is necessary to preclude the release of critical information before it is absolutely needed. The analysis should identify the need for any special security requirements. It must evaluate the risk of compromise based on the capability of the recipients or purchaser to protect the information. It must discuss any known foreign availability of the information, system and technology involved, and previous releases to the participants and to other countries.
(3) Whether preparing a TA/CP in support of a cooperative or coproduction program or a PPP for a new-start program, emphasis should be placed on the value of the technology and system in terms of military capability and technology; susceptibility to compromise; foreign availability; and likely damage in the event of compromise. It should draw conclusions regarding the need for protective security measures; the advantages and disadvantages of foreign participation in the program, in whole or in part; and foreign sales. The non-security aspects of foreign involvement will be discussed in the COD; thus, these documents must be mutually supporting. Concerning foreign sales and cooperative R&D, the assessment must consider phasing of releases of classified and unclassified information.
d. Control Plan. The Control Plan will identify measures to minimize the potential risks and damage to the U.S. through loss, diversion or compromise. Development of this section also requires a team effort. It describes "how" the security requirements to be set forth in the pertinent agreement will be satisfied for cooperative R&D and coproduction programs.
(1) The Control Plan, together with the Technology Assessment will form the basis for agreement negotiating guidance, the technical and security aspects of the program, and development of disclosure guidelines and security arrangements for subsequent foreign participation in the program. Ultimately, it will be used in the preparation of the Delegation of Disclosure Authority Letter (DDL).
(2) Consider the following points in developing the Control Plan.
(a) Phasing the release of information on a just-in-time basis over the course of the project.
(b) Plan for modified or FMS versions of particularly critical components, or the release of them as completed, tested items. This is particularly important as the United States moves to smarter weapons.
(c) Consider the possible development of special security procedures to handle and control access to program information (e.g., prepare a Program Security Instruction).
(d) Plan for controls on access to information by foreign nationals at U.S. facilities and the release of information by U.S. persons at foreign facilities.
2. A sample TA/CP is at Appendix H.
C. PROGRAM PROTECTION PLAN
1. DoD Directive 5000.1 requires that sensitive information and technologies be identified early in the acquisition process and be protected from inadvertent or unauthorized disclosure. DoD Instruction 5000.2 implements this requirement by requiring the development of a Program Protection Plan (PPP) for all acquisition programs before Milestone I. Its purpose is to protect defense items and technical data from hostile collection efforts and unauthorized disclosure during the acquisition process. Decision makers will review this plan at Milestone I and subsequent milestones.
2. The PPP addresses the protection of essential program information, technologies and systems (EPITS) throughout the acquisition cycle of the item. The PPP must consider system vulnerabilities, specific threats, and which countermeasures to employ to protect the item. The analysis required for this document is complimentary to the analysis necessary to complete the other documents in this chapter. The plan should counter only recognized vulnerabilities using selected countermeasures from the seven security disciplines described in DoD Instruction 5000.2. The program manager can design a cost effective plan using a judicious combination of these disciplines, counterintelligence assets and operations security (OPSEC) specialists. The governing directive does not specify a particular format for the PPP. If a program does not contain classified or essential technology, the Plan could be as short as a paragraph.
3. Which EPITS need protection, the threat and vulnerabilities, and system security engineering necessary for life-cycle protection drive the scope of the PPP. This serves as the basis for information security-related decisions in drafting the Security Classification Guide (SCG). DoD 5200.1-R (reference oo) requires a SCG for all classified systems, programs, plans, or projects. The SCG should include appropriate controls for sensitive (controlled) unclassified information and time-phase the security guidance over the life of the item.
4. The PPP includes the system security management plan as an annex at the Milestone II and subsequent reviews. This annex concentrates on the protection of the system in its operational environment. The system security management plan draws upon a portion of system security engineering as described in MIL-STD-1785 (reference qqq). System security addresses the use of engineering measures to protect the system physically or to limit actions which compromise its war-fighting or support capabilities. The PPP will replace all other plans and implementing requirements of MIL-STD-1785.
5. An acquisition program which will have international involvement adds a new dimension to the PPP. The international program agreement or contract must incorporate the PPP requirements. If a Program Security Instruction (see Appendix N) is prepared, the details of the PPP requirements may be included. The PPP can be made legally binding on program participants by reference in the agreement or contract.
D. COOPERATIVE OPPORTUNITIES DOCUMENT (COD)
1. DoD Instruction 5000.2 requires a thorough analysis of opportunities to conduct cooperative R&D or production for major Defense acquisition programs with allies at early decision points in the acquisition process. DoD 5000.2-M (reference rrr) expands the considerations to include foreign military sales, component codevelopment and incorporation of subsystems from allied sources. The acquisition strategy for non-major programs must include a similar analysis for consideration by DoD Component program review authorities.
2. The COD presents the results of this analysis. The COD is required at Milestone I and is updated for subsequent milestone reviews. It is an annex to the Integrated Program Summary which is a comprehensive summary of program structure, status, assessment, plans and recommendations by the Program Manager and Program Executive Officer.
3. A principal issue is that of evaluating and comparing the positive and negative impacts of the technology sharing which happens in any cooperative program. This analysis should not differ materially from the analysis required for a TA/CP. Among such impacts are those involving program timing, development, life cycle costs and RSI. DoD Instruction 5000.2-M provides a standard format for the COD which addresses the specific areas required by the current legislation.
a. Sections one and two of the format provide the background and description of the program under consideration. They must be compatible with the description in the PPP and TA/CP.
b. Section three requires answers to four questions.
(1) The first two questions get to the heart of the matter. They ask whether there are any similar projects in development or production by one or more major allies of the United States and whether that project could satisfy, or be modified in scope, so as to satisfy the U.S. military requirements. In addition to briefly describing similar projects (assuming there are some) and their similarities and differences, the answer to the second question is critical. The sense of the Congress indicates, and the legislation implies, that U.S. military requirements should also be considered for modification if, by doing so, it will result in fielding a better weapon with greater efficiency. The opposite side to this is that if the necessary modifications are too extensive and costly or the relaxation of the U.S. military requirement results in an ineffective system, cooperation is not a good choice in this instance.
(2) The third question requires a description of any options. The advantages and disadvantages of trying to structure a cooperative development program should be listed, covering at least:
(a) Program Timing,
(b) Development and Life Cycle Costs,
(c) Technology Sharing (cover the flow in both directions, what technology is involved, is it state of the art, will an exception to the NDP be required, effect of compromise of U.S. CMI/CUI, etc.), and
(d) Rationalization, Standardization and Interoperability.
(3) The fourth question requires the consideration of alternative forms of cooperation such as FMS, coproduction, licensed production, component/sub-component codevelopment or incorporation of subsystems from allied sources. If a substantial possibility for cooperation exists, list the advantages and disadvantages in the same four items 3.b.(2)(a) through (4), above as a minimum.
c. All of the factors raised in the COD should be considered and a conclusion drawn. Keep the focus on the cooperative issues and not the technical issues that will need to be resolved regardless of the outcome of the analysis.
E. DELEGATION OF DISCLOSURE AUTHORITY LETTER
1. DoD Directive 5230.11 (reference ff) provides the format for a DDL. DoD Directive 5530.3 requires a DDL as part of the package requesting authority to conclude (RAC) an international agreement. The DDL uses, as its basis, the guidelines and restrictions in the Control Plan of the relevant TA/CP, if one has been prepared. It is an annex to the TA/CP as required by DoD Instruction 5000.2. The DDL also is required by DoD Directive 5230.20 (reference gg) for certain visits and assignments of foreign nationals.
a. The DDL is issued by a Principal or Designated Disclosure Authority. It explains classification levels, categories, scope, and limitations on information that may be disclosed to a foreign recipient. This document will be used by foreign disclosure and licensing personnel to carry out their functions.
b. It provides disclosure guidance to disclosure officials in subordinate commands and agencies and, when applicable, to DoD contractors.
c. The Milestone Decision Authority in coordination with the Component Principal or Designated Disclosure Authority approves the DDL prepared to support the defense acquisition process.
d. The DDL must conform to the content of paragraphs 3 (Technology Assessment) and 4 (Control Plan) of the TA/CP. While all elements identified below should be provided in the general order shown, information should be presented in the clearest and easiest-to-use manner. For complex systems give consideration to breaking out items (5) and (6) by major subsystems to enhance the usefulness of the DDL.
(1) CLASSIFICATION: Identify the highest level of classification of the U.S. information involved in the program.
(2) DISCLOSURE METHODS: Identify the approved methods of disclosure, e.g., oral, visual or documentary.
(3) CATEGORIES OF CMI PERMITTED: Specify which of the eight categories of CMI may be disclosed or released.
(4) SCOPE: Specify who is authorized to release material or information, and to whom disclosure is authorized.
(5) AUTHORIZED FOR RELEASE/DISCLOSURE: Describe the material or information that can be released or disclosed. Specify any conditions or limitations to be imposed (e.g., time-phasing of release, allowable forms of software, identification of items releasable only as finished, tested items).
(6) NOT AUTHORIZED FOR RELEASE/DISCLOSURE: Describe material or information that cannot be released or disclosed.
(7) PROCEDURES: Specify review and transfer procedures, special security procedures or protective measures to be imposed. Include coordination requirements.
(8) REDELEGATION: Specify the extent of redelegation of authority, if any, permitted to subordinate activities.