UNCLASSIFIED
Life Cycle Sustainment Plan (LCSP) &
Program Protection Plan (PPP) Touchpoints and Integration
2017 Acquisition Insight Days
June 14, 2017
Mr. John Medlin
ODASD(MR)
[email protected]
703.614.6433
Purpose
• Introduce the LCSP Outline v2.0, Program Protection Elements
• Identify and discuss LCSP & PPP elements that require integration of program protection, cybersecurity and logistics activities, roles, and responsibilities
Integrating the PPP & LCSP
[Figure: the Program Protection Plan and the Life Cycle Sustainment Plan, contrasted as "Expectation" versus "Reality"]
Comparison of LCSP Outlines
LCSP Outline v1.0 (2011)
1. Introduction
2. Product Support Performance
3. Product Support Strategy
4. Product Support Arrangements
5. Product Support Package Status
6. Regulatory/Statutory Requirements Influencing Product Support
7. Integrated Schedule
8. Funding
9. Management
10. Supportability Analysis
11. Additional Sustainment Planning Factors
LCSP Annexes
LCSP Outline v2.0 (2017)
1. Introduction
2. Product Support Performance
3. Product Support Strategy
4. Program Review Issues and Corrective Actions
5. Influencing Design and Sustainment
6. Integrated Schedule
7. Cost and Funding
8. Management
9. Supportability Analysis
10. LCSP Annexes
Changes annotated on the slide (v1.0 to v2.0):
• Incorporated into Section 3
• Section renamed
• Expanded into Cost and Funding to include O&S cost estimates, Should Cost Initiatives, and Affordability
• New Section
• Reduced to Executive Summaries
LCSP Outline v2.0 & PPP Outline v1.0
LCSP Outline v2.0
• ASD(L&MR) Memo to the Components signed on January 19, 2017
• Revisions to the LCSP Outline v1.0:
– Reflect new statute/policy
– Clarify guidance; incorporate lessons learned
– Expand the Funding section
– Stress the tailorability of the document
– Introduce “Critical Thinking Questions”
– Reference appropriate DAG sections (future)
• Review and Approval process unchanged
• DODI 5000.02 (Ch 2, Feb 22, 2017), Encl 6, Life-Cycle Sustainment
PPP Outline v1.0
• USD(AT&L) Memo, Document Streamlining – Program Protection Plan, July 18, 2011
• The PPP will be streamlined consistent with the attached annotated outline
• Increases emphasis on early-phase planning activity
• Reflects the integration of the Acquisition Information Assurance (IA) Strategy and recognizes Program Protection as the Department's holistic approach for delivering trusted systems
• DODI 5000.02 (Ch 2, Feb 22, 2017), Encl 14, Cybersecurity in the Defense Acquisition System
LCSP Outline and Cyber
• LCSP v2.0
– 3 Product Support Strategy
– 3.1.4 Cybersecurity: The Program Protection Plan is the program’s primary document for managing a program’s protection of their technology, components, and information throughout the system life cycle. The Program Protection Plan includes areas that directly impact sustainment including Cybersecurity Strategy, Anti-Tamper Plan, and Supply Chain Risk Management. This section of the LCSP is reserved for appropriate cybersecurity and related program protection planning details and to identify the PM responsible for the Program Protection Plan during system sustainment and disposal.
• LCSP v1.0
– 11 Additional Sustainment Planning Factors: List additional sustainment issues or risks that cross functional lines that could adversely impact sustainment or sustainment support across the system’s life cycle that are not included elsewhere in the LCSP. If the topic is addressed in another document (e.g., the Systems Engineering Plan, etc.) provide a short summary and reference the source. For example:
• Critical Program Information elements provided in the Program Protection Plan (maintaining anti-tamper on component or sub-components)
Cyber Activities Across the Lifecycle
[Figure: O&S Phase & Decommission; MONITOR Security Controls, Tasks 6-1 through 6-6; "URA ?" callouts; Mitigation Measures Include: Assurance Practices, Anti-Tamper, SCRM Practices, Resiliency Techniques, Security Practices]
Product Support in the PPP Outline
• 2.0. Program Protection Summary
• 5.0. Threats, Vulnerabilities, and Countermeasures
• 6.0. Other System Security-Related Plans and Documents
• 7.0. Program Protection Risks
• 8.0. Foreign Involvement
• 9.0. Processes for Management and Implementation of PPP
• 10.0. Processes for Monitoring and Reporting Compromises
• 11.0. Program Protection Costs
Product Support in the PPP Outline
2.0. Program Protection Summary
• 2.1. Schedule
– A Program Protection schedule overlaid onto the program's master schedule (milestones, systems engineering technical reviews, etc.) includes:
• Countermeasure (e.g. Anti-Tamper, Information Assurance) testing/verification events
• Most events, if not all, are not one-time activities but recur across the system’s life cycle
– Are these accounted for in O&S cost estimates?
– How is the PPP carried forward/monitored?
– Who in sustainment manages PPP/countermeasure requirements?
– Are recurring events and activities reflected in the schedule Post MS-C, across the O&S Phase, and for disposal?
Question(s) posed are not exhaustive nor applicable across all systems and domains
Product Support in the PPP Outline
2.0. Program Protection Summary
• 2.2. CPI and Critical Functions and Components Protection
– Over the lifecycle of the program list all CPI and critical functions and components (including inherited and organic) mapped to the security disciplines of the countermeasures being applied in Table 2.2-1 below.
• What are the recurring events and activities for these inherited or organic functions?
• What is their O&S cost and is it included in the program’s O&S cost?
• What are the elements of any MOA/MOUs that have life cycle impact?
– Are these included in Sections 3.1, 3.2, 3.3?
Product Support in the PPP Outline
2.0. Program Protection Summary
• Table 2.2-1: CPI and Critical Components Countermeasure Summary (mandated) (sample)
• For the implemented countermeasures, who is the OPR in sustainment?
• Are there product support elements that support countermeasure implementation?
• Is there fidelity on costs to implement and are those costs carried forward across the life cycle and part of the O&S cost estimate?
Product Support in the PPP Outline
5.0. Threats, Vulnerabilities, and Countermeasures
– 5.1. Threats
– 5.2. Vulnerabilities
– 5.3. Countermeasures
• 5.3.1. Anti-Tamper (AT)
• 5.3.2. Information Assurance (IA)
• 5.3.3. Software Assurance
• 5.3.4. Supply Chain Risk Management (Trusted Suppliers, Counterfeit)
• 5.3.5. System Security Engineering
• 5.3.6. General Countermeasures
• Threat identification, vulnerability analysis, and countermeasure update are not one-time activities but recur across the system’s life cycle
– Are recurring updates & analyses included in O&S cost estimates?
– After MS-C/FRP/Post-Production, who manages this activity?
– Are there product support element impacts?
Product Support in the PPP Outline
6.0. Other System Security-Related Plans and Documents
Expectation: If Technical Assistance Agreements, Memoranda of Agreement (MOA), Memoranda of Understanding (MOU), or other similar agreements have been signed, reference or link to them in an additional table with a description of the key commitments.
• Are these agreements carried over and applicable across the system’s life cycle?
• Are updates planned?
• Do they impact other elements of the PPP and if so, what are the actions and impacts to sustainment planning and implementation (PSEs, O&S cost, etc.)?
• After MS-C/FRP/Post-Production, who manages this activity?
Product Support in the PPP Outline
7.0. Program Protection Risks
– Describe how Program Protection risks (cost, schedule, technical) will be integrated with overall Program risk management.
– Discuss the approach to identifying residual risks of CPI and critical function and component compromise after countermeasure implementation. Are there any unmitigated risks?
– Include a risk cube and mitigation plan for the top Program Protection risks.
• What are the mitigation actions or unmitigated risks that carry over into sustainment?
• Who is the OPR in sustainment?
• Is funding required, planned and programmed after MS-C and in the O&S Phase?
Product Support in the PPP Outline
8.0. Foreign Involvement
– Summarize any international activities and any plans for, or known, foreign cooperative development or sales of the system.
• Are there cooperative supply agreements via FMS (CLSSA)?
• Are there different configurations requiring control and if so, where are they documented and who is the OPR after MS-C/FRP/Post-Production?
• Are product support elements affected the same or differently for US and foreign customers?
Product Support in the PPP Outline
9.0. Processes for Management and Implementation of PPP
– 9.1. Audits/Inspections
– 9.2. Engineering/Technical Reviews
– 9.3. Verification and Validation
– 9.4. Sustainment
• How will Program Protection requirements and considerations be managed in sustainment? Who is responsible for this?
• Link to the relevant Lifecycle Sustainment Plan (LCSP) language.
• What audits/inspections carry over into sustainment; are there any open audit/inspection findings that carry over into sustainment; if on a set cycle, are these reflected as an O&S cost in the POE, SCP, ICE; are funds planned and programmed for after MS-C and during the O&S Phase?
• How are review findings, risks and issues carried forward after MS-C and into the O&S Phase; are modifications, upgrades & tech refresh planned?
• For test findings, what is the process to carry forward after MS-C and into the O&S Phase; is there any testing that is planned in sustainment (FOT&E) and who is responsible?
Product Support in the PPP Outline
9.0. Processes for Management and Implementation of PPP
– 9.4. Sustainment
• How will Program Protection requirements and considerations be managed in sustainment? Who is responsible for this?
• Link to the relevant Lifecycle Sustainment Plan (LCSP) language.
• Does program protection and cybersecurity become a PSM responsibility?
Product Support in the PPP Outline
10.0. Processes for Monitoring and Reporting Compromises
– Summarize the plan/procedure for responding to a CPI compromise or a supply chain exploit.
– What constitutes a compromise or exploit? Who is notified if one occurs? Define what constitutes an Anti-Tamper event or a Supply Chain exploit.
• Who is the OPR and who are the stakeholders post MS-C/FRP/post-production (are the stakeholders the same)?
• Are plans, procedures and definitions for compromise & exploitation supportable in sustainment?
• What events and corrective actions are carried forward post-production?
Product Support in the PPP Outline
11.0. Program Protection Costs
– Indicate where Program Protection costs are to be accounted for in the SCP and program budget. Who has the responsibility to ensure Program Protection costs are estimated and included in the program's budget and contracts?
• Did program protection & cybersecurity requirements and activities informing the SCP extend into the O&S Phase and include disposal?
• How are those requirements, activities and costs tracked in acquisition?
• When is the cost estimate for program protection requirements & activities updated?
Product Support in the PPP Outline
11.0. Program Protection Costs
– Indicate where Program Protection costs are to be accounted for in the SCP and program budget. Who has the responsibility to ensure Program Protection costs are estimated and included in the program's budget and contracts?
– 11.1. Security Costs
– 11.2. Acquisition and Systems Engineering Protection Costs
• Did program protection & cybersecurity requirements and activities informing the SCP extend into the O&S Phase and include disposal?
• How are those requirements, activities and costs tracked in acquisition?
• When is the cost estimate for program protection requirements & activities updated?
Cyber Activities Across the Lifecycle
[Figure: O&S Phase & Decommission; MONITOR Security Controls, Tasks 6-1 through 6-6; "PM" and "URA ?" callouts; Mitigation Measures Include: Assurance Practices, Anti-Tamper, SCRM Practices, Resiliency Techniques, Security Practices]
• Who is the organization or person who has “PM” responsibility for management of the system (activities, PPBE, etc.) in the O&S Phase & decommissioning; when does this organization become a Stakeholder in the acquisition cycle; is there guidance for the turnover process?
Questions
Air Force Guidance
• AFPAM 63-113, PROGRAM PROTECTION PLANNING FOR LIFE CYCLE MANAGEMENT, OCTOBER 2013
THE DEPARTMENT OF DEFENSE CYBER STRATEGY STRATEGIC GOALS
• I. Build and maintain ready forces and capabilities to conduct cyberspace operations
• II. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions
• III. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence
• IV. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
• V. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
THE DOD CYBER STRATEGY STRATEGIC GOAL II
• DEFEND THE DOD INFORMATION NETWORK, SECURE DOD DATA, AND MITIGATE RISKS TO DOD MISSIONS
– DoD cannot defend every network and system against every kind of intrusion
– DoD’s total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities
– DoD must take steps to identify, prioritize, and defend its most important networks and data
• DODI 8510.01, March 12, 2014, Risk Management Framework (RMF) for DoD Information Technology (IT)
THE DOD CYBER STRATEGY STRATEGIC GOAL II
IMPLEMENTATION OBJECTIVES
• Plan for network defense and resilience
– Improve weapons systems cybersecurity
• DoD will assess and initiate improvements to the cybersecurity of current and future weapons systems, doing so on the basis of operational requirements. For all future weapons systems that DoD will acquire or procure, DoD will mandate specific cybersecurity standards for weapons systems to meet. Acquisition and procurement policy and practice will be updated to promote effective cybersecurity throughout a system’s life cycle.