Critical Program Information (CPI) is the U.S. capability element that contributes to the warfighters’ technical advantage, which, if compromised, undermines U.S. military preeminence. U.S. capability elements may include, but are not limited to, software algorithms and specific hardware residing on the system, training equipment, and/or maintenance support equipment. [2]
Definition: Critical Program Information (CPI) is any U.S. capability elements that contribute to the warfighters’ technical advantage, which if compromised, undermine U.S. military preeminence. CPI provides missionessential capabilities, and can include, but is not limited to, software algorithms, specific hardware residing on the system, system training equipment, or maintenance support equipment.
Purpose of Critical Program Information (CPI)
CPI aims to determine what information is needed to protect US capabilities.
Main Reference
DoDI 5200.39 establishes policies and responsibilities for the identification and protection of CPI.
DoD Instruction 5200.39: “CPI Identification and Protection within RDT&E” – 1 Oct 20
Critical Program Information (CPI) Compromise May: [1]
- Reduce U.S. technological superiority and shorten the combat-effective life of the system as the adversary develops and fields comparable capabilities and/or countermeasures;
- Require research, development, and acquisition resources to counter the impact of compromise and regain or maintain the advantage;
- Protection measures should be put in place to deter, delay, detect, and respond to attempts to compromise CPI.
Types of Critical Program Information (CPI)
There are two types of CPI according to DoD Instruction 5200.39
- Organic: is unique, original CPI that is owned and generated by a Research Development Test & Evaluation, or RDT&E, program.
- Inherited: is CPI that is owned and generated by one RDT&E program, subsystem, or project, but that is incorporated into or used by another.
Where is Critical Program Information (CPI) Documented
The Program Manager will document approved CPI in the Program Protection Plan (PPP).
Critical Program Information (CPI) Analysis
CPI analysis is the means by which programs identify, protect, and monitor CPI. This analysis should be conducted early and throughout the life cycle of the program. Additionally, because CPI is critical to U.S. technological superiority, its value extends beyond any one program. As a result, CPI analysis should consider the broader impact of CPI identification and protection on national security. [1]
CPI includes information about applications, capabilities, processes, and end-items; Includes elements or components critical to a military system or network mission effectiveness; Includes technology that would reduce the US technological advantage if it came under foreign control. [2]
Critical Program Information (CPI) Analysis Steps
The CPI analysis process has three development steps:
- Step 1: Identity: identify critical program information that requires protection to prevent reverse engineering
- Step 2: Assess Risk: Determine the risk for each CPI and assess its impact – Risk Assessment
- Step 3: Protect: Continually assess if the CPI is protected and new vulnerabilities haven’t arrised – Anti-Tamper; cybersecurity
Critical Program Information (CPI) on a Research, Development, and Acquisition program may include:
- Components,
- Engineering design,
- Manufacturing processes,
- Critical technologies,
- System capabilities and vulnerabilities and,
- Other information that gives the system its distinctive operational capability
Not Critical Program Information (CPI)
The following are not considered CPI:
- Personally Identifiable Information (PII)
- Individually Identifiable Health Information
- Operational Information (i.e., waypoints and target location data)
- Vulnerabilities and Weaknesses
- Unmodified Commercial-Off-The-Shelf (COTS)
- Multi-Level Security, Cryptographic, and Cross Domain Solutions
- Logistics
AcqTips:
- When CPI is inherited from a technology project and incorporated into an acquisition program, the Program Manager should incorporate the countermeasures prescribed in the Program Protection Plan (PPP) of origin until such time the CPI can be used to determine whether it still requires protection during acquisition, or if new or related CPI exists. [1]
AcqLinks and References:
- [1] Defense Acquisition Guidebook (DAG) – Chapter 9
- DoD Instruction 5200.39 “CPI Identification and Protection within the RDT&E” – 1 Oct 2020
- [2] DoD Instruction 5200.39 “CPI Identification and Protection Within RDT&E” – 15 Oct 2018
- (Old) DoD Instruction 5200.39 “CPI Identification and Protection Within RDT&E” – 17 Nov 2017
Updated: 3/13/2024
Rank: G3.5