Intelligence & Security

Critical Program Information (CPI)

Critical Program Information (CPI) is the U.S. capability element that contributes to the warfighters’ technical advantage, which if compromised, undermines U.S. military preeminence. U.S. capability elements may include but are not limited to, software algorithms and specific hardware residing on the system, training equipment, and/or maintenance support equipment. [2]

Critical Program Information (CPI) Compromise May: [1]

  • Reduce U.S. technological superiority and shorten the combat-effective life of the system as the adversary develops and fields comparable capabilities and/or countermeasures;
  • Require research, development, and acquisition resources to counter the impact of compromise and regain or maintain the advantage;
  • Protection measures should be put in place to deter, delay, detect, and respond to attempts to compromise CPI.

Critical Program Information (CPI) Analysis

CPI analysis is the means by which programs identify, protect, and monitor CPI. This analysis should be conducted early and throughout the life cycle of the program. Additionally, because CPI is critical to U.S. technological superiority, its value extends beyond any one program. As a result, CPI analysis should consider the broader impact of CPI identification and protection on national security. [1]

DoD Instruction 5200.39: CPI Identification and Protection Within RDT&E – 15 Oct 2018

CPI includes information about applications, capabilities, processes, and end-items; Includes elements or components critical to a military system or network mission effectiveness; Includes technology that would reduce the US technological advantage if it came under foreign control. [2]

Critical Program Information (CPI) Analysis Steps

The CPI analysis process has three development steps:

  • Step 1: Identity: identify critical program information that requires protection to prevent reverse engineering
  • Step 2: Assess Risk: Determine the risk for each CPI and assess its impact – Risk Assessment
  • Step 3: Protect:  Continually assess if the CPI is protected and new vulnerabilities haven’t arrised – Anti-Tamper; cybersecurity

Critical Program Information (CPI) on a Research, Development, and Acquisition program may include:

  • Components,
  • Engineering design,
  • Manufacturing processes,
  • Critical technologies,
  • System capabilities and vulnerabilities and,
  • Other information that gives the system its distinctive operational capability

Not Critical Program Information (CPI)

The following is not considered CPI:

  • Personally Identifiable Information (PII)
  • Individually Identifiable Health Information
  • Operational Information (i.e., waypoints and target location data)
  • Vulnerabilities and Weaknesses
  • Unmodified Commercial-Off-The-Shelf (COTS)
  • Multi-Level Security, Cryptographic, and Cross Domain Solutions
  • Logistics

AcqTips:

  • When CPI is inherited from a technology project and incorporated into an acquisition program, the Program Manager should incorporate the countermeasures prescribed in the Program Protection Plan (PPP) of origin until such time the CPI can be used to determine whether it still requires protection during acquisition, or if new or related CPI exists. [1]

AcqLinks and References:

Updated: 7/4/2021

Ranl: G1.5

Leave a Reply