Intelligence and Security lay the foundation for protecting our DoD systems and Critical Program Information (CPI) assets against compromise and threats. CPI requires protection to prevent unauthorized or inadvertent disclosure, destruction, transfer, alteration, reverse engineering, or loss.  A Program Manager (PM) is responsible for the protection of all CPI. They must also understand how intelligence, Counterintelligence, and their impact on their program for protection.

Throughout the course of an acquisition program, A PM will develop a:

• Program Protection Plan (PPP)
• Security Classification Guide (SCG)
• System Threat Assessment Report (STAR)
• Capstone Threat Assessment (CTA)
• Technology Assessment/Control Plan (TA/CP)

Other information and security topics that a PM must be aware of are:

• Computer Security (COMPUSEC)
• Communication Security (COMSEC)
• Information Assurance (IA)
• Operations Security (OPSEC)
• System Security Engineering (SSE)

Information that may be restricted and protected is identified, marked, and controlled in accordance with DoD Directives 5230.24 and 5230.25 or applicable national-level policy (Acquisition Security Related Policies and Issuances) and is limited to the following:

• Information that is classified in accordance with Executive Order (EO) 12958 , and
• Unclassified information that has restrictions placed on its distribution by:
• U.S. Statutes (Arms Export Control Act, Export Administration Act);
• Statute-driven national regulations (Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR)); and
• Related national policy (Executive Order (EO) 12958, National Security Decision Directive 189)
• Acquisition Security Related Policies and Issuances

The National Industry Security Program Operating Manual (NISPOM) establishes the standard procedures and requirements for all government contractors, with regards to classified information. It covers the entire field of government-industrial security-related matters.

AcqLinks and References:

• Defense Acquisition Guidebook (DAG) – Chapter 8.0
• Cybersecurity and Acquisition Lifecycle Integration Tool (CALIT) Ver 2.02
• DoD Directive 5205.02E “DoD Operations Security (OPSEC) Program” – 20 Jun 2012
• DoD Directive 5230.11 “Disclosure of Classified Info to Foreign Government/International Organization” – 19 Jun 1992
• DoD Directive 5230.24 “Distribution Statements on Technical Documents” – 18 Mar 1987
• DoD Directive 5230.25 “Withholding of Unclassified Technical Data from Public Disclosure” – 6 Nov 1984
• DoD Directive 5530.3 “International Agreements” – 18 Feb 1991
• DoD Instruction 5200.39 “CPI Identification and Protection Within RDT&E” – 15 Oct 2018
• DoD Instruction 5240.19 “Counterintelligence Support to the Defense Critical Infrastructure Program” – 28 Dec 2010
• DoD 5200.1-H “DoD Handbook for Writing Security Classification Guidance” – Nov 1999
• DoD 5200.1-M “Acquisition Systems Protection Program” – Mar 1994
• DoD 5220.22-M “National Industry Security Program Operating Manual (NISPOM)” – 28 Feb 2006
• DoD Cloud Computing Security Requirements Guide (SRG) – 12 Jan 2015
• Executive Order 12958 “Classified National Security Information” 28 Mar 2003
• Air Force Policy Directive 63-17 “Technology and Acquisition Systems Security Program Protection” – 26 Nov 01
• Acquisition Security Related Policies and Issuances
• Website: DoD Anti-Tamper
• Website: International Programs Security Handbook
• Website: National Disclosure Policy (NDP-1)
• Website: Arms Export Control Act
• Website: OSD Acquisition Security-Related Policy & Issuance

Updated: 3/24/2020