Intelligence & Security

Program Protection Plan (PPP)

The Program Protection Plan (PPP) is the single source document used to coordinate and integrate all protection efforts. It is designed to deny access to Critical Program Information (CPI) to anyone who is not authorized or does not have a need to know, and to prevent inadvertent disclosure of leading-edge technology to foreign interests. The PPP is a living plan to manage the risks to the U.S. capability element that contributes to the warfighter’s technical advantage, mission-critical functions and components, CTI, and system data. This acquisition document captures the systems security engineering activities, including secure cyber resilient engineering, and the results of the analyses across the life cycle.

Definition: The Program Protection Plan (PPP) is a security-focused document to guide efforts to manage the security risks to Critical Program Information (CPI) and mission-critical functions and components for a system and program.

Program Protection Plan (PPP) Purpose

The purpose of the PPP is to coordinate and integrate all security efforts throughout the system’s entire life cycle to ensure that a program is adequately protected against hostile activities.

Program Protection Plan (PPP) Sub Documentation

The following are the essential five (5) documents that comprise the overall program protection. These documents are attached as appendices to the PPP. These documents include:

Program Protection Plan (PPP) Approval

The PPP is approved by the Program Manager (PM) after an Initial Capabilities Document (ICD) has been validated and is part of the Security Classification Guide (SCG). A draft is due for the Development RFP Release Decision and is approved at Milestone B. [1,2]

Developing the Program Protection Plan (PPP)

When developing a program protection plan, developers can meet draft requirements by using all parts of the program protection plan template. Programs that have answered enough questions about the basic outline can go deeper and ask what makes their program different and what parts of the program need protection. The following guidance describes the process used to prepare a PPP when one is required: [1]

  • Any program, product, technology demonstrator, or other item developed as part of a separate acquisition process and used as a component, subsystem, or modification of another program should publish a PPP.
  • The effectiveness of the PPP is highly dependent upon the quality and currency of the information available to the program office.
    • Coordination between the Program Management Office (PMO) and supporting Counterintelligence (CI) and security activities is critical to ensure that any changes in the system CPI, threat, or environmental conditions are communicated to the proper organizations.
    • Intelligence and CI organizations supporting the program protection effort should notify the PM promptly of any information on adverse foreign interests targeting their CPI without waiting for a periodic production request.

Program Protection Plan (PPP) Content

While there is no specific format for PPPs, they normally include the following: [1]

  • System and program description
  • All program and support points of contact
  • A list of program CPI
  • Counterintelligence Analysis of CPI
  • Vulnerabilities of CPI
  • All Research and Technology Protection countermeasures (e.g., anti-tamper techniques, system security engineering) and Militarily Critical Technology List citations for applicable CPI
  • All RTP associated costs, by Fiscal Year, to include PPP development and execution
  • Foreign disclosure, direct commercial sales, co-production, import, export license or other export authorization requirements, and/or Technology Assessment/Control Plan
  • Delegation of Disclosure Authority Letter (DDL), if appropriate
  • Program Security Instruction, if appropriate

Example Program Protection Plan (PPP) Format

The following is an example format that program managers and security managers can follow when developing the PPP.

  • Section 1: Introduction
  • Section 2: Summary
  • Section 3: Critical Program Information (CPI)
  • Section 4: Horizontal Protection
  • Section 5: Threats, Vulnerabilities, and Countermeasures
  • Section 6: Other system-related plans and documents
  • Section 7: Risks
  • Section 8: Foreign Involvement
  • Section 9: Process for Management and Implementation of PPP
  • Section 10: Process for Monitoring and Reporting Compromises
  • Section 11: Program Protection Costs

The PPP document includes five (5) Appendices:

Program Protection Plan (PPP) Regulations

  • A draft update is due for the Development RFP Release Decision and is approved at Milestone B. The PPP includes appropriate appendixes or links to required information. [2]
  • DoD Instruction (DoDI) 5000.82 requires that the PPP document be submitted five times for Milestone Decision Authority (MDA) review and approval at Milestone A, Development RFP Release Decision, Milestone B, Milestone C, and Full-Rate Production Decision Review (FRPDR).
  • The Component should submit a cybersecurity strategy as an appendix to the PPP per DoDI 5000.82.
  • For Major Capability Acquisitions (MCA) programs where the Defense Acquisition Executive (DAE) is the Milestone Decision Authority (MDA), the programs should submit PPPs to the Director, S&T Program Protection not less than 45 calendar days before the relevant review for USD(R&E) approval. DoD Component PPPs will follow the DoD Component approval process.


Updated: 2/84/2024
