UNCLASSIFIED

Life Cycle Sustainment Plan (LCSP) & Program Protection Plan (PPP) Touchpoints and Integration

2017 Acquisition Insight Days

June 14, 2017

Mr. John Medlin

ODASD(MR)

[email protected]

703.614.6433



Purpose

• Introduce the LCSP Outline v2.0, Program Protection Elements

• Identify and discuss LCSP & PPP elements that require integration of program protection, cybersecurity and logistics activities, roles, and responsibilities


Integrating the PPP & LCSP

[Figure: Program Protection Plan and Life Cycle Sustainment Plan, shown in two panels labelled "Expectation" and "Reality"]


Comparison of LCSP Outlines

LCSP Outline v1.0 (2011)

1. Introduction
2. Product Support Performance
3. Product Support Strategy
4. Product Support Arrangements
5. Product Support Package Status
6. Regulatory/Statutory Requirements Influencing Product Support
7. Integrated Schedule
8. Funding
9. Management
10. Supportability Analysis
11. Additional Sustainment Planning Factors

LCSP Annexes

LCSP Outline v2.0 (2017)

1. Introduction
2. Product Support Performance
3. Product Support Strategy
4. Program Review Issues and Corrective Actions
5. Influencing Design and Sustainment
6. Integrated Schedule
7. Cost and Funding
8. Management
9. Supportability Analysis
10. LCSP Annexes

Change annotations shown on the slide:

• Incorporated into Section 3
• Section renamed
• Expanded into Cost and Funding to include O&S cost estimates, Should Cost Initiatives, and Affordability
• New Section
• Reduced to Executive Summaries


LCSP Outline v2.0 & PPP Outline v1.0

• ASD(L&MR) Memo to the Components signed on January 19, 2017

• Revisions to the LCSP Outline v1.0:

– Reflect new statute/policy

– Clarify guidance; incorporate lessons learned

– Expand the Funding section

– Stress the tailorability of the document

– Introduce “Critical Thinking Questions”

– Reference appropriate DAG sections (future)

• Review and Approval process unchanged

• DODI 5000.02 (Ch 2, Feb 22, 2017), Encl 6, Life-Cycle Sustainment

• USD(AT&L) Memo, Document Streamlining – Program Protection Plan, July 18, 2011

• The PPP will be streamlined consistent with the attached annotated outline

• Increases emphasis on early-phase planning activity

• Reflects the integration of the Acquisition Information Assurance (IA) Strategy and recognizes Program Protection as the Department's holistic approach for delivering trusted systems

• DODI 5000.02 (Ch 2, Feb 22, 2017), Encl 14, Cybersecurity in the Defense Acquisition System


LCSP Outline and Cyber

• LCSP v2.0

• 3 Product Support Strategy

• 3.1.4 Cybersecurity The Program Protection Plan is the program’s primary document for managing a program’s protection of their technology, components, and information throughout the system life cycle. The Program Protection Plan includes areas that directly impact sustainment including Cybersecurity Strategy, Anti-Tamper Plan, and Supply Chain Risk Management. This section of the LCSP is reserved for appropriate cybersecurity and related program protection planning details and to identify the PM responsible for the Program Protection Plan during system sustainment and disposal.

• LCSP v1.0

• 11 Additional Sustainment Planning Factors

– List additional sustainment issues or risks that cross functional lines that could adversely impact sustainment or sustainment support across the system’s life cycle that are not included elsewhere in the LCSP. If the topic is addressed in another document (e.g., the Systems Engineering Plan, etc.) provide a short summary and reference the source. For example:

• Critical Program Information elements provided in the Program Protection Plan (maintaining anti-tamper on component or sub-components)


Cyber Activities Across the Lifecycle

[Figure labels: "O&S Phase & Decommission", "MONITOR Security Controls", Task 6-1 through Task 6-6. Mitigation Measures Include: Assurance Practices, Anti-Tamper, SCRM Practices, Resiliency Techniques, Security Practices.]


Product Support in the PPP Outline


• 2.0. Program Protection Summary

• 5.0. Threats, Vulnerabilities, and Countermeasures

• 6.0. Other System Security-Related Plans and Documents

• 7.0. Program Protection Risks

• 8.0. Foreign Involvement

• 9.0. Processes for Management and Implementation of PPP

• 10.0. Processes for Monitoring and Reporting Compromises

• 11.0. Program Protection Costs


2.0. Program Protection Summary

• 2.1. Schedule

– A Program Protection schedule overlaid onto the program's master schedule (milestones, systems engineering technical reviews, etc.) includes:

• Countermeasure (e.g. Anti-Tamper, Information Assurance) testing/verification events

• Most events, if not all, are not one-time activities but recur across the system’s life cycle

– Are these accounted for in O&S cost estimates?

– How is the PPP carried forward/monitored?

– Who in sustainment manages PPP/countermeasure requirements?

– Are recurring events and activities reflected in the schedule Post MS-C, across the O&S Phase, and for disposal?

Question(s) posed are not exhaustive nor applicable across all systems and domains


2.0. Program Protection Summary

• 2.2. CPI and Critical Functions and Components Protection

– Over the lifecycle of the program list all CPI and critical functions and components (including inherited and organic) mapped to the security disciplines of the countermeasures being applied in Table 2.2-1 below.

• What are the recurring events and activities for these inherited or organic functions?

• What is their O&S cost and is it included in the program’s O&S cost?

• What are the elements of any MOA/MOUs that have life cycle impact?

– Are these included in Sections 3.1, 3.2, 3.3?


2.0. Program Protection Summary

• Table 2.2-1: CPI and Critical Components Countermeasure Summary

• For the implemented countermeasures, who is the OPR in sustainment?

• Are there product support elements that support countermeasure implementation?

• Is there fidelity on costs to implement and are those costs carried forward across the life cycle and part of the O&S cost estimate?


Table 2.2-1: CPI and Critical Components Countermeasure Summary (mandated) (sample)


5.0. Threats, Vulnerabilities, and Countermeasures

– 5.1. Threats

– 5.2. Vulnerabilities

– 5.3. Countermeasures

• 5.3.1. Anti-Tamper (AT)

• 5.3.2. Information Assurance (IA)

• 5.3.3. Software Assurance

• 5.3.4. Supply Chain Risk Management (Trusted Suppliers, Counterfeit)

• 5.3.5. System Security Engineering

• 5.3.6. General Countermeasures

• Threat identification, vulnerability analysis, and countermeasure update are not one-time activities but recur across the system’s life cycle

– Are recurring updates & analyses included in O&S cost estimates?

– After MS-C/FRP/Post-Production, who manages this activity?

– Are there product support element impacts?


6.0. Other System Security-Related Plans and Documents

Expectation: If Technical Assistance Agreements, Memoranda of Agreement (MOA), Memoranda of Understanding (MOU), or other similar agreements have been signed, reference or link to them in an additional table with a description of the key commitments.

• Are these agreements carried over and applicable across the system’s life cycle?

• Are updates planned?

• Do they impact other elements of the PPP and if so, what are the actions and impacts to sustainment planning and implementation (PSEs, O&S cost, etc.)?

• After MS-C/FRP/Post-Production, who manages this activity?


7.0. Program Protection Risks

– Describe how Program Protection risks (cost, schedule, technical) will be integrated with overall Program risk management.

– Discuss the approach to identifying residual risks of CPI and critical function and component compromise after countermeasure implementation. Are there any unmitigated risks?

– Include a risk cube and mitigation plan for the top Program Protection risks.

• What are the mitigation actions or unmitigated risks that carry over into sustainment?

• Who is the OPR in sustainment?

• Is funding required, planned and programmed after MS-C and O&S Phase?


8.0. Foreign Involvement

– Summarize any international activities and any plans for, or known, foreign cooperative development or sales of the system.

• Are there cooperative supply agreements via FMS (CLSSA)?

• Are there different configurations requiring control and if so, where documented and who is the OPR after MS-C/FRP/Post-Production?

• Are product support elements affected the same or differently for US and foreign customers?


9.0. Processes for Management and Implementation of PPP

– 9.1. Audits/Inspections

– 9.2. Engineering/Technical Reviews

– 9.3. Verification and Validation

– 9.4. Sustainment

• How will Program Protection requirements and considerations be managed in sustainment? Who is responsible for this?

• Link to the relevant Lifecycle Sustainment Plan (LCSP) language.

• What audits/inspections carry over into sustainment; are there any open audit/inspection findings that carry over into sustainment; if on a set cycle, are these reflected as an O&S cost in POE, SCP, ICE; are funds planned and programmed for after MS-C and during O&S Phase?

• How are review findings, risks and issues carried forward after MS-C and into the O&S Phase; are modifications, upgrades & tech refresh planned?

• For test findings, what is the process to carry forward after MS-C and into the O&S Phase; is there any testing that is planned in sustainment (FOT&E) and who is responsible?


• Does program protection and cybersecurity become a PSM responsibility?


10.0. Processes for Monitoring and Reporting Compromises

– Summarize the plan/procedure for responding to a CPI compromise or a supply chain exploit.

– What constitutes a compromise or exploit? Who is notified if one occurs? Define what constitutes an Anti-Tamper event or a Supply Chain exploit.


• Who is the OPR and stakeholders post MS-C/FRP/post-production (are stakeholders the same)?

• Are plans, procedures and definitions for compromise & exploitation supportable in sustainment?

• What events and corrective actions are carried forward post-production?


11.0. Program Protection Costs

– Indicate where Program Protection costs are to be accounted for in the SCP and program budget. Who has the responsibility to ensure Program Protection costs are estimated and included in the program's budget and contracts?

– 11.1. Security Costs

– 11.2. Acquisition and Systems Engineering Protection Costs


• Did program protection & cybersecurity requirements and activities informing SCP extend into the O&S Phase and include disposal?

• How are those requirements, activities and costs tracked in acquisition?

• When is the cost estimate for program protection requirements & activities updated?


Cyber Activities Across the Lifecycle

[Figure labels: "O&S Phase & Decommission", "MONITOR Security Controls", "PM", Task 6-1 through Task 6-6. Mitigation Measures Include: Assurance Practices, Anti-Tamper, SCRM Practices, Resiliency Techniques, Security Practices.]

Who is the organization or person who has “PM” responsibility for management of the system (activities, PPBE, etc) in the O&S Phase & decommissioning; when does this organization become a Stakeholder in the acquisition cycle; is there guidance for the turnover process?


Air Force Guidance

• AFPAM 63-113 PROGRAM PROTECTION PLANNING FOR LIFE CYCLE MANAGEMENT, OCTOBER 2013


THE DEPARTMENT OF DEFENSE CYBER STRATEGY STRATEGIC GOALS

• I. Build and maintain ready forces and capabilities to conduct cyberspace operations

• II. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions

• III. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence

• IV. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages

• V. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability

https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf


THE DOD CYBER STRATEGY STRATEGIC GOAL II

• DEFEND THE DOD INFORMATION NETWORK, SECURE DOD DATA, AND MITIGATE RISKS TO DOD MISSIONS

– DoD cannot defend every network and system against every kind of intrusion

– DoD’s total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities

– DoD must take steps to identify, prioritize, and defend its most important networks and data

• DODI 8510.01 March 12, 2014, Risk Management Framework (RMF) for DoD Information Technology (IT)


THE DOD CYBER STRATEGY STRATEGIC GOAL II

IMPLEMENTATION OBJECTIVES

• Plan for network defense and resilience

– Improve weapons systems cybersecurity

• DoD will assess and initiate improvements to the cybersecurity of current and future weapons systems, doing so on the basis of operational requirements. For all future weapons systems that DoD will acquire or procure, DoD will mandate specific cybersecurity standards for weapons systems to meet. Acquisition and procurement policy and practice will be updated to promote effective cybersecurity throughout a system’s life cycle.
