What Was Done
This summary is a compilation of inspection results from the DoD, Service, and Missile Defense Agency (MDA) Offices of Inspectors General (OIG) and, where available, notes the best practices of each. The DoD OIG assessed an acquisition category 1D program; the Service IGs selected 34 of 118 research, development, test, and evaluation (RDT&E) facilities under their purview for inspection; and the MDA looked at the effectiveness of their critical program information (CPI) identification and program protection planning efforts, as well as their international security program. These inspections ensure a uniform system of periodic reviews for compliance with directives concerning security, intelligence, counterintelligence, and technology protection practices. The OIGs used the biennial inspection guidelines that focus on eight key issue areas related to program protection.
What Was Found
Identifying CPI. Generally, an effective process for identifying CPI was found, with some having a standardized process for identifying CPI. However, 5 of the 35 sites inspected did not adequately identify specific CPI.
Program Protection Planning. Efforts to protect CPI are not integrated and synchronized to the greatest extent possible. In some instances, program protection plans were not completed and could not be assessed. However, in general CPI was incorporated into program protection plans.
Training and Education. Training for the protection of CPI was not tailored for intelligence and security personnel; and some personnel were not qualified to do the job. Moreover, the level of training related to CPI protection varied, with some personnel with no training, others with training acquired on the job and still others with training offered by the research, development, and acquisition (RDA) program support organization.
Resources. DoD OIG’s assessment found no embedded program security support. The program management office did not track all security costs nor did they report program protection or security-related expenditures, in order to establish budget projections for security throughout the program’s life-cycle and with measuring the return on the security expenditures.
Security and Other Support. Although program staff requested and were provided intelligence support, it was not timely nor tailored to CPI, adversely affecting the PM’s ability to implement an effective program protection plan. Service findings ranged from PMs not using counterintelligence assets correctly to counterintelligence assets being spread thin due to deployments and ad-hoc tasking.
Foreign Visitor Program. No major issues were noted with the effectiveness of the programs inspected. MDA was using the Foreign Visits System – Confirmation Module.
Horizontal Protection. Data from an Air Force program was on a separate horizontal protection database, but recent guidance will allow Air Force to use the Acquisition Security Database.
CPI Policies. While DoD and Service policies to protect CPI have progressed in recent years, there is still a need for improvement.