1.0 GENERAL1.0 GENERAL
EELV is the key enabling capability for flexible, assured, global space operations and support to military, civil and commercial users. The ability of an adversary to deny, counter, or compromise spacelift capabilities also denies the U.S. capability to achieve any other employment concept in the national space operations doctrine. The vulnerability of launch/range systems to physical, communications and computer security threats involves a major potential for catastrophic launch failures. DoD Space Policy and Defense Planning Guidance require assured access to space and the capability to deter terrestrial threats to our access to space. Range systems security and ground processing, integration and launch requirements are interlinked with mission needs of availability, operability, reliability, maintainability, and responsiveness. EELV program protection and systems security requirements are key elements in the strategy-to-task minimization of current spacelift/space support mission area deficiencies.

EELV must provide the capability to assure access to space through minimization of an economic or political adversary's ability to deny, clone, counter or compromise the effectiveness of U.S. space capabilities in peacetime or war. EELV systems, infrastructure, support systems and interfaces must protect sensitive national security information, operations and technologies, and assure the integrity and availability of critical EELV systems through development, design, test and operation. EELV will meet established survivability, endurability and physical security criteria commensurate with the warfighting missions supported and its security priority designation; provide standard, survivable, secure links with range users; and have a secure system configuration to allow operations across all classification levels.

The EELV system has not yet been defined. Therefore, this plan will require significant updating as the EELV program matures. For example, a specific system description as well as specific essential program information, technologies, and systems (EPITS) will be defined later (TBD) in the acquisition lifecycle, when that information becomes available.

1.1 PURPOSE1.1 PURPOSE
Program protection planning employs a step-by-step analytical process to identify the EPITS information; analyze the threats; determine program vulnerabilities; assess the risks to the EPITS; and apply countermeasures. The PPP is the single-source document to coordinate and integrate all program protection efforts and provide a basis for balancing security countermeasures, security costs, and risks to the system being procured.

1.2 SCOPE1.2 SCOPE
This plan describes the approach for the secure employment of the EELV during systems acquisition through mission operations while denying an adversary access to EPITS. It provides a description of the threat environment, mission, operational system, and secure system capabilities. This concept provides the basis for Air Force implementation of the Secretary of Defense's (SECDEF's) DoD Space Policy, 4 Feb 87, as amended 15 Dec 1992. This document is prepared under authority of DoD Directive 5000.1, DoD Instruction 5000.2, DoD Manual 5200.1-M, and Air Force Policy Directive 31-7.

This PPP is applicable to all program/system developers and operational users of the program. Specifically, that includes all Government agencies, test centers, laboratories, ranges, Contractor, and commercial firms throughout the life cycle of the program.

1.3 ROLES AND RESPONSIBILITIES1.3 ROLES AND RESPONSIBILITIES

1.3.1 PROGRAM DIRECTOR. The Program Director will direct implementation of this PPP and is responsible for its successful completion.

1.3.2 PROJECT OFFICER. The Project Officer (Acquisition Security Manager), will:

- complete the requirements.
- direct the periodic review and update of the PPP prior to each major program decision.
- oversee the integration of the related program activities reflected in the annexes/(appendices).
- direct the preparation/periodic update of the security classification guide.
- direct Program Protection Surveys.
- assure technical conformance with DoDI 5000.2 and DoD 5200.1-M.

1.3.3 CONTRACTORS. The Contractor will implement the provisions of this PPP as specified in their respective contract Integrated Task and Management Plan (ITAMP).

1.4 UPDATES TO THE PROGRAM PROTECTION PLAN1.4 UPDATES TO THE PROGRAM PROTECTION PLAN
This PPP will be reviewed and updated whenever there is a major program change or significant threat change to ensure cost-effective protection. As a minimum, it will be reviewed and updated prior to each new acquisition milestone as required by DoDI 5000.2. PPP surveys will be conducted prior to each scheduled PPP update. Each update will specifically address any EPITS changes, and associated protective countermeasures required to counter new/different threats.

This PPP is to be updated by the Government with Contractor input. These updates are to be based on new information, changes and new requirements.

SECTION IISECTION II

2.0 SYSTEM DESCRIPTION2.0 SYSTEM DESCRIPTION
EELV will be a family of launch vehicles that will launch the National Mission Model currently serviced by Titan II, Delta, Atlas, and Titan IV. EELV will be developed as a system, evolved from current expendable launch systems or components thereof. The system includes the launch capabilities (medium lift variant MLV -- heavy lift variant HLV), infrastructure, support systems, and interfaces. Unique to the development of the EELV system are demonstration flights of two MLVs and one HLV. The baseline system definition has not been defined, and will depend on the concepts of the Contractors who are awarded contracts. EELV will be the DoD's sole source of transportation to orbit for future launch system planners. The system definition will be refined in the Low Cost Concept Validation (LCCV) module and finalized in the Pre-Engineering and Manufacturing Development (Pre-EMD) module. The EELV system description will be updated as information becomes available.

2.1 PROGRAM INFORMATION2.1 PROGRAM INFORMATION

The EELV program is managed by :
Department of the Air Force
Space and Missile Systems Center (SMC/XRV)
2435 Vela Way, Suite 1613
Los Angeles AFB, CA 90245-5500

Program Manager:
GM-15 Robert K. Steele

Program Contracting Officer (PCO):
Maj Clifford Bratten

Program Protection Points of Contact (POC):
Capt Mel Allen, SMC/SDAS, (310)-363-2120, DSN 833-2120
Lt Jeff Ward, SMC/XRV, (310)-363-0859, DSN 833-0859
SECTION IIISECTION III

3.0 ESSENTIAL PROGRAM INFORMATION, TECHNOLOGY, AND SYSTEMS (EPITS) Table IIIA lists the EPITS associated with the program. The list is prioritized in order of the EPITS criticality. This next series of tables are used to identify EPITS and their locations by phase. This listing of EPITS and associated information will be updated by the EELV program office as information becomes available.

Table III A	ESSENTIAL PROGRAM INFORMATION, TECHNOLOGIES AND SYSTEMS (EPITS)
EPITS IDENTIFICATION
EELV

Program Information/Technology/System		Descriptive Nature of Sensitive Item	Form or Format of Sensitive Item
EELV technical information which may be national security or mission critical related.		Information describing a significant technical advance resulting from EELV system development activities directly related to specific DoD classified requirements.
EELV system vulnerabilities.		Vulnerabilities of flight systems and ground systems Method or procedure by which a vulnerability may be exploited Specific conflict levels to which the EELV system must be made survivable to accomplish DoD missions The results of acceptance testing of security provisions or techniques which reveal deficiencies Specific exploitable deficiencies that are intentionally left uncorrected
EELV Communication Security (COMSEC)		Details of the operation, capabilities, or characteristics of cryptologic hardware and material Information/evaluations which reveal the vulnerability of the EELV COMSEC sub-systems and associated storage media The fact that a Technical Surveillance Countermeasures Survey (TSCM) is scheduled or completed on a specific area or date
Table III-B	EPITS CONSOLIDATION BY LOCATION AND PHASE -- TBD
EPITS CONSOLIDATION

SECTION IVSECTION IV

4.0 SYSTEM THREAT ASSESSMENT. (For specific threat information, see the Space Systems Threat Environment Description (TED), dated 29 Oct 93)

Threats to Development

• Collection Activities
• Objective: Obtain Technologies and Mission Requirements Parameters

Human Intelligence

• Little Potential in Design/Acquisition Phase
• Inefficient
• High Threats in Operational Phase

• Considerable Potential in Design Phase
• Aimed at Technology and Program EPITS
• Objective: Obtain Intel on New Technology

• Interception of Acoustic Waves
• Compromise of Payloads

• Threat During Systems Testing
• Interception of Radio Frequencies
• Compromise Payload Mission and Capabilities
• ELINT, COMINT, TELINT and INSTRUMENT

• Considerable Potential in Design Phase
• International Industry
• Objective: Obtain Intel on Design Technology, and Long Range Planning

• Compromise Due to Use of Advocacy
• Literature by USAF and Contractors
• Exposes New Efforts and Technology
• Free Intelligence

• Very Little Potential in Design Phase
• Viable Threat in Operational Phase

• Includes Optical, Electro-optical, Photographic, and Radar Intelligence

• Damage
• Destruction
• Alteration

• Unauthorized Manipulation
• Software Corruption
• Hardware Alteration

• Foreign Intelligence/Economic Adversaries
• Militant Organizations
• Special Forces/Paramilitary
• Terrorists

• Dissident, disgruntled, or disturbed DoD or Contractor personnel having access to launch system elements pose potentially serious threats. While this is not an organized entity with a structured grouping or a common philosophy or motivation, the random activities of such personnel have resulted in damage to DoD facilities worldwide, occasional adverse publicity and adverse effects to DoD acquisition activities. The major consideration for this threat is that total system and security knowledge is often available and access is frequent and official. Tactics normally consist of spontaneous acts to harass or cause inconvenience rather than to destroy or incapacitate facilities/systems.

  Table IV-A	EPITS AT RISK TO COLLECTION BY LOCATION AND PHASE -- TBD
  THREAT ASSESSMENT
  EELV

  List System EPITS Classification EPITS Description			Mode of Collection	Risk Locations	Risk by Module
  					LCCV	Pre-EMD	EMD
  Table IV- B		EPITS COLLECTION RISK CONCENTRATIONS -- TBD
  EELV

  Country	Level of Need	Level of Capability	Level of Indicators	Probability of Collection	Mode of Collection

5.0 CAPSTONE VULNERABILITIES. Espionage activities may be focused on acquiring information from people and published documents, the co-opting of trusted friendly personnel, the clandestine penetration of facilities and the observation and analysis of indicators.
Open source literature searches can reveal new efforts or technology. Open sources include but are not limited to: professional journals, international conferences, university and Government sponsored seminars, public libraries, and computer retrieval services, acoustic wave interception, interception and exploitation of radio frequencies during equipment testing, interception and exploitation of radiated electronic signals.
The program may be vulnerable to the above threats in varying degrees and during specific phases of the program. The following discussion highlights the key vulnerabilities in each module.

1. Low Cost Concept Validation Module: Vulnerability to loss of essential information that has not been protected as national security information, national security-related information, mission critical data, acquisition sensitive or proprietary are considerations. The EELV program may be vulnerable to the following threats:

a) HUMINT d) LITINT
b) Scientific and Technical Intelligence e) Physical Threat
c) Economic

2. Engineering and Manufacturing Development Modules: The heaviest concentration of activity during these modules is at the Contractor locations for hardware and software engineering and manufacturing plus assembly, integration and testing at the launch facility. Critical production facilities and schedules may be vulnerable as well as information about mission requirements. U.S. adversaries will be seeking information about sensor/payload configurations, processing timelines etc. that will enable them to determine information about payload capabilities, replenishment strategies, and mission objectives. The primary vulnerabilities may be associated with satellite operations and ground processing of satellite data. As technologies evolve, they should be protected until a vulnerability assessment is made to determine if they are critical. The EELV program may be vulnerable to the following threats in these modules:

a) HUMINT f) IMINT
b) Scientific and Technical Intelligence g) HUMINT
c) Economic Intelligence h) MASINT
d) Physical Threat i) ACOUSTINT
e) SIGINT

SECTION VISECTION VI

COUNTERMEASURES

6.0 CAPSTONE COUNTERMEASURES6.0 CAPSTONE COUNTERMEASURES
The following security measures may be applied to EPITS to mitigate time-phased vulnerabilities. Protection will be integrated using concepts of the System Security Engineering (SSE) program.

6.1 PHYSICAL SECURITY6.1 PHYSICAL SECURITY
These measures will be applied to assure entry and access controls to sensitive-unclassified and classified information resident in program office, Contractor, and associated civil/Government agency facilities, computer and communications systems. Locations where they are to be applied will be identified in the attached annexes and will incorporate measures of the SSE program. These measures counter primarily the HUMINT and IMINT threats and include the following aspects:

- Barriers
- Entry Control
- Sensors/Sensor Processor
- Surveillance System
- Communications
- Security Force

6.2 PERSONNEL SECURITY6.2 PERSONNEL SECURITY
These measures will verify and promote reliability, trustworthiness, and suitability of personnel working on the program. Locations where they are to be applied will be identified in the attached annexes. These measures counter primarily the HUMINT threat, and include the following primary areas:

- Investigations (Entry)
- Clearances (Access)

6.3 INFORMATION SECURITY6.3 INFORMATION SECURITY
These measures will be applied to prevent unauthorized access/disclosure to classified and sensitive-unclassified essential program information and technologies resident in the program office, Contractor, and associated civil/Government agency facilities, computer and communications systems. Protection of sensitive-unclassified information includes the following:

a. FOR OFFICIAL USE ONLY (FOUO) This designation is for DoD documents which are not classified, but which are exempted from public release under the Freedom of Information Act (FOIA). Even though this is not a security designation per se, integrated protection of the program requires providing for handling FOUO information and promoting FOUO awareness and sensitivity among all DoD and Contractor personnel working on the program. This includes explaining the FOUO designation in the security classification guide.

b. SOURCE SELECTION/COMPETITION SENSITIVE These designations are for documents which contain private information related to contract award. Generally, it includes Contractor proposal information/test data pertaining to Contractor selection. Integrated protection of the program requires provisions for handling source selection sensitive information.

c. PROPRIETARY This is a designation for unclassified Contractor private information of economic value that has not been paid for by the Government, but which may be released on a restricted basis. Integrated protection of the program requires provisions for handling proprietary information.

d. DISTRIBUTION CONTROL STATEMENTS System sensitive-unclassified technical data and acquisition program data will be withheld from public disclosure. All information produced by and for the program will be reviewed for sensitivity and marked with the appropriate distribution limitation statements as required by DoDD 5230.24.

e. COLLECTION THREATS These measures counter all collection threats. Locations where they are to be applied will be identified in the attached annexes and include the following primary areas:

- Classification
- Technology Transfer

6.4 COMMUNICATIONS SECURITY (COMSEC) (AFI 33-201)
These measures will be applied to assure protection of communications systems employed by program office, Contractor, and associated civil/Government agencies which process sensitive-unclassified or classified essential program information. COMSEC complements and supplements PHYSEC, because it effectively extends the physical barrier between two widely separated facilities at a relatively low cost. These measures primarily counter the SIGINT threat. Locations where they are to be applied will be identified in the attached annexes and include the following aspects:

- Encryption
- Electronic Countermeasures (ECM)
- Transmission Security (TRANSEC)

6.5 COMPUTER SECURITY (COMPUSEC)6.5 COMPUTER SECURITY (COMPUSEC)
These measures will be applied to assure controls over computer systems software, hardware and operational procedures processing sensitive-unclassified or classified essential program information/technologies resident in the program office, Contractor, and associated civil/Government agency computer systems. The program will require COMPUSEC to protect classified/sensitive-unclassified research and development information and classified/sensitive-unclassified command and control information. COMPUSEC measures counter primarily the HUMINT and SIGINT threats. Locations where they are to be applied will be identified in the attached annexes and include the following aspects:

- Trusted Systems (DoD 5200.28-STD)

-- Identification and Authentication

-- Accountability

-- Object Reuse

-- Assurance

6.6 OPERATIONS SECURITY (OPSEC)6.6 OPERATIONS SECURITY (OPSEC)
These measures will be applied to identify and protect intelligence indicators of essential program information and technologies resident in the program office, Contractor, and associated civil/Government agency facility, computer and communications systems. The program will require OPSEC to protect sensitive-unclassified information from inadvertent disclosure. Documents containing this information will require FOUO and/or Source Selection Sensitive designations, distribution control statements, and will be exempt from the FOIA. A primary OPSEC aspect, in conjunction with other security countermeasures, is promoting awareness and personal discipline to ensure personnel do not discuss sensitive items such as test schedules, test objectives and EPITS over unsecured telephones. OPSEC measures indirectly counter the HUMINT, SIGINT and IMINT threats. Locations where they are to be applied will be identified in the attached annexes and include the following areas:

- Tactical Deception
- Physical Cover/Concealment
- Location Uncertainty
- Indicator Suppression

Table VI-A	COUNTERMEASURES TO EPITS AT RISK -- TBD
COUNTERMEASURES
EELV

Classification	List System EPITS Description	Mode of Collection	Risk Location	Countermeasures

KEYS/LEGEND

1. MODE OF COLLECTION 2. RISK LOCATIONS COUNTERMEASURES
SECTION VIISECTION VII

Table VII-ATable VII-A	PROGRAM PROTECTION COSTS (IN THOUSANDS) -- TBD
		LCCV	Pre-EMD	EMD
Personnel Costs
Salaries/Overtime
Overhead
Guard Support
Travel
Equipment Costs
STU Equipment
Secure Fax
Equipment Maintenance
Intrusion Detection System
Miscellaneous
Data Requirements Costs
Security Classification Guide
OPSEC Plan
System Security Engineering
PPP
TA/CP
AIS Plan
Service Costs
Security Assistance Visit
Security Survey
Training
Program Protection Survey
Range Costs
Total per FY
TOTAL PROJECTED PROGRAM COST

B. Technology Assessment/Control Plan (TA/CP) -- TBD

C. System Security Engineering Management Plan (SSEMP) -- TBD