Protecting “Critical Program Information” Within DoD

The Department of Defense last week issued new guidelines (pdf) for protecting “critical program information” (CPI), a term that refers to the most sensitive technology information in DoD research, development and acquisition programs.

CPI consists of those program elements “that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability.”

CPI “includes technology that would reduce the US technological advantage if it came under foreign control.”

“It is DoD policy… to provide uncompromised and secure military systems to the warfighter by performing comprehensive protection of CPI.”

The new CPI instruction, issued by James. R. Clapper, Jr., the Under Secretary of Defense for Intelligence, updates and expands upon a prior directive (pdf) from 1997.

Among the interesting changes adopted in the new instruction is an increased role for security oversight by the DoD Inspector General, who is called upon to “develop a uniform system of periodic inspections” to ensure compliance with CPI protection requirements, and to “publish an annual report of significant findings, recommendations, and best practices.”

Though it is not specifically addressed in the new instruction, the use of agency inspectors general to conduct oversight of classification and declassification activity is the single most promising near-term option for augmenting oversight of the government secrecy system. Increased IG oversight of CPI may serve as a useful precedent for validating the IG’s capacity to perform that function and advancing its classification oversight role.

See “Critical Program Information (CPI) Protection Within the Department of Defense,” DoD Instruction 5200.39, July 16, 2008.