NASA Project Management Challenge
1. National Aeronautics and Space Administration
NASA Project Management Challenge 2009
Effective PM Response for Protecting NASA’s Mission
Critical Technologies in a Growing Threat Environment
Terry E. Odum, CPP (1, †); Ryan Averbeck (2, †); G. A. Gaddy, Ph.D. (2)
1. NASA Marshall Space Flight Center, Huntsville, AL
2. Concurrent Technologies Corporation, Huntsville, AL
† Presenter
25 February 2009
2. Why Technology Protection? – Advantage
There is a strong symbiotic relationship
between space research and national
security…We've worked too hard and
accomplished too much, to willfully forfeit our
leadership in space. Let's make the necessary
adjustments to maintain our supremacy. Our
future depends on it.
Kay Bailey Hutchison
Member of the Senate Commerce, Science and Transportation, and Appropriations Committees
Special Section: Defense & Aerospace
October 2007
3. Protection Needs Assessment
We asked ourselves…
• Do NASA and its industrial base develop state-of-the-art systems and
technologies that are of strong interest to other countries?
• Is the risk of loss or compromise to NASA’s technologies growing?
• Could the loss impact mission success, reputation, or national security?
• Is a process in place to assist the PM in effectively managing security risks?
ESMD addressed these questions by piloting a system protection program
• Tailored for NASA after gleaning the “best of breed” approaches,
methodologies and techniques from DoD protection programs.
The need to implement a systematic protection process may never be greater
4. Policy Guidelines –
Cohesive Implementation Strategy Is Needed
• NPR 1600.1, NASA Security Procedural Requirement: Chapter 8 Program Security
• NPR 7120.5D, NASA Space Flight Program and Project Management Requirements: Section 3.13
• NASA/SP-2007-6105, NASA Systems Engineering Handbook: Appendix Q
• NPR 8000.4, NASA Risk Management Procedural Requirements: P.1; 2.6.1
• NPR 1660.1, NASA Counterintelligence Policy: Para 2.10
• NPR 2810.1A, Security of Information Technology: Preface P.1
• NPR 2190.1, NASA Export Control: P.1 Chapter 2
Referenced policies all serve to provide national level security guidance.
5. Why Technology Protection? - The Threat
The targeting and theft of U.S. innovation has significant dire effects on our nation.
• The Chamber of Commerce estimates 750,000 jobs lost annually due to the theft of innovation
• The Department of Justice estimates the loss of research and technology costs U.S. companies as much as $250 billion annually
• The National Counterintelligence Executive (NCIX) estimates the loss associated with foreign espionage directed at the U.S. to be $300 billion and rising
NASA is a world leader in innovation, and thus, a highly targeted organization.
Exploitation of cyberspace to attempt to gain access to space systems technologies and
information is growing exponentially and requires constant diligence.
6. Why Now?
What is the national priority at this time?
• President’s Vision for Space Exploration directed NASA to design and build
systems and infrastructure to return the nation to the Moon, Mars, and beyond.
• Exploration Systems represent NASA’s future and one of its highest priorities.
• Under the “10 Healthy Centers” concept, all ten (10) NASA Centers have
Exploration Systems Work Assignments.
• The Constellation architecture involves new systems, technologies, tooling and
equipment, and manufacturing processes that may provide the U.S. a
technological advantage.
• National Space Policy states that the U.S. will take those actions necessary to
“protect its space assets”.
Recently completed counterintelligence threat products address specific threats to NASA research, technologies, and
programs. Contact your Center Security or Counterintelligence Office for availability.
7. The ESMD Model
The Technology Protection Working Group (TPWG)
Multi-discipline Agency-wide forum with the core skills necessary for
managing security risks on major high priority programs / projects
Facilitates Technology Protection Program planning and implementation:
Assists the PM in identifying Mission Critical Information
Enhances operational readiness and mission success
Protects national security interests against threats
Prevents unauthorized disclosure of sensitive information
Helps maintain the U.S. technological advantage in Space
Ensures the proper horizontal protection of inherited technologies from
DoD and other government entities
TPWG processes and recommendations do not hinder the authorized sharing of NASA information. The
process is designed to quickly and precisely identify the information requiring protection.
8. Technology Protection Program Full Integration
NPR 7123.1A, NASA Systems Engineering Processes and Requirements
Purpose:
The stakeholder expectations definition process is used to elicit and define use cases, scenarios, operational concepts, and stakeholder expectations for the applicable product-line life-cycle phases and WBS model. This includes requirements for:
a. operational end products and life-cycle-enabling products of the WBS model;
b. expected skills/capabilities of operators or users;
c. expected number of simultaneous users;
d. system and human performance criteria;
e. technical authority, standards, regulations, and laws;
f. factors such as safety, quality, security, context of use by humans, reliability, availability, maintainability, electromagnetic compatibility, interoperability, testability, transportability, supportability, usability, and disposability;
g. local management constraints on how work will be done (e.g., operating procedures)
Technology Protection Working Group Charter
Goal:
“The goal of the TPWG is to assist Program Managers in the identification and protection of Mission Critical Information (MCI) generated by the research, development and acquisition communities that provides and maintains NASA’s competitive advantage in Space.”
This includes requirements for:
a. identifying MCI in the WBS model
b. operational protection end products and life-cycle-enabling protection processes of the WBS model
c. performance criteria for protection
d. technical authority, standards, regulations, and laws with respect to protection/security
e. security factors (vulnerability and threat)
f. local management constraints on how protection will be implemented (e.g., operating procedures)
The TPWG mitigates program security risks, improves the efficiency of the protection program, reduces
regulatory compliance costs, and streamlines security operations.
9. Protection Products
Full Range of Tailored Security Product Offerings Include…
• Security Management Plan
• Technology Assessment and Control Plan (TA/CP)
• Export Control Plan
• Security Surveys
• Security Trade Studies
• Threat & Vulnerability Reports
• Counterintelligence Surveys
• TP Process Assurance Maps
• Security Classification Guide
• Life-cycle Cost Analysis
• Transportation Security Plan
• Preliminary System Security Concept
• Systems Security Authorization Agreement for IT Systems
• Mission Critical Information Assessment (MCIA)
10. Protection Services
Comprehensive Set of Security Services to Include…
• Security Requirements Definition
• Security Policy Reviews
• Threat & Vulnerability Analysis
• Protection and Mitigation Planning
• Multi-Center/Multi-Agency Coordination
• Industry Partner Security Interface and Performance Monitoring
• International Cooperation Interface
• Secure Communications Planning
• Risk Management and Decision Support
• Export Control Guidance
• Information Technology Security/Information Protection Coordination
• Technology Protection Working Group Facilitation
• Education & Awareness (e.g., SBU)
• Counterintelligence Support
11. TPWG Organization Structure
[Organization chart. Labels: Exploration Systems Mission Directorate (ESMD) Associate Administrator; Directorate Integration Officer; Office of Security and Program Protection (OSPP) Assistant Administrator; Technology Protection Working Group Chair; CxP Management; ACD Management; Center Management; OCIO, S&MA, Export, etc.; Program TPOs; Center TPOs; Center IPOs; ESMD RM; Counterintelligence; Center security; Industry partners; Scientists; Engineers; Program Protection; Technology Trending; System Security Engineering; Threat and Vulnerability; Horizontal Protection; Policy Compliance; Program, Project, Element, System, Component (“Complex System”); Distributed Organizations; Implementation, Technology, Policy, Information, Execution.]
12. TPWG NASA Representation – Full Integration
Constellation Program fully engaged
Scientists and engineers supported
Ares I and Orion Technology Protection Portfolios 70% complete
“Ten healthy Centers”
14. ESMD TPWG Community of Practice (CoP)
Oversight by ESMD Directorate Integration Office
Community in excess of 60 active members
Risk Managers, Engineers, Export Officials, Security
Industry partners
15. Technology Protection Program IPT
[Figure: Technology Protection Program IPT diagram. Legible labels: ESMD; Center Chiefs of Security; NASA Office of Security and Program Protection. The remaining labels are not legible in this copy.]
16. ESMD Technology Protection Program Model
[Figure: program model diagram. Labels: CI; Program; Project; TPWG; TPO; IPO; MCI; Information Protection; Information Technology Security.]
17. What is Mission Critical Information (MCI)?
NASA information related to research, technologies, projects, programs,
or systems that, if released outside established protocols, could:
Significantly affect NASA resources, requiring additional research, development,
tests, or evaluation to overcome the adverse effects of unauthorized releases
- and / or -
Significantly reduce the performance or effectiveness of NASA research, projects,
technologies, programs, or systems
- and / or -
Have a significantly adverse effect on the United States’ advantage in space and
other current and emerging technologies
With a multitude of technologies and systems under review, the definition of significant will be specific to each
potential MCI during an assessment, with a basis of concepts such as Evolutionary/Revolutionary, State-of-the-
Art (SOA) vs. State-of-the-World (SOW), and specific impacts to NASA’s programs and missions.
18. Technology Protection Program Full Integration
[Figure: two panels, “The TP Program Model” and “The TP Program Team”. Legible labels: CI; Program; Project; TPWG; TPO; IPO; MCI; Information Protection; Information Technology Security; ESMD; Center Chiefs of Security; NASA Office of Security and Program Protection.]
The NASA TP Program model works because of the MCI team’s understanding of the Program’s cost, schedule and
performance drivers. The technology protection team is respectful of the NASA mission, history and culture.
These characteristics are the key to minimizing the impact on the Program schedule and are one of the
reasons for the Program’s success.
19. MCI Assessment Participants
[Diagram. Labels: PM; PM Selected Project SMEs (as needed); TPO; Mission Critical Information Assessment Team; TPWG Oversight (Counterintelligence, IA, IT, security, etc.).]
Mission Critical Information Assessment Team
• Team of scientists, engineers, and security analysts
• Technical connection with NASA Program personnel
• Recommends MCI for PM consideration
• Develops and delivers all associated documentation (Technology Protection Portfolio)
• Collaborates with the Security and Intelligence functions of the TPWG team
20. MCI Assessment NASA Personnel and Contributions
NASA Scientists and Engineers
MCI Project/Element Manager
Protective Services (OSPP)
21. Technology Protection Cycle
[Cycle diagram. Labels:
P1: Discovery Activities; Assessment Preparation; Technical Discussions; Technical Discussion Analysis; MCI Confirmation
P2: Initiate NASA TVA Process; Initiate Controls
P3: Evaluate Vulnerabilities
P4: Perform Risk Analysis; Select Final Controls
P5: Develop Protection Plan; Develop Implementation Plan
Annotations: Requires NASA Program Level Decision; Continuously; Periodically.]
22. Technology Protection Program Full Integration
[Figure: NASA Project Life Cycle. Source: NASA Systems Engineering Handbook, page 20, December 2007]
*MCI re-assessments performed as required
Technology Protection Activities:
• MCI review
• MCI assessment completion
• Identify initial controls and threats
• Identify vulnerabilities and validate threat
• Final controls selection / continuous risk management
23. Technology Protection Phases and Associated Activities
P1 - MCI Assessment
• Element Technology Information gathering and review
• Conduct technical discussions with scientists, engineers, security, and CI professionals
• Reach back to contractor teammates scientists and engineers as necessary
• MCI and information requiring controls identified
• Immediate controls placed on information as required
P2 - Initiate TVA
• Determine adversary intent and capability to exploit technology
• Determine facilities, personnel (government and contractor, US and foreign), components where MCI resides
• Implement initial transparent controls
P3 - Evaluate Vulnerabilities
• Review final (element specific) threat product
• Determine threats to MCI in programs, facilities, systems, components, and personnel
• Prioritize vulnerabilities of MCI
• Adjust initial controls if necessary
P4 - Risk Analysis
• Determine impact on NASA if exploitation occurs
• Determine appropriate / acceptable level of risk based on risk analysis
• Develop controls which mitigate risks and bring risk into “acceptable” limits
P5 - Protection Implementation
• Utilize security “best practices” (trade studies, etc.)
• Implement cost effective and efficient controls
• Continuously monitor and improve the protection process
• Ensure improvements are documented and considered for implementation
Products:
• MCIA Report, Significant Issues Report: Portfolio Sections I - V
• Initial Controls: Portfolio Section VI
• Final Controls Report: Portfolio Section VII
• Implementation Plan: Portfolio Section VIII
24. Element, Project, Technology Protection Portfolios
Section I: Program Management Technology Protection Process Brief
This brief provides an overview of the NASA Technology Protection (TP) Process. This overview includes key participants, defines key terminology, outlines the phases of the TP Process and provides details of the products from the various phases of the TP Process.
Section II: Technology Protection Process Execution Plan (EP)
This plan describes in detail the TP Process phases and associated documentation. The plan also provides a schedule, personnel selected by the Element Manager (EM), and NASA TP Program points of contact.
Section III: Scientist and Engineers Technology Protection Process Brief
This brief provides an overview of the NASA TP Program and outlines the roles and responsibilities of the scientists and engineers identified by the EM. The brief also presents the initial results of the discovery phase of the TP Process.
Section IV: Mission Critical Information (MCI) Technical Discussions Results Brief
This brief provides the EM MCI recommendations from the Technology Protection Working Group (TPWG) based on the analysis of the technical discussions with Element scientists and engineers.
Section V: Mission Critical Information Assessment Report (MCIA-R)
This report documents the EM determination of MCI. The report also provides detailed information about Element MCI and highlights any significant issues identified during the TP Process.
Section VI: Initial Controls Report (ICR)
This report documents the TPWG recommendations for initial Element controls to immediately enhance the protection of MCI based on the baseline threats to the Element MCI. The report also includes Element general threat awareness.
Section VII: Final Controls Report (FCR)
This report contains the NASA Headquarters Counterintelligence (CI) validated threats to Element MCI, vulnerability analysis, and TPWG recommended final controls based on the level of risk acceptable to the EM and metrics obtained from the initial controls selected in the ICR.
Section VIII: Implementation Guidance
This document provides recommendations to the EM detailing the manner in which the EM selected final controls may be implemented. This guidance is focused on the MCI only.
26. The Information Dilemma
Need to Share
• Desire / need to publish
• Mandate to collaborate
• International partnerships
National Aeronautics and Space Act of 1958 calls for the widespread dissemination of newfound technologies to the public.
Need to Protect
• Department of Commerce
• Department of State
• National Security
National Space Policy, 2006, states that space capabilities are vital to the Nation’s interests and the U.S. will “take those actions necessary to protect its space capabilities.”
27. ESMD Technology Protection Program To-date
On center activities
Planned center activities (< 6 months)
Planned center activities (> 6 months)
28. Technology Protection Program Full Integration
Pilot Program (Years 1-2): Program Development; Ares I; Orion
Year 3: Lunar Lander; Extravehicular Activities; Program refinement
Year 4+: Ares V; Science and Technology Elements; Systems Integration Elements
33. Horizontal Protection and Awareness of NASA MCI
Element SM US
MCI 1 2 3 4 5 6 7
Location A B C D E F G H I J K L M
Threat
35. Horizontal Protection and Awareness of NASA MCI
Element SM US
MCI 1 2 3 4 5 6 7
Location A B C D E F G H I J K L M
Threat α β γ δ
45. Technology Protection Program Benefits to the PM
Increased Project Manager Control
• Puts PM in control of Technology Protection process
• Program specific tailored execution plan
• Programs will be proactive instead of remaining reactive
• Function is responsive to the Program
• Real time Technology Protection status and metrics
• Not an audit or inspection
Increased Value
• Multi-disciplinary team of unbiased subject matter experts
• Extremely useful products (TP Portfolio with 8 sections) which are
100% consistent with existing NPR and other policy requirements
• Horizontal aspects
Communication
Integration
Protection resulting in consolidated ESMD MCI List
• Team develops all Technology Protection related documents
Coordinating with all relevant Program, Center, Directorate,
and NASA HQ Technology Protection stakeholders
46. Results Oriented
We Moved From… → …To
Not Knowing Program Expectations and Security Needs → Direct PM Involvement and Decision Making
Minimal Direct Security Staff Involvement w/ Projects → Cohesive Team w/ Core Security Competencies
No candidate program security risks → Implementation of Security Risk Management; Mitigation of two Top Directorate Security Risks
Inconsistent Adherence to Security Policy and Practices → PM approved comprehensive Security Management Plan
“Reactive” Security Response to Projects → “Proactive” Security Response/Results Oriented
Negligible Program Workforce Security Awareness → Greater Employee Security Awareness, online education tools, and quality briefings
Minimal Understanding of Threats directed at NASA → Current Program Threat Assessment
No Process to Determine Mission Critical Information → Model Process for Determining MCI
Few Quality Security Products → Multiple High Quality Security Products
No Cross-cutting Communications → Established Integrated Product Team (IPT)
No overall Program Protection Strategy → Protection Strategies Designed to Ensure Success
TPWG is the controlling element of a Closed-Loop Security System
47. Acronyms
ACD -
CI - Counterintelligence
CoP - Community of Practice
CPP - Certified Protection Professional
CxP - Constellation Program
DIO - Directorate Integration Office
EP - Execution Plan
ESMD - Exploration Systems Mission Directorate
FCR - Final Controls Report
HQ - Headquarters
IA - Information Assurance
ICR - Initial Controls Report
IPO - Information Protection Officer
IT - Information Technology
MCI - Mission Critical Information
MCIA - Mission Critical Information Assessment
MCIA-R - Mission Critical Information Assessment Report
NCIX - National Counterintelligence Executive
NPR - NASA Procedural Requirements
OCIO - Office of the Chief Information Officer
OSPP - Office of Security and Program Protection
RM - Risk Manager
S&MA - Safety and Mission Assurance
SM - Service Module
TBD - To be determined
TP - Technology Protection
TPO - Technology Protection Officer
TPWG - Technology Protection Working Group
TVA - Threat and Vulnerability Assessment
US - Upper Stage
WBS - Work Breakdown Structure
49. When Technology Protection? Earlier the better…
[Figure: Capability versus Time, with a “Linear progress” curve and an “Accelerated progress” curve reaching the Desired Capability at X and Y (X >> Y). Annotations: “We are here…..”; “But on this track? Or, on this track?”; “Capability / maturation level when initial implementation of TP is too late”. Source: http://www.foresight.org/UTF/Unbound_LBW/chapt_4.html]
50. CxP Security Documentation Tree
[Document tree. Labels:
Program Plan, CxP 70003
• A1: Needs, Goals & Objectives
• A2: Integrated Master Plan
• A3: Acquisition Plan
Program-level documents
• Systems Engineering Management Plan (SEMP), 70013
• Cx Architecture Requirement Document (CARD), 70000
• Safety, Reliability & Quality Assurance Plan (SR&QA), 70055
• Program Management Plan (PMP), 70070
• Risk Management Plan (RM), 70056
• Management Systems Plan (MSP), 70072
• Architecture Description Document (ADD), 70077
Security documents
• CxP 70070-ANX05 Security Management Plan (SMP)
• CxP 70170 - Functional Security Requirements (Formerly SMP Book 1)
• CxP 70171 - Information Technology Security Architecture (Formerly SMP Book 2)
• CxP 70070-ANX05-03 - SMP Book 3: Information Systems Contingency Planning & Security Reporting
• CxP 70070-ANX05-04 - SMP Book 4: Technology Protection Program Plan (TPPP)
• CxP 70070-ANX05-05 - SMP Book 5: Emergency Response & Continuity of Operations Plan (COOP)
Project Plans
• Orion
• Ares
• Mission Operations (MO)
• Ground Operations (GO)
• EVA Systems (ES)
• Lunar Surface Systems
• Altair]
51. Technology Protection Program – The Early Days
• Focused on the “bigger picture” – broader national perspective
• Performed an early Gap Analysis to determine in-place vs. desired end state for security
• Identified and applied security Lessons Learned from past NASA and DoD programs
• Heavily leveraged use of institutional security support, thus gaining PM backing
• Tracked the program “flow of events” to establish what issues are most important to attack first
• Recruited team players; valued all contributions
• Brought energy, intensity, and a creative new approach to security planning
• Took small steps over time and quietly overcame objections or obstacles
• Established a holistic approach for prioritizing security goals based on mission objectives
• Leveraged use of in-house (no cost) software tools to enhance efficiency
Building future capability and gaining respect from within the intelligence and DoD communities
52. Benefits/Value
• Customer Focused – better able to satisfy most urgent ESMD security needs
• Early life-cycle Planning – so that resources can be applied and managed; early
discovery and resolution of problems
• Maximum Flexibility – encourage creative problem solving
• Event Driven – to ensure security product maturity is incrementally demonstrated,
i.e., response to key decision point / critical milestone reviews
• Multi-disciplinary Teamwork – Synergy: right people at the right place and at the
right time to make timely decisions
• Seamless Management and Communication Tools – to ensure teams have all
available information, i.e., risk management tool, community of practice, etc.
• Proactive Risk Identification – rapid reduction of risk/uncertainty
Technology Protection must demonstrate a Return on Investment