Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

Center Spotlights Critical Information

A U.S. Army organization is changing the way information is protected by embedding personnel and assessment processes into research and development programs. The center works with researchers to put security procedures in place by helping program managers identify and safeguard vital data. But protecting that information is challenging because it often is difficult to determine what is and is not sensitive material.
By Henry S. Kenyon, SIGNAL Magazine

 

The U.S. Army Research and Technology Protection Center (ARTPC) originally was founded to identify and protect critical technologies associated with the Future Combat Systems (FCS) program. The ARTPC since has expanded its mandate to help program executive offices and program managers protect other Army information.

Army organization develops, supports standards for managing and securing vital research.

A U.S. Army organization is changing the way information is protected by embedding personnel and assessment processes into research and development programs. The center works with researchers to put security procedures in place by helping program managers identify and safeguard vital data. But protecting that information is challenging because it often is difficult to determine what is and is not sensitive material.

The Army Research and Technology Protection Center (ARTPC), Crystal City, Virginia, assists program executive officers and program managers to identify critical program information and helps them decide how to protect it, says Richard Henson, chief, ARTPC. It officially opened its doors in 2002 with the initial mission of protecting the technologies being developed for the Army’s Future Combat Systems (FCS) program.

Henson explains that in 2000, then Army Chief of Staff Gen. Eric Shinseki, USA, commissioned a report about security that identified the need for the coordination of security efforts. “A lot of people were working on it [security], but there was no one place where it either all came together or where it was all visible,” he says. As a result, the Army created the ARTPC as a center of excellence to focus on research and technology protection activities.

In its early days, the ARTPC supported the FCS by identifying and defining crucial program information as well as ways to protect it. The challenge was conducting these processes in a systemic manner. While policies existed that required program managers to identify critical technologies and to develop a protection plan, no specific criteria existed to identify or define critical program information. Deciding which technologies to protect was up to the program manager’s discretion, Henson notes.

To address this problem, the ARTPC developed a standardized process so that the Army could uniformly identify and protect vital data. When the center’s process was applied to programs, it revealed that some managers either were unaware that they had critical technologies present or erroneously thought that vital information was present.

The center has two types of technology specialists who support Army programs: technology protection engineers and program protection architects. These experts work together and address different sides of the technology identification and classification process.

Technology protection engineers are embedded into major Army research and development efforts and work directly with program managers. The engineers identify a program’s critical technologies and seek a balance between security and information sharing concerns. However, the average intelligence, counterintelligence or security specialist does not have the language set to interview researchers properly. “When you talk to engineers, you need to have an engineering understanding,” he declares. So, to complete a security analysis, ARTPC calls in program protection architects. These individuals have security and intelligence backgrounds and are paired with the technology protection engineers to examine any technology for security and classification requirements.

To facilitate technology identification, the ARTPC developed a standard process, which Henson describes as a discussion tool. It leads an integrated process team through a conversation about a technology to ascertain if there is critical program information present, and if so, to determine what it is. “That’s the bread and butter of what we do—helping the program manager meet his or her requirement to identify critical program information, and to do it in a standard method,” he remarks.

Once critical program information is identified, the ARTPC’s program protection architects become more involved in helping a program manager develop specific protection plans. If a program requires particular approaches to technology protection, the center’s specialists can identify and recommend methods.

Because security engineers are positioned at the center of a program, they often can identify and suggest requirements and methods to the busy program managers who are focused on other matters, he says. In addition, program managers many times do not have the staff to connect with the intelligence community to acquire the necessary threat documentation or to reach out to other communities to receive advice and make informed decisions. “In a lot of these instances, one of the very first things you look at is the classification. If it is classified, do you have a security classification guide? Is it up to date? Is it good? Does it really address what you need to? And if the answer to any of those questions is no, then we have the ability to step in and help them,” he says.

Protecting critical information in research and development programs involves several methods. The first step is classifying information. While government personnel are very good at classifying critical data, accurately making that determination can be difficult. To tackle this issue, center staff members developed guidelines for Army managers to determine more efficiently which technologies to classify, Henson says.

Some measures are as simple as not posting certain information on a program Web site. “If somebody comes and asks for it [information], and they have a legitimate reason for wanting it, there’s no reason not to give it to them. But that doesn’t translate to ‘must put out for everyone in the world to see,’” he explains.

The age of a program or technology is another consideration because what may be sensitive at the beginning of a research effort may not be considered sensitive as it progresses. In a program’s early developmental stages, some technologies may be revolutionary. However, “when you field a piece of technology, it’s almost compromised at that point. The challenge is not to let that cat out of the bag any sooner than you have to,” Henson notes.

Categorizing material that does not meet government classification requirements but is still considered important is more difficult. “Sometimes protecting things is as simple as being aware that you have them, so that when you start dealing with a situation where a foreign government says, ‘I would like that or I would like to know about that,’ you can then make an educated decision as to whether or not you want them to know about it,” he says.

The Army’s research and development programs have a number of technologies that, while not classified, are restricted and cannot be shared with or sold to foreign governments. Other programs have distribution controls designed to limit access to individuals with a valid need to know specific requirements. Henson notes that the need-to-know aspect is a protection measure itself. “Not everyone in the world needs to be told there’s critical program information on a microchip. You simply have to say, ‘This is how you have to protect this chip,’” he explains.

Another challenge in protecting technology is consistency; programs must strike a balance between sharing information and protecting it. One of the ARTPC’s major successes is horizontal protection, which applies a uniform standard across the entire U.S. Defense Department. Henson maintains that it is a waste of taxpayers’ money when the services protect the same technology in different ways. “Very little technology that the Army is using is unique to the Army. Other services are using it, and in many instances it’s dual-use technology with the civilian sector,” he says.

To achieve horizontal protection, the ARTPC and the Office of the Secretary of Defense, Undersecretary of Defense for Acquisition, Technology and Logistics (AT&L), are developing an acquisition security database. This program creates a single place in which the acquisition, protection, security and counterintelligence communities can see what technologies are being protected and the methods for their defense. Henson believes that the database will save the services and individual programs time and resources by preventing duplication of efforts while learning from previous mistakes and successes.

In 2008, the AT&L and the services came together to develop a standard method to identify critical program information across all of the Defense Department’s acquisition entities. The ARTPC is involved heavily in this process. Henson considers it another of the center’s success stories. The ARTPC joined the effort with a template that enabled the department to develop a standardized technology identification and classification process that now is ready to deploy across the entire organization and the services, he says.

The ARTPC also is responsible for implementing the Defense Department’s Instruction 5200.39, which sets guidelines for protecting critical program information. Center personnel helped develop the guidelines and are assisting in their implementation across the Army.

Henson notes that when the ARTPC and the services came together to develop these Defense Department-wide guidelines, the services had their own sets of program principles. However, the center’s rules had been used more than 600 times, so it was able to leverage its experience and demonstrate how these processes helped craft policy. “We had a lot of data to go with it to say, ‘here’s what worked and here’s what didn’t,’” he says.

In the past 18 months, the center has undergone a major structural change. When the ARTPC was founded, Henson was the only government employee; his staff comprised contractors, many who worked for QinetiQ North America. Today, however, the ratio has shifted: the center has 20 civilian government employees and 11 contractors.

Changing the composition of the staff has affected the ARTPC’s capacity. Henson explains that Defense Department auditing found major shortcomings in implementing countermeasures and oversight. Now, as an organization with government personnel, it can assume different responsibilities. For example, it can become involved in the oversight and enforcement of policy, which it could not do as an organization that employed mostly contractors.

The ARTPC is in the process of examining its options to enter this effort. “If it is appropriate that the ARTPC become involved in that, what would our position be and how would we do that?” he asks.

Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA