Apparatus and method for providing program protection engineering, security management, and report preparation for sensitive and classified projects

US 20070186283A1
Filed: 02/06/2006
Published: 08/09/2007
Est. Priority Date: 02/06/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus for providing program protection engineering, security management, and report preparation for sensitive and classified projects, comprising:

a program protection engineering (P2E) toolkit, comprising;

a core architectural module that provides internal navigational controls, standard style sheets, and standard color palettes, database connectivity, text string functions, date functions, encryption and decryption algorithms, user, permission functions, hidden data value transfer functions, window functions, table handling functions, floating menu handling functions, combo box and list box functions, frame functions, menu functions, image functions, document and report functions, sorting functions, and password validation functions;

a program information module that provides information on a user specified acquisition program, wherein the user specified acquisition program includes technical components and programmatic components;

a timeline module that provides and displays a timeline of the user specified acquisition program;

a system deconstruction module that identifies the technical components that need security protections using questionnaires directed to the technical components;

a system programmatics module that identifies the programmatic components that need security protections using questionnaires directed to the programmatic components;

a questionnaire module that presents questionnaires to determine factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each technical component and each programmatic component that need security protections; and

a report module that provides a report based on user specified reporting requirements of the user specified acquisition program.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method using a program protection engineering (P2E) toolkit to provide program protection engineering, security management, and report preparation for sensitive and classified projects. The P2E toolkit is an implementation of security policies, procedures, and methodologies associated with acquisition programs. Acquisition programs may range from large-scale classified systems for the government to sensitive corporate acquisition programs focusing on company proprietary or intellectual property issues. Specifically, the P2E toolkit provides end-to-end program protection engineering, security management, and report preparation for sensitive and classified programs throughout the program lifecycle, and assists security professionals and program managers to make appropriate decisions to protect their acquisition programs from compromise due to foreign intelligence threats or corporate/industrial espionage. The P2E toolkit enhances the traditional program management concerns of technical performance, schedule, and cost, by adding lifecycle protection as in integral component.

Citations

51 Claims

1. An apparatus for providing program protection engineering, security management, and report preparation for sensitive and classified projects, comprising:
- a program protection engineering (P2E) toolkit, comprising;
  
  a core architectural module that provides internal navigational controls, standard style sheets, and standard color palettes, database connectivity, text string functions, date functions, encryption and decryption algorithms, user, permission functions, hidden data value transfer functions, window functions, table handling functions, floating menu handling functions, combo box and list box functions, frame functions, menu functions, image functions, document and report functions, sorting functions, and password validation functions;
  
  a program information module that provides information on a user specified acquisition program, wherein the user specified acquisition program includes technical components and programmatic components;
  
  a timeline module that provides and displays a timeline of the user specified acquisition program;
  
  a system deconstruction module that identifies the technical components that need security protections using questionnaires directed to the technical components;
  
  a system programmatics module that identifies the programmatic components that need security protections using questionnaires directed to the programmatic components;
  
  a questionnaire module that presents questionnaires to determine factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each technical component and each programmatic component that need security protections; and
  
  a report module that provides a report based on user specified reporting requirements of the user specified acquisition program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The apparatus of claim 1, wherein the P2E toolkit further comprises:
    - an observable notebook module that provides information and manages operational security concerns; and
      
      a toolkit administrative module that manages user accounts and user permissions.
  - 3. The apparatus of claim 2, wherein the observable notebook module identifies and monitors operational security (OPSEC) observables.
  - 4. The apparatus of claim 2, wherein the toolkit administrative module provides login and password control and is capable of creating a new user specified acquisition program, opening an existing user specified acquisition program, and managing the P2E toolkit.
  - 5. The apparatus of claim 1, wherein the P2E toolkit copies variables from a master database to a program specific database, wherein the variables include phase groups, phases, milestones, protection activities, and report templates for the user specified acquisition program.
  - 6. The apparatus of claim 1, wherein the timeline module provides a graphical display of timeline charts, milestones, and protection activities of the user specified acquisition program.
  - 7. The apparatus of claim 1, wherein the timeline module provides a specification of start, end, and completion dates for milestones and activities of the user specified acquisition program.
  - 8. The apparatus of claim 1, wherein the timeline module provides a notification of overdue milestones and activities of the user specified acquisition program.
  - 9. The apparatus of claim 1, wherein the timeline module enables the user to modify milestones and activities in the timeline module.
  - 10. The apparatus of claim 1, wherein the timeline module enables the user to create multiple timelines for the insertion of new technology in the timeline module.
  - 11. The apparatus of claim 1, wherein the system deconstruction module provides a breakdown tree structure for identification of critical technical components.
  - 12. The apparatus of claim 11, wherein the system deconstruction module uses questionnaires for each node in the breakdown tree structure.
  - 13. The apparatus of claim 12, wherein the questionnaires are selected from a group consisting of system programmatics, criticality assessment, Gray Zone issues, eligibility determination, classification level determination, sensitive compartmented information (SCI) determination, identification of countermeasures, and assessment of residual risks.
  - 14. The apparatus of claim 1, wherein the system programmatics module provides operational support for the user specified acquisition program, including support for budget, contractor relationships, technical methods and plans, training, maintenance, and testing issues.
  - 15. The apparatus of claim 14, wherein the system programmatics module uses questionnaires for each issue in the system programmatics module.
  - 16. The apparatus of claim 15, wherein the questionnaires are selected from a group consisting of system programmatics, criticality assessment, Gray Zone issues, eligibility determination, classification level determination, sensitive compartmented information (SCI) determination, identification of countermeasures, and assessment of residual risks.
  - 17. The apparatus of claim 1, wherein the questionnaire module contains a ruleset to determine an order for presenting questionnaires to the user.
  - 18. The apparatus of claim 1, wherein the report module provides reports with a paragraph layout and reports with a tabular style.
  - 19. The apparatus of claim 1, wherein the report module enables the user to configure a report structure to accommodate specific customer requirements.
  - 20. The apparatus of claim 1, wherein the report module generates a rich text format (rtf) file.
  - 21. The apparatus of claim 1, wherein the report module generates an extensible markup language (XML) file for security classification guides (SCG).
  - 22. The apparatus of claim 1, wherein the core architectural module is capable of incorporating modules developed at a future time.

23. A method for providing program protection engineering, security management, and report preparation for sensitive and classified projects, comprising:
- enabling a user to login to a program protection engineering (P2E) toolkit;
  
  enabling the user to specify an acquisition program, wherein the acquisition program includes technical components and programmatic components;
  
  copying variables from a master database to a program specific database, wherein the variables include timeline phase groups, phases, milestones, protection activities for the specified acquisition program, and templates for required report documents;
  
  providing and displaying a timeline of the specified acquisition program;
  
  identifying the technical components that need security protections;
  
  identifying critical technical components using questionnaires directed to the technical components;
  
  determining factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each technical component that needs security protections;
  
  identifying the programmatic components that need security protections;
  
  identifying critical system programmatics components using questionnaires directed to the programmatic components;
  
  determining factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each programmatic component that needs security protections; and
  
  providing reports based on timeline phase and specific acquisition program reporting requirements.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 24. The method of claim 23, wherein the P2E toolkit comprises modules including a core architectural module, program information module, a timeline module, a system deconstruction module, a system programmatics module, and a report module.
  - 25. The method of claim 23, further comprising using a system deconstruction module to identify the technical components that need security protections.
  - 26. The method of claim 23, further comprising using a system programmatics module to identify the programmatic components that need security protections.
  - 27. The method of claim 23, further comprising:
    - providing an observable notebook to identify, track, and manage operational security issues throughout an acquisition lifecycle; and
      
      providing a toolkit administrative module to manage user accounts and toolkit configuration.
  - 28. The method of claim 23, wherein the providing the timeline step comprises:
    - loading the phase groups and the phases from the program specific database;
      
      loading the milestones and the protection activities for a specific phase;
      
      displaying the milestones and the protection activities in a menu;
      
      inserting multiple timeline tracks when new technologies are inserted into the timeline module; and
      
      enabling the user to select from a group consisting of;
      
      a specific milestone, a specific activity, an activity link, a phase timeline, a lifecycle timeline, a milestone and activity management option, and a phase management option.
  - 29. The method of claim 23, wherein using the system deconstruction module step comprises:
    - enabling the user to insert one or more nodes under a root node in a tree structure, each node representing a component of the acquisition program;
      
      for each node inserted into the tree structure, providing basic information identifying the component associated with the node; and
      
      for the component associated with each node, determining whether the component requires security protection measures and if it is a critical component of the acquisition program.
  - 30. The method of claim 23, wherein using the system programmatics module step comprises:
    - retrieving a system programmatics tree structure from the master database, the system programmatics tree structure including nodes representing system programmatics questions;
      
      expanding nodes to a lowest level to indicate specific questions that need to be answered;
      
      enabling the user to provide a formal answer to a system programmatics question;
      
      determining whether the formal answer requires security protections and if it is a critical component of the acquisition program;
      
      using a fact of statement question to ask for facts that can be derived from the formal answer; and
      
      determining whether statements associated with the fact of statements require security protections.
  - 31. The method of claim 30, wherein the determine the formal answer step comprises leading the user through a series of questions designed to identify risks associated with each component.
  - 32. The method of claim 23, wherein using the questionnaire module step comprises:
    - passing a question index indicating which specific question is the beginning;
      
      initializing questionnaire variables;
      
      retrieving question specifics from the program specific database;
      
      retrieving previous answers from the program specific database;
      
      constructing questions based on a question type;
      
      accepting an answer from the user;
      
      saving the answer to the program specific database;
      
      processing specific rules; and
      
      determining a next question index.
  - 33. The method of claim 23, further comprising managing Gray Zone questions to determine whether a component requires security precautions by:
    - determining an impact of loss;
      
      determining a difficulty to exploit;
      
      determining the eligibility for classification;
      
      determining a classification level;
      
      determining a sensitive compartmented information (SCI)/special access program (SAP)/special access requirements (SAR) level.
  - 34. The method of claim 23, wherein the steps of determining the residual risk include determining the residual risk for critical program information (CPI), critical system resources (CSR), and critical research technologies (CRT) components, and further comprises:
    - determining the eligibility for classification;
      
      determining a classification level;
      
      determining a sensitive compartmented information (SCI)/special access program (SAP)/special access requirements (SAR) level;
      
      determining an impact of loss;
      
      determining a probability of loss;
      
      assessing a criticality;
      
      determining a susceptibility;
      
      assessing a threat;
      
      determining a vulnerability;
      
      determining signatures;
      
      determining countermeasures;
      
      assessing effectiveness of the countermeasures; and
      
      determining a residual risk.
  - 35. The method of claim 23, wherein the providing the report step comprises:
    - loading report framesets into a main content frame;
      
      loading a list of available reports for the specified acquisition program and a current phase;
      
      retrieving information regarding a report structure and previously entered report data from the program specific database;
      
      process a ruleset to obtain new report data; and
      
      comparing the new report data with the previously entered report data.
  - 36. The method of claim 35, wherein the providing the report step further comprises:
    - editing the report;
      
      previewing the report;
      
      generating an extensible markup language (XML) file for security classification guides compatible with a Northrop Grumman Corporation Portion Marking and Verification Tool™
      
      (PMVT) tool;
      
      generating a printable version of the report; and
      
      modifying the report structure.
  - 37. The method of claim 23, further comprising providing an interface for the user to interact with the P2E toolkit.
  - 38. The method of claim 37, wherein the providing the interface step comprises:
    - enabling the use to select a module from a tools menu;
      
      loading module framesets;
      
      loading server-side functions and server-side variables at a server-side;
      
      processing the server-side functions and the server-side variables;
      
      linking the server-side functions and the server-side variables with client-side functions at a client-side;
      
      transferring the server-side variables to the client-side;
      
      generating a web-page using the server-side variables;
      
      displaying data on the web-page;
      
      processing user actions using off screen frames;
      
      validating data input from the user; and
      
      updating the database in the off screen frames.
  - 39. The method of claim 37, wherein the providing the interface step comprises:
    - processing user login and passwords;
      
      loading core module framesets;
      
      loading resource menu frame and navigational functions; and
      
      loading a content frame with a welcome message.

40. A computer readable medium providing instructions for providing program protection engineering, security management, and report preparation for sensitive and classified projects, the instructions comprising:
- enabling a user to login to a program protection engineering (P2E) toolkit;
  
  enabling the user to specify an acquisition program, wherein the acquisition program includes technical components and programmatic components;
  
  copying variables from a master database to a program specific database, wherein the variables include timeline phase groups, phases, milestones, protection activities for the specified acquisition program, and templates for required report documents;
  
  providing and displaying a timeline of the specified acquisition program;
  
  identifying the technical components that need security protections;
  
  identifying critical technical components using questionnaires directed to the technical components;
  
  determining factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each technical component that needs security protections;
  
  identifying the programmatic components that need security protections;
  
  identifying critical system programmatics components using questionnaires directed to the programmatic components;
  
  determining factors including criticality, vulnerabilities, threats, susceptibilities, countermeasures, and a residual risk for each programmatic component that needs security protections; and
  
  providing reports based on timeline phase and specific acquisition program reporting requirements.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 41. The computer readable medium of claim 40, wherein the P2E toolkit comprises modules including a core architectural module, program information module, a timeline module, a system deconstruction module, a system programmatics module, and a report module.
  - 42. The computer readable medium of claim 40, further comprising using a system deconstruction module to identify the technical components that need security protections.
  - 43. The computer readable medium of claim 40, further comprising using a system programmatics module to identify the programmatic components that need security protections.
  - 44. The computer readable medium of claim 40, further comprising instructions for:
    - providing an observable notebook module to identify, track, and manage operational security issues during an acquisition lifecycle; and
      
      providing a toolkit administrative module to manage user accounts and toolkit configuration.
  - 45. The computer readable medium of claim 44, wherein the observable notebook module manages operational security issues, and wherein the computer readable medium further comprises instructions for:
    - identifying operational security issues;
      
      assigning a point of contact for managing the issue;
      
      managing status, impact, and threat levels for each observable; and
      
      describing a containment method and residual risk for each observable.
  - 46. The computer readable medium of claim 44, wherein the toolkit administrative module manages user accounts, toolkit configuration, and various look up list items used throughout the toolkit, and wherein the computer readable medium further comprises instructions for:
    - managing user accounts and permissions;
      
      managing a status of tools available in the toolkit; and
      
      managing look up values for various lists in the toolkit including contents for all dropdown lists, lists of organizations, master templates for acquisition models and report structures, and numerical values used in calculations.
  - 47. The computer readable medium of claim 40, wherein the instructions for providing and displaying the timeline comprise:
    - loading the phase groups and the phases from the program specific database;
      
      loading the milestones and the protection activities for a specific phase;
      
      displaying the milestones and the protection activities in a menu;
      
      inserting multiple timeline tracks when new technologies are inserted into the timeline module; and
      
      enabling the user to select from a group consisting of;
      
      a specific milestone, a specific activity, an activity link, a phase timeline, a lifecycle timeline, a milestone and activity management option, and a phase management option.
  - 48. The computer readable medium of claim 40, wherein the instructions for using the system deconstruction module comprise:
    - enabling the user to insert one or more nodes under a root node in a component breakdown tree structure;
      
      for each node inserted into the tree structure, providing basic information identifying the component associated with the node; and
      
      for the component associated with each node, determining whether the component requires security protection measures and if it is a critical component of the acquisition program.
  - 49. The computer readable medium of claim 40, wherein the instructions for using the system programmatics module comprise:
    - retrieving a system programmatics tree structure from the master database, the system programmatics tree structure including nodes representing system programmatics questions;
      
      expanding nodes to a lowest level to indicate specific questions that need to be answered;
      
      enabling the user to provide a formal answer to a system programmatics question;
      
      determining whether the formal answer requires security protections;
      
      using a fact of statement question to ask for facts that can be derived from the formal answer; and
      
      determining whether statements associated with the fact of statement require security protections.
  - 50. The computer readable medium of claim 40, wherein the questionnaire module presents questions, and wherein the computer readable medium further comprises instructions for:
    - passing a question index indicating which specific question is the beginning;
      
      initializing questionnaire variables;
      
      retrieving question specifics from the program specific database;
      
      retrieving previous answers from the program specific database;
      
      constructing questions based on a question type;
      
      accepting an answer from the user;
      
      saving the answer to the program specific database;
      
      processing specific rules; and
      
      determining a next question index.
  - 51. The computer readable medium of claim 40, wherein the report module presents reports based on current acquisition phase and reporting requirements, and wherein the computer readable medium further comprises instructions for:
    - loading report framesets;
      
      loading a list of available reports;
      
      enabling the user to select a specific report;
      
      loading a report structure from the program specific database;
      
      processing a ruleset to populate the report using database information;
      
      retrieving previously entered report information and showing a presence of new or modified data;
      
      enabling the user to edit the report, preview the report, and generate a Microsoft Word compatible version of the report;
      
      enabling the user to generate an extensible markup language (XML) script for a Northrop Grumman Corporation Portion Marking and Verification Tool™
      
      (PMVT) tool;
      
      enabling the user to generate paragraph and tabular reports;
      
      enabling the user to generate a CPI report that calculates an overall program residual risk; and
      
      enabling the user to modify the report structure as needed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Engility Corp. (Science Applications International Corporation)
Original Assignee
TASC Incorporated
Inventors
Davis, James, Brumbaugh, Kenneth, Hamilton, Gregory, Fan, Wendy, Low, Howard

Granted Patent

US 7,865,388 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/06   Resources, workflows, human...

G06Q 10/06311   Scheduling, planning or tas...

Apparatus and method for providing program protection engineering, security management, and report preparation for sensitive and classified projects

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for providing program protection engineering, security management, and report preparation for sensitive and classified projects

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links