Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF NOVEMBER 09, 2017 FBO #5830
MODIFICATION

A -- Innovative Cross-Domain Cyber Reactive Information Sharing (ICCyRIS)

Notice Date
11/7/2017
 
Notice Type
Modification/Amendment
 
Contracting Office
Department of the Air Force, Air Force Materiel Command, AFRL/RIK - Rome, 26 Electronic Parkway, Rome, New York, 13441-4514, United States
 
ZIP Code
13441-4514
 
Solicitation Number
BAA-RIK-14-02
 
Point of Contact
Gail E. Marsh, Phone: 315-330-7518
 
E-Mail Address
Gail.Marsh@us.af.mil
 
Small Business Set-Aside
N/A
 
Description
AMENDMENT 10 to BAA RIK-14-02

The purpose of this amendment is to republish the original announcement, incorporating all previous modifications, pursuant to FAR 35.016(c). This republishing also includes the following changes:

(a) Section II: Revise the BAA ceiling and estimated funding plan
(b) Section III: Updated to reflect current access requirements and renumber the paragraphs
(c) Section IV.2: Updated proposal instructions and renumber the paragraphs
(d) Section IV.6: Revised to reflect current NISPOM change
(e) Section IV.7: Updated BAA Manager information and electronic submission instructions
(f) Section VI.2: Update paragraph 2 with current DLA information
(g) Section VI.5: Updated to reflect current information
(h) Section VII: Revised/Updated BAA Manager, Deputy BAA Manager and Ombudsman information.

No other changes have been made.

NAICS CODE: 541712

FEDERAL AGENCY NAME: Department of the Air Force, Air Force Materiel Command, AFRL-Rome Research Site, AFRL/Information Directorate, 26 Electronic Parkway, Rome NY 13441-4514

TITLE: Innovative Cross-domain Cyber Reactive Information Sharing (ICCyRIS)

ANNOUNCEMENT TYPE: Initial Announcement

FUNDING OPPORTUNITY NUMBER: BAA-RIK-14-02

CFDA NUMBER: 12.800

I. FUNDING OPPORTUNITY DESCRIPTION:

The Cross Domain Innovation & Science (CDIS) group of the Air Force Research Laboratory's Information Directorate is interested in new innovative technologies and capabilities, within the Multi-Level Security (MLS) and Cyber Security environments, that promote the state of the art for secure, accreditable, resilient and reactive capabilities to enhance the sharing of information between multiple security domains within both enterprise and mobile/tactical environments.
This BAA focuses on developing new technologies to allow secure data sharing; trusted computing; smart routing; cyber defense; Multi-Level Security (MLS) trust at the tactical edge; and a comprehensive, multi-security domain, user-defined operational picture to effectively and efficiently improve the state-of-the-art for defense enterprise, cloud, and mobile/tactical computing/operations.

The goals of this BAA are to improve cross-domain information sharing in five distinct technology areas:

1. Multi-Enclave/Multi-Domain Cyber User Defined Operational Picture (UDOP) - Extending enterprise status monitoring efforts and Cross Domain Solutions (CDSs) adaptability to meet greater operator need.
2. High Risk Data Type Mitigation - Providing micro-virtualized ultra-high-risk content and investigations for malicious behavior before passing them to other security domains.
3. Fine-Grained Grammar for Orchestration - Use of formal grammars for quick adaptation of workflows to meet changing mission/security/performance requirements.
4. Content and Label Based Routing - Extending the trust provided at node and network environments to the information objects being passed to assure end-to-end trust in passing and delivering information to recipients.
5. MLS Trust at the Edge - Extending the robustness and usability of MLS mobile and desktop endpoint technology to meet the critical needs of our mobile warriors.

General Focus Areas Applicable to all FYs:

Automatically Evaluate Video Streams for Cross-Domain Releasability: Perform an analysis of alternatives and incorporate the most mature systems into a prototype for evaluating the releasability of streaming data. This specifically includes but is not limited to speech-to-text, person recognition, and object recognition functionality plus system(s) to reason over the results of these functions.

Improved Security through Virtualization: Utilize the broad swath of virtualization technologies to improve the state of the art of information assurance. Note also the related High Risk Binary Assessment Focus Area for FY 15 under this BAA, as well as the Secure Data Containers Focus Area for FY16.

Novel, Trustworthy Filtration: Improve the state of data filtration through the use of techniques and procedures either previously unexplored in filtration or completely novel. Note that adding a new filter for an already covered file type is much less interesting than the ability to add classes of file types which are otherwise unaddressed by filtration engines. Note also the related High Risk Binary Assessment Focus Area for FY15 under this BAA, as well as the Imagery to Text Focus Area for FY18.

Improved Orchestration Interfaces that don't require a "Man-in-the-Loop": Research and develop better automation of multiple data flows, each containing myriad functions and decision points, intended to affect large pools of data. This may be used in conjunction with various efforts such as the National Security Agency's (NSA's) Bray tool, Data Flow Configuration Format (DFCF), Guard Remote Management Protocol (GRMP), the CDS Management Information Base (MIB), and/or others. This capability includes the ability to demonstrate proposed changes against known pools of data, provide high level metrics regarding the original and changed results on those known pools of data, and to allow the user to drill down into greater, granular detail on the metrics as needed. These interfaces should not assume any particular degree of knowledge for users beyond a general computer use competency, and must ensure users' identity and authorization via appropriate methods.

Improved Machine-to-Machine Automation: Many cross domain links are established between automated systems for various purposes. There are large swaths of commonality across most of these links.
Build tools to leverage unmodified CDSs from the Unified Cross Domain Management Office (UCDMO) baseline to better meet the need for creating similar links in the future.

Improved Commodity Multi-Level Security (MLS) Networking: Create networking capable of mandatory access control (MAC) for content, locations and users marked, approved and operating at different levels of classification (plus releasability, caveats, and other security-relevant markings) utilizing commodity hardware, operating systems, software and infrastructure as much as practical. Complete redevelopment/replacement of existing networking infrastructure and endpoints is explicitly outside the scope of this effort.

CAC Authentication via MicroSD Certificate Storage: Commercial mobile devices on their own, with standard configuration, are not secure enough for government use. However, to save money, many agencies are looking to leverage them. This poses a challenge for securing government/sensitive data access by the device user, while maintaining all the functionality of the commercial device itself. One approach is to utilize micro/nano Secure Digital (SD) cards to provide secure storage of access certificates. Phase one of this focus area will develop a secure, "read only" certificate store utilizing the Micro and Nano SD card form factors for use in physically unmodified Commercial-Off-The-Shelf (COTS) Mobile Platforms. Software applications may be modified or created in order to demonstrate the functionality. The second phase of this focus area will test the proposed solution against real world scenarios utilizing life-like certificate data to ascertain robustness against published Security Technical Implementation Guides (STIGs).

Securing Commercial Off-The-Shelf (COTS) Mobile Device Common Access Card (CAC) Authentication via Near-Field Communication (NFC): Several COTS mobile devices feature NFC capabilities.
Concurrently, there are requirements for warfighters to authenticate on computing resources with their Common Access Card (CAC). Unfortunately, physical external readers for CACs are unwieldy extensions to mobile devices. As such, there may be an opportunity to investigate utilizing the COTS NFC capabilities assuming they meet or exceed the security requirements accomplished by the physical readers. Given the repeated demonstrations at most modern Black Hat events exploiting COTS NFC capabilities in various ways, skepticism as to these devices' security capabilities will need to be assuaged and demonstrated as mitigated appropriately for operationally meaningful situations. The demonstrated solution has additional challenges: it must be able to prevent unauthorized access to sensitive data provided via CAC PKI capabilities, it must securely account for users with multiple credentials and access their existing certificates within appropriate networks (as in Global Access List, Lightweight Directory Access Protocol (LDAP)/ Active Directory (AD), etc.), it must have a segregation capability if malicious code is detected, and it must allow for appropriate persistence of user authentication even after the device and NFC tag are outside of scanning range.

Real Time Mobile Authentication: Many mobile users, especially field operators and tactical users, require mobile devices to be unlocked or readily available at any time throughout the mission. Long passphrases can be difficult to remember and may require attention that directs their vision away from the battlefield. Unfortunately, leaving the devices unlocked poses a large security risk if the phones are lost or stolen. By leveraging the sensors on the device (ex.
Camera, GPS, Accelerometer (Gait), Humidity, Temperature) along with new wearable technology (Blood pressure, Heart Beat, Body Temp), advanced policies can be created to authenticate the user with the mobile device and keep mission critical applications unlocked and ready to use. These policies should be dynamic and adapt to the environment of the user. For example, they could complete operations such as locking the device or, in certain locations, wiping the device entirely. The measures of effectiveness will be measured on authentication false positive/negative rates, impacts to battery life, CPU performance, I/O performance and tactical use-cases.

High Risk Binary Assessment: Demonstrate a capability to automate invocation of potentially malicious content within a secure environment (such as a sandbox, virtual machine, or 'detonation chamber'). This capability should include scripting some appropriate number of user actions within commodity, unmodified applications and monitoring the environment for malicious or unexpected behaviors. The solution should incorporate both signature based detection of suspect behaviors as well as aberrant behavior based on a learned fingerprint of the normal functioning of the consuming application(s) within the environment. For example, if a given application doesn't normally generate alternate data streams within Windows, then generating an alternate data stream upon opening a new file in that application should be flagged. Integrity of the mechanisms that identify these unexpected behaviors must be protected from tampering or observation from within the secure environment. The solution shall also include one or more ways to adapt to new exercising applications and steps within the secure environment to either extend inspection of current file types supported and/or to offer support for new file types.
In the final version delivered, no particular degree of knowledge beyond a general computer use competency should be expected from operators or those who adapt the system in the aforementioned manner(s).

Situational Awareness of End-to-End Multi-level Information Flow: NSA's Cross Domain Solution Management Information Base (CDS-MIB) is a CDS-independent mechanism used to report flow performance, errors, and various other metrics related to CDS health and status. This is only part of the picture that is necessary to efficiently be aware of the true multi-level information flow picture. The addition of information pertaining to CDS support devices such as external filtering appliances, CDS pre-processors, mission applications that leverage CDS and other IT integral to cross domain services (e.g., identity management, email infrastructure) is intended to enhance end-to-end situational awareness. This will increase situational awareness of all CDSs on the network, provide more insight into network status and services status, and provide opportunity for further integration with other activities, to include prior CDIS run efforts such as Audit-Based Sensing & Protection (ASP) and Behavior Based Risk Assurance (BBRA). Once this capability is developed, other capabilities can use the information, to include load balancers and automatic failover.

Dynamic Mobile Device Management (DMDM): In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device.
The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with their own storage, keystore, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; provide high-level enforcement of applications to operate as specified by policy within a container; provide typical device management which includes: user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); provide continual assessment of the device's security state and take appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security.

Multi-Level-Security Mobile Secure Foundation: Currently we are tracking two major technical approaches for Multi-Level Security (MLS) on Commercial Off-The-Shelf (COTS) hardware running the Android ecosystem. The first approach utilizes a hypervisor to separate multiple virtual machines' operations within the secure device. The second utilizes Security Enhanced (SE) Android policy to separate (sets of) processes. Both of these efforts have disparate strengths and weaknesses, as measured by performance, battery life, boot and access times, and other metrics. Other technical approaches to achieve assured Multi Level Security operation within the Android ecosystem may also be viable, if they can be brought to a similar or higher degree of maturity as well as accomplishing the rest of the tasking by the end of this effort. This effort is to provide a secure foundation for additional development in mobile devices for multiple DoD/IC use cases.
As such, the solution chosen must follow accreditation guidelines throughout the effort and ideally have zero outstanding technical issues which would preclude accreditation. Additionally, the chosen solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines. The architecture shall include components selected from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc. Finally, it is important that the solution be compatible with military needs for current and future tactical usage, including the continued usage of hardware peripherals. The successful solution will be based on commodity hardware, and ideally with commodity firmware utilizing hardware-based attestation (e.g., Trusted Platform Module (TPM), ARM TrustZone, Samsung KNOX, etc.) through the boot cycle and normal operation of the device. Solutions featuring custom operating systems and firmware are not ideal as they are expected to have higher procurement and maintenance costs and requirements, among other reasons. Measures of effectiveness will include the ability to integrate with existing technologies and abide by all current and future NSA Mobility publications. The solution shall also adhere to strict requirements of battery life, CPU performance, I/O performance, boot-up times, and tactical application integration.

CDS High Availability: Cross Domain Solutions (CDS) are typically less resilient than our other information technology (IT). Today we can support CDS load balancing and failover via typical mechanisms if the CDS protocols support it.
There are, however, multiple technical shortfalls that limit the usability of these techniques, including the inability to: provide CDS load information to commodity load balancers, maintain configuration synchronization between multiple CDS, and detect and recover from CDS failure. The purpose of this effort is to develop techniques to address these CDS availability concerns. Measures of effectiveness will include extensibility of approach to multiple CDS, ability to integrate with off-the-shelf tools for load balancing, information assurance acceptability and efficient utilization of network bandwidth for communication between components.

Cross Domain Machine-to-Machine (M2M) Mediation Layer: A common approach to addressing cross domain information sharing requirements is cross-domain enablement of the underlying information technology (IT) that facilitates information sharing intra domain. Cross domain enablement of the machine-to-machine (M2M) protocols that support this IT is challenging because M2M protocols often have attributes that do not match typical CDS transfer characteristics. Some common examples include: non-atomic transactions (require more than one CDS transfer in order to complete), transactions that require ACK/NACK (CDS transfers are usually one way and may not provide failure notification) and transactions that are dependent upon one another (CDS are typically stateless and transfers are independent of one another). The purpose of this effort is to develop a mediation layer that can act as a foundation for M2M communications over a CDS. This mediation layer will be the integration point for specific protocol termination services (e.g., DB transactions, Web Services) and would handle the necessary information management and CDS data flow understanding to map between M2M interface requirements and CDS transfer capabilities.
Measures of effectiveness will include ease of integration with a new set of M2M data flows, native M2M protocol independence, ability to protect end system data integrity from CDS filtering issues, solution performance (throughput and latency) and ease of recovery when issues arise (e.g., CDS is unavailable, CDS filters misconfigured and start failing transactions).

Dynamic Mobile Device Management (DMDM): In order to provide secure containers for multiple compartments within mobile devices, a dynamic method to manage mobile devices using a secure Operating System (such as SE-Android) is required. This topic is to develop and demonstrate an innovative method for the management of such a device. The following management capabilities must be considered: support for multiple compartments on a single mobile platform, dividing each container into separate compartments, each with their own storage, key store, and applications; the ability to provide flexible policies for the communication of all applications with each other and the device; provide high-level enforcement of applications to operate as specified by policy within a container; provide typical device management which includes: user management, device lock-down, container isolation protection, tamper resistance, and remote management (including the ability to wipe the device if compromised); provide continual assessment of the device's security state and take appropriate actions when that state is compromised. The prototype delivered must incorporate as many of these capabilities as possible and demonstrate successful container separation, device and policy management, and attestation of device security. The solution must adhere to the relevant portions of the Mobility Capability Package protection profiles and National Information Assurance Partnership (NIAP) guidelines.
The measures of effectiveness will be measured on application performance, agility to tactical low-no communication situations and the ability to integrate with components from the National Security Agency Commercial Solutions for Classified (CSfC) such as Data at Rest, Data in Transit, Mobile Device Management, etc.

Applied Open Systems Development Techniques for C4I Trusted MLS Platforms: Further the state of the art of new and existing innovative technologies and explore other potential COTS / GOTS capabilities that address the challenges of improved security, resiliency and agility through integration of novel Open Systems technologies into modernized systems of record. Research and develop new Open Architecture technologies through studies, analysis, engineering, design, development, prototype testing, demonstration and integration of new and existing technologies. Improve secure information sharing within and among multiple security domains from the enterprise to the tactical/mobile user which includes overall cyber security capabilities for evolving multi-level solutions for the monitoring and management of their overall security environment and ecosystem. Leverage system requirements, combined with current socio-political considerations in relevant areas of responsibility to create realistic use cases and demonstration scripts for use in exercising solutions and capabilities. Topic ensures a cohesive approach to addressing the MLS solutions lifecycle; from idea to proof of concept/realistic prototype to integration and testing of new technology within live and simulated environments.

On-Demand Cross Domain Solution (CDS) Filtering: Provide a trustworthy mechanism to securely store, deliver, and deploy new filters into CDSs on demand.
The intent is to develop a new or extend an existing agnostic Application Programmer's Interface (API) to allow multiple disparate transfer CDSs to interrogate one or more trusted store(s) for filters to be securely delivered in near-real-time, and to provide a reference implementation for that trusted store. This is intended to allow CDSs to adapt to changing workload requirements and threat environments. If the CDS already contains a similar capability or partial capability, it is expected that this API will wrap them rather than redeveloping.

Enhance Logic and Visualization for Enterprise Capabilities: Extend the ability to monitor one or more transfer Cross Domain Solutions (CDSs) beyond prior efforts' scope by incorporating business logic through a reasoning engine to examine the data collected and stored via CDS-MIB, SNMP & perhaps alternate sources as well as performing trend analysis across this information. This would be expected to be able to automatically suggest and/or enforce reporting and warning thresholds to alert responsible parties via Simple Network Management Protocol (SNMP) (for integration with enterprise management & alert systems), email and/or text to abnormal activity with respect to the CDSs' normal functioning. Given other previously developed tools, this developed capability might be expected to automatically react to incoming data and alter one or more CDSs' operational posture, either to ensure operational goals and/or reduce data exfiltration/malware infiltration.

Mobile MLS Cross Domain XML Routing: Evaluate existing XML data tagging standards for use in both IP-based wired networks and wireless mobile networking environments, both for traditional tagging roles and also in support of cross security domain routing decisions. Publish this evaluation in order to gather feedback and consensus and hopefully drive standardization across DoD/IC and eventually the mobile industry.
Finally, develop a prototype that enables standardized cross domain routing originating and/or ending on a mobile platform.

Advanced File Typing: Perform best of breed Analysis of Alternatives between deep content inspection and/or file parsing capabilities such as Apache Tika, Data Format Description Language (DFDL), and similar. Using the best of breed, create a prototype to perform deep content inspection of files to detect and/or extract metadata, binary blobs and/or structured text content to properly & fully identify file types (Multipurpose Internet Mail Extension (MIME) types). Develop with common programmatic API calls plus appropriate web service interfaces and NSA's Filter Componentization Effort (FCE) specification. Test and evaluate performance and reliability of file type identification. Include edge cases such as polymorphism, spoofing, multiple file type compatibilities, and container file types.

Focus Areas for FY 18:

Multi-Level Security Collaboration Tool Suite: Modern collaboration tools, including web-based conferencing, instant messaging, whiteboarding, and application sharing, allow remote participants to communicate and collaborate with each other within a single domain. However, many of these tools cannot be used for cross domain communication because they lack built-in security and are not interoperable with existing Cross Domain Solutions (CDS). Additionally, replacing existing collaboration tools with more advanced and secure alternatives is not an ideal solution because users will need to spend time to familiarize themselves with the new tools. The effort will research approaches to bring security and/or functionalities into existing, widely-used collaboration tools, such as Skype for Business and BigBlueButton, and make them interoperable with an existing CDS to enable cross domain communication. The approaches may include additional components (e.g., a proxy) to bridge any capability gaps, among others.
The goal of this effort is to enable single-domain collaboration tools to do cross domain communications, with minimal changes to either the tools or the CDS. Metrics to be tracked include throughput, latency, jitter, and potentially others.

FPGA - Security and Performance Enhanced Processing: FPGA coupled CPUs such as Intel's forthcoming chipset open up new possibilities for increasing specific algorithmic performance and security. This topic seeks efforts that look to expand the security capabilities of OpenXT through use of such FPGA enabled chips; specifically, to enhance security by transferring core OS components to the fabric as a proof of concept and demonstrate the benefit to security through doing so. Techniques which improve system performance through transference to the FPGA are also sought after, such as efforts to enable cross domain processing that could benefit from custom FPGA fabric implementations of various algorithms. Efforts to port existing multi-level security scanning techniques to the FPGA co-processor are welcome under this topic. Finally, novel research efforts using the FPGA for next generation techniques are welcome.

Enhanced Mobile Cross domain access: In recent years considerable strides have been made in mobile virtualization technologies. Build on existing mobile virtualization solutions for ARM mobile devices capable of storing and transmitting classified information on Commercial Solutions for Classified (CSfC) devices. Solution must be quickly adaptable to future commercial devices and implement security features developed by NIAP mobility protection profiles. Provide expanded functionality and virtualization of hardware features not located in the ARM application processor such as protecting the baseband cellular chip and integrated circuits involved in providing one or more hardware root(s) of trust.
The end goal of this research area is to provide a mobile phone that can be approved for simultaneous access to both classified and unclassified networks on commercial systems that can be fielded before the mobile platform is considered end of life, which is typically two years on most flagship mobile platforms. Metrics to be tracked include alterations to hardware, battery life, user response latency, and CSfC exceptions, among other potential metrics.

Secure Sharing of Content in Mobile Tactical Networks: DoD is becoming more reliant on COTS mobile devices to provide mission critical documents to users in the field. Once outside of a trusted network, user devices are heavily locked down to prevent information exfiltration. Consequently, this prevents users from easily transferring mission data into and out of the device. Oftentimes, users attempt to circumvent IA procedures or use out-of-band channels for transferring data, leaving a wide, unmonitored attack vector. This effort will investigate innovative mechanisms to protect the data itself, so that regardless of transport mechanisms or applications used the data will always be protected. The solution will need to work in tactical environments where access to a server is nonexistent. Proposed solutions may leverage existing Digital Rights Management (DRM) technologies or DoD PKI infrastructures, but these are not required. It is desirable for the proposed solution to work on both iOS and Android devices. If the proposed solution requires changes to existing applications, a library or well-defined API will need to be provided. The proposed solution should not interrupt the mobile devices' root of trust. The solution's performance will be measured by battery time to live, performance overhead, additional time for users to access the device, interoperability between current and future devices, and the ability to conform to DoD Mobility Information Assurance standards.

II.
AWARD INFORMATION:

Total funding for this BAA is approximately $24,999,500. The anticipated funding to be obligated under this BAA is broken out by fiscal year as follows:

FY 15 - $6,000,000
FY 16 - $6,000,000
FY 17 - $6,000,000
FY 18 - $6,999,500

Individual awards will not normally exceed 36 months with dollar amounts normally ranging between $250K and $500K per year. There is also the potential to make awards up to any dollar value. Awards of efforts as a result of this announcement will be in the form of contracts, grants or cooperative agreements or other transactions depending upon the nature of the work proposed. The Government reserves the right to select all, part, or none of the proposals received, subject to the availability of funds. All potential Offerors should be aware that due to unanticipated budget fluctuations, funding in any or all areas may change with little or no notice.

III. ELIGIBILITY INFORMATION:

1. ELIGIBILITY: All qualified offerors who meet the requirements of this BAA may apply.

2. FOREIGN PARTICIPATION/ACCESS:

a. This BAA is closed to foreign participation at the Prime Contractor level.

b. Foreign Ownership, Control or Influence (FOCI) companies who have mitigated FOCI may inquire as to eligibility by contacting the contracting office focal point, Gail E. Marsh, Contracting Officer, telephone (315) 330-7518, or e-mail Gail.Marsh@us.af.mil for verification prior to submitting a white paper. Please reference this BAA.

c. Contractor employees requiring access to USAF bases, AFRL facilities, and/or access to U.S. Government Information Technology (IT) networks in connection with the work on contracts, assistance instruments or other transactions awarded under this BAA must be U.S. citizens. For the purpose of base and network access, possession of a permanent resident card ("Green Card") does not equate to U.S. citizenship. This requirement does not apply to foreign nationals approved by the U.S. Department of Defense or U.S.
State Department under international personnel exchange agreements with foreign governments. Any waivers to this requirement must be granted in writing by the Contracting Officer prior to providing access. The above requirements are in addition to any other contract requirements related to obtaining a Common Access Card (CAC). If an IT network/system does not require AFRL to endorse a contractor's application to said network/system in order to gain access, the organization operating the IT network/system is responsible for controlling access to its system. If an IT network/system requires a U.S. Government sponsor to endorse the application in order for access to the IT network/system, AFRL will only endorse the following types of applications, consistent with the requirements above: 1. Contractor employees who are U.S. citizens performing work under contracts, assistance instruments or other transactions awarded under this BAA. 2. Contractor employees who are non-U.S. citizens and who have been granted a waiver. Any additional access restrictions established by the IT network/system owner apply. 3. FEDERALLY FUNDED RESEARCH AND DEVELOPMENT CENTERS AND GOVERNMENT ENTITIES: Federally Funded Research and Development Centers (FFRDCs) and Government entities (e.g., Government/National laboratories, military educational institutions, etc.) are subject to applicable direct competition limitations and cannot propose to this BAA in any capacity unless they meet the following conditions: a. FFRDCs : FFRDCs must clearly demonstrate that the proposed work is not otherwise available from the private sector; and FFRDCs must provide a letter on official letterhead from their sponsoring organization citing the specific authority establishing their eligibility to propose to Government solicitations and compete with industry, and their compliance with the associated FFRDC sponsor agreement's terms and conditions. 
This information is required for FFRDCs proposing to be prime contractors or sub-awardees. b. Government Entities : Government entities must clearly demonstrate that the work is not otherwise available from the private sector and provide written documentation citing the specific statutory authority and contractual authority, if relevant, establishing their ability to propose to Government solicitations. While 10 U.S.C. § 2539b may be the appropriate statutory starting point for some entities, specific supporting regulatory guidance, together with evidence of agency approval, will still be required to fully establish eligibility. FFRDC and Government entity eligibility will be determined on a case-by-case basis; however, the burden to prove eligibility for all team members rests solely with the proposer. Government agencies interested in performing work related to this announcement should contact the Technical Point of Contact (TPOC). If resulting discussions reveal a mutual interest, cooperation may be pursued via other vehicles. 4. COST SHARING OR MATCHING: Cost sharing is not a requirement. 5. System for Award Management (SAM). Offerors must be registered in the SAM database to receive a contract award, and remain registered during performance and through final payment of any contract or agreement. Processing time for registration in SAM, which normally takes forty-eight hours, should be taken into consideration when registering. Offerors who are not already registered should consider applying for registration before submitting a proposal. 6. Executive Compensation and First-Tier Sub-contract/Sub-recipient Awards: Any contract award resulting from this announcement may contain the clause at FAR 52.204-10 - Reporting Executive Compensation and First-Tier Subcontract Awards. 
Any grant or agreement award resulting from this announcement may contain the award term set forth in 2 CFR, Appendix A to Part 25 http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=c55a4687d6faa13b137a26d0eb436edb&rgn=div5&view=text&node=2:1.1.1.41&idno=2#2:1.1.1.4.1.2.1.1 7. GOVERNMENT APPROVED ACCOUNTING SYSTEM: An offeror must have a government approved accounting system prior to award of a cost-reimbursement contract per limitations set forth in FAR 16.301-3(a) to ensure the system is adequate for determining costs applicable to the contract. The acceptability of an accounting system is determined based upon an audit performed by the Defense Contract Audit Agency (DCAA). IMPORTANT: If you do not have a DCAA approved accounting system, access the following link for instructions: https://www.fbo.gov/index?s=opportunity&mode=form&id=1cffad228f48b58057072a6c9113799d&tab=core&_cview=1 IV. APPLICATION AND SUBMISSION INFORMATION: 1. APPLICATION PACKAGE: THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION. WE ARE SOLICITING WHITE PAPERS ONLY. DO NOT SUBMIT A FORMAL PROPOSAL AT THIS TIME. Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal, see Section VI of this announcement for further details. 2. PROPOSAL FORMATTING: When developing proposals, reference the AFRL "Broad Agency Announcement (BAA): Guide for Industry," Mar 2015, and RI-Specific Proposal Preparation Instructions, Jan 2017, which may be accessed at: https://www.fbo.gov/index?s=opportunity&mode=form&id=1cffad228f48b58057072a6c9113799d&tab=core&_cview=1. Always reference the newest versions of these documents. 3. CONTENT AND FORM OF SUBMISSION: Offerors are required to submit 3 copies of a 3 to 5 page white paper summarizing their proposed approach/solution. The purpose of the white paper is to preclude unwarranted effort on the part of an offeror whose proposed work is not of interest to the Government. 
The white paper will be formatted as follows: Section A: Title, Period of Performance, Estimated Cost, Name/Address of Company, Technical and Contracting Points of Contact (phone, fax and email)(this section is NOT included in the page count); Section B: Task Objective; and Section C: Technical Summary and Proposed Deliverables. Multiple white papers within the purview of this announcement may be submitted by each offeror. If the offeror wishes to restrict its white papers, they must be marked with the restrictive language stated in FAR 15.609(a) and (b). All white papers shall be double spaced with a font no smaller than 12 pitch. In addition, respondents are requested to provide their Commercial and Government Entity (CAGE) number, their Dun & Bradstreet (D&B) Data Universal Numbering System (DUNS) number, a fax number, an e-mail address, and reference BAA-RIK-14-02 with their submission. All responses to this announcement must be addressed to the technical POC, as discussed in paragraph six of this section. 4. SUBMISSION DATES AND TIMES: It is recommended that white papers be received by the following dates to maximize the possibility of award: FY 15 by 30 Jan 14 FY 16 by 15 Jan 15 FY 17 by 31 Jan 16 FY 18 by 31 Jan 17 White papers will be accepted until 2pm Eastern time on 30 September 2018, but it is less likely that funding will be available in each respective fiscal year after the dates cited. FORMAL PROPOSALS ARE NOT BEING REQUESTED AT THIS TIME. 5. FUNDING RESTRICTIONS: The cost of preparing white papers/proposals in response to this announcement is not considered an allowable direct charge to any resulting contract or any other contract, but may be an allowable expense to the normal bid and proposal indirect cost specified in FAR 31.205-18. Incurring pre-award costs for ASSISTANCE INSTRUMENTS ONLY are regulated by the DoD Grant and Agreements Regulations (DODGARS). 6. 
All Proposers should review the NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL, (NISPOM), dated February 28, 2006, and incorporating Change 2, dated May 18, 2016, as it provides baseline standards for the protection of classified information and prescribes the requirements concerning Contractor Developed Information under paragraph 4-105. Defense Security Service (DSS) Site for the NISPOM is: http://www.dss.mil/. 7. OTHER SUBMISSION REQUIREMENTS: DO NOT send white papers to the Contracting Officer. All responses to this announcement must be addressed to the TPOC and Deputy TPOC identified in SECTION VII. Unclassified electronic submission will also be accepted. Encrypt or password-protect all proprietary information prior to sending. Offerors are responsible to confirm receipt with the TPOC listed in Section VII. AFRL is not responsible for undelivered documents. If electronic submission is used, only one copy of the documentation is required. In the event of a possible or actual compromise of classified information in the submission of your white paper or proposal, immediately but no later than 24 hours, bring this to the attention of your cognizant security authority and AFRL Rome Research Site Information Protection Office (IPO): Vincent Guza, 315-330-4048 (0730-1630 Monday-Friday), 315-330-2961 (Evenings and Weekends), Email: vincent.guza@us.af.mil V. APPLICATION REVIEW INFORMATION : 1. 
CRITERIA: The following criteria, which are listed in descending order of importance, will be used to determine whether white papers and proposals submitted are consistent with the intent of this BAA and of interest to the Government: (1) Overall Scientific and Technical Merit -- Including the degree of innovation for the approach and the use of innovative modern architectures in development and/or enhancement of the proposed technology; the use of analysis, metrics & testing and adherence to Information Assurance and Cross-Domain best practices, (2) Related Experience - The extent to which the offeror demonstrates relevant technology and domain knowledge and experience within cross-domain environments, (3) Openness, Maturity & Assurance of Solution - The extent to which existing capabilities and standards are leveraged and the relative maturity of the proposed technology in terms of degree of Information Assurance and Cross-Domain standards implemented, and (4) Reasonableness and Realism of proposed costs and fees (if any). No further evaluation criteria will be used in selecting white papers/proposals. Individual white paper/proposal evaluations will be evaluated against the evaluation criteria without regard to other white papers and proposals submitted under this BAA. White papers and proposals submitted will be evaluated as they are received. 2. REVIEW AND SELECTION PROCESS: Only Government employees will evaluate the white papers/proposals for selection. The Air Force Research Laboratory's Information Directorate has contracted for various business and staff support services, some of which require contractors to obtain administrative access to proprietary information submitted by other contractors. 
Administrative access is defined as "handling or having physical control over information for the sole purpose of accomplishing the administrative functions specified in the administrative support contract, which do not require the review, reading, or comprehension of the content of the information on the part of non-technical professionals assigned to accomplish the specified administrative tasks." These contractors have signed general non-disclosure agreements and organizational conflict of interest statements. The required administrative access will be granted to non-technical professionals. Examples of the administrative tasks performed include: a. Assembling and organizing information for R&D case files; b. Accessing library files for use by government personnel; and c. Handling and administration of proposals, contracts, contract funding and queries. Any objection to administrative access must be in writing to the Contracting Officer and shall include a detailed statement of the basis for the objection. 3. The Government may simultaneously evaluate proposals received under this BAA from multiple offerors. In this case, the Government may make award based on adequate price competition, and offerors must be aware that there is a possibility of non-selection due to a proposal of similar but higher-priced technical approach as compared to another offeror. 4. FEDERAL AWARDEE PERFORMANCE AND INTEGRITY INFORMATION SYSTEM (FAPIIS) PUBLIC ACCESS: As required by 2 CFR 200 of the Uniform Guidance and FAR 9.104-6, the Government is required to review and consider any information about the applicant that is in the FAPIIS before making any award in excess of the simplified acquisition threshold (currently $150,000) over the period of performance. An applicant may review and comment on any information about itself that a federal awarding agency previously entered. 
The Government will consider any comments by the applicant, in addition to other information in FAPIIS in making a judgment about the applicant's integrity, business ethics, and record of performance under federal awards when completing the review of risk posed by applicants as described in 2 CFR § 200.205 Federal Awarding Agency Review of Risk Posed by Applicants. VI. AWARD ADMINISTRATION INFORMATION : 1. AWARD NOTICES: Those white papers found to be consistent with the intent of this BAA may be invited to submit a technical and cost proposal. Notification by email or letter will be sent by the technical POC. Such invitation does not assure that the submitting organization will be awarded a contract. Those white papers not selected to submit a proposal will be notified in the same manner. Prospective offerors are advised that only Contracting Officers are legally authorized to commit the Government. All offerors submitting white papers will be contacted by the technical POC, referenced in Section VII of this announcement. Offerors can email the technical POC for status of their white paper/proposal no earlier than 45 days after submission. 2. ADMINISTRATIVE AND NATIONAL POLICY REQUIREMENTS: Depending on the work to be performed, the offeror may require a Secret or Top Secret facility clearance and safeguarding capability; therefore, personnel identified for assignment to a classified effort must be cleared for access to Secret or Top Secret information at the time of award. In addition, the offeror may be required to have, or have access to, a certified and Government-approved facility to support work under this BAA. This acquisition may involve data that is subject to export control laws and regulations. Only contractors who are registered and certified with the Defense Logistics Information Service (DLIS) and have a legitimate business purpose may participate in this solicitation. 
For questions, contact DLIS on-line at http://www.dla.mil/HQ/InformationOperations/LogisticsInformationServices.aspx or at the DLA Logistics Information Service, 74 Washington Avenue North, Battle Creek, Michigan 49037-3084, and telephone number 1-800-352-2255 (24/7). You must submit a copy of your approved DD Form 2345, Militarily Critical Technical Data Agreement, with your white paper/proposal. 3. DATA RIGHTS: The potential for inclusion of Small Business Innovation Research (SBIR) or data rights other than unlimited on awards is recognized. In accordance with (IAW) the Small Business Administration (SBA) SBIR Policy Directive, Section 8(b), SBIR data rights clauses are non-negotiable and must not be the subject of negotiations pertaining to an award, or diminished or removed during award administration. Issuance of an award will not be made conditional based on forfeit of data rights. If the SBIR awardee wishes to transfer its SBIR data rights to the Air Force or to a third party, it must do so in writing under a separate agreement. A decision by the awardee to relinquish, transfer, or modify in any way its SBIR data rights must be made without pressure or coercion by the agency or any other party. Non-SBIR data rights less than unlimited will be evaluated and negotiated on a case-by-case basis. Government Purpose Rights are anticipated for data developed with DoD-reimbursed Independent Research and Development (IR&D) funding. 4. REPORTING: a. Contract Applicable: Once a proposal has been selected for award, offerors will be given complete instructions on the submission process for the reports. b. FAPIIS Applicable: As required by 2 CFR 200 Appendix XII of the Uniform Guidance and FAR 9.104(c), non-federal entities (NFEs) are required to disclose in FAPIIS any information about criminal, civil, and administrative proceedings, and/or affirm that there is no new information to provide. 
This applies to NFEs that receive federal awards (currently active grants, cooperative agreements, and procurement contracts) greater than $10,000,000 for any period of time during the period of performance of an award/project. 5. NOTICE: The following provisions* apply: (a) FAR 52.209-11, Representation by Corporations Regarding Delinquent Tax Liability or a Felony Conviction under any Federal Law (b) DFARS 252.239-7017, Notice of Supply Chain Risk (c) DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls * Please note that the current versions or deviations of the related clauses will be included in any resulting contract. 6. GRANT AWARDS ONLY: For efforts proposed as grant awards, offerors must provide an abstract in their proposal (not to exceed one page) that is publicly releasable and that describes - in terms the public may understand - the project or program supported by the grant. If the proposal is selected for award, the DoD will publicly post the abstract to comply with Section 8123 of the Department of Defense Appropriations Act, 2015 (Pub. L. 113-235). VII. AGENCY CONTACTS : Questions of a technical nature shall be directed to the cognizant technical point of contact, as specified below:
BAA Manager/TPOC: Yat Fu, AFRL/RIEBA, 525 Brooks Rd., Rome, NY 13441, Phone: 315-330-4950, Email: yat.fu@us.af.mil
Deputy BAA Manager: Matthew Shaver, AFRL/RIEBA, 525 Brooks Rd., Rome, NY 13441, Phone: 315-330-3295, Email: Matthew.Shaver.1@us.af.mil
Questions of a contractual/business nature shall be directed to the cognizant contracting officer, as specified below (emails are preferred): Gail E. Marsh, Telephone (315) 330-7518, Email: Gail.Marsh@us.af.mil The email must reference the solicitation (BAA) number and title of the acquisition. In accordance with AFFARS 5301.91, an Ombudsman has been appointed to hear and facilitate the resolution of concerns from offerors, potential offerors, and others for this acquisition announcement. 
Before consulting with an ombudsman, interested parties must first address their concerns, issues, disagreements, and/or recommendations to the contracting officer for resolution. AFFARS Clause 5352.201-9101 Ombudsman (Jun 2016) will be incorporated into all contracts awarded under this BAA. The AFRL Ombudsman and AFRL Alternate Ombudsman are as follows: Ombudsman: Ms Lisette K. LeDuc, 1864 Fourth St. Wright-Patterson AFB OH 45433-7130 937-904-4407 lisette.leduc@us.af.mil Alternate Ombudsman: Ms Kimberly L. Yoder 1864 Fourth St. Wright-Patterson AFB OH 45433-7130 937-255-4967 kimberly.yoder@us.af.mil All responsible organizations may submit a white paper which shall be considered.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/USAF/AFMC/AFRLRRS/BAA-RIK-14-02/listing.html)
 
Record
SN04734031-W 20171109/171107231403-11012fe974b8a5660070ec4684eaff7f (fbodaily.com)
 