Loren Data Corp.

COMMERCE BUSINESS DAILY ISSUE OF JANUARY 19, 1995 PSA#1265

Advanced Research Projects Agency (ARPA), Contracts Management Office (CMO), 3701 North Fairfax Drive, Arlington, VA 22203-1714

A -- INFORMATION SYSTEM SECURITY SOL BAA95-15 DUE 041795 POC Teresa F. Lunt, ARPA/CSTO, POC, FAX: (703)522-2668.

The Advanced Research Projects Agency (ARPA) is soliciting proposals for research in various aspects of computer and network security, to create and integrate advanced security technologies for the DII, NII, National Challenge problems, and defense uses. This solicitation is part of a larger strategy for developing technology for defensive information warfare. Proposals are sought that address one or more of the following areas:

1) Infrastructure Protection: Proposals are sought to develop prototypes of security mechanisms, value-added security services, packet and cell encryption techniques, and seamlessly integrated security in mobile, high-data-rate, multimedia, network technologies. Of interest are the creation of modular value-added security services such as authentication, authorization, auditing and audit analysis, security management, nonrepudiation, and anonymity, and the redesign of network protocols to remove known security weaknesses, especially vulnerability to malicious denial of service attacks. In addition, research prototypes are sought for a protected infrastructure for key management that could support both symmetric and asymmetric keying needed by secure applications and network services. As a complementary method to other protection schemes, ARPA also is interested in research into packet and cell encryption devices and techniques. Proposed encryption devices should support performance ranges up to 10 gigabit/second and 10 megapacket/second, a variety of addressing schemes (unicast and multicast), and modularly replaceable cryptographic services, and should interface to a variety of network technologies. For all of the above, approaches that include multiparty software key escrow as a key management function are encouraged. Where appropriate, research should be applicable to unicast, broadcast, and dynamic group (multicast) communications and specifically address the problem of interoperability of various plausible security infrastructures. Specific deliverables may include libraries or toolkits with standard interfaces for linking security functions and services to applications. Technical POC: Teresa F. Lunt, Michael StJohns

2) Protection of End-systems: ARPA is seeking technology to allow geographically separated parts of an organization to interact as if they shared a common security perimeter. Approaches should allow uniform system-wide security policies to be enforced, and should provide a high degree of resistance to attack while providing greater interoperability with applications. Of special interest is research and prototyping of firewalls, technologies to support secure distributed applications across heterogeneous platforms, secure configuration controls, and security administration tools. Approaches should allow a variety of organization-specific security policies to be defined and enforced and allow for varying degrees of configurable assurance. Security prototypes may be integrated into standard or emerging systems or be at the core of new technology. Proposals are encouraged in the area of generating and linking policy-enforcement derived from high-level expression of security policy, constraints, and requirements into specific applications. Also of interest is technology to allow system components or devices to be mutually authenticated to provide secure configuration. Proposals regarding security management technology should result in efficient and scalable tools allowing administrators of large systems to assess their systems' vulnerabilities, to bring their systems into compliance with any given set of security requirements, to remotely monitor systems for security compliance, and to quickly assess and correct damage from security incidents. Proposals for end-system protection through appropriate design and function of operating systems and services are strongly encouraged; proposals for work in the area of operating systems and services should be submitted through the forthcoming companion BAA on Scalable Systems and Software. Technical POC: Teresa F. Lunt, Glenn Ricart

3) Assurance: Proposals are sought for prototype experimental system structuring languages, analysis methods, and systems development tools and development environment to express the structure of information systems, reason about their security and other properties, and allow efficient and secure implementations. The proposed approach should be capable of expressing modular operating system structures, networking and other system services, and distributed information system protocols including those providing security services. Approaches that also address system hardware levels and their integration into higher-level system structures are also desired. Proposed projects should be based on well-founded languages which include abstraction mechanisms suitable for expressing and reasoning about complex system structures. Reuse of current methodologies and tools is encouraged where possible. Approaches are encouraged to integrate security tools and assurance methods into existing or emerging automated programming support environments. Demonstration of the approach on state-of-the-art security systems and an assessment of the degree of increased security achieved is encouraged. Proposals are also sought for metrics, evaluation techniques, and tools for quantitative assessment of system security or strength against attack. Technical POC: Teresa F. Lunt, John Salasin.

PROGRAM SCOPE: Proposed research should investigate innovative, scalable approaches that lead to or enable revolutionary advances in the state of the art. Specifically excluded is research which primarily results in evolutionary improvement to the existing state of practice or focuses on a specific system or hardware solution. Topics are not limited to those outlined above. When appropriate, new concepts are to be demonstrated by means of prototypes or reference implementations. Proposals may range from small-scale efforts that are primarily theoretical in nature, to medium-scale experimental and prototyping efforts of hardware and/or software, to larger-scale integrated systems efforts. The target computing environment includes wireless and mobile platforms as well as fixed-location hosts. Proposals may involve other research groups or industrial cooperation and cost sharing. Collaborative efforts and teaming are encouraged. Technologies which have a broad impact will be given highest priority. Proposals will be considered in each of the above areas as well as across multiple areas. Proposers are strongly encouraged to include tasks that evaluate the security of their resulting prototypes under realistic scenarios. Remaining vulnerabilities of proposed approaches should be identified, and proposers are encouraged to include techniques for the detection of attacks that exploit those weaknesses. Proposals should identify opportunities for technology transfer within the commercial marketplace and employ evolutionary concepts to allow their approaches to maintain currency with emerging technology. Scalable, efficient, and interoperable approaches are encouraged.

ARPA does not advocate or endorse the use of any particular cryptographic algorithm or cryptographic system. Proposals involving the use of cryptography must be modular and independent of encryption algorithm, allowing replacement with other algorithms, and employing two or more algorithms if possible. Development of cryptographic algorithms or cryptoanalytic attacks is not within scope of this solicitation. Some Government Furnished Equipment and Information (GFE) in the form of FORTEZZA cryptographic cards and PCMCIA card readers (up to 5 per contract), the FORTEZZA C library and device drivers (for selected platforms only), and the FORTEZZA Applications Developers Guide may be available, but ARPA does not guarantee its availability. It is also anticipated that GFE software cryptography will become available during the course of projects awarded under this BAA. Proposers may request the use of such GFE, but must describe alternatives they would use in the event this GFE is not available.

GENERAL INFORMATION: In order to minimize unnecessary effort in proposal preparation and review, proposers are strongly encouraged to submit brief proposal abstracts in advance of full proposals. An original and three (3) copies of the proposal abstract must be submitted to ARPA/CSTO, 3701 North Fairfax Drive, Arlington, VA 22203-1714, (ATTN: BAA 95-15) on or before 4:00 PM, February 17, 1995. Proposal abstracts received after this date may not be reviewed. Upon review, ARPA will provide written feedback on the likelihood of a full proposal being selected. Proposers must submit an original and four (4) copies of full proposals by 4:00 PM, April 17, 1995, in order to be considered. Proposers must obtain a pamphlet, BAA 95-15, Proposer Information, which provides further information on the submission, evaluation, funding processes, proposal and proposal abstract formats. This pamphlet may be obtained by fax, electronic mail, or mail request to the administrative contact address given below, as well as at URL address http://www.csto.arpa.mil/Solicitations. Proposals not meeting the format described in the pamphlet may not be reviewed. This notice, in conjunction with the pamphlet BAA 95-15, Proposer Information, constitutes the total BAA. No additional information is available, nor will a formal RFP or other solicitation regarding this announcement be issued. Requests for same will be disregarded. The Government reserves the right to select for award all, some, or none of the proposals received. All responsible sources capable of satisfying the Government's needs may submit a proposal which shall be considered by ARPA. Historically Black Colleges and Universities (HBCU) and Minority Institutions (MI) are encouraged to submit proposals and join others in submitting proposals; however, no portion of this BAA will be set aside for HBCU and MI participation due to the impracticality of reserving discrete or severable areas of information security research.

Evaluation of proposals will be accomplished through a scientific review of each proposal using the following criteria, which are listed in descending order of relative importance: (1) overall scientific and technical merit, (2) potential contribution and relevance to ARPA mission, (3) offeror's capabilities and related experience, (4) plans and capability to accomplish technology transition, and (5) cost realism. Note: Cost realism will be significant only in proposals which have significantly under- or overestimated the cost to complete their effort.

All administrative correspondence and questions on this solicitation, including requests for information on how to submit a proposal abstract or proposal to this BAA, should be directed to one of the administrative addresses below; e-mail or fax is preferred. ARPA intends to use electronic mail and fax for correspondence regarding BAA 95-15. The administrative addresses for this BAA are:

Fax: 703-522-2668 Addressed to: ARPA/CSTO, BAA 95-15
Electronic Mail: baa9515@arpa.mil
Mail: ARPA/CSTO, ATTN: BAA 95-15, 3701 N. Fairfax Drive, Arlington, VA 22203-1714 (0017)

Loren Data Corp. http://www.ld.com (SYN# 0001 19950118\A-0001.SOL)

