Defense Advanced Research Projects Agency (DARPA), Contract Management Directorate (CMD), 3701 N. Fairfax Dr., Arlington, VA 22203-1714

A -- INFORMATION ASSURANCE (IA) OF THE NEXT GENERATION INFORMATION INFRASTRUCTURE (NGII) SOL BAA 98-34 DUE 123098 POC Mr. O. Sami Saydjari, DARPA/ISO, Administrative FAX: (703) 516-6065 WEB: http://www.darpa.mil/baa, http://www.darpa.mil/baa. E-MAIL: baa98-34@darpa.mil, baa98-34@darpa.mil. The Defense Advanced Research Projects Agency (DARPA) is developing IA technologies for next generation information systems that will support operations envisioned in Joint Vision 2010 (JV2010). The Defense Department's Joint Vision 2010 calls for information dominance in a high-tempo, tightly-integrated multi-national environment. JV2010 also stresses the need for integrating and improving interoperability with allied and coalition forces. To achieve this vision, highly effective information assurance defense strategies, architectures, and mechanisms are needed to protect our systems. DARPA seeks innovative systems approaches that are measurably effective against practical attacks. Confidence in effectiveness must be achieved through system-level arguments involving approaches like layered complimentary mechanisms that will be cost-effective and scalable within three to five years. DARPA is seeking technology to fill gaps in the security architecture for the NGII. The architecture will be used by programs like: Joint Forces Air Component Commander (JFACC), Advanced Logistics Program (ALP), Joint Task Force Advanced Technology Demonstration (JTF-ATD), and Genoa programs, toward protecting the National Information Infrastructure of the future. Upon successful completion, it is envisioned that many of these programs -- and the underlying security architecture upon which they are based -- will transition to the Defense Information Infrastructure (DII) at the Defense Information Systems Agency (DISA) for use by operational forces. DARPA also expects resulting technology to transition to the commercial sector for direct consumption by the Defense Department and critical national information infrastructure systems. The architecture rests on a Common Object Request Broker Architecture (CORBA), Distributed Common Object Management (DCOM), and Java Remote Method Invocation (RMI) and includes a common Command and Control (C2) schema. The NGII architecture will integrate technology incrementally in phased releases over several years. Hereafter in this document "the architecture" is used to mean the NGII phased architecture. The architecture offers critical capabilities to the Department of Defense. These capabilities are of little value, however, if users are not confident that these enhanced capabilities can adequately protect their information, and can be available -- even under situations of high system stress and attack. The purpose of the IA program is to create the basis for this confidence. Thus the IA program is a critical, enabling program for most of other key technology programs in ISO. DARPA is seeking innovative technology and approaches to integrate security, network adaptability to stress, and survivability into the architecture and thus provide assurance and capability to all of its programs that use the architecture. DARPA seeks to do this in increments phased in over the next 2 years (by September 2000). Available funding is $11M but could be significantly larger pending additional available funding and quality as well as quantity of the proposals received. Proposals should focus on employing and extending existing approaches in innovative ways as opposed to conducting fundamental research. Offerors are strongly encouraged, in the development of innovative technologies and approaches, to make use of relevant results from longer-term research programs such as those conducted by the DARPA Information Technology Office (ITO) and the National Security Agency (NSA) Research and Technology Group. Information Assurance capability is to be practically measured, using a risk-reduction return on investment philosophy. In other words, security methods and mechanisms that offer the greatest security at lowest life cycle cost will be emphasized. Cost measures must include development, acquisition, and deployment cost as well as restrictions on functionality, ease-of-use. Effectiveness of IA developed technologies will be measured by red-team attacks; the principal metric of the IA Project. Further, security must be integrated in a way that keeps pace with advanced technology and the changing nature of the DoD mission as described in Joint Vision 2010. PROGRAM SCOPE: Proposals will be considered which fill technology gaps in the architecture. The known gaps are listed below as technical topic areas. Proposed research should investigate innovative, scalable approaches that lead to or enable revolutionary advances in the state of the art. Specifically excluded is research that primarily results in incremental improvement to the existing state of practice or focuses on a specific system or hardware solution. Proposals must result in systems that can be applied to the developing next generation information infrastructure (http://www.les.mil). TECHNICAL TOPIC AREAS AND CORRESPONDING SECURITY FRAMEWORK REQUIREMENTS: Advanced Boundary Controllers: Provide automated flow (no man in the loop) of information across enclave and security boundaries. Monitoring and Threat Detection: Cooperating intrusion detectors and intrusion-resistant protocols. Detect, identify, and correlate attack information to provide indications and warning (I&W) of information warfare (IW) attacks. Risk Management and Decision Support -- Security Service Desk Technologies: System state awareness, risk assessments, and risk versus performance tradeoffs on the fly. Ability to control and modify system security state to adapt to changing operational requirements and threats. Survivability -- Incident Response and Recovery: Ability to effectively deal with attacks by adapting the system to tolerate attacks while continuing mission performance. Distributing risk and functionality within the system. Automated response and reconfiguration. Vulnerability Assessment and System Analysis: System design tools that help designers and architects to map system security vulnerabilities and develop cost-effective countermeasures. Malicious Code Detectors: Tools to detect and isolate malicious code within enclaves -- malicious code that may be introduced by insiders or software agents. Technical topic areas are discussed in detail in the Proposer Information Package (PIP). Proposers must obtain a copy of the PIP as discussed below. ADDITIONAL CONSIDERATIONS: Offerors should identify the specific area(s) they are addressing. In their proposals, they should describe the requirements of the area from their perspective, describe the key technical challenges and identify why they are a challenge. They should describe their approach and indicate why they will be successful, particularly if other approaches have not been. Proposals that address greater parts of the problem space, through innovative integration of component technologies, are highly desired. Technologies with broad application, e.g., apply in Unix and NT environments, are also preferred. GENERAL INFORMATION: DARPA discourages the submission of classified proposals to BAA98-34. Abstracts in advance of actual proposals are not desired, and will not be reviewed. Proposers must submit an original and twelve (12) copies of full proposals as well as disk copy in time to reach DARPA by 4:00 PM (ET), Friday 30 October, 1998, in order to be considered for the initial evaluation. Proposers must obtain a pamphlet, BAA 98-34 Proposer Information Package (PIP), which provides further information on the areas of interest, submission, evaluation, funding processes, and full proposal formats. This pamphlet will be available September 11, 1998, and may be obtained by electronic mail, or mail request to the administrative contact address given below, as well as at URL address http://www.darpa.mil/baa. Proposals not meeting the format described in the pamphlet may not be reviewed. This Commerce Business Daily notice, in conjunction with the pamphlet BAA 98-34, Proposer Information Package, constitutes the total BAA. No additional information is available, nor will a formal RFP or other solicitation regarding this announcement be issued. Requests for same will be disregarded. The Government reserves the right to select for award all, some, or none of the proposals received. All responsible sources capable of satisfying the Government's needs may submit a proposal that shall be considered by DARPA. Historically Black Colleges and Universities (HBCU) and Minority Institutions (MI) are encouraged to submit proposals and join others in submitting proposals. However, no portion of this BAA will be set aside for HBCU and MI participation due to the impracticality of reserving discrete or severable areas of this research for exclusive competition among these entities. Evaluation of proposals will be accomplished through a scientific review of each proposal using the following criteria, which are listed in descending order of relative importance: (1) overall scientific and technical merit, (2) potential contribution and relevance to DARPA mission, (3) offeror's capabilities and related experience, (4) plans and capability to accomplish technology transition, and (5) best value. Organizational Conflict of Interest. Each cost proposal shall contain a section satisfying the requirements of the following: Awards made under this BAA are subject to the provisions of the Federal Acquisition Regulation (FAR) Subpart 9.5, Organizational Conflict of Interest. All offerors and proposed subcontractors must affirmatively state whether they are supporting any DARPA technical office(s) through an active contract or subcontract. All affirmations must state which office(s) the offeror supports and identify the prime contract number. Affirmations shall be furnished at the time of proposal submission. All facts relevant to the existence or potential existence of organizational conflicts of interest, as that term is defined in FAR 9.501, must be disclosed. This disclosure shall include a description of the action the Contractor has taken, or proposes to take, to avoid, neutralize or mitigate such conflict. If the offeror believes that no such conflict exists, then it shall so state in this section. All administrative correspondence and questions on this solicitation, including requests for information on how to submit a proposal to this BAA, must be directed to the administrative address below by 4:00 PM, 15 October, 1998; e-mail or fax is preferred. DARPA intends to use electronic mail and fax for some of the correspondence regarding BAA 98-34. Proposals may not be submitted by fax; any so sent will be disregarded. The administrative address for this BAA is: 4301 North Fairfax Drive, Suite 700, Arlington, VA 22203-1627. Posted 09/09/98 (W-SN247420). (0252)

Loren Data Corp. http://www.ld.com (SYN# 0004 19980911\A-0004.SOL)