Loren Data Corp.

COMMERCE BUSINESS DAILY ISSUE OF JULY 20, 1999 PSA#2391

Defense Advanced Research Projects Agency (DARPA), Contract Management Directorate (CMD), 3701 N. Fairfax Dr., Arlington, VA 22203-1714

A -- INFORMATION ASSURANCE AND SURVIVABILITY SOL BAA99-33 DUE 092099 POC O. Sami Saydari, DARPA/ISO, e-mail address ssaydari@darpa.mil WEB: http://www.darpa.mil. E-MAIL: BAA99-33@darpa.mil.

The following are the key events in this acquisition. Please note there is an Industry Briefing regarding the Broad Agency Announcement for the Information Assurance and Survivability Suite of Programs in this announcement on July 29, 1999. Details regarding registration and agenda are outlined on the web site referenced below. This briefing will provide further background and context to potential proposers. Program Managers and Contracting Officers will be available for questions at that occasion. A draft Proposer Information Pamphlet (PIP) will be finalized based on inputs received from potential proposers and other sources according to the following schedule. Comments and questions are solicited and may be submitted via the Frequently Asked Questions (FAQ) process.

July 17, 1999, CBD, Draft PIP posted;
July 29, 1999, Industry Brief (Please register and see details at the following site: http://schafercorp-ballston.com/IA&S_Industry_Day/);
August 4, 1999, Deadline for Draft PIP comments;
August 11, 1999, Final PIP posted;
September 20, 1999 (local time), Deadline for proposal submission, BAA closes;
December 15, 1999, Anticipated source selection results notification;
February 28, 2000, Anticipated contract awards.

The Defense Advanced Research Projects Agency (DARPA) is developing IA&S technologies for next generation information systems that will support operations envisioned in Joint Vision 2010 (JV2010). The Defense Department's Joint Vision 2010 calls for information dominance in a high-tempo, tightly integrated multi-national environment.
In order to gain dominant battlespace awareness, JV2010 stresses the need for information superiority: the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same. JV2010 also stresses the need for integrating and improving interoperability with allied and coalition forces. To achieve this vision, highly effective Information Assurance and Survivability defense strategies, architectures, and mechanisms are needed to protect our own systems. DARPA seeks innovative systems approaches that are measurably effective against practical attacks. Confidence in effectiveness must be achieved through system-level arguments involving approaches like layered complementary mechanisms that will be cost-effective and scalable within three to five years. Approaches must find means to support the advanced functionality of future systems while maintaining a high level of confidence in the protection effectiveness. The IA&S suite is a closely coordinated group of programs consisting of the following: the Strategic Intrusion Assessment (SIA) program, the Intrusion Tolerant Systems (ITS) program, the Fault Tolerant Networks (FTN) program, the Dynamic Coalitions (DC) program, the Information Assurance (IA) program, the Information Assurance Science and Engineering Tools (IASET) program, the Autonomic Information Assurance (AIA) program, and the Cyber Command and Control (CC2) program. The programs will be coordinated by focusing on joint experimentation, sharing of laboratory facilities for experimentation, annual joint Principal Investigator meetings, and joint monthly meetings between DARPA Program Managers and Systems Integrators (for those programs with significant integration roles) to exchange information, enhance innovation, and reduce redundancy. Of those programs in the IA&S group, the SIA, ITS, FTN and IA programs are not part of this solicitation and are not discussed further. 
A brief description of the programs of interest in this solicitation follows. The Dynamic Coalitions program seeks to develop technologies that enable secure collaboration within dynamically established mission-specific coalitions while minimizing potential threats from compromised partners and external attackers. The Information Assurance Science and Engineering Tools program, by creating a science-based design and assessment environment, will allow both DoD and commercial developers to create systems with understood assurance properties and measurable effectiveness against attack. By creating an autonomic defensive control system, the Autonomic Information Assurance program will allow systems to encode tactics to handle known attacks and high-speed attacks so the decision-makers can focus on the innovative and sophisticated strategic situation. To enable leaders to understand the situation and act quickly to thwart strategic information warfare campaigns, the Cyber Command and Control program seeks to create a cyber defense decision support system.

PROGRAM OBJECTIVES AND SCOPE

Dynamic Coalitions OBJECTIVE

Existing technologies do not allow quick reaction support of secure collaboration within dynamically established mission-specific coalitions. Current COTS products fall short in providing the necessary technologies for the creation of secure coalitions of the order of 10-100 participants. In addition, the infrastructure services necessary to support such coalitions are non-existent. With the ever-increasing network-centric view of the future, these types of technologies will be critical for providing continued coalition operation while minimizing potential threats from increased access. The objective of the Dynamic Coalitions (DC) Program is the creation of technologies for establishing distributed (vice hierarchical) coalition security policies for essential operations.
This includes securing the underlying group communication technologies and providing the necessary coalition infrastructure services, such as authentication and authorization, which must be present for secure collaboration in a coalition environment.

Dynamic Coalitions SCOPE

The Dynamic Coalitions (DC) Program will focus primarily on the development of new technologies that will enable the rapid creation of secure coalitions, including securing the underlying group communications and security infrastructure services. These technologies will be demonstrated individually and integrated together to provide the requisite capabilities within several challenge scenarios. It is anticipated that the technologies developed within the DC program will be directly applicable to other programs within the IA&S suite.

Information Assurance Science and Engineering Tools (IASET) Program OBJECTIVE

We don't understand the science of IA in systems. We don't know how to design and assess IA in systems. These two assertions arise from inherent problems in the existing design and assessment processes that create our information systems and can only be adequately addressed by a fundamental change in IA philosophy. Existing processes are inconsistent, inefficient, do not approach problems with a systems perspective, and have goals and results limited by the currently abstract and immature nature of the discipline. These limitations cannot be overcome by simply applying additional evolutionary research in the same core concepts such as vulnerabilities, threats, and countermeasures. A new IA paradigm is required -- one that enables the designer and analyst to capture and probe the causality, relationships, and objectives of an entire system. The IASET program will address this problem by developing this new paradigm.
The program will develop underlying sciences that allow formal understanding of the IA problem at hand and will develop the tools and an environment that designers and assessors can use to solve real IA problems. The objective of the IASET Program is the creation of science-based metrics, methodologies, and tools for the implementation of assurance in information system design and assessment processes. This program seeks to overcome inherent deficiencies in the present processes in order to address assurance considerations with a true "system-level" viewpoint. Success will lead to more robust and secure systems that can be developed more rapidly, and will have lower life cycle costs.

IASET SCOPE

IASET will focus primarily on design/assessment-time activities rather than operational-time response to IA threats. It will prove its concepts sufficiently to advance the field of study and demonstrate utility of an integrated environment for IA design and assessment. In the area of science, IASET will focus on the development of cyberscience, IA metrics, and mathematics and models. Cyberscience consists of the fundamental laws and relationships that define information systems and cyberspace. In the area of engineering tools, IASET will develop science-based methods for IA design and assessment, IA design and assessment tools, and an integrated environment for IA design and assessment. IASET will mutually support related IA&S programs including Autonomic IA (AIA) and Cyber Command and Control (CC2). IASET's sciences work will supplement basic research in both AIA and CC2, while the engineering tools work will support the design and assessment of AIA and CC2 demonstration systems.

AIA PROGRAM OBJECTIVE:

Automated attacks happen too fast for people to think about appropriate responses. They require automated defenses that can adapt at execution time to either stop the attack or minimize its damage to the organization's mission or business.
The Autonomic Information Assurance program is seeking to develop innovative technology and approaches for fast, adaptive defenses against automated attacks. By stopping previously known attacks, stopping large classes of preventable attacks, and reducing damage, these intelligent reflexes should dramatically raise the work, risk, and cost factors for unsophisticated and moderately sophisticated adversaries, and give defending parties more time to define more effective or more appropriate countermeasures.

AIA defenses must be capable of effective adaptation in accelerated machine time. Further, security must be integrated with functionality in a way that keeps pace with advanced technology and the changing nature of both the Defense Department mission and modern business as a whole. Technologies must facilitate upgrading to future, better solutions, and must accommodate rapid advances in base computing and networking technologies. Teaming is strongly encouraged between security and survivability specialists, research organizations in complementary outside fields, and commercial partners.

AIA PROGRAM SCOPE:

AIA will focus on the development of fast, adaptive closed-loop response to defend against automated attacks. This will include development of light autonomic defenses to protect individual shared resources; integration of defenses to protect the system of systems; experimentation to evaluate system response performance, selection techniques for quickly choosing effective responses to counter or diminish attacks, assurance posture specification languages; policy projection models that reduce complexity without degrading response effectiveness; flexible defensive response mechanisms that enable adaptive control and counter broad classes of attacks; and system state estimation and instrumentation.
Proposals will be considered that fill gaps in technology, improve systems level behavior, or address very focused areas of basic IA sciences in modeling and policy relevant to AIA.

CC2 PROGRAM OBJECTIVE:

Current defensive technology leaves commanders and decisionmakers with no capabilities for assessing and responding to the cyber attack situation at a strategic level. CC2 seeks to develop decision support over system and network capabilities for security, adaptability to stress, and survivability to allow humans to assess the cyber situation and provide strategic direction to counter attack campaigns while best maintaining the system's ability to carry out its operational functions. This decision support essentially serves as battle management over defense of systems actively under attack by sophisticated adversaries seeking to achieve strategic goals. It will assist human beings in ascertaining activities and goals of adversaries attacking the system, and determining and carrying out the most effective courses of action to counter them. CC2 will work with and complement other defensive capabilities, such as the fast, reflexive defenses to be developed in the AIA program. CC2 will allow humans to monitor, advise on, and adjust the operation of a wide range of passive, active, and reflexive information assurance mechanisms. It will explicitly represent and dynamically compute system costs and mission dependencies to allow well-informed tradeoffs to optimize the system's ability to carry out its mission.

CC2 PROGRAM SCOPE:

A variety of capabilities are becoming available for sensing and managing a system's security state (such as protection mechanisms and intrusion detection and response capabilities). CC2 will raise the analysis and presentation of the cyber attack situation and available cyber defense options to a semantic level appropriate for consideration by a commander or other operational decision-maker.
Situation awareness will derive and represent the attack state in terms of hypotheses concerning the adversary's plan and its impact on the system's operational functions. Course of action capabilities will determine, assess, and carry out possible coordinated responses to the current and projected attack situation, with contingency monitoring and dynamic adjustment. Forensics and damage assessment will analyze what information, system functions, and mission decisions have been affected by the attack situation, and will assist humans in discovering and analyzing evidence symptomatic of new forms of attack or malicious code to identify ways to remove, isolate, or counter them. CC2 will draw on related areas, such as situation assessment and planning for command and control in the traditional battlespace domains.

ADDITIONAL CONSIDERATIONS

Offerors should identify the specific area(s) they are addressing. In their proposals, they should describe the requirements of the area from their perspective, describe the key technical challenges and identify why they are a challenge. They should describe their approach and indicate why they will be successful, particularly if other approaches have not been. Proposals that address greater parts of the problem space, through innovative integration of component technologies, are highly desired. Technologies with broad application, e.g., apply in Unix and NT environments, are also preferred.

FUNDING SUMMARY:

The following summarizes by individual program the anticipated funding level ($ in millions):

Program  FY00  FY01  FY02  FY03
DC       8.0   11.0  13.0  10.0
IASET    12.0  18.0  17.0  11.0
AIA      10.5  17.4  9.0   9.0
CC2      3.0   8.0   15.0  14.0

GENERAL INFORMATION

DARPA will not accept classified proposals to BAA99-33. Abstracts in advance of actual proposals are not required, and will not be reviewed.
Proposers must submit an original and three (3) hard copies of full proposals as well as 10 disk copies in time to reach DARPA by 4:00 PM (local time), September 20, 1999, in order to be considered for the initial evaluation. Proposers must obtain a pamphlet, BAA99-33 Proposer Information Package (PIP), which provides further information on the areas of interest, submission, evaluation, funding processes, and full proposal formats. This pamphlet will be available in draft July 15, 1999, and may be obtained by electronic mail, or mail request to the administrative contact address given below, as well as at URL address http://www.darpa.mil/baa. Proposals not meeting the format described in the pamphlet may not be reviewed. This Commerce Business Daily notice, in conjunction with the pamphlet BAA99-33, Proposer Information Package, constitutes the total BAA. No additional information is available, nor will a formal RFP or other solicitation regarding this announcement be issued. Requests for same will be disregarded. The Government reserves the right to select for award all, some, or none of the proposals received. All responsible sources capable of satisfying the Government's needs may submit a proposal that shall be considered by DARPA. Historically Black Colleges and Universities (HBCU) and Minority Institutions (MI) are encouraged to submit proposals and join others in submitting proposals. However, no portion of this BAA will be set aside for HBCU and MI participation due to the impracticality of reserving discrete or severable areas of this research for exclusive competition among these entities.

Evaluation of proposals will be accomplished through a scientific review of each proposal using the following criteria, which are listed in descending order of relative importance:

(1) Overall scientific and technical merit; The overall scientific and technical merit must be clearly identifiable. The technical concept should be clearly defined and developed.
Emphasis should be placed on the technical value of the development and experimentation approach.

(2) Innovative technical solution to the problem; Proposed efforts should apply new or existing technology in a new way such as is advantageous to the IA&S objectives. Plan on how offeror intends to get developed technology and information to the user community should be considered.

(3) Potential contribution and relevance to DARPA mission; The offeror must clearly address how the proposed effort will meet the goals of the IA&S undertaking. The relevance is further indicated by the offeror's understanding of the operating environment of the capability to be developed.

(4) Offeror's capabilities and related experience; The qualifications, capabilities, and demonstrated achievements of the proposed principals and other key personnel for the primary and subcontractor organizations must be clearly shown.

(5) Plans and capability to accomplish technology transition; The offeror should provide a clear explanation of how the technologies to be developed will be transitioned to capabilities for military forces. Technology transition should be a major consideration in the design of experiments, particularly considering the potential for involving potential transition organizations in the experimentation process.

(6) Best value; The overall estimated cost to accomplish the effort should be clearly shown as well as the substantiation of the costs for the technical complexity described. Evaluation will consider the value to Government of the research and the extent to which the proposed management plan will effectively allocate resources to achieve the capabilities proposed.

Organizational Conflict of Interest. Each cost proposal shall contain a section satisfying the requirements of the following: Awards made under this BAA are subject to the provisions of the Federal Acquisition Regulation (FAR) Subpart 9.5, Organizational Conflict of Interest.
All offerors and proposed subcontractors must affirmatively state whether they are supporting any DARPA technical office(s) through an active contract or subcontract. All affirmations must state which office(s) the offeror supports and identify the prime contract number. Affirmations shall be furnished at the time of proposal submission. All facts relevant to the existence or potential existence of organizational conflicts of interest, as that term is defined in FAR 9.501, must be disclosed. This disclosure shall include a description of the action the Contractor has taken, or proposes to take, to avoid, neutralize or mitigate such conflict. If the offeror believes that no such conflict exists, then it shall so state in this section. Restrictive notices notwithstanding, proposals may be handled, for administrative purposes only, by a support contractor. This support contractor is prohibited from competition in DARPA technical research and is bound by appropriate non-disclosure requirements. Only Government officials will evaluat

Posted 07/16/99 (W-SN355340). (0197)

Loren Data Corp. http://www.ld.com (SYN# 0003 19990720\A-0003.SOL)

