20 September 1998


[Commerce Business Daily: Posted in CBDNet on September 9, 1998]
[Printed Issue Date: September 11, 1998]
From the Commerce Business Daily Online via GPO Access
[cbdnet.access.gpo.gov]

PART: U.S. GOVERNMENT PROCUREMENTS
SUBPART: SERVICES
CLASSCOD: A--Research and Development
OFFADD: Defense Advanced Research Projects Agency (DARPA), Contract
  Management Directorate (CMD), 3701 N. Fairfax Dr., Arlington,
  VA 22203-1714

SUBJECT: A--INFORMATION ASSURANCE (IA) OF THE NEXT GENERATION
  INFORMATION INFRASTRUCTURE (NGII)

SOL BAA 98-34
DUE 123098
POC Mr. O. Sami Saydjari, DARPA/ISO, Administrative FAX: (703)
  516-6065

DESC: 

  The Defense Advanced Research Projects Agency (DARPA) is
  developing IA technologies for next generation information
  systems that will support operations envisioned in Joint Vision
  2010 (JV2010). The Defense Department's Joint Vision 2010 calls
  for information dominance in a high-tempo, tightly-integrated
  multi-national environment. JV2010 also stresses the need for
  integrating and improving interoperability with allied and
  coalition forces. To achieve this vision, highly effective
  information assurance defense strategies, architectures, and
  mechanisms are needed to protect our systems. DARPA seeks innovative
  systems approaches that are measurably effective against practical
  attacks. Confidence in effectiveness must be achieved through
  system-level arguments involving approaches like layered complimentary
  mechanisms that will be cost-effective and scalable within
  three to five years. DARPA is seeking technology to fill gaps
  in the security architecture for the NGII. The architecture
  will be used by programs like: Joint Forces Air Component Commander
  (JFACC), Advanced Logistics Program (ALP), Joint Task Force
  Advanced Technology Demonstration (JTF-ATD), and Genoa programs,
  toward protecting the National Information Infrastructure of
  the future. Upon successful completion, it is envisioned that
  many of these programs - and the underlying security architecture
  upon which they are based - will transition to the Defense
  Information Infrastructure (DII) at the Defense Information
  Systems Agency (DISA) for use by operational forces. DARPA
  also expects resulting technology to transition to the commercial
  sector for direct consumption by the Defense Department and
  critical national information infrastructure systems. The architecture
  rests on a Common Object Request Broker Architecture (CORBA),
  Distributed Common Object Management (DCOM), and Java Remote
  Method Invocation (RMI) and includes a common Command and Control
  (C2) schema. The NGII architecture will integrate technology
  incrementally in phased releases over several years. Hereafter
  in this document "the architecture" is used to mean the NGII
  phased architecture. The architecture offers critical capabilities
  to the Department of Defense. These capabilities are of little
  value, however, if users are not confident that these enhanced
  capabilities can adequately protect their information, and
  can be available - even under situations of high system stress
  and attack. The purpose of the IA program is to create the
  basis for this confidence. Thus the IA program is a critical,
  enabling program for most of other key technology programs
  in ISO. DARPA is seeking innovative technology and approaches
  to integrate security, network adaptability to stress, and
  survivability into the architecture and thus provide assurance
  and capability to all of its programs that use the architecture.
  DARPA seeks to do this in increments phased in over the next
  2 years (by September 2000). Available funding is $11M but
  could be significantly larger pending additional available
  funding and quality as well as quantity of the proposals received.
  Proposals should focus on employing and extending existing
  approaches in innovative ways as opposed to conducting fundamental
  research. Offerors are strongly encouraged, in the development
  of innovative technologies and approaches, to make use of relevant
  results from longer-term research programs such as those conducted
  by the DARPA Information Technology Office (ITO) and the National
  Security Agency (NSA) Research and Technology Group. Information
  Assurance capability is to be practically measured, using a
  risk-reduction return on investment philosophy. In other words,
  security methods and mechanisms that offer the greatest security
  at lowest life cycle cost will be emphasized. Cost measures
  must include development, acquisition, and deployment cost
  as well as restrictions on functionality, ease-of-use. Effectiveness
  of IA developed technologies will be measured by red-team attacks;
  the principal metric of the IA Project. Further, security must
  be integrated in a way that keeps pace with advanced technology
  and the changing nature of the DoD mission as described in
  Joint Vision 2010. PROGRAM SCOPE: Proposals will be considered
  which fill technology gaps in the architecture. The known gaps
  are listed below as technical topic areas. Proposed research
  should investigate innovative, scalable approaches that lead
  to or enable revolutionary advances in the state of the art.
  Specifically excluded is research that primarily results in
  incremental improvement to the existing state of practice or
  focuses on a specific system or hardware solution. Proposals
  must result in systems that can be applied to the developing
  next generation information infrastructure (http://www.les.mil).

TECHNICAL TOPIC AREAS AND CORRESPONDING SECURITY FRAMEWORK
REQUIREMENTS: 

  Advanced Boundary Controllers: Provide automated  flow (no man in 
  the loop) of information across enclave and  security boundaries. 

  Monitoring and Threat Detection: Cooperating intrusion detectors 
  and intrusion-resistant protocols. Detect, identify, and correlate
  attack information to provide indications and warning (I&W) of 
  information warfare (IW) attacks. 

  Risk Management and Decision Support - Security Service Desk 
  Technologies: System state awareness, risk assessments, and risk 
  versus performance tradeoffs on the fly. Ability to control and 
  modify system security state to adapt to changing operational 
  requirements and threats. 

  Survivability - Incident Response and Recovery: Ability to 
  effectively deal with attacks by adapting the system to tolerate 
  attacks while continuing mission performance. Distributing
  risk and functionality within the system. Automated response
  and reconfiguration. 

  Vulnerability Assessment and System Analysis: System design tools 
  that help designers and architects to map system security 
  vulnerabilities and develop cost-effective countermeasures. 

  Malicious Code Detectors: Tools to detect and isolate malicious 
  code within enclaves - malicious code that may be introduced by 
  insiders or software agents. 

  Technical topic areas are discussed in detail in the Proposer
  Information Package (PIP). Proposers must obtain a copy of the 
  PIP as discussed below. 

ADDITIONAL CONSIDERATIONS: 

  Offerors should identify the specific area(s) they are addressing.
  In their proposals, they should describe the requirements of the 
  area from their perspective, describe the key technical challenges
  and identify why they are a challenge. They should describe their 
  approach and indicate why they will be successful, particularly if
  other approaches have not been. Proposals that address greater parts
  of the problem space, through innovative integration of component
  technologies, are highly desired. Technologies with broad application,
  e.g., apply in Unix and NT environments, are also preferred.
  
GENERAL INFORMATION:

  DARPA discourages the submission of classified proposals to 
  BAA98-34. Abstracts in advance of actual proposals are not desired,
  and will not be reviewed. Proposers must submit an original and 
  twelve (12) copies of full proposals as well as disk copy in time 
  to reach DARPA by 4:00 PM (ET), Friday 30 October, 1998, in order 
  to be considered for the initial evaluation. Proposers must obtain
  a pamphlet, BAA 98-34 Proposer Information Package (PIP), which 
  provides further information on the areas of interest, submission,
  evaluation, funding processes, and full proposal formats. This 
  pamphlet will be available September 11, 1998, and may be obtained
  by electronic mail, or mail request to the administrative contact 
  address given below, as well as at URL address http://www.darpa.mil/baa.
  Proposals not meeting the format described in the pamphlet
  may not be reviewed. This Commerce Business Daily notice, in
  conjunction with the pamphlet BAA 98-34, Proposer Information
  Package, constitutes the total BAA. No additional information
  is available, nor will a formal RFP or other solicitation regarding
  this announcement be issued. Requests for same will be disregarded.
  The Government reserves the right to select for award all,
  some, or none of the proposals received. All responsible sources
  capable of satisfying the Government's needs may submit a proposal
  that shall be considered by DARPA. Historically Black Colleges
  and Universities (HBCU) and Minority Institutions (MI) are
  encouraged to submit proposals and join others in submitting
  proposals. However, no portion of this BAA will be set aside
  for HBCU and MI participation due to the impracticality of
  reserving discrete or severable areas of this research for
  exclusive competition among these entities. Evaluation of proposals
  will be accomplished through a scientific review of each proposal
  using the following criteria, which are listed in descending
  order of relative importance: (1) overall scientific and technical
  merit, (2) potential contribution and relevance to DARPA mission,
  (3) offeror's capabilities and related experience, (4) plans
  and capability to accomplish technology transition, and (5)
  best value. Organizational Conflict of Interest. Each cost
  proposal shall contain a section satisfying the requirements
  of the following: Awards made under this BAA are subject to
  the provisions of the Federal Acquisition Regulation (FAR)
  Subpart 9.5, Organizational Conflict of Interest. All offerors
  and proposed subcontractors must affirmatively state whether
  they are supporting any DARPA technical office(s) through an
  active contract or subcontract. All affirmations must state
  which office(s) the offeror supports and identify the prime
  contract number. Affirmations shall be furnished at the time
  of proposal submission. All facts relevant to the existence
  or potential existence of organizational conflicts of interest,
  as that term is defined in FAR 9.501, must be disclosed. This
  disclosure shall include a description of the action the Contractor
  has taken, or proposes to take, to avoid, neutralize or mitigate
  such conflict. If the offeror believes that no such conflict
  exists, then it shall so state in this section. All administrative
  correspondence and questions on this solicitation, including
  requests for information on how to submit a proposal to this
  BAA, must be directed to the administrative address below by
  4:00 PM, 15 October, 1998; e-mail or fax is preferred. DARPA
  intends to use electronic mail and fax for some of the correspondence
  regarding BAA 98-34. Proposals may not be submitted by fax;
  any so sent will be disregarded. The administrative address
  for this BAA is: 4301 North Fairfax Drive, Suite 700, Arlington,
  VA 22203-1627.

LINKURL: http://www.darpa.mil/baa
LINKDESC: http://www.darpa.mil/baa
EMAILADD: baa98-34@darpa.mil
EMAILDESC: baa98-34@darpa.mil
CITE: (W-252 SN247420)


See also: http://www.darpa.mil/iso/ia/additional_information.htm